[clamav-users] Kindly help in create unofficial signature

G.W. Haywood clamav at jubileegroup.co.uk
Sun Sep 20 15:23:31 UTC 2020


Hi there,

On Sun, 20 Sep 2020, Dismas Axel (Thomas) via clamav-users wrote:

> Today I got a spam email containing an .xz file as its attachment. I
> downloaded it and unzipped it, then I found an .exe file inside ...

If a malicious attachment is not currently detected you could submit
it to the ClamAV team at https://www.clamav.net/reports/malware.

> My question is, what kind of signature type would be best to fit for
> this kind of file? Is it a .hdb or .ndb, or maybe both of them, or
> other file type? And why?

It is not clear to me whether by "this kind of file" you mean the .xz
(archive) type or the .exe (Portable Executable, PE) type.  I guess
you mean PE because that's what your signature is for.

The .hdb and .ndb extensions refer to database files which contain
hash signatures and extended signatures respectively.  If you write a
hash signature (for a complete file) you would put it in a .hdb file
in the ClamAV database, and if you write an extended signature (as you
have in your sample) you would put it in a ClamAV database .hdb file.

It is up to you to choose which kind of signature to write and you can
create several if you wish.  Be aware that one of the many ways in
which malware authors try to avoid detection is by making changes in
the malware, which do not affect its operation, but which will defeat
detection using a hash-based signature for an entire file.  Last week
I was looking at about sixty thousand extended signatures for a single
malware (called 'Emotet') in the daily database, so even if you don't
try to match an entire file you still have to consider the issue. You
may need to be perspicacious and creative when writing signatures.  It
is something of an art to write good signatures.  If you have trouble
expressing exactly what you want with extended signatures, you might
want to consider using Yara rules - although there are limitations in
the ClamAV implementation.

> And I have also created a signature, Returned_Swift Copy.ndb; kindly
> help me review my signature, attached here, to see whether I created
> the signature correctly or incorrectly.

When I load your signature manually it does not appear to cause any
problem for clamscan.  Of course I do not have a sample of the malware
to test if it will match.  Your signature is for target type 1, a PE,
so ClamAV will need to (a) uncompress the file if it is compressed and
(b) recognize it as a PE type.  If in testing you use target type 0 it
will only need to uncompress the file.  To avoid even that you can run
clamscan against the file after you have manually extracted it.  Do be
aware that it may need large amounts of memory to decompress a file in
some compressed formats.  If ClamAV has to extract it during scanning,
that may be an issue.  There are other limits to be aware of, and you
can scan with limits at different settings - see the documentation.
If for example you want to scan mail in your inbox without extracting
or recognizing files you might use type 4 (of course with a completely
different signature).

Look at "Important rules of the naming convention".

Look at "Testing rules with clamscan", in particular the suggestion

clamscan --debug --verbose

which you can for example run using the 'script' utility to record its
(rather extensive) output.

Where did the original email come from?

-- 

73,
Ged.
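The reply above describes the two signature formats (.hdb hash signatures and .ndb extended signatures), the choice of target type, and testing with clamscan. The script below is an added example, not part of the list post or of ClamAV itself: it builds one line of each format for a file, writes them into a private database directory, and runs clamscan against that directory if clamscan is installed. The sample file, the database directory and the signature names are constructed for the demonstration and are not real malware; the test signature uses target type 0 (any file) so that, as the reply explains, ClamAV does not first have to recognize the constructed file as a PE.

```shell
#!/bin/sh
# Added example: build unofficial ClamAV signatures for a file and test them.
#
# .hdb line format:  <md5|sha1|sha256>:<FileSize>:<MalwareName>
# .ndb line format:  <MalwareName>:<TargetType>:<Offset>:<HexSignature>
#   TargetType 0 = any file, 1 = PE, 4 = mail; Offset '*' = anywhere.
# Signature names below are constructed; pick your own to follow the
# naming convention the ClamAV documentation describes.

# Hash of a file: sha256sum (coreutils) with a fallback to shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a whole-file hash signature line.  Arguments: file, signature name.
# This matches only the exact bytes hashed, so any change to the file defeats it.
make_hdb_line() {
    hash=$(sha256_of "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$hash" "$size" "$2"
}

# Build an extended signature line from a literal byte string.
# Arguments: signature name, target type, offset, ASCII pattern.
# The pattern is hex-encoded, which is what the .ndb format expects.
make_ndb_line() {
    hex=$(printf '%s' "$4" | od -An -v -tx1 | tr -d ' \n')
    printf '%s:%s:%s:%s\n' "$1" "$2" "$3" "$hex"
}

# Demonstration: constructed sample file standing in for the extracted
# attachment, a private database directory, and a clamscan run against it.
demo() {
    dir=$(mktemp -d)
    printf 'MZ\000\000sample-only-not-malware\n' > "$dir/sample.bin"
    mkdir "$dir/db"
    make_hdb_line "$dir/sample.bin" Unofficial.Test.Sample-hdb \
        > "$dir/db/Unofficial.Test.hdb"
    # Target type 0 so no PE recognition is needed for the constructed file.
    make_ndb_line Unofficial.Test.Sample-ndb 0 '*' 'sample-only-not-malware' \
        > "$dir/db/Unofficial.Test.ndb"
    if command -v clamscan >/dev/null 2>&1; then
        # Record the (extensive) debug output to a log file for review.
        clamscan -d "$dir/db" --debug --verbose "$dir/sample.bin" \
            > "$dir/clamscan.log" 2>&1 || true
        echo "clamscan output saved to $dir/clamscan.log"
    else
        echo "clamscan not installed; signature files written under $dir/db"
    fi
    echo "$dir"
}

# Run the demonstration only when invoked as:  sh thisscript.sh demo
if [ "${1-}" = demo ]; then
    demo
fi
```

Because clamscan exits non-zero when a signature matches, the demo does not let that exit code abort the script; inspect the saved log to confirm that both the hash and the extended signature fire against the sample.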
