[clamav-users] Kindly help in create unofficial signature
Dismas Axel (Thomas)
dismasc at protonmail.com
Mon Sep 21 03:48:53 UTC 2020
Dear Ged,
Thanks for your reply and explanation; it appears there is still a lot I need to learn in order to start contributing signatures to the community.
Yes, by "this kind of file" I was referring to the .xz file type (sorry, I was not clear before).
Here is the header of the spam email and attached is the screenshot of the fake email containing this .xz file:
Return-Path: <y.safary at kums.ac.ir>
Delivered-To: y.safary at kums.ac.ir
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=5.63.15.95; helo=server507.dnslake.com; envelope-from=y.safary at kums.ac.ir; receiver=y.safary at kums.ac.ir
Received: from Server507.dnslake.com (webmail.kums.ac.ir [5.63.15.95])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
From: "UCO Bank" <y.safary at kums.ac.ir>
To: y.safary at kums.ac.ir
Subject: Draft Swift copy of returning funds to your company account!!
Date: Sun, 20 Sep 2020 11:46:16 +0430
Reply-To: y.safary at kums.ac.ir
Message-ID: <038d86257de64701bf789ca685f0fcaa at kums.ac.ir>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=148533ebca0643218b0bdbb74ec262b0
So, I finally did the following:
I created the .ndb signature previously using these steps:
1) I extracted Returned_Swift Copy,PDF.tar.xz.
2) I found Returned_Swift Copy.exe inside it.
3) I ran the command (the file name contains a space and a comma, so it has to be quoted):
cat "Returned_Swift Copy,PDF.tar.xz" | sigtool --hex-dump | head -c 2048 > Returned_Swift_Copy.ndb
4) This gave me the output of the signature previously attached.
5) I tested the .ndb using this command:
clamscan -d Returned_Swift_Copy.ndb "Returned_Swift Copy,PDF.tar.xz"
6) And here is the summary:
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.12 MB
Data read: 0.18 MB (ratio 0.71:1)
Time: 0.102 sec (0 m 0 s)
7) However, I also created the .hdb file, just in case, by running this command:
sigtool --sha256 "Returned_Swift Copy.exe" > Returned_Swift_Copy.hdb
8) Also, I tested the .hdb file against the .xz file, and here is the summary:
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.55 MB
Data read: 0.18 MB (ratio 3.13:1)
Time: 0.025 sec (0 m 0 s)
Thank you,
Dismas
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, September 20, 2020 10:23 PM, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
> Hi there,
>
> On Sun, 20 Sep 2020, Dismas Axel (Thomas) via clamav-users wrote:
>
> > Today I got a spam email, containing .xz file in its attachment. I
> > downloaded it, and unzipped it, then I found .exe file inside ...
>
> If a malicious attachment is not currently detected you could submit
> it to the ClamAV team at https://www.clamav.net/reports/malware.
>
> > My question is, what kind of signature type would be best to fit for
> > this kind of file? Is it a .hdb or .ndb, or maybe both of them, or
> > other file type? And why?
>
> It is not clear to me whether by "this kind of file" you mean the .xz
> (archive) type or the .exe (Portable Executable, PE) type. I guess
> you mean PE because that's what your signature is for.
>
> The .hdb and .ndb extensions refer to database files which contain
> hash signatures and extended signatures respectively. If you write a
> hash signature (for a complete file) you would put it in a .hdb file
> in the ClamAV database, and if you write an extended signature (as you
> have in your sample) you would put it in a ClamAV database .hdb file.
>
> It is up to you to choose which kind of signature to write and you can
> create several if you wish. Be aware that one of the many ways in
> which malware authors try to avoid detection is by making changes in
> the malware, which do not affect its operation, but which will defeat
> detection using a hash-based signature for an entire file. Last week
> I was looking at about sixty thousand extended signatures for a single
> malware (called 'Emotet') in the daily database, so even if you don't
> try to match an entire file you still have to consider the issue. You
> may need to be perspicacious and creative when writing signatures. It
> is something of an art to write good signatures. If you have trouble
> expressing exactly what you want with extended signatures, you might
> want to consider using Yara rules - although there are limitations in
> the ClamAV implementation.
>
> > And, I also have created a signature Returned_Swift Copy.ndb, kindly
> > help me to review my signature attached here, whether I created the
> > signature correctly or incorrectly?
>
> When I load your signature manually it does not appear to cause any
> problem for clamscan. Of course I do not have a sample of the malware
> to test if it will match. Your signature is for target type 1, a PE,
> so ClamAV will need to (a) uncompress the file if it is compressed and
> (b) recognize it as a PE type. If in testing you use target type 0 it
> will only need to uncompress the file. To avoid even that you can run
> clamscan against the file after you have manually extracted it. Do be
> aware that it may need large amounts of memory to decompress a file in
> some compressed formats. If ClamAV has to extract it during scanning,
> that may be an issue. There are other limits to be aware of, and you
> can scan with limits at different settings - see the documentation.
> If for example you want to scan mail in your inbox without extracting
> or recognizing files you might use type 4 (of course with a completely
> different signature).
>
> Look at "Important rules of the naming convention".
>
> Look at "Testing rules with clamscan", in particular the suggestion
>
> clamscan --debug --verbose
>
> which you can for example run using the 'script' utility to record its
> (rather extensive) output.
>
> Where did the original email come from?
>
> --
>
> 73,
> Ged.
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: thespam.png
Type: image/png
Size: 89604 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20200921/09f29fc7/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Returned_Swift_Copy.hdb
Type: application/octet-stream
Size: 96 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20200921/09f29fc7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Returned_Swift_Copy.ndb
Type: application/octet-stream
Size: 2081 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20200921/09f29fc7/attachment-0001.obj>
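Added example, not code from this thread or from the ClamAV project: the two signature types discussed above, built with plain POSIX tools so the file format can be seen explicitly. An .ndb entry is `MalwareName:TargetType:Offset:HexSignature` (target type 1 = PE, 0 = any file), so the bare output of `sigtool --hex-dump` is only the last field and needs the three header fields in front of it; an .hdb entry is `sha256:FileSize:MalwareName`, which is what `sigtool --sha256` prints. The script checks both lines for the expected field layout before loading them and then runs `clamscan -d` against the sample if clamscan is installed. The sample file, the signature name `Win.Trojan.SwiftCopy` and the byte ranges are assumptions for illustration; the sample is a harmless constructed stand-in, not the attachment from the mail.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the ClamAV sources): build a
# ClamAV .ndb and .hdb signature for an extracted sample with POSIX tools,
# validate the line format, and test with clamscan when it is available.
#
# Line formats (ClamAV signature documentation):
#   .ndb  MalwareName:TargetType:Offset:HexSignature   (TargetType 1 = PE, 0 = any)
#   .hdb  Hash:FileSize:MalwareName                    (what `sigtool --sha256` prints)
set -eu

# Portable sha256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_ndb_sig FILE NAME TARGET OFFSET NBYTES
# Emits NBYTES raw bytes at OFFSET as the hex body of an .ndb line, i.e. the
# same thing `sigtool --hex-dump` gives for that slice, plus the header fields.
make_ndb_sig() {
    hex=$(od -An -v -tx1 -j "$4" -N "$5" "$1" | tr -d ' \n')
    printf '%s:%s:%s:%s\n' "$2" "$3" "$4" "$hex"
}

# make_hdb_sig FILE NAME  ->  sha256:size:name
make_hdb_sig() {
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$(sha256_of "$1")" "$size" "$2"
}

# check_ndb_line LINE: four colon-separated fields, numeric target type, numeric
# offset (or * for "anywhere"), and a non-empty body made of whole hex bytes.
check_ndb_line() {
    [ "$(printf '%s' "$1" | awk -F: '{print NF}')" -eq 4 ] || return 1
    printf '%s' "$1" | cut -d: -f2 | grep -Eq '^[0-9]+$' || return 1
    printf '%s' "$1" | cut -d: -f3 | grep -Eq '^([0-9]+|\*)$' || return 1
    printf '%s' "$1" | cut -d: -f4 | grep -Eq '^([0-9a-f]{2})+$'
}

# check_hdb_line LINE: three fields, a 64-hex-char sha256, and a numeric size.
check_hdb_line() {
    [ "$(printf '%s' "$1" | awk -F: '{print NF}')" -eq 3 ] || return 1
    printf '%s' "$1" | cut -d: -f1 | grep -Eq '^[0-9a-f]{64}$' || return 1
    printf '%s' "$1" | cut -d: -f2 | grep -Eq '^[0-9]+$'
}

# Demo on a constructed, harmless stand-in for the extracted .exe (only a DOS
# header prefix). File name and signature name are assumptions for illustration.
demo() {
    dir=$(mktemp -d)
    sample="$dir/Returned_Swift Copy.exe"    # quoted: the real name contains a space
    printf 'MZ\220\000\003\000\000\000\004\000' > "$sample"

    # Skip the 2-byte "MZ" magic that every PE shares and take the 8 bytes after it.
    make_ndb_sig "$sample" Win.Trojan.SwiftCopy 1 2 8 > "$dir/SwiftCopy.ndb"
    make_hdb_sig "$sample" Win.Trojan.SwiftCopy     > "$dir/SwiftCopy.hdb"

    check_ndb_line "$(cat "$dir/SwiftCopy.ndb")" || { echo "bad .ndb line" >&2; return 1; }
    check_hdb_line "$(cat "$dir/SwiftCopy.hdb")" || { echo "bad .hdb line" >&2; return 1; }
    cat "$dir/SwiftCopy.ndb" "$dir/SwiftCopy.hdb"

    # clamscan exits 1 when a signature matched, 0 when clean, 2 on error.
    if command -v clamscan >/dev/null 2>&1; then
        rc=0
        clamscan --no-summary -d "$dir" "$sample" || rc=$?
        echo "clamscan exit code: $rc"
    fi
    rm -rf "$dir"
}

demo
```

Two practical points the checks do not cover: the leading bytes of a PE (the MZ header and DOS stub) are shared by practically every Windows executable, so a hex body taken from the very start of the file will fire on benign programs; pick bytes that are specific to the sample. And clamscan reports signatures loaded from user databases with a `.UNOFFICIAL` suffix appended to the name, so the name in the file should not carry it.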