[Community-sigs] new sig

Rok Potočnik rok.potocnik at t-2.com
Thu Apr 16 08:23:43 EDT 2015


On 16.04.2015 14:13, Andrea Allievi wrote:
> Hi Rok!
> First of all, sorry for the delay in the answer.
>
> Thank you for the signature but unfortunately we are trying to limit the
> number of hash-based signatures and we don't accept them anymore as
> community signatures. The details of the Community Signatures program
> are available here:
> http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
> Given that the malware sample is of concern, we will analyse it and
> release a signature for it as soon as possible.
>
> If you would like, you can start writing a body-based signature, like a
> logical one.
> Here is the document that describes all the details:
> https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf
>
>
> Thanks,
> Andrea Allievi

Awesome - I'll take a look. In the meantime, I have a bunch (~5k of
files) of virus samples that are mostly the same; hashes differ, but
the essence seems to be the same: email messages that contain zip files
that contain cab files that contain .scr files (PE32 Windows Executables).

What would be the easiest way to mass analyze the files? Running
clamscan --debug on a one-on-one basis seems to be a bit of a challenge
for me.

# sigtool --sha256 *cab | tail -10 | cut -d\: -f-2

# sigtool --sha256 *scr | tail -10 | cut -d\: -f-2




-- 
LP, Rok Potočnik
T-2 d.o.o.
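Taking Andrea's pointer toward body-based signatures together with Rok's pile of near-identical .scr samples, here is an added Python example (not code from this thread or from ClamAV) that shows the difference between the two signature types on constructed stand-in bytes: the .hsb hash line changes with every sample, while the longest byte string shared by all of them yields a candidate .ndb body signature. The sample bytes and the signature name Win.Trojan.Sample-hyp are made up.

```python
import hashlib

# Constructed stand-in "samples" (hypothetical bytes, not the poster's files):
# every blob carries the same payload string, but the padding differs, so
# each has a different SHA-256 while the body is effectively the same.
PAYLOAD = b"ThisIsACommonPayloadString"
SAMPLES = {
    "a.scr": b"MZ\x90\x00" + PAYLOAD + b"\x01" * 20,
    "b.scr": b"MZ\x90\x00pad" + PAYLOAD + b"\x02" * 9,
    "c.scr": b"MZ\x90\x00" + PAYLOAD + b"xyz",
}
SIG_NAME = "Win.Trojan.Sample-hyp"  # hypothetical signature name

def hsb_line(data, sig_name=SIG_NAME):
    """One hash signature in ClamAV .hsb form: sha256:filesize:name
    (the fields sigtool --sha256 prints). One line per distinct file."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{sig_name}"

def common_ngrams(blobs, n):
    """Byte strings of length n that occur in every blob."""
    sets = [{b[i:i + n] for i in range(len(b) - n + 1)} for b in blobs]
    return set.intersection(*sets) if sets else set()

def longest_common_substring(blobs):
    """Longest byte string shared by all blobs, found by trying lengths
    from the shortest blob downward (fine for a handful of small files)."""
    for n in range(min(len(b) for b in blobs), 0, -1):
        shared = common_ngrams(blobs, n)
        if shared:
            return sorted(shared)[0]  # deterministic pick among ties
    return b""

def ndb_line(blobs, sig_name=SIG_NAME, min_len=16):
    """Body-based signature in ClamAV .ndb form: Name:TargetType:Offset:Hex
    (target type 1 = PE file, offset * = anywhere in the file). Returns
    None when the shared fragment is too short to be a sensible signature."""
    frag = longest_common_substring(blobs)
    if len(frag) < min_len:
        return None
    return f"{sig_name}:1:*:{frag.hex()}"

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, hsb_line(data))       # three different hash lines
    print(ndb_line(list(SAMPLES.values())))  # one body signature for all
```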
