[Community-sigs] ADWIND and CryproWall

Angel Villegas anvilleg at sourcefire.com
Mon Aug 10 14:04:20 EDT 2015

Hey Joerg,

Thank you for your signatures.

Please check out the documentation for creating ClamAV signatures at:

Signature Names
When creating ClamAV signatures we hold to a specific naming convention. A
signature name follows the format <Platform>.<Category>.<Malware_Name>.
Platform Examples:
- Win
- Email
- Pdf
- Swf
- Java
- Unix
- etc.

Category Examples:
- Exploit
- Downloader
- Malware
- Trojan
- Worm
- etc.

A generic trojan malware for Windows system would be labeled
Win.Trojan.Agent or Win.Trojan.Agent.Gen. The ".Gen" suffix is optional and
generally not used.

Our signatures do not include the exploit kit associated with the sample,
so to meet our signature naming convention we would alter your signature
names to:
malware.ADWIND.Java.A        -> Java.Malware.Adwind
malware.ADWIND.Java.B        -> Java.Malware.Adwind
anglerek.CryptoWall30.elf.A  -> Unix.Malware.CryptoWall30
nuclearek.CryptoWall30.elf.A -> Unix.Malware.CryptoWall30

Targe Types
Each signature should be created in such a way that it will be applied to
the smallest set of samples as possible. The listing of target types can be
found in the ClamAV signature documentation section 3.2.6 Extended
signature format. Your ndb signatures are all target type 0, which means
the signatures will be used on every file scanned with ClamAV. Instead, it
would be better for performance to use target type 12 (Java) for the Adwind
signatures and 6 (ELF) for the CryptoWall30 signatures. This will aid in
preventing false positives (FPs) from occurring and requiring us to
dropping the signature(s) from ClamAV.

Submitting signatures to ClamAV Community Sigs List
When submitting your signatures to our list please provide MD5/SHA256 of
the sample(s) the signature matches on and provide your reasoning for why
you created the signature you did. For example, if your signature is based
on the custom de-obfuscation technique or unique mutext name used by the
malware then it will help us determine if the signature is too generic or
will likely FP in real world scans.

Once we review the signatures and do not require additional information,
then it will be queued for FP testing. If it passes then we will publish
the signatures soon after, however, if it fails we will inform you and
provided hashes for samples it detected as malicious.

Learning to create ClamAV signatures
To aid in learning how to write ClamAV signatures I would recommend looking
at the signatures document. If you have IDA Pro 6.7 and higher, or the demo
version, you can make use of ClamAV Signature Create (CASC) -
https://github.com/vrtadmin/CASC. CASC is an IDA Pro plugin that aids in
creating ClamAV ndb and ldb signatures.

I hope this helps! Please provide me with some more information about your
signatures (hashes for samples it matched on and reasoning behind the
signature) so I can review them. Let me know if you have any other

Angel M. Villegas

On Fri, Aug 7, 2015 at 12:09 PM, Jörg Stephan <jost2208 at gmail.com> wrote:

> Hi there,
> I am still doing tiny steps in writing signatures, so sorry.
> Here are some malware signatures I have found.
> Maybe useful.
> malware.ADWIND.Java.A:0:*:4E42474B3645395A4B6A53594A676B734E6E514559484A37
> malware.ADWIND.Java.B:0:*:675261704B41366364616B54496858686352536E7A376479
> anglerek.CryptoWall30.elf.A:0:*:0A0045003400710030006700380038004C00380057000700
> nuclearek.CryptoWall30.elf.A:0:*:0000000030002E0032002E0031002E00360000006A002300
> --
> Regards
> Joerg Stephan
> IDSBlog: http://sendmespamids.blogspot.nl/
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> http://www.clamav.net/contact.html#ml

More information about the Community-sigs mailing list