[Community-sigs] PHP.Shell-83 signature problem in database
Kurt Fitzner
kurt+clamav at va1der.ca
Mon Dec 21 21:05:03 EST 2015
Hello,
There is a fairly common backdoor known colloquially as the "FilesMan"
backdoor that is not detected by ClamAV on Unix/Linux machines due to an
error in its signature in ClamAV's database. I'm hoping this is the
correct mailing list to report this to.
I discovered copies of the "FilesMan" backdoor had been injected through
a WordPress weakness onto a Linux server I manage. It was not detected
by ClamAV on the server. When I copied the file to Windows and inspected
it, I found that it _was_ detected as PHP.Shell-83 by ClamAV but only on
Windows. Eventually, after some embarrassing back-and-forth on the
ClamAV users mailing list, I realized that unbeknownst to me, my scp
program performed Unix-to-Windows LF -> CRLF processing on the file
making this a signature problem, not the ClamAV problem I had thought it
was.
ClamAV's signature for this malware, PHP.Shell-83 in main.cvd, has
CRLFs hard encoded into it. This means that ClamAV will detect
"FilesMan" only if it has had LF -> CRLF processing done on it. Since
this is a Linux/Unix backdoor, this means that it is not being detected
on the machines it infects. I suspect that whoever originally submitted
this malware did what I did, which is bring it from a Linux environment
to Windows through a mechanism that also did LF -> CRLF processing on
the file.
I tried re-submitting this file along with an explanation through the
normal ClamAV submission form, but it has been a few days and I have
not seen an updated signature. Therefore I am providing the one that I
modified. I have simply replaced the hardcoded CRLFs with (L) so that
it will match regardless of what line termination is used. All other
aspects of the signature have been left as they were.
PHP.Shell-83-FilesMan:0:*:24617574685f70617373203d20223633613966306561376262393830353037393662363439653835343831383435223b(L)24636f6c6f72203d202223646635223b(L)2464656661756c745f616374696f6e203d202746696c65734d616e273b(L)2464656661756c745f7573655f616a6178203d2074727565
Incidentally, VirusTotal has two entries for this malware, one for the
CRLF and one for the LF-only version of the file. They are:
* CRLF:
https://www.virustotal.com/en/file/6e709d5679eac7c8d844f849b0c6e95f4b3f8b716fbae4c27037b760754152bf/analysis/1450059899/
* LF:
https://www.virustotal.com/en/file/9a4a084309f51684ca86a1a5fac5a5c0951d5e82a407308ad09b69c6dcaca32b/analysis/1450621430
As you can see, the LF version is detected by about half the checkers. A
subset detect both the LF and CRLF versions. ClamWin is the only one
that detects the CRLF version only.
Additionally, there are some 4600+ signatures in main.cvd that have
embedded hard CRLFs in them. These may need looking into.
Kurt Fitzner
--
YOU DON'T KNOW THE QSO OF THE DARK SIDE!
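Added example (not part of Kurt's message and not ClamAV's own code): a minimal matcher for the .ndb signature line posted above, run against a constructed copy of the PHP fragment the hex decodes to, with LF, CRLF and CR line endings. It also builds the hard-CRLF variant the message describes (an assumption: the posted signature with 0d0a in place of each (L)) to show that the fixed signature matches all three line-ending styles while the hard-CRLF one matches only CRLF, and it includes the rough check one would run over a dumped database to list signatures containing a literal 0d0a. The (L) expansion to CR, LF or CRLF follows ClamAV's signature documentation; the sample file content is constructed from the signature's own bytes and is not the real backdoor.

```python
import re

# Signature as posted in the message: ClamAV .ndb format
# MalwareName:TargetType:Offset:HexSignature, with (L) standing for a line ending.
SIG_FIXED = (
    "PHP.Shell-83-FilesMan:0:*:"
    "24617574685f70617373203d20223633613966306561376262393830353037393662363439653835343831383435223b"
    "(L)24636f6c6f72203d202223646635223b"
    "(L)2464656661756c745f616374696f6e203d202746696c65734d616e273b"
    "(L)2464656661756c745f7573655f616a6178203d2074727565"
)

# Reconstruction (assumption) of the main.cvd entry the message describes:
# the same bytes with a literal CRLF (0d0a) wherever the fixed signature has (L).
SIG_HARD_CRLF = SIG_FIXED.replace("PHP.Shell-83-FilesMan", "PHP.Shell-83").replace("(L)", "0d0a")


def filesman_sample(eol: bytes) -> bytes:
    """Constructed sample: the PHP the signature's hex decodes to, joined with a chosen line ending."""
    lines = [
        b"<?php",
        b'$auth_pass = "63a9f0ea7bb98050796b649e85481845";',
        b'$color = "#df5";',
        b"$default_action = 'FilesMan';",
        b"$default_use_ajax = true;",
    ]
    return eol.join(lines) + eol


def tokenize(hexsig: str) -> list:
    """Split an .ndb hex body into tokens: a hex byte pair, '??', '*', or '(L)'."""
    tokens, i = [], 0
    while i < len(hexsig):
        if hexsig.startswith("(L)", i):
            tokens.append("(L)")
            i += 3
        elif hexsig[i] == "*":
            tokens.append("*")
            i += 1
        else:
            pair = hexsig[i:i + 2].lower()
            if pair != "??" and not re.fullmatch(r"[0-9a-f]{2}", pair):
                raise ValueError(f"bad hex signature token at {i}: {pair!r}")
            tokens.append(pair)
            i += 2
    return tokens


def parse_ndb(line: str):
    """Return (name, target_type, offset, tokens) for one .ndb line; MinFL/MaxFL are dropped."""
    name, target, offset, rest = line.strip().split(":", 3)
    hexsig = rest.split(":", 1)[0]
    return name, int(target), offset, tokenize(hexsig)


# (L) matches CR, LF or CRLF per the ClamAV signature docs; CRLF is tried first so it is
# consumed as one line ending rather than as CR followed by a stray LF.
_TOKEN_RE = {"(L)": rb"(?:\r\n|\r|\n)", "??": rb".", "*": rb".*?"}


def to_regex(tokens: list) -> re.Pattern:
    parts = [_TOKEN_RE.get(t) or re.escape(bytes.fromhex(t)) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)


def sig_matches(sig_line: str, data: bytes) -> bool:
    _name, _target, offset, tokens = parse_ndb(sig_line)
    pattern = to_regex(tokens)
    if offset == "*":                      # anywhere in the file
        return pattern.search(data) is not None
    return pattern.match(data, int(offset)) is not None   # fixed absolute offset


def scan(data: bytes, sig_lines: list) -> list:
    """Names of the given signatures that match data, in signature order."""
    return [parse_ndb(s)[0] for s in sig_lines if sig_matches(s, data)]


def hard_crlf_signatures(sig_lines: list) -> list:
    """Names of signatures whose hex body contains a literal 0d 0a byte pair.

    These are candidates for (L), but some legitimately need an exact CRLF (protocol
    headers, Windows-only droppers), so this is a review list, not a bulk edit.
    """
    found = []
    for s in sig_lines:
        name, _, _, tokens = parse_ndb(s)
        if any(a == "0d" and b == "0a" for a, b in zip(tokens, tokens[1:])):
            found.append(name)
    return found


if __name__ == "__main__":
    for label, eol in (("LF", b"\n"), ("CRLF", b"\r\n"), ("CR", b"\r")):
        print(f"{label:4} -> {scan(filesman_sample(eol), [SIG_HARD_CRLF, SIG_FIXED])}")
    print("hard CRLF:", hard_crlf_signatures([SIG_FIXED, SIG_HARD_CRLF]))
```

Running it shows the LF and CR samples hit only the (L) signature, the CRLF sample hits both, and the hard-CRLF reconstruction is the one flagged by the 0d0a review check. Note that the check flags any exact CRLF in a hex body, so the 4600+ count mentioned above will include signatures that are correct as written.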