[Community-sigs] php

Рома Слєпчик roma at slepchik.com.ua
Tue Aug 8 07:31:39 EDT 2017


Hi. I made the signature PHP.firstline.inject.1;Engine:81-255,Target:0;1;0:3c3f706870{4000-}3f3e0a3c3f706870;0/<\?php\x20[^\x0A]{4000,}\?>\x0A<\?php/
but it gives false positives for some files.
Here is a link to the test file archive:
https://www.dropbox.com/s/m3wwmm6jv9z0iyj/testsig.tgz?dl=0 (c_ means clean,
i_ means infected).
When I tried to check a test file with clamscan --debug -d long_str.ldb -ri
testsig/c_unix_sql.virtuemart.php, the debug output showed me normalized hex. For
testsig/i_object.php the debug hex is not normalized. How does ClamAV decide which
files to normalize? And how can I disable normalization for all files?

ClamAV 0.99.2/23644/

2017-08-04 13:05 GMT+03:00 Рома Слєпчик <roma at slepchik.com.ua>:

> Thanks for spending your time and explaining how it works.
>
> 2017-08-03 19:29 GMT+03:00 Matthew Molyett <mmolyett at sourcefire.com>:
>
>> For my own use, I would start from
>>
>> Html.Packed.PhpInjection;Engine:81-255,Target:0;1;0:3c3f70687020{4000-}3f3e0a;0/<\?php[^\x0A]{4000,}\?>/
>>
>> Where:
>>
>> VIRUS NAME: Html.Packed.PhpInjection
>> TDB: Engine:81-255,Target:0
>> LOGICAL EXPRESSION: 1
>>  * SUBSIG ID 0
>>  +-> OFFSET: 0
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> <?php {WILDCARD_ANY_STRING(LENGTH>=4000)}?>
>>
>>  * SUBSIG ID 1
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>>      +-> TRIGGER: 0
>>      +-> REGEX: <\?php[^\x0A]{4000,}\?>
>>      +-> CFLAGS: (null)
>>
>> Engine 81 is required for the PCRE-style ldb signature.
>> Target type 0 is required for the detection of newline characters. ClamAV
>> normalizes HTML (type 3) and ASCII text (type 7) files such that sequences
>> of white space are replaced with single spaces.
>> LOGICAL EXPRESSION: 1 is used to set the PCRE rule as the final
>> determination for alerting.
>> SUBSIG ID 1 TRIGGER: 0 is used to make your 3c3f70687020{4000-}3f3e0a be a
>> precondition on the further scanning.
>> SUBSIG ID 1 REGEX is used to make sure that none of those 4000 characters
>> are newline 0x0A.
>>
>> I added SUBSIG ID 0 OFFSET: 0 to require the <?php to occur at byte 0
>> within the file, to have it only check the first line.
>>
>> As proposed, the detection signature is likely too broad for inclusion as
>> an official signature, but hopefully this helps you with your local ClamAV
>> usage and future signature creation.
>>
>> On Thu, Aug 3, 2017 at 7:46 AM, Рома Слєпчик <roma at slepchik.com.ua>
>> wrote:
>>
>> > Hi.
>> > I am trying to write a signature for a PHP injection with base64 encoding
>> > and need some help.
>> > All injections are always inserted into the first line of the file, have a
>> > size of more than 4000 symbols, begin with <?php and close with ?>. I tried
>> > using the sig 3c3f70687020{4000-}3f3e0a, but it does not work, because
>> > 4000- includes 0a.
>> > How can I stop checking the file after the first match of 0a? Or how can I
>> > check only the first line of the file?
>> > Example file added: https://www.dropbox.com/s/ppzgf6aa1hqk60y/object.php?dl=0
>> >
>> > I can write a sig for this injection, but new injections always change.
>> > What is stable is always more than 4000 symbols and <?php  ?>.
>> > _______________________________________________
>> > Community-sigs mailing list
>> > Community-sigs at lists.clamav.net
>> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>> >
>> > http://www.clamav.net/contact.html#ml
>> >
>>
>>
>>
>> --
>>
>> Matthew Molyett
>> Malware Researcher
>>
>> mmolyett at cisco.com
>> Phone:  (410) 309-4834
>> Mobile: (410) 674-2049
>>
>> Cisco.com - http://www.cisco.com
>>
>>
>
>
>
> --
> With love and patience, Roman
> jabber: roma at slepchik.com.ua
> skype: zysylcheg
>



-- 
With love and patience, Roman
jabber: roma at slepchik.com.ua
skype: zysylcheg
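An added example, my own code rather than anything from the thread or from ClamAV: a small Python model of how the ldb signature Matthew proposed is evaluated, with the hex subsig, the PCRE subsig, the TRIGGER precondition and the OFFSET anchor, run over constructed clean and infected buffers and over a whitespace-normalized copy, to show why Target:0 (raw bytes) is needed when a signature depends on newline bytes. The whitespace-collapse model and the sample files are assumptions, and only the signature features used by this one signature are handled.

```python
import re
# The ldb line proposed in the thread, as raw strings so the PCRE escapes survive.
LDB = (r"Html.Packed.PhpInjection;Engine:81-255,Target:0;1;"
       r"0:3c3f70687020{4000-}3f3e0a;0/<\?php[^\x0A]{4000,}\?>/")

def hex_subsig_to_regex(offset: str, body: str):
    """Translate the hex-signature subset used here (hex byte pairs plus the
    {n-} wildcard) into a compiled bytes regex; a numeric OFFSET anchors it."""
    pat = b""
    for wild, pair in re.findall(r"\{(\d+)-\}|([0-9a-fA-F]{2})", body):
        pat += b".{%d,}" % int(wild) if wild else re.escape(bytes([int(pair, 16)]))
    if offset != "*":                       # OFFSET: 0 means "must start at byte 0"
        pat = b"\\A.{%d}" % int(offset) + pat
    return re.compile(pat, re.DOTALL)       # the wildcard may span newlines

def parse_ldb(line: str) -> dict:
    """Split NAME;TDB;LOGICAL_EXPRESSION;subsig0;subsig1 into its parts.
    Only a single-index logical expression such as '1' is modelled."""
    name, tdb, logic, *subsigs = line.split(";")
    parsed = []
    for sub in subsigs:
        if sub.endswith("/"):               # PCRE subsig: TRIGGER/regex/flags
            trigger, _, rest = sub.partition("/")
            parsed.append(("pcre", int(trigger), re.compile(rest.rsplit("/", 1)[0].encode())))
        else:                               # hex subsig: OFFSET:hexstring
            offset, _, body = sub.partition(":")
            parsed.append(("hex", None, hex_subsig_to_regex(offset, body)))
    return {"name": name, "tdb": tdb, "logic": int(logic), "subsigs": parsed}

def evaluate(sig: dict, data: bytes) -> dict:
    """Run the subsigs in order: a PCRE subsig only runs when its TRIGGER
    subsig matched, and the verdict is the logical expression's result."""
    hits = []
    for kind, trigger, rx in sig["subsigs"]:
        if kind == "pcre" and not hits[trigger]:
            hits.append(False)              # precondition failed: regex never runs
        else:
            hits.append(rx.search(data) is not None)
    return {"subsigs": hits, "verdict": hits[sig["logic"]]}

def normalize_ascii(data: bytes) -> bytes:
    """Assumed model of the text normalization described in the thread:
    every run of whitespace collapses to one space, so 0x0A never survives."""
    return re.sub(rb"\s+", b" ", data)

SIG = parse_ldb(LDB)
# Constructed samples: a 4500-byte injected first line, and a clean multi-line file.
INFECTED = b"<?php " + b"x" * 4500 + b"?>\n<?php echo 'page'; ?>\n"
CLEAN = b"<?php \n" + b"$config['key'] = 'value';\n" * 200 + b"?>\n"
```

Evaluating SIG over INFECTED gives a hit, over CLEAN the hex subsig matches but the PCRE rejects it because a newline breaks the 4000-character run, and over normalize_ascii(INFECTED) the trailing 0a of the hex subsig no longer exists, so detection is lost on a normalized buffer.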


