[Community-sigs] php

Christopher Marczewski cmarczewski at sourcefire.com
Mon Aug 21 11:06:38 EDT 2017


Hello Roma,

Due to the injection, ClamAV is not recognizing the infected file as normal
web content. It will normalize specific files & drop select artifacts based
on various format checks.

If you wish to scan without normalization, you'll have to try out the
0.99.3 beta. This version is the first to include the --normalize=no flag,
allowing you to scan the raw file.

On Tue, Aug 8, 2017 at 7:31 AM, Рома Слєпчик <roma at slepchik.com.ua> wrote:

> hi. i made the signature PHP.firstline.inject.1;Engine:81-255,Target:0;1;0:3c3f706870{4000-}3f3e0a3c3f706870;0/<\?php\x20[^\x0A]{4000,}\?>\x0A<\?php/
> but it gives false positives for some files.
> here is a link to the test file archive
> https://www.dropbox.com/s/m3wwmm6jv9z0iyj/testsig.tgz?dl=0 (c_ means clean,
> i_ infected)
> when i tried to check a test file with clamscan --debug -d long_str.ldb -ri
> testsig/c_unix_sql.virtuemart.php the debug output shows me normalized hex. for
> testsig/i_object.php the debug hex is not normalized. how does clamav decide which
> files to normalize? and how can i disable normalization for all files?
>
> ClamAV 0.99.2/23644/
>
> 2017-08-04 13:05 GMT+03:00 Рома Слєпчик <roma at slepchik.com.ua>:
>
> > Thanks for spending your time and explaining how it works.
> >
> > 2017-08-03 19:29 GMT+03:00 Matthew Molyett <mmolyett at sourcefire.com>:
> >
> >> For my own use, I would start from
> >>
> >> Html.Packed.PhpInjection;Engine:81-255,Target:0;1;0:3c3f70687020{4000-}3f3e0a;0/<\?php[^\x0A]{4000,}\?>/
> >>
> >> Where:
> >>
> >> VIRUS NAME: Html.Packed.PhpInjection
> >> TDB: Engine:81-255,Target:0
> >> LOGICAL EXPRESSION: 1
> >>  * SUBSIG ID 0
> >>  +-> OFFSET: 0
> >>  +-> SIGMOD: NONE
> >>  +-> DECODED SUBSIGNATURE:
> >> <?php {WILDCARD_ANY_STRING(LENGTH>=4000)}?>
> >>
> >>  * SUBSIG ID 1
> >>  +-> OFFSET: ANY
> >>  +-> SIGMOD: NONE
> >>  +-> DECODED SUBSIGNATURE:
> >>      +-> TRIGGER: 0
> >>      +-> REGEX: <\?php[^\x0A]{4000,}\?>
> >>      +-> CFLAGS: (null)
> >>
> >> Engine 81 is required for the PCRE-style ldb signature.
> >> Target type 0 is required for the detection of newline characters. ClamAV
> >> normalizes HTML (type 3) and ASCII text (type 7) files such that sequences
> >> of white space are replaced with single spaces.
> >> LOGICAL EXPRESSION: 1 is used to set the PCRE rule as the final
> >> determination for alerting.
> >> SUBSIG ID 1 TRIGGER: 0 is used to make your 3c3f70687020{4000-}3f3e0a be a
> >> precondition on the further scanning.
> >> SUBSIG ID 1 REGEX is used to make sure that none of those 4000 characters
> >> are newline 0x0A.
> >>
> >> I added SUBSIG ID 0 OFFSET: 0 to require the <?php to occur at byte 0
> >> within the file, to have it only check the first line.
> >>
> >> As proposed, the detection signature is likely too broad for inclusion as
> >> an official signature, but hopefully this helps you with your local ClamAV
> >> usage and future signature creation.
> >>
> >> On Thu, Aug 3, 2017 at 7:46 AM, Рома Слєпчик <roma at slepchik.com.ua>
> >> wrote:
> >>
> >> > hi.
> >> > i am trying to write a signature for a php inject with base64 encoding and need some
> >> > help.
> >> > all injections are always inserted into the first line of the file and have a size of
> >> > more than 4000 characters, beginning with <?php and closing with ?>. i tried to use the sig
> >> > 3c3f70687020{4000-}3f3e0a but it does not work, because the 4000- includes
> >> > 0a.
> >> > how can i stop checking the file after the first match of 0a? or how can i check only the
> >> > first line of the file?
> >> > example file added: https://www.dropbox.com/s/ppzgf6aa1hqk60y/object.php?dl=0
> >> >
> >> > i can write a sig for this injection but new injections always change. what is stable
> >> > is always more than 4000 characters and <?php  ?>
> >> > _______________________________________________
> >> > Community-sigs mailing list
> >> > Community-sigs at lists.clamav.net
> >> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >> >
> >> > http://www.clamav.net/contact.html#ml
> >> >
> >>
> >>
> >>
> >> --
> >>
> >> Matthew Molyett
> >> Malware Researcher
> >>
> >> mmolyett at cisco.com
> >> Phone:  (410) 309-4834
> >> Mobile: (410) 674-2049
> >>
> >> Cisco.com - http://www.cisco.com
> >>
> >>
> >
> >
> >
> > --
> > With love and patience, Roman
> > jabber: roma at slepchik.com.ua
> > skype: zysylcheg
> >
>
>
>
> --
> With love and patience, Roman
> jabber: roma at slepchik.com.ua
> skype: zysylcheg
>



--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
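To make the mechanics discussed in this thread concrete, here is an added toy evaluator for the two-subsignature .ldb rule Matthew posted. It is illustration code written for this page, not ClamAV's engine and not code from any participant: it decodes the hex body with its {4000-} wildcard, runs the PCRE subsignature under its trigger, evaluates the logical expression, and applies a simplified normalize_text() that models only what the thread says about normalization (runs of whitespace become a single space). The sample files (INFECTED, CLEAN, NOT_FIRST_LINE) are constructed here and are not the Dropbox test files.

```python
"""Toy evaluator for the two-subsignature .ldb rule discussed in this thread.
Added illustration, not ClamAV's engine: it decodes the hex body, runs the
PCRE subsignature under its trigger, evaluates the logical expression and
shows what a whitespace-collapsing normalization does to the match.
All sample files below are constructed here, not the thread's Dropbox files."""
import re

# The rule exactly as Matthew Molyett posted it.
SIG = ("Html.Packed.PhpInjection;Engine:81-255,Target:0;1;"
       "0:3c3f70687020{4000-}3f3e0a;"
       r"0/<\?php[^\x0A]{4000,}\?>/")


def hex_body_to_regex(body):
    """Translate a ClamAV hex body into a bytes regex.  Only literal bytes and the
    {n-} / {n-m} / {-m} wildcards are handled, which is all this rule uses."""
    parts, pos = [], 0
    for m in re.finditer(r'\{(\d*)-(\d*)\}', body):
        parts.append(re.escape(bytes.fromhex(body[pos:m.start()])))
        lo, hi = (m.group(1) or '0').encode(), m.group(2).encode()
        parts.append(b'.{' + lo + b',' + hi + b'}')
        pos = m.end()
    parts.append(re.escape(bytes.fromhex(body[pos:])))
    return re.compile(b''.join(parts), re.DOTALL)  # the wildcard may span 0x0A


def parse_ldb(line):
    """Split 'Name;TDB;LogicalExpression;subsig;...' into hex and PCRE subsignatures.
    PCRE flags after the closing slash are accepted but ignored in this toy."""
    name, tdb, logic, *subsigs = line.split(';')
    rule = {'name': name, 'tdb': tdb, 'logic': logic, 'subsigs': []}
    for s in subsigs:
        pcre = re.fullmatch(r'(\d+)/(.*)/([a-z]*)', s, re.DOTALL)
        if pcre:   # Trigger/PCRE/flags
            rule['subsigs'].append({'kind': 'pcre', 'trigger': pcre.group(1),
                                    're': re.compile(pcre.group(2).encode())})
        else:      # [Offset:]HexBody; '*' or no offset means anywhere in the file
            off, _, body = s.rpartition(':')
            rule['subsigs'].append({'kind': 'hex', 'offset': off or '*',
                                    're': hex_body_to_regex(body)})
    return rule


def eval_logic(expr, hits):
    """Evaluate subsig ids joined by '&' and '|' (no parentheses, no match counts)."""
    return any(all(hits[int(i)] for i in term.split('&')) for term in expr.split('|'))


def scan(sig_line, data):
    """Return (alert, matched, fired).  matched[i]: pattern i occurs somewhere in
    data; fired[i]: it also satisfies its offset (hex) or trigger (PCRE) condition."""
    rule = parse_ldb(sig_line)
    matched, fired = [], []
    for sub in rule['subsigs']:
        if sub['kind'] == 'hex':
            anywhere = sub['re'].search(data)
            at_offset = anywhere if sub['offset'] == '*' else sub['re'].match(data, int(sub['offset']))
            matched.append(bool(anywhere))
            fired.append(bool(at_offset))
        else:
            hit = sub['re'].search(data)
            matched.append(bool(hit))
            fired.append(bool(hit) and eval_logic(sub['trigger'], fired))
    return eval_logic(rule['logic'], fired), matched, fired


def normalize_text(data):
    """Simplified stand-in for the text/HTML normalization described in the thread:
    every run of whitespace, newlines included, becomes one space."""
    return re.sub(rb'\s+', b' ', data)


# Constructed samples (not real malware, not the thread's test files).
INFECTED = (b"<?php eval(base64_decode('" + b"QUFB" * 1100 + b"'));?>\n"
            b"<?php\necho 'original application code';\n")
LICENSE_LINE = b" * This file is part of a GPL-licensed component.\n"
CLEAN = b"<?php /*\n" + LICENSE_LINE * 90 + b" */\n?>\n<?php\nclass Foo {}\n"
NOT_FIRST_LINE = b"<?php\n// prologue\n?>\n" + INFECTED   # same injection, line 4


if __name__ == '__main__':
    for label, blob in [('infected', INFECTED), ('clean', CLEAN),
                        ('injection on a later line', NOT_FIRST_LINE),
                        ('clean, normalized', normalize_text(CLEAN)),
                        ('infected, normalized', normalize_text(INFECTED))]:
        alert, matched, fired = scan(SIG, blob)
        print(f'{label:28s} alert={alert!s:5} matched={matched} fired={fired}')
```

On the raw bytes the evaluator reproduces the thread's reasoning: the infected sample fires both subsignatures and alerts; the clean file with a long multi-line license block satisfies the hex precondition (its {4000-} wildcard happily spans 0x0A) but not the PCRE, so there is no alert; and the same injection placed on a later line matches both patterns somewhere in the file yet fires neither, because the hex subsignature is pinned to offset 0 and the PCRE's trigger depends on it. Once the whitespace-collapsing normalization has removed every newline, the picture changes: the clean file now satisfies the [^\x0A]{4000,} discriminator, and the only thing stopping an alert is that the \x0A in the hex precondition was erased too, which also makes the infected sample go undetected. Whatever the real normalizer rewrites, a rule whose discriminator is the absence of 0x0A only has predictable semantics on the raw bytes, which is what the --normalize=no flag mentioned above is for.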