Steve, Irshad, I put this together from just a little research reading the documentation, examining the `clamscan --debug` output, and examining existing signatures in `daily.idb` and `daily.ldb`. Someone call me out if the details aren't 100% correct. I'm relatively inexperienced with writing signatures.
---

1. Scan your PE file with `clamscan --debug`, and redirect the output to a file so you can analyze it. eg:

   ```
   clamscan --debug ~/Downloads/iexplore.exe &> iexplore.log
   ```

2. Search the log for `IDB SIGNATURE`. There will probably be a bunch. Example output from `iexplore.exe`:

   ```
   LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
   LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
   LibClamAV debug: parseicon: Bitmap - 24x24x4
   LibClamAV debug: edge areas: 148@(16,12) 144@(10,9) 107@(10,16)
   LibClamAV debug: noedge areas: 19@(0,0) 75@(13,0) 78@(0,6)
   LibClamAV debug: color areas: 4072@(16,7) 3907@(3,7) 3793@(2,13)
   LibClamAV debug: gray areas: 113@(0,0) 1470@(9,12) 2017@(9,4)
   LibClamAV debug: bright areas: 255@(0,0) 255@(15,3) 255@(0,6)
   LibClamAV debug: dark areas: 233@(11,0) 233@(5,6) 233@(0,12)
   LibClamAV debug: color spread: 43,0,56 56%
   ```

3. Copy the "IDB SIGNATURE" content for the icons of interest into an `.idb` file. Choose a unique ICON_NAME for each line in the `.idb` file. The naming for `GROUP1` and `GROUP2` is a little arbitrary. If you look in `daily.idb`, you'll note that `GROUP2` names appear to be used for related malware families, where `GROUP1` appears to be for file types. For both group names, you may specify "UNUSED" if you don't plan to use it.

   Example IDB sigs based on `clamscan` debug output scanning `iexplore.exe`:

   ```
   iexplore-1:IEXPLORE:UNUSED:18f931008ea2040cdbe040605500005f20a056e80006ff0000ff1000ff0c06e90902ec0308f8000e6c08026001115e01090800001b09111c101137022a38
   iexplore-2:IEXPLORE:UNUSED:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
   iexplore-3:IEXPLORE:UNUSED:18fe81007f430307ed1020d07100005be090c7e10904ff0000ff0f03ff0006e90b00e90506e9000c94100c900a096b0a101300004b0d004e00062b003838
   iexplore-4:IEXPLORE:UNUSED:10f530204f530209f0906010fe000075f07037f40608ff0000ff0400ff0903df0701df0305e7000999070a88070369030a2800003f040043000422004144
   ```

4. Finally, you need to write a Logical Signature (`.ldb`) that triggers on the `IconGroup#` you chose above. Example LDB sig:

   ```
   iexplore-example-sig;Engine:51-255,IconGroup1:IEXPLORE,Target:1;(0);4D5A900003000000
   ```

   The LDB signature will alert if any of the `.idb` signatures matching the group name trigger. As a disclaimer, the example signature above is pretty lousy, because the sub-signature `4D5A900003000000` would trigger on any PE file. Take a look at signatures in `daily.ldb` that make use of `IconGroup1` or `IconGroup2` for production quality examples.

Regards,

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Nov 9, 2018, at 6:45 AM, Irshad <[email protected]> wrote:

Hi Steve

This does not solve the problem, I don't know how to calculate the fuzzy hash of icon that is used in the signature.

On Nov 9, 2018 5:54 PM, "Steve Basford" <[email protected]> wrote:

On Fri, November 9, 2018 9:00 am, Irshad wrote:
> Hi,
>
>
> My apologies, if I am missing something obvious.
> I spent around 3 hours

Hi Irshad

Not sure if this will help but there are a few icon based sigs I think in the current daily.cvd

So unpack them and then grep for IconG, something like this:

```
sigtool --unpack-current=daily
grep "IconG" daily.ldb
```

You can then see some examples on how they are used.

--
Cheers,
Steve
Twitter: @sanesecurity

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
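The four steps Micah describes (scan with `clamscan --debug`, pull out the `IDB SIGNATURE` lines, give each icon a unique name in an `.idb` file, then reference the group from an `.ldb` logical signature) can be scripted so the `.idb` lines do not have to be copied by hand. The script below is an added example and is not code from the original thread or from the ClamAV project. It assumes the log format shown in the thread; the sample log it writes is constructed from the hashes quoted in the mail (one of them deliberately repeated, since the same icon can appear more than once in a binary), not captured from a real scan, and the function names `make_sample_log`, `idb_from_log` and `ldb_for_group` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail. Turns a clamscan --debug log into
# ClamAV .idb lines and a matching .ldb logical signature.

# Write a constructed log in the format shown in the thread (hashes taken from
# the mail's own examples; the second one is repeated on purpose).
make_sample_log() {
  cat > "$1" <<'EOF'
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:18f931008ea2040cdbe040605500005f20a056e80006ff0000ff1000ff0c06e90902ec0308f8000e6c08026001115e01090800001b09111c101137022a38
LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
LibClamAV debug: parseicon: Bitmap - 24x24x4
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
LibClamAV debug: color spread: 43,0,56 56%
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
EOF
}

# idb_from_log LOG PREFIX GROUP1 GROUP2
# Extract the fuzzy icon hash from every "IDB SIGNATURE" line, drop duplicate
# hashes, and print .idb lines named PREFIX-1, PREFIX-2, ... so that each
# ICON_NAME is unique, as the mail requires.
idb_from_log() {
  log=$1; prefix=$2; g1=$3; g2=$4
  sed -n 's/^LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:\([0-9a-f]*\).*/\1/p' "$log" \
    | awk -v p="$prefix" -v g1="$g1" -v g2="$g2" \
        '!seen[$0]++ { printf "%s-%d:%s:%s:%s\n", p, ++n, g1, g2, $0 }'
}

# ldb_for_group NAME GROUP1
# Print a logical signature that fires when any icon in GROUP1 matches. The
# 4D5A900003000000 sub-signature is the MZ header placeholder from the mail;
# as the mail says, replace it with something specific before real use.
ldb_for_group() {
  printf '%s;Engine:51-255,IconGroup1:%s,Target:1;(0);4D5A900003000000\n' "$1" "$2"
}

# Stand-alone demo: build the sample log, then emit both signature files'
# contents on stdout.
main_demo() {
  demo_log=$(mktemp)
  make_sample_log "$demo_log"
  idb_from_log "$demo_log" iexplore IEXPLORE UNUSED
  ldb_for_group iexplore-example-sig IEXPLORE
  rm -f "$demo_log"
}

main_demo
```

With a real log, redirect `idb_from_log iexplore.log iexplore IEXPLORE UNUSED` into `iexplore.idb` and `ldb_for_group ... ` into `iexplore.ldb`, then load both alongside the stock database with `clamscan -d iexplore.idb -d iexplore.ldb <file>` to check that the group triggers on the sample before tightening the `.ldb` sub-signatures.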
