Hi all,
Well, I didn't look at what kind of virus Emotet is and I supposed it's
spread through an executable file, where the defenses presented should work.
For Emotet itself I am using the lists provided by the abuse.ch guys (I
suggest going through all the defenses they have), but those two might/should
help:
https://feodotracker.abuse.ch/browse/ ||
https://feodotracker.abuse.ch/blocklist/
https://urlhaus.abuse.ch/browse/tag/emotet/ (here you also have the ClamAV
file signature urlhaus.ndb)
Bonus: https://paste.cryptolaemus.com/
The idea is to build, either through ClamAV (here we talk about ClamAV) or
SpamAssassin, a way to defend yourself based on the input provided.
---
Best regards,
Iulian
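As an added example (not Iulian's code, and not a tool from abuse.ch or the ClamAV project), here is a small Python script that turns a URLhaus export into ClamAV .ndb signatures for the Emotet-tagged URLs and then runs the same plain substring match that a fixed signature amounts to. The feed sample is constructed; its column order is an assumption modelled on the URLhaus CSV export, and the hostnames are placeholders under the reserved .invalid TLD rather than real indicators.

```python
"""Turn an abuse.ch URLhaus feed extract into ClamAV .ndb signatures.

.ndb line format (ClamAV extended signature format):
    MalwareName:TargetType:Offset:HexSignature
TargetType 0 = any file type, Offset * = match anywhere in the file.
"""
import csv
import io
import re

# Constructed sample in the shape of the URLhaus CSV export
# (id,dateadded,url,url_status,threat,tags,urlhaus_link,reporter) -- the
# column order is an assumption; check the header of the real export.
# Hostnames use the reserved .invalid TLD: placeholders, not real IoCs.
SAMPLE_FEED = """\
# id,dateadded,url,url_status,threat,tags,urlhaus_link,reporter
"1","2020-09-16 10:00:00","http://example-feed-host.invalid/wp-content/abc/","online","malware_download","doc,emotet,epoch2","https://urlhaus.abuse.ch/url/1/","reporter_a"
"2","2020-09-16 10:05:00","http://another-feed-host.invalid/cgi-bin/xyz.php","online","malware_download","exe,heodo","https://urlhaus.abuse.ch/url/2/","reporter_b"
"3","2020-09-16 10:07:00","http://third-feed-host.invalid/updates/q1/","offline","malware_download","emotet","https://urlhaus.abuse.ch/url/3/","reporter_a"
"""

FIELD_ID, FIELD_URL, FIELD_TAGS = 0, 2, 5


def parse_feed(text, tag="emotet"):
    """Yield (id, url) for every row whose tag list contains `tag`.

    Lines starting with '#' are feed comments and are skipped.
    """
    data_lines = (ln for ln in io.StringIO(text) if not ln.startswith("#"))
    for row in csv.reader(data_lines):
        if len(row) <= FIELD_TAGS:
            continue  # malformed or short row
        tags = {t.strip().lower() for t in row[FIELD_TAGS].split(",")}
        if tag in tags:
            yield row[FIELD_ID], row[FIELD_URL]


def url_to_ndb(sig_id, url, prefix="Urlhaus.Emotet"):
    """Encode one URL as a fixed-byte .ndb signature (lowercase hex, no wildcards)."""
    hexsig = url.encode("utf-8").hex()
    return f"{prefix}.URL.{sig_id}:0:*:{hexsig}"


def build_ndb(text, tag="emotet"):
    """All signatures for the rows carrying `tag`, one .ndb line each."""
    return [url_to_ndb(i, u) for i, u in parse_feed(text, tag)]


def parse_ndb(lines):
    """Parse the simple fixed-hex subset of .ndb into (name, pattern_bytes).

    Signatures using ClamAV wildcards (??, *, {n-m}, ...) are rejected here.
    """
    sigs = []
    for line in lines:
        name, _target, _offset, hexsig = line.strip().split(":")[:4]
        if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexsig):
            raise ValueError(f"unsupported hex body in {name}")
        sigs.append((name, bytes.fromhex(hexsig)))
    return sigs


def scan(data, sigs):
    """Return the name of the first signature whose bytes occur in `data`, else None.

    This is the 'simple string comparison' a fixed signature boils down to:
    the bytes must appear verbatim, so any change to the URL defeats it.
    """
    for name, pattern in sigs:
        if pattern in data:
            return name
    return None


if __name__ == "__main__":
    # Save this output as e.g. urlhaus-emotet.ndb and load it with
    # `clamscan -d urlhaus-emotet.ndb <file>` to try it with ClamAV itself.
    print("\n".join(build_ndb(SAMPLE_FEED)))
```

The `scan` function is there to make the limitation concrete: the signature fires only while the URL bytes are present unchanged, which is why a feed-driven .ndb is a useful complement to, not a replacement for, the abuse.ch blocklists applied at the MTA or proxy.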
On 2020-09-16 14:50, G.W. Haywood via clamav-users wrote:
Hi there,
On Wed, 16 Sep 2020, Cyril AECK via lists.clamav.net wrote:
Is there a reason why the Emotet detection rate is very low for
ClamAV?
The macro in the attachment is heavily disguised. See for example
https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/
It's very easy for the sender to change disguises in code. Some code
will even do it by itself, on the fly. Using a grossly oversimplified
example, I could write code like this:
void somefunc() { while(1) { something_new; } }
int abc=1; if(abc==1) { somefunc(); }
but the same effect can be achieved with different names everywhere:
void otherfunc() { while(2) { something_old; } }
int xyz=3; if(xyz==3) { otherfunc(); }
You really want to analyze the behaviour of the code but that's much
harder to do than making simple string comparisons which look for
words -- which is more or less all that signature matching does. You
need a signature for every disguise, which probably explains why there
are at the moment just shy of sixty thousand signatures in the 'daily'
database which have a name containing 'Emotet'.
On Wed, 16 Sep 2020, iulian stan via clamav-users wrote:
If you are talking about compressed files you have multiple choices to do
this as well:
1) use complicated MTA rules to unzip/untar/unrar/etc. the archive and
check if an executable is inside.
2) use foxhole unofficial ClamAV signatures (might not cover all the
situations)
3) write your own signatures like this. Please check the manual first:
https://www.clamav.net/documents/extended-signature-format
Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
Unfortunately none of these suggestions is likely to succeed against
the current Emotet threats. The malicious email generally contains a
disguised macro, not a Windows executable. The macro downloads and
runs a payload (maybe more than one), thus avoiding a scan or perhaps
without even writing it to a file which ClamAV will be able to scan.
The foxhole signatures, the ClamAV official signatures and a couple of
dozen other third-party signatures have all failed to detect threats
in mail received here in the past few days.
But the messages were obvious as soon as they appeared in the greylist
queue. They posed as replies to mail abuse reports which we had sent,
but the reports were sent many years ago.
Evidently our reports have been stolen from the poorly-secured systems
at the providers to whom we were reporting abuse at the time. A neat
trick, but not nearly neat enough. We don't run Windows boxes anyway. :)
--
73,
Ged.
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml