Re: [clamav-users] Reference a normalized variable name without hardcoding a specific one?
Arnaud Jacques via clamav-users wrote:
> Hello Kris,
> [...]
>> /(n\d+).htmldomstuff;function(\1);/
>>
>> Do any of Clam's signature types support something like this?
>
> I use :
> 6e3?3?3?
> that matches n000, n003, n024, n781 ...

Right, and I've used that in cases where tracking a particular normalized variable isn't as important, but there are two problems:

1) You can't start or end the overall pattern with this.
2) It's not matching "this specific normalized variable, for immediate local values of this specific normalized variable", it's matching "any normalized variable".

As I said in my original message, the specific sample at hand just now came out with n007 for the specific variable, but variations in the scam could make that normalize to n003 or n024 or something else. I only want to match that particular variable - irrespective of what n\d\d\d value it normalizes *to* in any specific sample file. Which is why I want to capture the first case, and backreference it for further instances of it later in the pattern.

-kgd

___
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Reference a normalized variable name without hardcoding a specific one?
Hello Kris,

[...]
> /(n\d+).htmldomstuff;function(\1);/
>
> Do any of Clam's signature types support something like this?

I use :
6e3?3?3?
that matches n000, n003, n024, n781 ...

-- 
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com
Telephone : +33-(0)3.60.47.09.81
E-mail : a...@securiteinfo.com
Website : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Writing signatures for ClamAV antivirus since 2006
[clamav-users] Reference a normalized variable name without hardcoding a specific one?
So, I've been creating local signatures for a variety of obfuscated JavaScript for a while. But I've been missing a way to more precisely target malicious actions based on surrounding variables.

With my latest sample, I want to match "[variable].[htmldomstuff]", "function([variable])", across several nearby substrings. But I *don't* want to hardcode any one specific normalized variable name - this particular sample has n007, but with very little fiddling it could well end up as n003 or n024.

What I want is a metareference of some kind to use across the substrings that will only match the same normalized variable name in all of them. In PCRE I would just do something like:

/(n\d+).htmldomstuff;function(\1);/

Do any of Clam's signature types support something like this? Logical signatures or Yara rules seem likely, but I've had trouble getting some more complex signature concepts to actually work with either.

-kgd
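The three matching strategies discussed in this thread (a hardcoded n007, Arnaud's any-variable wildcard, and Kris's capture-and-backreference), shown side by side as an added example that is not from the list posts and not ClamAV code. It uses Python's re module to evaluate the PCRE-style patterns over constructed JavaScript samples. The normalize() function is a deliberately simplified, hypothetical stand-in for ClamAV's JavaScript normalizer: it only reproduces the property the thread relies on, namely that identifiers are renamed nNNN in order of first appearance, so the number a given variable receives depends on how many identifiers precede it. Whether ClamAV's own PCRE subsignatures accept the \1 backreference is not established by the thread, so this shows the matching semantics, not a working .ldb signature.

```python
import re

# Hypothetical, simplified stand-in for ClamAV's JavaScript normalizer (assumption: this is
# NOT ClamAV's code). Every identifier not in KEEP is renamed nNNN in order of first
# appearance, which is the property the thread relies on: the same variable comes out as
# n000 in one sample and n007 in another, depending on how many identifiers appear before it.
KEEP = {"var", "function", "return", "document", "innerHTML", "write", "eval"}
IDENT = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")


def normalize(js: str) -> str:
    names: dict[str, str] = {}

    def rename(m: re.Match) -> str:
        word = m.group(0)
        if word in KEEP:
            return word
        if word not in names:
            names[word] = f"n{len(names):03d}"
        return names[word]

    return IDENT.sub(rename, js)


# The three strategies from the thread, written against the normalized text. ".innerHTML"
# stands in for the "[htmldomstuff]" of the original question.
HARDCODED = re.compile(r"n007\.innerHTML[^;]*;\s*function\(n007\);")    # tied to one sample
ANY_VAR = re.compile(r"n\d{3}\.innerHTML[^;]*;\s*function\(n\d{3}\);")  # 6e3?3?3? idea: any nNNN
BACKREF = re.compile(r"(n\d+)\.innerHTML[^;]*;\s*function\(\1\);")      # capture once, reuse

# Constructed samples (not from the list): the same payload with a different number of
# unrelated identifiers ahead of it, plus one where the two occurrences are different variables.
SAMPLE_FEW = "var t; t.innerHTML=1; function(t);"
SAMPLE_MANY = "var a, b, c, d, e, f, g, t; t.innerHTML=1; function(t);"
SAMPLE_MISMATCH = "var a, b, c, d, e, f, g, t, u; t.innerHTML=1; function(u);"


def evaluate(js: str) -> dict:
    """Normalize one sample and report which of the three patterns fires on it."""
    norm = normalize(js)
    return {
        "normalized": norm,
        "hardcoded": bool(HARDCODED.search(norm)),
        "any_var": bool(ANY_VAR.search(norm)),
        "backref": bool(BACKREF.search(norm)),
    }


if __name__ == "__main__":
    for label, js in [("few", SAMPLE_FEW), ("many", SAMPLE_MANY), ("mismatch", SAMPLE_MISMATCH)]:
        r = evaluate(js)
        print(f"{label:9} {r['normalized']}")
        print(f"          hardcoded={r['hardcoded']} any_var={r['any_var']} backref={r['backref']}")
```

Running it shows the two problems raised in the thread: the hardcoded n007 pattern misses the variant where the variable normalizes to n000 (the n003/n024 worry), and the any-variable wildcard fires on the mismatch sample where ".innerHTML" and "function(...)" refer to different variables. Only the backreference pattern fires exactly when both occurrences are the same variable, whatever number the normalizer assigned it.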