Re: [clamav-users] ICON_HASH signature for PE files

2018-11-09 Thread Micah Snyder (micasnyd)
Steve, Irshad,

I put this together from just a little research reading the documentation, 
examining the `clamscan --debug` output, and examining existing signatures in 
`daily.idb` and `daily.ldb`. Someone call me out if the details aren't 100% 
correct. I'm relatively inexperienced with writing signatures.

---

1. Scan your PE file with `clamscan --debug`, and redirect the output to a file 
so you can analyze it.

e.g.:

```
clamscan --debug ~/Downloads/iexplore.exe &> iexplore.log
```

2. Search the log for `IDB SIGNATURE`.  There will probably be a bunch.

Example output from `iexplore.exe`:

```
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be5fe00176760d0fffff1503ff0008ef0f00ef0708ef00107f160f760e0b680b021136150737161735002e37
LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
LibClamAV debug: parseicon: Bitmap - 24x24x4
LibClamAV debug: edge areas: 148@(16,12) 144@(10,9) 107@(10,16)
LibClamAV debug: noedge areas: 19@(0,0) 75@(13,0) 78@(0,6)
LibClamAV debug: color areas: 4072@(16,7) 3907@(3,7) 3793@(2,13)
LibClamAV debug: gray areas: 113@(0,0) 1470@(9,12) 2017@(9,4)
LibClamAV debug: bright areas: 255@(0,0) 255@(15,3) 255@(0,6)
LibClamAV debug: dark areas: 233@(11,0) 233@(5,6) 233@(0,12)
LibClamAV debug: color spread: 43,0,56 56%
```

3. Copy the "IDB SIGNATURE" content for the icons of interest into an `.idb` 
file.  Choose a unique ICON_NAME for each line in the `.idb` file.

The naming for `GROUP1` and `GROUP2` is a little arbitrary.  If you look in 
`daily.idb`, you'll note that `GROUP2` names appear to be used for related 
malware families, whereas `GROUP1` appears to be for file types.  For both group 
names, you may specify "UNUSED" if you don't plan to use it.

Example IDB sigs based on `clamscan` debug output scanning `iexplore.exe`:

```
iexplore-1:IEXPLORE:UNUSED:18f931008ea2040cdbe04060555f20a056e80006ffff1000ff0c06e90902ec0308f8000e6c08026001115e0109081b09111c101137022a38
iexplore-2:IEXPLORE:UNUSED:20fe8160af66040ae550f010be5fe00176760d0fffff1503ff0008ef0f00ef0708ef00107f160f760e0b680b021136150737161735002e37
iexplore-3:IEXPLORE:UNUSED:18fe81007f430307ed1020d0715be090c7e10904ffff0f03ff0006e90b00e90506e9000c94100c900a096b0a10134b0d004e00062b003838
iexplore-4:IEXPLORE:UNUSED:10f530204f530209f0906010fe75f07037f40608ffff0400ff0903df0701df0305e7000999070a88070369030a283f040043000422004144
```

4. Finally, you need to write a Logical Signature (`.ldb`) that triggers on the 
`IconGroup#` you chose above.

Example LDB sig:

```
iexplore-example-sig;Engine:51-255,IconGroup1:IEXPLORE,Target:1;(0);4D5A9300
```

The LDB signature will alert if any of the `.idb` signatures matching the group 
name trigger. As a disclaimer, the example signature above is pretty lousy, 
because the sub-signature `4D5A9300` would trigger on any PE file. Take 
a look at signatures in `daily.ldb` that make use of `IconGroup1` or 
`IconGroup2` for production quality examples.
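The four steps above as one script, added here as an example and not code from this thread or from ClamAV itself: it pulls the `IDB SIGNATURE` hashes out of a `clamscan --debug` log (tolerating the line wrap a mail client adds), writes them as `.idb` lines with numbered, unique `ICON_NAME`s and the chosen groups, checks that no `ICON_NAME` repeats, and emits an `.ldb` line in the same shape as the example signature above. The function names are my own, and the sample log is constructed from two of the hashes quoted in this thread plus a deliberate duplicate.

```python
import re
from typing import Dict, List

# Matches the debug line that carries the icon hash. Real clamscan output keeps
# "IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:<hex>" on one line; the copy in the
# thread is wrapped by the mail client, so \s* tolerates a line break there too.
IDB_LINE = re.compile(r"IDB SIGNATURE:\s*ICON_NAME:GROUP1:GROUP2:([0-9a-fA-F]+)")

# Two hashes copied from the thread's debug output for iexplore.exe icons.
HASH_A = "18f931008ea2040cdbe04060555f20a056e80006ffff1000ff0c06e90902ec0308f8000e6c08026001115e0109081b09111c101137022a38"
HASH_B = "20fe8160af66040ae550f010be5fe00176760d0fffff1503ff0008ef0f00ef0708ef00107f160f760e0b680b021136150737161735002e37"

# Constructed sample log: HASH_B appears twice (once line-wrapped, once not)
# to show that a repeated icon collapses to a single .idb entry.
SAMPLE_LOG = f"""\
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:{HASH_A}
LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
LibClamAV debug: IDB SIGNATURE: 
ICON_NAME:GROUP1:GROUP2:{HASH_B}
LibClamAV debug: parseicon: Bitmap - 24x24x4
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:{HASH_B}
"""


def extract_icon_hashes(log_text: str) -> List[str]:
    """Return the unique icon hashes from a clamscan --debug log, in first-seen order."""
    seen: Dict[str, None] = {}
    for match in IDB_LINE.finditer(log_text):
        seen.setdefault(match.group(1).lower(), None)
    return list(seen)


def _check_token(value: str, what: str) -> None:
    # ':' separates .idb fields and ';' / ',' separate .ldb fields; a name that
    # contains one of them would be read as extra fields by the loader.
    if not value or any(c in value for c in ":;,\n"):
        raise ValueError(f"invalid {what}: {value!r}")


def build_idb(prefix: str, group1: str, group2: str, hashes: List[str]) -> List[str]:
    """Emit one ICON_NAME:GROUP1:GROUP2:HASH line per hash, names numbered from 1."""
    for value, what in ((prefix, "ICON_NAME prefix"), (group1, "GROUP1"), (group2, "GROUP2")):
        _check_token(value, what)
    # Assumption made by this script: hashes from one engine version all have the
    # same length (112 hex chars in the thread's samples). A mismatch usually
    # means a truncated copy/paste rather than a real icon hash.
    lengths = {len(h) for h in hashes}
    if len(lengths) > 1:
        raise ValueError(f"inconsistent hash lengths: {sorted(lengths)}")
    return [f"{prefix}-{i}:{group1}:{group2}:{h}" for i, h in enumerate(hashes, start=1)]


def find_duplicate_names(idb_lines: List[str]) -> List[str]:
    """ICON_NAMEs that occur more than once; step 3 asks for them to be unique."""
    counts: Dict[str, int] = {}
    for line in idb_lines:
        name = line.split(":", 1)[0]
        counts[name] = counts.get(name, 0) + 1
    return [name for name, n in counts.items() if n > 1]


def build_ldb(name: str, group1: str, subsig: str = "4D5A9300",
              target: int = 1, engine: str = "51-255") -> str:
    """Logical signature in the shape of the thread's example: fires when any
    .idb entry in IconGroup1 matches and sub-signature 0 is found in the file."""
    _check_token(name, "signature name")
    _check_token(group1, "IconGroup1")
    return f"{name};Engine:{engine},IconGroup1:{group1},Target:{target};(0);{subsig}"


if __name__ == "__main__":
    hashes = extract_icon_hashes(SAMPLE_LOG)
    idb = build_idb("iexplore", "IEXPLORE", "UNUSED", hashes)
    if find_duplicate_names(idb):
        raise SystemExit("duplicate ICON_NAME in generated .idb")
    print("\n".join(idb))          # the .idb lines, one per unique icon
    print(build_ldb("iexplore-example-sig", "IEXPLORE"))
```

When pointing this at a real log, replace the `SAMPLE_LOG` string with the file contents and pass a `subsig` that is specific to the family you are writing for: the default `4D5A9300` is the same placeholder as in the example above and, as noted, would hit every PE file, so the icon match would then be the only thing narrowing the detection.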

Regards,
-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Nov 9, 2018, at 6:45 AM, Irshad <meradumpem...@gmail.com> wrote:

Hi Steve
This does not solve the problem, I don't know how to calculate the fuzzy hash 
of the icon that is used in the signature.

On Nov 9, 2018 5:54 PM, "Steve Basford" <steveb_cla...@sanesecurity.com> wrote:

On Fri, November 9, 2018 9:00 am, Irshad wrote:
> Hi,
>
> My apologies, if I am missing something obvious. I spent around 3 hours

Hi Irshad

Not sure if this will help but there are a few icon based sigs I think in
the current daily.cvd

So unpack them and then grep for IconG, something like this:

sigtool --unpack-current=daily
grep "IconG" daily.ldb

You can then see some examples on how they are used.

--
Cheers,

Steve
Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ICON_HASH signature for PE files

2018-11-09 Thread Irshad
Hi Steve
This does not solve the problem, I don't know how to calculate the fuzzy
hash of the icon that is used in the signature.

On Nov 9, 2018 5:54 PM, "Steve Basford" 
wrote:

>
> On Fri, November 9, 2018 9:00 am, Irshad wrote:
> > Hi,
> >
> > My apologies, if I am missing something obvious. I spent around 3 hours
>
> Hi Irshad
>
> Not sure if this will help but there are a few icon based sigs I think in
> the current daily.cvd
>
> So unpack them and then grep for IconG, something like this:
>
> sigtool --unpack-current=daily
> grep "IconG" daily.ldb
>
> You can then see some examples on how they are used.
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>


Re: [clamav-users] ICON_HASH signature for PE files

2018-11-09 Thread Steve Basford


On Fri, November 9, 2018 9:00 am, Irshad wrote:
> Hi,
>
> My apologies, if I am missing something obvious. I spent around 3 hours

Hi Irshad

Not sure if this will help but there are a few icon based sigs I think in
the current daily.cvd

So unpack them and then grep for IconG, something like this:

sigtool --unpack-current=daily
grep "IconG" daily.ldb

You can then see some examples on how they are used.

-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] ICON_HASH signature for PE files

2018-11-09 Thread Irshad
Hi,

I have a bunch of PE files for which I need to create the ICON_HASH based
signatures. In the documentation, here, it says

The ICON_HASH field can be obtained from the debug output of libclamav.

I have run clamscan on the PE files with the --debug flag but there is no field
named ICON_HASH in the output.
I am also confused about the purpose of IconGroup1 or IconGroup2  and how I
need to define them in .idb file.

My apologies, if I am missing something obvious. I spent around 3 hours to
find an answer about this before sending this email.

Thank you all.

Regards,
Irshad Muhammad.