Create Your Own Anti-Virus Signatures with ClamAV

I use ClamAV on my own mail servers, and I've also used it at work alongside several commercial AV engines. Every now and again there is a viral attachment that none of the engines catch, especially when a new threat is released. As a Linux user, most virus and malware threats mean little to me; however, if you are responsible for Windows users then you need to be on top of the game.

Even though viral email attachments aren't the major attack vector for Windows PCs that they were a few years ago, a few times recently I've needed to block viral emails which the major AV engines weren't catching, or were sufficiently behind the curve on, that I've had to create my own signatures to block the attachments while I waited for the vendors to catch up.

Enter ClamAV. ClamAV is an anti-virus toolkit for Unix and Windows. Aside from being an on-demand virus scanner, ClamAV comes with a suite of tools (sigtool in particular) for creating your own anti-virus signatures, which can then be loaded alongside the regular AV definitions when running a scan.

The first thing you need is something you want to detect: a virus, some other piece of malware, or maybe just a nuisance application installer. It helps if you're not running Windows, so you don't infect yourself with whatever it is you are trying to detect, and the following commands will be easy for you. If the sample arrived as an email attachment, save the attachment to your PC. If it's still on the mail server, either download the mail and save the file, or, if you have shell access to the server, copy the entire mail file itself to your PC, which is easy if you're using maildirs. If you use mboxes you need to get a copy of that one message into a file of its own (look at csplit, for example).

If you have a file containing the whole email rather than having saved the attachment from within your mail client, you need to split the text and attachment parts out from each other. The following script does this for you. You need Perl and the MIME::Parser module from CPAN (sudo apt-get install libmime-tools-perl on Debian/Ubuntu, or sudo cpan MIME::Parser).

#!/usr/bin/perl
# Split a raw mail file into its MIME parts and print where each one went.
use strict;
use warnings;
use File::Temp qw(tempdir);
use MIME::Parser;

my $file = shift @ARGV or die "usage: $0 <mail file>\n";

# A private, unpredictable working directory rather than /tmp/<pid>.
my $dir = tempdir("strip-attach-XXXXXX", TMPDIR => 1);

my $parser = MIME::Parser->new;
$parser->output_under($dir);     # extracted parts are written below $dir
$parser->output_prefix("msg");   # and named msg-* so they are easy to spot
my $entity = $parser->parse_open($file) or die "could not parse $file: $!\n";
$entity->dump_skeleton;          # MIME tree to stdout, including the path of every part

Save it as strip-attach.pl or something and make it executable. Then run it with an argument of the file to strip such as:

strip-attach.pl <mail file>

The skeleton dump lists each MIME part together with the path it was written to, so you can see where the text portion and the attachment ended up. If you saved the email attachment to your PC from your mail client, you can start to pay attention now.

What you now have is the file you want to block. If it's zipped, compressed or in any other kind of container, extract it and build the signature from the inner file. ClamAV can look inside these archives itself (if you configured it to and you have the right tools installed, like unzip under Linux for example), so it will match the signature against the contents; a signature taken from the compressed bytes of the archive would only ever catch that one exact archive.

Next create a signature of the file using ClamAV’s sigtool:

head -c 2048 testfile | sigtool --hex-dump > customsig.ndb

In this case, testfile is your undesirable file and we have taken a signature of its first 2KB (head -c runs before sigtool so that it counts bytes of the file rather than characters of hex output; a signature of the whole file would be huge and therefore scanning would be inefficient). We have saved the generated hex in customsig.ndb. What you really want is a signature of a unique portion of the file. Bear in mind that the start of a Windows executable is the DOS header and stub followed by the PE headers, which are near-identical across thousands of legitimate programs, so a signature taken only from there will produce false positives (the example signature below begins with exactly such a header). You can instead take the hex from an offset within the file, it doesn't have to be from the start; cut the chunk out with dd or tail before piping it to sigtool. See the ClamAV signature docs for more detail on how to create signatures.

You should edit customsig.ndb and prefix the content with the appropriate Name, Type and Offset in the following format:

Name:Type:Offset:malware hex output

Such as:

Trojan.Win32.Emold.A:1:*:4d5a80000100000004001000ffff000040010000000000004000000000000000000000000000000000000000

Name is the virus name. Type is the target file type, one of the following (this is the list for the ClamAV release current at the time of writing; later releases add further types such as Mach-O and PDF):

  • 0 = any file
  • 1 = Portable Executable (ie Windows exe)
  • 2 = OLE2 component (e.g. a VBA script)
  • 3 = HTML (normalised)
  • 4 = Mail file
  • 5 = Graphics
  • 6 = ELF
  • 7 = ASCII text file (normalised)

Offset is either * or an offset in bytes from the beginning of the file at which the hex string must occur. This is best left as * unless you know where in the file your hex string sits. An anchored offset is cheaper to scan and less prone to false positives, but a copy of the malware that has been repacked or had its layout shifted will slip past it, whereas * matches the string anywhere in the file. The ClamAV documentation covers the other offset forms (relative to the end of the file, the PE entry point and so on).

For most purposes, a type of 0 (or 1 for a Windows exe) and an offset of * will suffice.

Either name the virus yourself if it's just a file you don't want on your network or it's a new virus, or take a look at what other AV engines call it by submitting your suspicious file to somewhere like http://www.virustotal.com/. ClamAV has its own virus naming conventions as detailed in the docs.

My good friend and malware expert Barbie of Message Labs and Birmingham Perl Mongers gave a talk at LugRadio Live UK 2008 where he explained that the people who are first to identify a new virus are the people who name it, though different AV vendors often use different names and the name which is popularised in the press is the one that sticks. If you detect a virus before anybody else, then name it as you like and then find a way of making sure everybody uses your chosen name. Fun and profit awaits you 🙂

Now, test the signature against your suspect file, and also against a handful of files you know to be clean (a few legitimate executables of the same type are ideal), so that a false positive shows up here rather than on your mail gateway:

clamscan -d customsig.ndb testfile

It's pretty inefficient to store one virus signature per file, so if you're going to be doing this frequently or you want your signatures to be used as part of regular operations, you may as well keep your own virus db file alongside ClamAV's own. Simply copy customsig.ndb into the directory ClamAV loads its signatures from; on most Linux boxes that's /var/lib/clamav/, though it might be something like /usr/local/share/clamav/ on FreeBSD or if you compiled ClamAV yourself. clamscan reads that directory afresh on every run, but clamd loads the databases at startup, so restart it or tell it to reload (clamdscan --reload). freshclam only manages its own database files and will leave yours alone. Now run a regular scan without having to specify your custom sig:

clamscan testfile

And that’s it. Add each new signature line into the customsig.ndb file you put in ClamAV’s signatures directory but be sure to test it first from a standalone sig file so you know it works as expected without affecting the operation of the main ClamAV installation.
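The build-and-test steps above, as an added example rather than code from the post or from ClamAV itself: a Python script that produces the same plain hex as sigtool --hex-dump, assembles the Name:Type:Offset:Hex line, and then vets the signature the way a practitioner should before copying it into the database directory. The sample bytes (a suspect "executable", a clean one sharing the same DOS header, and a text file) are constructed for the example and are not real malware; the name Trojan.Win32.Example.A is hypothetical; and the matcher is a toy that only understands literal hex bodies, * or absolute offsets, and target types 0, 1 and 6, which is enough to show the two usual mistakes: a pattern taken from the generic DOS header that every Windows executable shares, and a pattern that also fires on a file you know to be clean.

```python
#!/usr/bin/env python3
"""Build a basic ClamAV .ndb signature from a chunk of a file and vet it
against clean samples before it goes anywhere near a real scanner.

Added example for this post, not ClamAV's own code. hex_dump() produces the
same plain hex that `sigtool --hex-dump` does; the matcher only understands
literal hex bodies with a '*' or absolute byte offset and target types
0 (any), 1 (PE) and 6 (ELF).
"""
import binascii
import re

TARGET_ANY, TARGET_PE, TARGET_ELF = 0, 1, 6

# Constructed samples, not real malware. The DOS header bytes are the ones
# from the example signature in the post; almost every Windows executable
# starts with a header and stub like this.
DOS_HEADER = (bytes.fromhex("4d5a80000100000004001000ffff00004001000000000000"
                            "4000000000000000") + bytes(28) + b"\x80\x00\x00\x00")
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
PE_PREFIX = (DOS_HEADER + DOS_STUB).ljust(128, b"\x00") + b"PE\x00\x00" + bytes(60)
SUSPECT = PE_PREFIX + b"dr0pp3r-build-7731 c2=10.0.0.13:4444 " + bytes(range(256))
CLEAN_SAMPLES = {
    "clean_exe": PE_PREFIX + b"Contoso Widget Installer 2.1" + bytes(range(255, -1, -1)),
    "readme.txt": b"Just a text file that happens to be on the same share.\n",
}


def hex_dump(data: bytes) -> str:
    """Lowercase hex with no separators, as `sigtool --hex-dump` prints it."""
    return binascii.hexlify(data).decode("ascii")


def make_ndb_signature(name, target, data, offset=0, length=64, anchor=False):
    """Return a 'Name:Type:Offset:Hex' line built from data[offset:offset+length].

    anchor=False writes '*' (match anywhere); anchor=True writes the absolute
    byte offset so the pattern must sit exactly there.
    """
    chunk = data[offset:offset + length]
    if not chunk:
        raise ValueError("offset is past the end of the file")
    if ":" in name:
        raise ValueError("':' is the field separator and cannot appear in the name")
    return f"{name}:{target}:{offset if anchor else '*'}:{hex_dump(chunk)}"


_NDB_LINE = re.compile(r"^([^:]+):(\d+):(\*|\d+):([0-9a-fA-F]+)$")


def parse_ndb(line):
    """Split a basic NDB line into (name, target, offset, pattern bytes)."""
    m = _NDB_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a plain-hex NDB signature: {line!r}")
    name, target, offset, hexpat = m.groups()
    return name, int(target), offset, bytes.fromhex(hexpat)


def target_applies(target, data):
    """Does this file belong to the signature's target type? (0, 1, 6 only.)"""
    if target == TARGET_ANY:
        return True
    if target == TARGET_PE:
        return data[:2] == b"MZ"
    if target == TARGET_ELF:
        return data[:4] == b"\x7fELF"
    raise ValueError(f"target type {target} needs ClamAV's own file-type detection")


def signature_matches(line, data):
    """Toy equivalent of `clamscan -d sig.ndb file` for one literal-hex signature."""
    _, target, offset, pattern = parse_ndb(line)
    if not target_applies(target, data):
        return False
    if offset == "*":
        return pattern in data
    start = int(offset)
    return data[start:start + len(pattern)] == pattern


def looks_generic(pattern):
    """Flag patterns taken from the shared DOS header/stub or with almost no
    byte variety (zero padding); both match far more than the one file."""
    return pattern in PE_PREFIX or len(set(pattern)) < 8


def vet_signature(line, suspect, clean_samples):
    """Return the list of problems found; an empty list means 'safe to deploy'."""
    problems = []
    _, _, _, pattern = parse_ndb(line)
    if not signature_matches(line, suspect):
        problems.append("does not match the suspect file")
    if looks_generic(pattern):
        problems.append("pattern is a generic header or low-entropy run")
    for label, sample in clean_samples.items():
        if signature_matches(line, sample):
            problems.append(f"false positive on clean sample {label!r}")
    return problems


if __name__ == "__main__":
    name = "Trojan.Win32.Example.A"   # hypothetical name for the constructed sample
    for off in (0, 192):              # 0 = DOS header (bad), 192 = the dropper's own bytes
        sig = make_ndb_signature(name, TARGET_PE, SUSPECT, offset=off)
        verdict = vet_signature(sig, SUSPECT, CLEAN_SAMPLES) or ["ok"]
        print(f"offset {off:>3}: {sig[:48]}...  ->  {'; '.join(verdict)}")
```

Run as-is it prints one line per candidate: the offset-0 signature is rejected both as a generic header and as a false positive on the clean executable, while the offset-192 one passes. The same vetting step applies to real signatures: feed the .ndb line to clamscan -d against the suspect file and a directory of known-clean files before it goes into /var/lib/clamav/.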

Having created sigs for files which the commercial AV engines weren’t catching, I submitted the suspicious file I was working on to the ClamAV team for detection within ClamAV. Now I guess you have to be a bit closer to the project and certainly more experienced than the novice I am to generate sigs and have them included in ClamAV, but there’s nothing stopping you submitting the suspicious files to the project by uploading them at http://www.clamav.net/sendvirus/.

I did exactly that and was quite pleased to get an email a few weeks later which said a signature for the file I submitted had been included in a ClamAV update, although the same file had been submitted by several other people.

Most people suggest advocacy or documentation as ways non-programmers can help a project, it just goes to show that there are many more ways to help a Free Software project than you might think if you’re not a programmer.

So, why would you want to use ClamAV? If you run mail servers then you should be using it already, regardless of whether you run a proprietary AV engine. ClamAV is free and plugs easily into most Unix style mail servers, either directly or through something like Amavis. ClamAV is pretty good at catching phishing emails too, which is something I've not seen much of from the major AV vendors. Details on dealing with phishing sigs are here.

A few years ago I worked at a college where Windows permissions were sufficiently lax that the students were able to install MSN Messenger (now known as Windows Live Messenger) on the PCs which were supposed to be for educational purposes only, as certain applications they needed to run required write access to parts of the registry, so the machines couldn't be locked down any further without serious effort. We had a terrible time trying to keep up with removing it and stopping them downloading it. Had we known at the time (ignoring the concept of actually trying to lock the machines down properly), we could have run ClamAV on a filtering proxy, created a signature which detected the MSN Messenger installer or other unwanted installers, blocked them at the gate and run a scan across the user directories for saved copies brought in on memory sticks. While that's fighting fires instead of solving the bigger problem, a simple fix for the major threats buys you enough breathing space to solve the real ones.

Note that, as normally deployed, ClamAV is not an in-memory, on-access, real-time background virus scanner: it won't detect viruses in files as you open or execute them (clamd can be set up for on-access scanning on Linux, but that is not its typical use). You scan files on demand, so it's not intended as a replacement for a desktop AV; it's intended for gateway services like web and mail filtering, or scheduled scanning.

Do I need to tell you any more? Go geddit tiger.

Get Simon Burke Home

A few weeks ago I was lying in bed watching an episode of Channel Five’s ‘Locked Up Abroad’. The episode featured the story of Sarah Jackson and Simon Burke. In early 2007, Sarah, having got herself in debt with a threatening and abusive drug dealer had agreed to go to Peru and smuggle cocaine back with her in exchange for clearing her debts. She invited her friend Simon on the holiday to unwittingly provide an air of legitimacy for her trip. Simon was unaware of the real reason for the trip.

Towards the end of the trip, Sarah excused herself from Simon and returned to the hotel room where she took delivery of the cocaine and hid it inside her suitcase. At the airport she sent Simon to the information desk to enquire about his luggage, which had gone missing on the flight over there, while she checked in. Sarah checked in ok but was stopped because of a suspicious passport. When her bag was searched the police found the cocaine. Simon, unaware of this, returned from the info desk to find her and was taken by the police into a room where he saw Sarah and the cocaine. Simon's shyness and stumbling speech convinced the police that he was involved despite Sarah's protestations that he was innocent. The police footage taken during the search and shortly after the arrest, shown in the programme, demonstrates just how dumbfounded and terrified Simon was. Nevertheless Sarah and Simon were jailed for 18 days together before being separated and sent to different prisons. Simon was sent to a violent, nightmarish men's prison while Sarah was sent to a women's prison which had much in common with a busy day care centre.

The Peruvian justice system is so overwhelmed that only 1 in 8 inmates of Sarah's prison have been convicted. It took 10 months in prison before the police accepted Sarah's confession and statement of Simon's innocence, and Simon was freed in November 2007. However, until Sarah is convicted the police are retaining Simon's passport, as he is still a witness in the Peruvian courts and, potentially, still a suspect. As such, Simon was stuck in limbo in Peru, awaiting the outcome of Sarah's trial so he can be allowed home.

I watched this show a few weeks ago as I said and I decided to check up on what happened to the case, I remember watching the show cringing and thinking how awful it must be to be trapped in limbo like that. I thought the show might have been recorded last year or something and was horrified that Simon is still stuck in Peru a year on from his release, visiting court regularly while he awaits Sarah’s trial. I couldn’t believe it, he was such a nice, honest, genuine guy. His only mistake is to be unwittingly caught up in somebody else’s scam.

What amazes me is that apart from the Banged Up Abroad episode, how little mainstream press this case is getting. The guy is clearly innocent and yet is being held in a country with no means of supporting himself. He is staying in the spare room of a Peruvian family waiting to be cleared. It has cost his family £10,000 and he has lost 2 years of his life and still counting for doing nothing wrong. It doesn’t even bear thinking about. The whole thing touched me so much I decided to get involved. I’ve never met Simon but the story really upset me.

After being refused a petition by http://www.number10.gov.uk/ on the basis that it is a Home Office issue, you can sign the petition to campaign for Simon to be allowed to return home at http://www.gopetition.com/petitions/send-simon-home.html

There are 2 Facebook groups dedicated to campaigning for him to be allowed to return home. If you're on Facebook, search for "Get Simon Burke Home" and "Send Simon Home". While the petition and Facebook groups will have little effect on the Peruvian government or judicial system directly, the campaign for greater media exposure that these things are aiming for will hopefully push the otherwise ineffectual British Home Office and British Embassy in Lima into working harder to get Simon sent home.

A few people have asked why he doesn’t just jump the border by illegal means or whether he would return to Peru if allowed home. He says himself that he doesn’t want to jeopardise his case. If he were caught trying to jump the border he would be screwed. He has no wish to avoid the legal proceedings he is involved in, he just wants to clear his name and get back to his life.

There are 2 local newspaper articles featuring the case here and here. Read them if you will. Simon has been to court several times since they were published, despite one article claiming he may soon be released.

You can watch the episode of Banged Up Abroad at Channel Five here though I’m told you need to sign-up and it requires Windows Media Player. If you find it affects you in the same way it did me, then why don’t you sign the petition and join the Facebook groups which are keeping his spirits up and are the focal point for people trying to raise the media’s awareness of the case.

Now I’m not prone to this kind of thing, I’m not the type for campaigning like a teen soap character who is always fighting for some cause or other, but I just felt really bad for the guy and I was really surprised that he was still stuck in Peru.

In any case, I wish Simon the best I hope he is allowed to return home soon.

UPDATE 22/11/2008: Simon’s innocence was confirmed by the Peruvian courts on 24th November 2008 and is now free to return home, pending application for the return of his passport and should be home by Christmas. Best wishes my man.

UPDATE 17/03/2009: Simon is still in Peru as the prosecution has appealed despite Simon’s acquittal. Looks like he could be there for several more months. You can vote to ask David Miliband, the UK Foreign Secretary about Simon’s case here or donate to the cost of Simon’s living expenses here. To date it has cost Simon’s parents around £20,000 as he receives no income in Peru, anything you can add to offset those costs would be gratefully received.

Keep up to date with Simon’s case by joining the Get Simon Burke Home group on Facebook here.

UPDATE 09/10/2009: After 2 and a half years, Simon’s case has been completed and all paperwork finished, he is now free to return home and should do so on Sunday 11th October 2009. It looks like there might be quite a large welcoming party 🙂 You can find out more on Facebook here. Best wishes mate, good to have you home 🙂

UPDATE 12/10/2009: Simon is now back home with his family in England.