ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Preparing Your Own Virus Signatures
GuitarBob


Joined: 09 Jul 2006
Posts: 4266
Location: USA
Reply with quote
There are literally tens of thousands of computer viruses/malware prepared each day. The virus writers change their viruses often, but much of it is just new versions of yesterday's malware. Because of this, Clam AV has asked for users to help by submitting their signatures to it. When you upload your sample to Clam, if you have a signature for it, just paste your signature into the comments block of the Clam AV submission form. Cam AV will handle any false positive detections on a signature you submit.

You can check out suspected virus/malware files on the web by uploading them to the Jotti or Virus Total or Virus Scan web sites--I would only use those three services. To verify a suspected file, I like to see at least 2 of these "trigger" AVs detect a virus/malware: Avast, Avira AntiVir, Bitdefender, Fortinet, Nod32, Kaspersky, Malwrebytes, Microsoft, and Sophos. Pick one AV and consistently use the names it gives its detections for your signatures. If there are no detections of your file and it is a new file, wait a day or so and rescan on the service--if it is infected, it should get some detections by then.

The easiest signature to prepare is an MD5 hash, but it will only detect one version of one file, but this is okay when you consider that most viruses are changed often anyway. A hash is a cryptographic representation of a file--such as: 97d2cbed1a78471052a57d92ab55c993. All MD5 hashes are the same size, but each file hash is a bit different. In rare cases, hashes for different files can "collide" or be the same, but Clam AV minimizes this by putting the file size in each hash signature. You can prepare an MD5 hash for just about any type of file. The scanning services will actually give you enough information to prepare a Clam AV MD5 ahsh signature: File platform, file size, and MD5 hash. Make sure the MD5 hash is in small letters--not capital letters because Clam AV can not use large letters for its hashes. There will be no false positives on an MD5 signature if you make sure the file is really infected by a virus/malware. You could also get a file hasher to make MD5 signatures, but you will not need it for MD5 file hashes. Most file hashers can make many different hashes, so choose MD5 for your signatures. I like dphash by Dirk Paehl because it makes MD5 hashes and it gives you valuable file information as well.

A Clam AV MD5 hash takes this pattern: 7d2cbed1a78471052a57d92ab55c993:bytesize:platform.Virustype.virusname. That is the MD5 hash, then a colon, then the bytesize of the file (no commas), then a colon, then the computer platform used by the virus, then a period, then the virus type (trojan, exploit, etc.), then a period, then the last part of the virus name. Clam AV will assign a number to the virus name. Here is a real virus signature: ac8798fe7b5c237c5ec521bbe129b3eb:1283072:Win.Trojan.Agent.

Paste your signature in a Windows notepad/text file and call it Sigfile.hdb (hdb indicates an MD5 file hash). Save the file in your ClamWin database directory. Test your signature before submitting it by manually scanning the file on your computer with ClamWin. Keep the hdb signature file on your computer for about a week to give Clam AV time to check and publish your signature--they may be behind in working malware submissions.

If you do not know what to name a virus, call it Win.Trojan.Agent (if it is a Windows virus). The scanning service will tell you the platform. A PE file indicates it is for Windows (portable executable file.) I like the Virus Total service because it gives more information about a file--such as date first seen, which can help because new viruses often do not have many detections. It also tells you the date the file was first seen on Virus Total. If a file is new, I will accept a detection by only 1 trigger AV if at least one other AV also detects it.

Never run/execute a virus--you do not need to do that if you use the scanning services. Just in case a virus does get away from you and executes on your computer, I recommend these scanners/cleaners: Malwarebytes Antirootkit (beta), F-Secure online scanner, Bitdefender Bootkit Remover, and as a last resort, Microsoft Windows Defender Offline.

Clam AV could really use some help. It does not have any full-time sigmakers, and it is unable to address every user submission on a timely basis. Please post here if you have any questions about this material.

Regards,
View user's profileSend private message
Preparing Your Own Virus Signatures--2
GuitarBob


Joined: 09 Jul 2006
Posts: 4266
Location: USA
Reply with quote
To continue this informal look at preparing signatures for ClamAV/ClamWin, let us next look at MDB signatures. MDB signatures are an MD5 hash for only one section of a Windows PE file. To get an MDB signature, you have to break up a Windows PE file into sections and get an MD5 file hash for the section that you have picked for the signature. The MDB signature takes this form: bytesize:sectionhash:platform.virustype.virusname. Clam AV will assign a number to the signature. Your hash should use
small letters because Clam AV can not use hashes made with capital letters.

Here is a real MDB virus signature:
2048:ac65056031e91d3b1774050ecad68630:Win.Trojan.Ransom. You can see that it is similar to the HDB signature mentioned previously, but the bytesize goes before the file hash this time. You can paste your MDB hash into a Notepad text file named sigfile.mdb and save it to your ClamWin database folder. Then do a manual scan of your sample file with ClamWin to make sure your signature is detected. You can put several MDB signatures each on a separate line in the Notepad file. Keep your signature file for about a week to give Clam AV a chance to process your signature.

There are lots of file hasher programs but not very many programs can break up a file into sections and give you a section hash or let you save the section to a file that for which you can get a hash. The dphash program by Dirk Paehl will show the file sections and give you an MD5 section hash, but it will be in capital letters, which Clam AV can not use. I have painted dphash section hashes and copied them to a word processor, then toggled the upper case of the letters to lower case, and then pasted the lower case MD5 hash into a Notepad file for my MDB signatues, but that is very slow and cumbersome.

It is much easier to use the Virus Total online scanner, which will show you the section names, sizes (for the total file and for each section) if you look at the File Details provided by Virus Total. You can use Virus Total as the a source for your MDB (or HDB signatures). Just make sure to verify that the file is infected by a virus and that your signature is detected in the file by ClamWin before you submit it to Clam AV.

Be careful in selecting the section that you are going to use for your hash. First of all, total up the byte size of all sections of the file and make sure that the total bytesize of all the file sections is close to the total bytesize for the original file. The total bytesize of all sections will usually differ slightly from the total bytesize of the original file--the section total bytesize is usually smaller than the file total bytesize. If the total difference is less than 10K, do not worry about it. If the total difference is more than 10K, get an HDB signature because the difference in size indicates that the file is probably an installer file and is not the real malware file--an HDB signature is best in that case. An MDB signature for an installer file will probably result in a false positive detection for the installer file--as the virus file is not available until the installer runs.

As to which section of a file to use for your MDB signature, I suggest that you use the section that has the largest byte size, which is probably the most important section. If you are still not sure which section to use, get the section that is labeled "code" or the section labeled "rsrc." These are standard section names, but some files may not use the standard names. You usually can't go wrong with an MDB signature on the largest file section--except on installer files.

Virus writers are lazy, and other viruses may re-use the same section from which you prepared your MDB hash, so your MDB signature may detect them also. An MDB signature is usually better than an HDB signature, which will only detect one version of one file. However, malware can use sections from "good" files, so there can be an occasional false positive detection from an MDB signature, but your false positive rate will be low unless you use an MDB signature for those installer files. Also, do not use sections for your MDB signature that are named for a packer--such as Themida. If you do, your signature will probably be for the packer, which can result in a false positive detection because packers are used by both "good" programmers and malware programmers. If there is any doubt about a signature, get an HDB signature to minimize the possibility of false positives.

Please post if you have any questions about preparing your own signatures.

Regards,
View user's profileSend private message
Preparing Your Own Virus Signatures-- 3
GuitarBob


Joined: 09 Jul 2006
Posts: 4266
Location: USA
Reply with quote
Part III NDB Entry Point Signatures

NDB signatures are the standard Clam AV virus signatures. To get a NDB signature, you have to open up a file in a debugger, find the portion of the entry point hexadecimal code that you want, and copy it into a signature for Clam AV. The file sections are very large, so I like to copy just the 1st 8 lines (128 bytes) of the entry point section.

An NDB entry point signature takes this form: Platform:VirusType.VirusName:SignatureType:FileLocation:HexidecimalSignature.

Here is an actual NDB entry point signature: Win.Trojan.FakeAV-59332:1:EP
+0:6824114000e8eeffffff000000000000300000004000000000000000f2e84a1d163ae64e9f59673c4e53958b000
00000000001000000442e6261730d416762696e66667972667100795762760000000006000000d0514000070000008
0474000070000003847400001000200dc43400000000000ffffffffffffffff00000000. The platform is Windows, the virus type is a trojan, and the name is FakeAv. Clam AV has already assigned a number after the virus name. The signature type is always 1 for an NDB entry point signature, and the file location is always EP+0--which means the entry point. As usual, put your signature in a Notepad file and name it Sigfile.ndb and save it in the ClamWin DB data folder. Test the signature to make sure it is detected by ClamWin when you
scan the infected file before you upload it to Clam AV.

To tell whether or not an infected file is a good candidate for an NDB entry point signature, you have to break it up into sections. The size of the code section and the entry point section should be the same, and the total file size should only be 10K or less larger than the
size of all sections added together--just like for the MDB signatures. Since malware can obscure the entry point, your signature may not be for the actual entry point, but it will still be a good signature if you follow these guidelines, which will also minimize false positives.

If you have gotten this far and are still interested in preparing Clam AV signatures, I can give you some software tools that will make it much easier for you to prepare all signatures--NDB, MDB, and HDB. Send email to: rwsmc at yahoo dot com. Identify yourself in
the email, and tell where you are located.

You are an exceptional person if you have gotten this far!

Regards,
View user's profileSend private message
scanfan


Joined: 14 Aug 2014
Posts: 4
Reply with quote
The path to the database directory is:

%ALLUSERSPROFILE%\.clamwin\db

If it's not there, perhaps because you installed for the current user only, try your user profile instead.
View user's profileSend private message
Preparing Your Own Virus Signatures
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic