Monday, May 18, 2015

For years we've had a system named "Lurker" that displayed the archives for our mailing lists. In practice we have been keeping the mailing list archives in two places: on Lurker, and on Mailman itself. So we've decided to end-of-life the Lurker machine in favor of the Mailman system.

The most common places that link to Lurker directly are the notification emails sent to malware submitters when coverage is written, and the posts to the clamav-virusdb list when database updates are pushed.

We plan on bringing Lurker down and changing the links in the alert emails on Friday, May 22, 2015.

Please be patient with us as we remove this system from the ClamAV network.

Wednesday, May 13, 2015

The ClamAV community is growing and we are receiving more user-generated ClamAV signatures through our community signatures mailing list. Thanks to all who have contributed! For those who find writing their own signatures daunting, we have created something you may be interested in.

To aid users in developing better ClamAV signatures faster, I've created the ClamAV Signature Creator (CASC), an IDA Pro plug-in. A quick and easy installation into IDA Pro 6.7 or higher (reduced feature set for IDA Pro 6.6) will have you creating basic ClamAV ndb and ldb signatures in no time. CASC lets you select parts of a sample's disassembly, a function block, or a set of strings to create a sub-signature. Each sub-signature can carry user-defined notes to keep track of what it covers. Once you've selected enough sub-signatures to get the job done, or as many as your heart desires, a ClamAV signature can be created from one or more of them.

Check out this IDA Pro plug-in on Github and its wiki for documentation.
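As an added example (not CASC's code or ClamAV's own), the following Python builds an ndb and an ldb signature from hand-picked byte patterns, the way CASC assembles them from selected disassembly and strings, and checks them against a constructed sample buffer with a toy matcher. Only the ndb line format (MalwareName:TargetType:Offset:HexSignature) and the ldb line format (Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...) are ClamAV's; the sample bytes, signature names and helper functions are assumptions made for the example. The matcher handles only a subset of the hex-signature syntax (literal bytes, ??, {n}/{n-m}, *) and &/| logical expressions with parentheses.

```python
import re

# Constructed stand-in for a scanned file: a fake "MZ" header, the x86
# call/stack-adjust idiom (E8 rel32 ; 83 C4 imm8) and a Run-key string.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
          + b"\xe8\x10\x00\x00\x00\x83\xc4\x08" + b"\x00" * 16
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
BENIGN = b"MZ\x90\x00" + b"\x00" * 80   # same header, none of the payload traits


def hexsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate a ClamAV hex signature into a bytes regex (subset only):
    literal hex bytes, ?? (any one byte), {n}/{n-m}/{n-}/{-m} skips, * (any run).
    Unsupported syntax raises instead of silently failing to match."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i] == "{":
            end = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:end].partition("-")
            parts.append((f".{{{lo or 0},{hi}}}" if dash else f".{{{int(lo)}}}").encode())
            i = end + 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        elif re.fullmatch(r"[0-9a-fA-F]{2}", hexsig[i:i + 2]):
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
        else:
            raise ValueError(f"unsupported hex signature syntax at {hexsig[i:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_line(name: str, hexsig: str, target: int = 0, offset: str = "*") -> str:
    """ndb body signature: MalwareName:TargetType:Offset:HexSignature."""
    return f"{name}:{target}:{offset}:{hexsig}"


def ldb_line(name: str, logic: str, subsigs: list, target: int = 0) -> str:
    """ldb logical signature: Name;Target:N;LogicalExpression;Subsig0;Subsig1;..."""
    return ";".join([name, f"Target:{target}", logic, *subsigs])


def match_ndb(line: str, data: bytes) -> bool:
    """Toy ndb matcher: '*' searches anywhere, an integer offset anchors the pattern there."""
    _name, _target, offset, hexsig = line.split(":")[:4]
    pat = hexsig_to_regex(hexsig)
    if offset == "*":
        return pat.search(data) is not None
    return pat.match(data, int(offset)) is not None


def eval_logic(expr: str, hits: list) -> bool:
    """Evaluate a logical expression over sub-signature hits by recursive descent.
    Handles INT, '&', '|' and parentheses; '&' binds tighter than '|' here, so
    use parentheses in real signatures. Count forms such as '0>1' are rejected."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported logical expression: {expr!r}")
    pos = 0

    def atom() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = disjunction()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return val
        if not tok.isdigit():
            raise ValueError(f"unexpected token {tok!r}")
        return hits[int(tok)]

    def conjunction() -> bool:
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            val = atom() and val
        return val

    def disjunction() -> bool:
        nonlocal pos
        val = conjunction()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            val = conjunction() or val
        return val

    result = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def match_ldb(line: str, data: bytes) -> bool:
    """Toy ldb matcher: evaluate every sub-signature, then the logical expression."""
    _name, _tdb, logic, *subsigs = line.split(";")
    return eval_logic(logic, [hexsig_to_regex(s).search(data) is not None for s in subsigs])


# The three sub-signatures a CASC user might pick: MZ header bytes, the
# call/stack-adjust idiom with its rel32 wildcarded, and the Run-key string.
SUBSIGS = ["4d5a", "e8????????83c4", b"CurrentVersion\\Run".hex()]
EXAMPLE_NDB = ndb_line("Win.Trojan.Example-1", SUBSIGS[1], target=1)
# The header alone proves nothing: require it together with the idiom or the string.
EXAMPLE_LDB = ldb_line("Win.Trojan.Example-2", "0&(1|2)", SUBSIGS, target=1)

if __name__ == "__main__":
    print(EXAMPLE_NDB)
    print(EXAMPLE_LDB)
    for label, buf in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, match_ndb(EXAMPLE_NDB, buf), match_ldb(EXAMPLE_LDB, buf))
```

Write the two printed lines to files with .ndb and .ldb extensions and run clamscan with -d pointing at them against the real sample to confirm; the toy matcher exists only so the signature logic can be checked offline. It is not the ClamAV engine: no EP+n offsets, no PE section targeting, no sub-signature count forms.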

Wednesday, April 29, 2015

TeslaCrypt, another entry in the list of "locker" malware families (CryptoLocker, CryptoWall, etc.), is being dropped constantly by several methods, infecting machines and generally making people's lives terrible.

A couple of researchers on the ClamAV team at Talos took a look at this malware, broke it down with an explanation, and released a tool you can use to decrypt TeslaCrypt-locked drives yourself.

The tool is released with the blog post, including its source code (open source, GPLv2), and we will be placing the code on our GitHub page soon.

Please take a look at the post if you've been a victim of TeslaCrypt, and if you have comments, please leave them on the post over on our Talos blog!


ClamAV 0.98.7 is here! This release contains new scanning features
and bug fixes.

    - Improvements to PDF processing: decryption, escape sequence
      handling, and file property collection.
    - Scanning and analysis of an additional Microsoft Office 2003 XML format.
    - Fix infinite loop condition on crafted y0da cryptor file. Identified
      and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
    - Fix crash on crafted petite packed file. Reported and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
    - Fix false negatives on files within iso9660 containers. This issue
      was reported by Minzhuan Gong.
    - Fix a couple of crashes on crafted upack packed file. Identified and
      patches supplied by Sebastian Andrzej Siewior.
    - Fix a crash during algorithmic detection on crafted PE file.
      Identified and patch supplied by Sebastian Andrzej Siewior.
    - Fix an infinite loop condition on a crafted "xz" archive file.
      This was reported by Dimitri Kirchner and Goulven Guiheux.
    - Fix compilation error after ./configure --disable-pthreads.
      Reported and fix suggested by John E. Krokes.
    - Apply upstream patch for possible heap overflow in Henry Spencer's
      regex library. CVE-2015-2305.
    - Fix crash in upx decoder with crafted file. Discovered and patch
      supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
    - Fix segfault scanning certain HTML files. Reported with sample by
      Kai Risku.
    - Improve detections within xar/pkg files.

As always, we appreciate contributions of bug reports, code fixes,
and sample submissions from the ClamAV community members:

Sebastian Andrzej Siewior
Minzhuan Gong
Dimitri Kirchner
Goulven Guiheux
John E. Krokes
Kai Risku

ClamAV 0.98.7 is available on the downloads page.

Wednesday, February 25, 2015

I spotted a really simple article over on the thepcn3rd blog on how to generate ClamAV detection quickly given an MD5 for a malicious file.

As I have researched malware and indicators of compromise, an MD5 checksum of the files is provided so that you can detect them in your environment. I am not sure about your anti-virus, but I am not able to plug in an MD5 and have it search for them across the enterprise as it does its scan.

The blog highlights a great point about ClamAV and open source: the ability to generate your own detection!

Take a look at the blog here.
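As an added example (not the thepcn3rd article's code or ClamAV's own), here is the shape of that workflow in Python: turn a file, or an MD5 taken from an IOC report, into a ClamAV .hdb hash signature line (MD5:FileSize:MalwareName, the same format sigtool --md5 produces), parse such a file, and check a buffer against it the way the engine does, size first and then hash. The signature names and sample bytes are constructed. A `*` wildcard in the size field is only accepted by ClamAV versions that support it, so prefer the real size whenever the report gives one.

```python
import hashlib
import re

HDB_NAME = "Win.Trojan.ConstructedIOC-1"   # constructed name, not a real signature
SAMPLE = b"abc"                            # stand-in for the malicious file's bytes


def hdb_line_from_bytes(data: bytes, name: str) -> str:
    """ClamAV .hdb line for these bytes: MD5:FileSize:MalwareName (what sigtool --md5 prints)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hdb_line_from_ioc(md5: str, size, name: str) -> str:
    """Build the same line from a report that gives the hash (and ideally the size).

    Assumes the report's MD5 covers the whole file, which is what ClamAV hashes.
    size=None emits '*'; whether the engine accepts a wildcard size depends on
    the ClamAV version (check the signature docs), so pass the real size if known.
    """
    md5 = md5.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError(f"not an MD5 hex digest: {md5!r}")
    if not name or ":" in name:
        raise ValueError("MalwareName must be non-empty and contain no ':'")
    return f"{md5}:{'*' if size is None else int(size)}:{name}"


def parse_hdb(text: str) -> dict:
    """Parse .hdb text into {(md5, size): name}; size is an int or '*'.
    Blank lines and '#' comments are skipped; malformed lines are rejected loudly."""
    sigs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected MD5:FileSize:MalwareName")
        md5, size, name = fields[0].lower(), fields[1], fields[2]
        if not re.fullmatch(r"[0-9a-f]{32}", md5):
            raise ValueError(f"line {lineno}: bad MD5 {md5!r}")
        sigs[(md5, "*" if size == "*" else int(size))] = name
    return sigs


def scan(data: bytes, sigs: dict):
    """Return the matching MalwareName or None.
    The exact-size entry is checked before any '*' entry, mirroring the cheap size pre-filter."""
    digest = hashlib.md5(data).hexdigest()
    return sigs.get((digest, len(data))) or sigs.get((digest, "*"))


if __name__ == "__main__":
    line = hdb_line_from_bytes(SAMPLE, HDB_NAME)
    print(line)   # append this to a file such as local.hdb in the ClamAV database directory
    db = parse_hdb("# constructed local.hdb\n" + line + "\n")
    print(scan(SAMPLE, db), scan(b"not the sample", db))
```

Drop the printed line into a file with an .hdb extension in the ClamAV database directory (or pass the file with clamscan -d) and the next scan flags the file. An MD5 match is exact: a recompiled, repacked or padded variant has a different hash and size and is missed, which is why a hash IOC is a quick stopgap rather than a substitute for body-based signatures.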

Monday, February 2, 2015

We are honored to announce to our community that ClamAV was chosen for the "Community Choice" award on SourceForge for the month of February!

A big thanks goes out to all of our users for voting for us, and we look forward to many new innovations in upcoming releases!

An excerpt:

For our February “Community Choice” Project of the Month, the community elected ClamAV, a GPL antivirus toolkit for UNIX that integrates with mail servers. The ClamAV team shared their thoughts about the project’s history, purpose, and direction.

Read our interview over on SourceForge's page for our answers!

Tuesday, January 27, 2015

ClamAV 0.98.6 is a bug fix release correcting the following:

  • Library shared object revisions.
  • Installation issues on some Mac OS X and FreeBSD platforms.
  • A patch from Sebastian Andrzej Siewior making ClamAV pid files compatible with systemd.
  • Fix a heap out-of-bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team.
  • Fix a heap out-of-bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team.
  • Fix a heap out-of-bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab.
  • Fix a heap out-of-bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. CVE-2014-9328.
  • Work around a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior.

Thanks to the following ClamAV community members for code submissions
and bug reporting included in ClamAV 0.98.6:

Sebastian Andrzej Siewior
Felix Groebert
Kevin Szkudlapski
Mark Pizzolato
Daniel J. Luke

Please download the latest release, ClamAV 0.98.6, from our download page.