Friday, February 11, 2011

How to create custom signatures for Immunet 3.0, powered by ClamAV

Immunet 3.0 is Sourcefire’s new cloud-based desktop anti-malware solution for Microsoft Windows. For best performance, an Internet connection is recommended. Additionally, Immunet 3.0 is powered by ClamAV, which allows users to stay protected even when not connected to the Immunet cloud. ClamAV built its reputation over the years on the UNIX platform as being a robust and capable enterprise-level anti-malware solution, which allows the advanced user to create their own signatures to complement the ones supplied and updated several times a day by Sourcefire.

Why is being able to use your custom signatures a great feature? Well, it’s because you can make your anti-malware program look for threats that you are the first to see or that you will be the only one to see (e.g. Advanced Persistent Threats, or APT). Or, you could have found that an older version of a proprietary program that's running on your network is vulnerable and you want to make sure that users only run the latest version. Writing a custom signature that targets the older program, can help you enforce that policy.

Here's how to get started on writing your own custom ClamAV signatures for Immunet 3.0.

Download the ClamAV command-line Signature Tool, sigtool (MD5:838f6b4ea87199b86f04e9efb96241c3). Now let’s say that test.exe is the file you want to create a signature for. To create a signature that will match only that file, use the --md5 option of sigtool (in this example, I am redirecting the output from sigtool into a file with a .hdb extension):

sigtool --md5
Pic.1: Signature using full MD5 hash of file.

Now, in this case the signature will match on only one file. You may want to write something that matches on multitple files. For example, in the case of executable files you may want to write a signature that will match a particular PE-section, and all files that have the same PE-section. To do so, break up your executable into its different PE-sections either manually or by using tools, identify the one you want to write a signature for (typically the sections are labelled .text, .rdata, .data, .idata, etc..) and use the --mdb option of sigtool (in this example I am redirecting the output from sigtool into a file with a .mdb extension):

sigtool --mdb
Pic.2: Signature using the hash of the PE-section of an executable.

Another way to have ClamAV detect a file is to base your signature on a hexadecimal fragment contained within the body of the file. Let's say you have a text file that contains the text I look like a benign file but actually I am a bad script and I will pwn your machine, if you don't pay attention. We decide that our detection will be based on detecting the phrase I am a bad script in any text files. To write a signature, we can start by echoing I am a bad script into sigtool --hex-dump (this time I'm not redirecting output into a file just yet):


Pic.3: Signature using the a hex fragment of a file.

Then I'm going to create a signature that has the format Name:TargetType:Offset:HexSignature and redirect it to a file with a .ndb extension, like I did at the end of the example above. You'll notice that I did not include the line break 0d0a in the hex signature.

For more in-depth information on how to create signatures, check out the documentation on Creating Signatures for ClamAV. There is also a webcast on the topic as well as a blog entry on how to create logical signatures for ClamAV.

Well, all that is good and I've created signatures, how do I load them into Immunet 3.0? You may very well ask.

First things first: Make sure that the ClamAV detection engine is turned on. Open Immunet 3.0, select “Settings” and switch the ClamAV “on”. Click on “Apply”.


Pic.4: Making sure that the ClamAV engine is turned on.

Optional (but highly recommended): Back in the main pane, click on “Update Now” to download the latest official ClamAV signatures.


Pic.5: "Update Now" to get the latest official ClamAV signatures.

Next, launch SigUI from Start->All Programs->Immunet 3.0->Custom Signature Tool.


Pic.6: SigUI's interface.

SigUI is a graphical user interface used to configure a back-end tool called Freshclam, which is used to download ClamAV signatures. Under the "Updater configuration”tab, you can enter proxy settings if you access the Internet using a proxy. To ensure that the settings have been entered properly, click on "Run freshclam to test configuration". Upon successfully accessing the Internet, Freshclam will exit without error (“Freshclam exited with code: 0”) (see Pic. 7):


Pic.7: Freshclam running.

Next, from the pull-down menu "Download Official Signatures from mirror", select where you want to download official ClamAV signatures from. By default, official signatures will be fetched from db.local.clamav.net. Although this works well most of the time, you may get better performance by using a server closer to your location. Mirrors are in the form db.XY.clamav.net, where XY is a two-letter country code. Alternatively, you can manually enter a hostname, such as your own server if that is where you are hosting the official ClamAV signatures. This completes the configuration for the automatic retrieval of official signatures.

To deploy your own signatures (or signatures provided by third-parties), you can either:
- specify their full URI (URL or UNC path) under Custom signatures URLs (see Pic. 6). The signatures can be in any format that ClamAV understands
- add the signatures file(s) under the "Local signature management tab" (see Pic. 8). At that point the signature aren’t yet installed. You must click on Verify and Install signatures to test the new signatures (see Pic. 9). The ones that pass verification will be installed and ClamAV will load them at the next database update


Pic.8: SigUI's "Local signature management" tab


Pic.9: Signatures installed after verification

Your custom signatures will be copied to the ClamAV signatures folder and loaded the next time the system is idle.

Voila! You now know how to write and deploy your own ClamAV signatures. You can also load third-party signatures written in the a format that ClamAV understands the same way you would your custom signatures. Again, you don't have to write your own signatures, but you can if you want and that is a powerful feature at your disposal. Feel free to contribute your signatures to our online forum. Feel free to post your questions to our mailing list. Additionally, you will find someone to answer your questions in the IRC chat room #clamav on irc.freenode.net.

3 comments :

  1. This is a great howto article and introduction to making custom signatures. It's pretty safe to say that a large number of malware analysts do so on platforms other than Windows, such as Linux and MacOSX. Is there a sigtool for those platforms? Will you be posting a similar article for other platforms?

    ReplyDelete
  2. Kevin, you can find a webcast on how to write ClamAV signatures for UNIX here: goo.gl/oACdt

    ReplyDelete
  3. Great article, and I appreciate you sharing your insight. The sigtool you linked in your article for creating new signatures, I thought could be quite useful for me, but, upon trying to download it, Google Chrome blocked the download, flagging as a dangerous threat. Still hoping to reap the benefits of such a tool, but at that point, being not entirely sure about it, I downloaded it to a secure location and scanned it with some tools of my own that leverage the ClamAV database, which flagged it under the "PUA.Win32.Packer.SetupExeSection" signature of the database.

    I also can see that the previous two comments were dated from back in 2011.

    Can you please verify if this file is safe to download, and perhaps confirm if there have been any unwarranted potentially malicious changes to that file since the date that it was originally linked by this article?

    Thanks.

    ReplyDelete