Annually, Cisco provides a Snort Scholarship to two individuals selected at random (by drawing) in the amount of $5000 US for higher education purposes.
To be eligible, you must meet the legal criteria found here on our website (at the bottom), sign up for the scholarship here, and following that, on or about July 10, 2015, two winners will be selected.
Good Luck!
Tuesday, June 16, 2015
Wednesday, June 3, 2015
The first beta release of ClamAV 0.99 is now on SourceForge!
ClamAV 0.99 has some important new features to improve malware detection.
First, ClamAV 0.99 supports YARA rules. YARA is another
popular open source project for malware detection, analysis, and classification.
YARA rules, in a nutshell, contain a list of strings and a powerful logical
expression called the YARA condition. A YARA condition is typically composed of
logical operations upon the YARA rule’s strings, with many other condition operators
available as well. YARA strings come in three flavors: literal text strings (with
modifier keywords NOCASE, FULLWORD, WIDE and ASCII), hexadecimal (including
wildcard and alternates, similar to substrings in ClamAV’s logical signatures),
and regular expressions. The full documentation about YARA rules may be found
at http://plusvic.github.io/yara/.
One of the key benefits ClamAV brings to YARA is leveraging ClamAV’s
myriad file decomposition capabilities. This enables YARA rules to automatically
match on malware residing in any of the compression, archive, document, or
packer formats provided by ClamAV.
Using YARA rules with ClamAV is simple: just place your YARA rule files into the ClamAV virus database location, which is /usr/local/share/clamav by default. Alternatively, you can place them in other locations and reference them with the "--database" command line option for clamscan, or with the clamd.conf "DatabaseDirectory" parameter if you are using clamd and clamdscan.
Additionally in ClamAV 0.99, we have added regular
expression support to ClamAV’s logical signatures. This will enable signature
authors to more readily reuse regular expression constructs from the Snort rule
collection, thus providing more powerful malware detection for ClamAV.
Regular expressions in both YARA rules and ClamAV logical signatures require the Perl Compatible Regular Expressions (PCRE) library. Please ensure PCRE is installed on your system when configuring ClamAV. ClamAV configuration will automatically look for PCRE in /usr/lib and /usr/local/lib. If you have PCRE installed in a different location, use "./configure --with-pcre=DIR" to specify the directory where PCRE resides.
There are currently a few limitations of YARA rules within
ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA
features that did not fit well into the ClamAV processing model. We hope to
further evaluate and include as much of this functionality as possible in subsequent
releases. YARA rules using any of the following features will be flagged in
error, and the respective rules will be disabled:
- Single byte YARA string components – currently in the ClamAV matcher, all strings, as well as components of strings delimited by wild cards, must be at least two bytes in length.
- External variables – variables referenced in YARA conditions whose value may be set using the "yara -d" command line option.
- Private rules – YARA rules which do not trigger by themselves. They are intended to match only when referenced by other YARA rules. These use the private keyword.
- Global rules – YARA rules whose conditions are intended to be in effect for all other YARA rules. These use the global keyword.
- Modules – a YARA feature intended to provide modular extensions to the YARA core. Modules are normally activated using the import keyword.
- Rules precompiled with the YARA compiler – ClamAV only reads YARA rules in the original source form.
- Rule tags – intended to provide a results filtering mechanism by specifying tag names on YARA rules and then using the "yara -t" command to name the matching rule tags of interest.
- References to other rules – intended to use the results from other YARA rules in a YARA condition.
- YARA rules containing only a YARA condition – YARA rules in ClamAV currently must contain at least one string.
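As an added example (not part of the original post, and not ClamAV's own tooling), the script below is a regex-based pre-check that flags the unsupported features listed above in a constructed rule set before the rules are dropped into the database directory. It is a heuristic, not a full YARA parser: the rule names, the sample rules and the "ext_flag" variable are all made up for the example.

```python
"""Heuristic pre-check for YARA features ClamAV 0.99 beta1 rejects (constructed example)."""
import re
# One header per rule: group 1 = modifiers, 2 = name, 3 = ":tag ..." suffix.
HEADER = re.compile(r'^\s*((?:(?:private|global)\s+)*)rule\s+(\w+)\s*(:[^{]*)?\{', re.M)
# Bare identifiers allowed in a condition; anything else is a rule reference or external variable.
KEYWORDS = {"and", "or", "not", "at", "in", "of", "them", "all", "any", "for", "filesize",
            "entrypoint", "true", "false", "contains", "matches", "KB", "MB", "int8", "int16",
            "int32", "uint8", "uint16", "uint32", "int8be", "int16be", "int32be", "uint8be",
            "uint16be", "uint32be"}

RULES = '''
import "pe"
private rule Helper { strings: $a = "helper"  condition: $a }
global rule Always { condition: filesize < 10MB }
rule Good {
    strings:
        $s1 = "evil string" nocase
        $h1 = { 6A 40 68 00 30 00 00 }
    condition: $s1 or $h1
}
rule SingleByte { strings: $h = { E8 ?? ?? ?? ?? 5D } $t = "A"  condition: $h or $t }
rule CondOnly : tagged { condition: filesize > 100 and Helper and ext_flag }
'''  # constructed sample rules; only "Good" should pass
def lint_yara(src):
    """Return (rule_name, problem) tuples; '<file>' marks file-level problems."""
    problems = []
    if re.search(r'^\s*import\s+"', src, re.M):
        problems.append(("<file>", "modules (import) are not supported"))
    heads = list(HEADER.finditer(src))
    names = {h.group(2) for h in heads}
    for i, h in enumerate(heads):
        mods, name, tags = h.group(1), h.group(2), h.group(3)
        body = src[h.end():heads[i + 1].start() if i + 1 < len(heads) else len(src)]
        if "private" in mods: problems.append((name, "private rule"))
        if "global" in mods: problems.append((name, "global rule"))
        if tags: problems.append((name, "rule tags"))
        m = re.search(r'strings:(.*?)condition:(.*)', body, re.S)
        strings_sec, cond = m.groups() if m else ("", body.split("condition:", 1)[-1])
        if not m: problems.append((name, "condition-only rule (no strings)"))
        # ClamAV's matcher needs every string, and every run between wildcards, to be >= 2 bytes.
        for txt in re.findall(r'\$\w*\s*=\s*"((?:[^"\\]|\\.)*)"', strings_sec):
            if len(txt) < 2: problems.append((name, f"single-byte text string {txt!r}"))
        for hexs in re.findall(r'\$\w*\s*=\s*\{([^}]*)\}', strings_sec):
            for comp in re.split(r'\?\?|\[[^\]]*\]|[()|]', hexs):  # split at ??, [n-m], ( | )
                if 0 < len(comp.split()) < 2: problems.append((name, f"single-byte hex component {comp.strip()!r}"))
        for ident in sorted(set(re.findall(r'(?<![$#@!\w.])[A-Za-z_]\w*', cond)) - KEYWORDS):
            kind = "reference to rule" if ident in names else "external variable"
            problems.append((name, f"{kind} {ident}"))
    return problems
```

Nibble wildcards such as "?A" are counted as bytes, and alternates are split at "(", "|" and ")", so a rule that passes here can still be rejected by clamscan; a rule flagged here will be.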
Monday, May 18, 2015
For years, we've had a system named "Lurker" that displayed the archives for our mailing lists. In practice we have been keeping the mailing list archives in two places: on Lurker, and on mailman itself. So we've decided to End of Life the Lurker machine in favor of the mailman system.
The most common place that links to Lurker directly is inside the notification emails that are sent to malware submitters when coverage is written, as well as the clamav-virusdb list when the db updates are pushed.
We plan on bringing Lurker down and changing the links in the alert emails on Friday, May 22, 2015.
Please be patient with us as we remove this system from the ClamAV network.
Labels:
clamav,
lurker,
mailing lists
Wednesday, May 13, 2015
The ClamAV community is growing and we are receiving more user-generated ClamAV signatures through our community signatures mailing list. Thanks to all who have contributed! For those who find the task of writing your own signatures daunting, we have created something you may be interested in.
To aid users in developing better ClamAV signatures faster, I've created the ClamAV Signature Creator (CASC), an IDA Pro plug-in. A quick and easy installation into IDA Pro 6.7 or higher (reduced feature set for IDA Pro 6.6) will have you creating basic ClamAV ndb and ldb signatures in no time. CASC allows users to select aspects of a sample's disassembly, a function block, or a set of strings to create a sub-signature. Each sub-signature can contain user-defined notes to keep track of information contained within the sub-signature. Once you've selected enough sub-signatures to get the job done, or as many as your heart desires, a ClamAV signature can be created from one or more sub-signatures.
Check out this IDA Pro plug-in on Github and its wiki for documentation.
Wednesday, April 29, 2015
TeslaCrypt, another malware family in the list of "lockers" that have come out (CryptoLocker, CryptoWall, etc.), is constantly being dropped by several methods, infecting machines, and generally making people's lives terrible.
That being said, a couple of researchers here on the ClamAV team at Talos took a look at this malware, broke it down for an explanation, and even released a tool so you can decrypt TeslaCrypt-locked drives yourselves.
We've released the tool on our blog post, including the source code (Open Source, GPLv2), and will be placing the code on our Github page soon.
Please take a look at this blog post if you've been a victim of TeslaCrypt, and if you have comments please leave them on the blog post over on our Talos blog!
Thanks!
Labels:
clamav
ClamAV 0.98.7 is here! This release contains new scanning features
and bug fixes.
- Improvements to PDF processing: decryption, escape sequence
handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified
and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
- Fix false negatives on files within iso9660 containers. This issue
was reported by Minzhuan Gong.
- Fix a couple of crashes on crafted upack packed file. Identified and
patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file.
Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted "xz" archive file.
This was reported by Dimitri Kirchner and Goulven Guiheux.
CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads.
Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's
regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by
Kai Risku.
- Improve detections within xar/pkg files.
As always, we appreciate contributions of bug reports, code fixes,
and sample submissions from the ClamAV community members:
Sebastian Andrzej Siewior
Minzhuan Gong
Dimitri Kirchner
Goulven Guiheux
John E. Krokes
Kai Risku
ClamAV 0.98.7 is always available from ClamAV.net on the downloads page.
Wednesday, February 25, 2015
I spotted this blog article over on thepcn3rd blog, with a really simple blog article on how to generate ClamAV detection quickly given an md5 for a malicious file.
Take a look at the blog here.
As I have researched malware and the indicators of compromise, an MD5 checksum of the files is provided so that you can detect them in your environment. I am not sure about your anti-virus, but I am not able to plug in an MD5 and have it search for them across the enterprise as it does its scan.
The blog highlights a great point about ClamAV and Open Source: the ability to generate your own detection!
Monday, February 2, 2015
We are honored to announce to our community that ClamAV was chosen for the "Community Choice" award on Sourceforge for the month of February!
A big thanks goes out to all of our users for voting for us, and we look forward to many new innovations in upcoming releases!
An excerpt:
For our February "Community Choice" Project of the Month, the community elected ClamAV, a GPL antivirus toolkit for UNIX that integrates with mail servers. The ClamAV team shared their thoughts about the project's history, purpose, and direction.
Read our interview over on Sourceforge's webpage for our answers!
Labels:
clamav,
sourceforge
Tuesday, January 27, 2015
ClamAV 0.98.6 is a bug fix release correcting the following:
- library shared object revisions.
- installation issues on some Mac OS X and FreeBSD platforms.
- includes a patch from Sebastian Andrzej Siewior making ClamAV pid files compatible with systemd.
- Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team.
- Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team.
- Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab.
- Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. CVE-2014-9328.
- Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior.
Thanks to the following ClamAV community members for code submissions
and bug reporting included in ClamAV 0.98.6:
Sebastian Andrzej Siewior
Felix Groebert
Kevin Szkudlapski
Mark Pizzolato
Daniel J. Luke
Please download the latest release of ClamAV, 0.98.6, from our download page.
Thursday, January 8, 2015
A nice article over on Kris Chase's blog about the Detection and Prevention of malware uploaded into Gravity Forms with ClamAV.
Check out the blog post.
One of the best and most widely used form building plugins for WordPress is gravity forms. If you’ve ever needed to allow users to upload files to your site, but you want to make sure those files are not harmful, the following tutorial will help you with just that!