Steve, Irshad,
I put this together from just a little research reading the documentation, examining the `clamscan --debug` output, and examining existing signatures in `daily.idb` and `daily.ldb`. Someone call me out if the details aren't 100% correct. I'm relatively inexperienced with writing signatures.
---
1. Scan your PE file with `clamscan --debug`, and redirect the output to a file so you can analyze it.
e.g.:
```
clamscan --debug ~/Downloads/iexplore.exe &> iexplore.log
```
2. Search the log for `IDB SIGNATURE`. There will probably be a bunch.
Example output from `iexplore.exe`:
```
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
LibClamAV debug: parseicon: Bitmap - 24x24x4
LibClamAV debug: edge areas: 148@(16,12) 144@(10,9) 107@(10,16)
LibClamAV debug: noedge areas: 19@(0,0) 75@(13,0) 78@(0,6)
LibClamAV debug: color areas: 4072@(16,7) 3907@(3,7) 3793@(2,13)
LibClamAV debug: gray areas: 113@(0,0) 1470@(9,12) 2017@(9,4)
LibClamAV debug: bright areas: 255@(0,0) 255@(15,3) 255@(0,6)
LibClamAV debug: dark areas: 233@(11,0) 233@(5,6) 233@(0,12)
LibClamAV debug: color spread: 43,0,56 56%
```
3. Copy the "IDB SIGNATURE" content for the icons of interest into an `.idb` file. Choose a unique ICON_NAME for each line in the `.idb` file.
The naming for `GROUP1` and `GROUP2` is a little arbitrary. If you look in `daily.idb`, you'll note that `GROUP2` names appear to be used for related malware families, whereas `GROUP1` appears to be for file types. For both group names, you may specify "UNUSED" if you don't plan to use it.
Example IDB sigs based on `clamscan` debug output scanning `iexplore.exe`:
```
iexplore-1:IEXPLORE:UNUSED:18f931008ea2040cdbe040605500005f20a056e80006ff0000ff1000ff0c06e90902ec0308f8000e6c08026001115e01090800001b09111c101137022a38
iexplore-2:IEXPLORE:UNUSED:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
iexplore-3:IEXPLORE:UNUSED:18fe81007f430307ed1020d07100005be090c7e10904ff0000ff0f03ff0006e90b00e90506e9000c94100c900a096b0a101300004b0d004e00062b003838
iexplore-4:IEXPLORE:UNUSED:10f530204f530209f0906010fe000075f07037f40608ff0000ff0400ff0903df0701df0305e7000999070a88070369030a2800003f040043000422004144
```
4. Finally, you need to write a Logical Signature (`.ldb`) that triggers on the `IconGroup#` you chose above.
Example LDB sig:
```
iexplore-example-sig;Engine:51-255,IconGroup1:IEXPLORE,Target:1;(0);4D5A900003000000
```
The LDB signature will alert if any of the `.idb` signatures matching the group name trigger. As a disclaimer, the example signature above is pretty lousy, because the sub-signature `4D5A900003000000` would trigger on any PE file. Take a look at signatures in `daily.ldb` that make use of `IconGroup1` or `IconGroup2` for production quality examples.
Regards,
-Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
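The four steps above, as an added example that is not part of the thread: a small Python helper that pulls the `IDB SIGNATURE` hashes out of `clamscan --debug` output, writes `.idb` lines with unique names, and checks that every `IconGroupN:` name referenced in an `.ldb` line is actually defined in the `.idb` (a misspelled group name means the logical signature can never fire). The function names and the sample log are my own; the two hashes are the ones shown in the thread for `iexplore.exe`.

```python
import re

# Constructed sample of `clamscan --debug` output. The two hashes are taken from
# the thread; the first IDB line is repeated on purpose, because the same icon
# often appears in several icon groups inside one PE and should be emitted once.
SAMPLE_LOG = """\
LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
LibClamAV debug: parseicon: Bitmap - 24x24x4
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:18f931008ea2040cdbe040605500005f20a056e80006ff0000ff1000ff0c06e90902ec0308f8000e6c08026001115e01090800001b09111c101137022a38
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
"""

IDB_LOG_LINE = re.compile(r"IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:([0-9a-f]+)\s*$")
IDB_ENTRY = re.compile(r"^([^:]+):([^:]+):([^:]+):([0-9a-f]+)$")


def extract_icon_hashes(log_text):
    """Icon fuzzy hashes from clamscan --debug output, in order, duplicates dropped."""
    seen, hashes = set(), []
    for line in log_text.splitlines():
        m = IDB_LOG_LINE.search(line)
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            hashes.append(m.group(1))
    return hashes


def build_idb(hashes, prefix, group1, group2="UNUSED"):
    """Emit .idb lines ICON_NAME:GROUP1:GROUP2:HASH, one unique name per hash."""
    return [f"{prefix}-{i}:{group1}:{group2}:{h}" for i, h in enumerate(hashes, 1)]


def icon_groups_in_idb(idb_lines):
    """Map IconGroup1/IconGroup2 to the group names an .idb actually defines."""
    groups = {"IconGroup1": set(), "IconGroup2": set()}
    for line in idb_lines:
        m = IDB_ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"malformed .idb line: {line!r}")
        groups["IconGroup1"].add(m.group(2))
        groups["IconGroup2"].add(m.group(3))
    return groups


def unresolved_icon_groups(ldb_line, idb_lines):
    """IconGroupN:NAME references in the .ldb target block that no .idb line defines."""
    tdb = ldb_line.split(";")[1]  # layout is name;TargetDescription;logic;sub0;...
    defined = icon_groups_in_idb(idb_lines)
    missing = []
    for key, value in (kv.split(":", 1) for kv in tdb.split(",")):
        if key in defined and value not in defined[key]:
            missing.append(f"{key}:{value}")
    return missing
```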
On Nov 9, 2018, at 6:45 AM, Irshad <***@gmail.com> wrote:
Hi Steve
This does not solve the problem, I don't know how to calculate the fuzzy hash of icon that is used in the signature.
Post by Irshad
Hi,
My apologies, if I am missing something obvious. I spent around 3 hours
Hi Irshad
Not sure if this will help but there are a few icon based sigs I think in
the current daily.cvd
So unpack them and then grep for IconG, something like this:
```
sigtool --unpack-current=daily
grep "IconG" daily.ldb
```
You can then see some examples on how they are used.
--
Cheers,
Steve
Twitter: @sanesecurity
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml