List: clamav-users
Subject: Re: [clamav-users] Scanning image files with embedded malware
From: "Maarten Broekman" <mbroekman () maileig ! com>
Date: 2012-08-14 14:03:21
Message-ID: 74B851F9F6DEF84CAB034690ABB54B1204CD69 () exchange4 ! bizland-inc ! com
> -----Original Message-----
> From: clamav-users-bounces@lists.clamav.net [mailto:clamav-users-
> bounces@lists.clamav.net] On Behalf Of David Raynor
>
> On Mon, Aug 13, 2012 at 4:28 PM, Maarten Broekman
> <mbroekman@maileig.com>wrote:
>
> > All,
> > I have a PHP.Remoteadmin-3 php script. I have another
> > file with the EXACT same PHP code in it but it starts with a GIF89a;
> > header. Running clamscan against the bare PHP.Remoteadmin-3 file
> > yields the following debug output:
> >
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: cache_check: 6dc368b3d0b9f8e714dd910b7bcdb602 is
> > negative
> > LibClamAV debug: Recognized ASCII text
> > LibClamAV debug: Matched signature for file type HTML data at 0
> > LibClamAV debug: in cli_scanhtml()
> > LibClamAV debug: cli_scanhtml: using tempdir
> > /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b
> > LibClamAV debug: JS-Norm: cli_js_init() done
> > LibClamAV debug: JS-Norm: in cli_js_parse_done()
> > LibClamAV debug: JS-Norm: dumped/appended normalized script to:
> > /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b/javascript
> > LibClamAV debug: JS-Norm: cli_js_destroy() done
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: FP SIGNATURE:
> > 6dc368b3d0b9f8e714dd910b7bcdb602:22187:PHP.Remoteadmin-3
> > LibClamAV debug: cli_magic_scandesc: returning 1 at line 2350
> > tmp.php: PHP.Remoteadmin-3 FOUND
> >
> > Running clamscan on the file with the GIF header
> > yields the following output:
> >
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: cache_check: 91aea7e046e095e8f17791189436f860 is
> > negative
> > LibClamAV debug: Recognized GIF file
> > LibClamAV debug: in cli_check_jpeg_exploit()
> > LibClamAV debug: Matched signature for file type HTML data at 9
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: cache_add: 91aea7e046e095e8f17791189436f860 (level 0)
> > LibClamAV debug: cli_magic_scandesc: returning 0 at line 2422
> > leone.php.pjpeg-20120813131847: OK
> >
> > In the original file, after matching the signature for
> > an HTML file, clamscan enters 'cli_scanhtml()'. In the GIF headed
> > file, it sees the GIF file, checks for exploits, then sees the HTML
> > data but never enters cli_scanhtml().
> >
> > Is this fixed by the commits for BB#5409? Or should I
> > submit a new bugzilla report?
> >
> > For now, I've added an MD5 checksum to my hdb file to
> > catch this specific instance, but I'd really like to get this resolved
> > so that file type transitions don't cause the scan to bail out.
> >
> > --Maarten
> >
> >
>
> The signature in question (PHP.Remoteadmin-3) is an older one inside
> main.cvd. It searches for a specific sequence anywhere in the file but
> that signature is specifically marked for HTML files only. What you are
> seeing in the debug log is the ClamAV matcher reporting that it found
> the sequence within the GIF file and also reports the signature type
> [in this case, HTML]. ClamAV is not treating the GIF file content after
> the header as HTML content. It would be normalizing it and scanning for
> scripts and other follow-up steps if it were. I don't think it would be
> efficient to treat all graphics files as archives and scan the binary
> content. If there is a related exploit, then a new or updated signature
> will need to be written.
>
> If you are seeing this file as a part of a malware attack, then please
> go to http://www.clamav.net/ and submit this as a malware sample. An
> analyst may want to contact you about more details.
>
> Dave R.
>
Thanks Dave. I took the normalized signature from the main.cvd and
found the same content in the GIF file and created a new,
non-normalized, signature to match it instead of using the MD5 checksum.
As I found the GIF file in one of the directories where a customer had
WordPress installed, it does look like a malware attack. Running the
GIF file through the PHP CLI yielded all the HTML code to render a
remote admin interface in a browser. I'll send in the file as a malware
sample.

--Maarten
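The thread's point is that a signature marked for the HTML target type never fires once ClamAV has typed the file as a GIF, so an image/PHP polyglot slips through until a signature with a broader target type exists. The script below is an added example, not code from ClamAV or from either poster: it flags files that carry a GIF87a/GIF89a magic and also contain a PHP open tag, and it formats a ClamAV .ndb line with target type 0 (any file) for the bytes you choose to match, which is the "non-normalized" style of signature Maarten describes writing. The .ndb layout (Name:TargetType:Offset:HexPattern, with target 0 = any file and 3 = normalized HTML) is ClamAV's documented format; the signature name, the directory-walk helper and the sample bytes are constructed for the example.

```python
"""Added example (not ClamAV code): spot GIF/PHP polyglots on disk and build
a ClamAV .ndb signature with target type 0 so the match does not depend on
the scanner typing the file as HTML."""
import re
import tempfile
from pathlib import Path

GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?php\b", re.IGNORECASE)


def is_gif_php_polyglot(data: bytes) -> bool:
    """True when the file starts like a GIF but also carries a PHP open tag."""
    return data.startswith(GIF_MAGIC) and PHP_TAG.search(data) is not None


def php_tag_offset(data: bytes):
    """Byte offset of the first PHP open tag, or None if there is none."""
    m = PHP_TAG.search(data)
    return m.start() if m else None


def ndb_signature(name: str, pattern: bytes, target_type: int = 0, offset: str = "*") -> str:
    """Format a ClamAV .ndb line: Name:TargetType:Offset:HexPattern.

    Target type 0 = any file, 3 = HTML (normalized). A type-3 signature is
    only evaluated against normalized HTML, which is why it does not fire
    on a file ClamAV has already recognized as a GIF. '*' means any offset.
    """
    if not pattern:
        raise ValueError("empty pattern")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("signature name must use only [A-Za-z0-9._-]")
    return f"{name}:{target_type}:{offset}:{pattern.hex()}"


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. a web root) and list GIF/PHP polyglots found."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            data = p.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if is_gif_php_polyglot(data):
            hits.append((p.name, php_tag_offset(data)))
    return hits


# Constructed samples (stand-ins, not the file from the thread).
SAMPLE_POLYGLOT = b"GIF89a;\n<?php echo 'remote admin'; ?>\n"
SAMPLE_CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
                    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
SAMPLE_PLAIN_PHP = b"<?php echo 1; ?>"


def demo_scan() -> list:
    """Write the samples into a temp directory and sweep it; returns the hits."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "leone.php.pjpeg").write_bytes(SAMPLE_POLYGLOT)
        Path(d, "logo.gif").write_bytes(SAMPLE_CLEAN_GIF)
        Path(d, "index.php").write_bytes(SAMPLE_PLAIN_PHP)
        return scan_tree(d)


if __name__ == "__main__":
    for name, off in demo_scan():
        print(f"{name}: GIF header with PHP open tag at offset {off}")
    # Hypothetical signature name; the hex is the PHP open tag itself.
    print(ndb_signature("Example.GifPhpPolyglot", b"<?php"))
```

Only the polyglot is reported; the plain PHP file is a normal web root member and the clean GIF has no script tag. Matching on just `<?php` would be far too broad for a production signature (any PHP file matches), so in practice the pattern passed to ndb_signature is a longer, distinctive slice of the payload, as Maarten did when he lifted the content from main.cvd.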
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml