
List:       clamav-users
Subject:    Re: [clamav-users] Scanning image files with embedded malware
From:       "Maarten Broekman" <mbroekman () maileig ! com>
Date:       2012-08-14 14:03:21
Message-ID: 74B851F9F6DEF84CAB034690ABB54B1204CD69 () exchange4 ! bizland-inc ! com

> -----Original Message-----
> From: clamav-users-bounces@lists.clamav.net [mailto:clamav-users-
> bounces@lists.clamav.net] On Behalf Of David Raynor
> 
> On Mon, Aug 13, 2012 at 4:28 PM, Maarten Broekman
> <mbroekman@maileig.com> wrote:
> 
> > All,
> > I have a PHP.Remoteadmin-3 php script.  I have another
> > file with the EXACT same PHP code in it but it starts with a GIF89a;
> > header.  Running clamscan against the bare PHP.Remoteadmin-3 file
> > yields the following debug output:
> >
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: cache_check: 6dc368b3d0b9f8e714dd910b7bcdb602 is negative
> > LibClamAV debug: Recognized ASCII text
> > LibClamAV debug: Matched signature for file type HTML data at 0
> > LibClamAV debug: in cli_scanhtml()
> > LibClamAV debug: cli_scanhtml: using tempdir /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b
> > LibClamAV debug: JS-Norm: cli_js_init() done
> > LibClamAV debug: JS-Norm: in cli_js_parse_done()
> > LibClamAV debug: JS-Norm: dumped/appended normalized script to: /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b/javascript
> > LibClamAV debug: JS-Norm: cli_js_destroy() done
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: FP SIGNATURE: 6dc368b3d0b9f8e714dd910b7bcdb602:22187:PHP.Remoteadmin-3
> > LibClamAV debug: cli_magic_scandesc: returning 1  at line 2350
> > tmp.php: PHP.Remoteadmin-3 FOUND
> >
> > Running clamscan on the file with the GIF header
> > yields the following output:
> >
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: cache_check: 91aea7e046e095e8f17791189436f860 is negative
> > LibClamAV debug: Recognized GIF file
> > LibClamAV debug: in cli_check_jpeg_exploit()
> > LibClamAV debug: Matched signature for file type HTML data at 9
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: cache_add: 91aea7e046e095e8f17791189436f860 (level 0)
> > LibClamAV debug: cli_magic_scandesc: returning 0  at line 2422
> > leone.php.pjpeg-20120813131847: OK
> >
> > In the original file, after matching the signature for
> > an HTML file, clamscan enters 'cli_scanhtml()'.  In the GIF headed
> > file, it sees the GIF file, checks for exploits, then sees the HTML
> > data but never enters cli_scanhtml().
> >
> > Is this fixed by the commits for BB#5409?  Or should I
> > submit a new bugzilla report?
> >
> > For now, I've added an MD5 checksum to my hdb file to
> > catch this specific instance, but I'd really like to get this resolved
> > so that file type transitions don't cause the scan to bail out.
> >
> > --Maarten
> >
> >
> 
> The signature in question (PHP.Remoteadmin-3) is an older one inside
> main.cvd. It searches for a specific sequence anywhere in the file but
> that signature is specifically marked for HTML files only. What you are
> seeing in the debug log is the ClamAV matcher reporting that it found
> the sequence within the GIF file and also reports the signature type
> [in this case, HTML]. ClamAV is not treating the GIF file content after
> the header as HTML content. It would be normalizing it and scanning for
> scripts and other follow-up steps if it were. I don't think it would be
> efficient to treat all graphics files as archives and scan the binary
> content. If there is a related exploit, then a new or updated signature
> will need to be written.
> 
> If you are seeing this file as a part of a malware attack, then please
> go to http://www.clamav.net/ and submit this as a malware sample. An
> analyst may want to contact you about more details.
> 
> Dave R.
> 

Thanks Dave.  I took the normalized signature from the main.cvd and
found the same content in the gif file and created a new,
non-normalized, signature to match it instead of using the MD5 checksum.
As I found the gif file in one of the directories where a customer had
WordPress installed, it does look like a malware attack.  Running the
gif file through the php cli yielded all the HTML code to render a
remote admin interface in a browser.  I'll send in the file as a malware
sample.

--Maarten
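The thread above turns on two things a defender can check for themselves: whether a file that claims to be an image (GIF89a header) carries a script body, and how to write a custom ClamAV body signature that is not restricted to the HTML target type so a file-type transition does not skip it. The Python below is an added example, not code from the thread or from ClamAV. It constructs a harmless GIF-prefixed PHP stub in place of the real sample, flags it as an image/script polyglot, and emits the two signature forms discussed: an .hdb line (MD5:size:name, the stopgap Maarten used first) and an .ndb line (name:targettype:offset:hexsig, with target type 0 meaning "any file" rather than 3 for "HTML", per the ClamAV signature documentation). The byte pattern chosen for the .ndb line and the tiny wildcard-offset matcher are assumptions for the example; ClamAV's own matcher is not reimplemented here.

```python
import hashlib

# Constructed sample: a harmless PHP stub behind a GIF89a header, mirroring the
# file layout described in the thread. This is NOT the remote admin script.
GIF_HEADER = b"GIF89a;"
PHP_STUB = b'<?php echo "constructed sample, not the remote admin script"; ?>'
POLYGLOT_SAMPLE = GIF_HEADER + b"\n" + PHP_STUB

# Magic prefixes used only to decide what the file *claims* to be.
IMAGE_MAGIC = {
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
}

# Script markers that have no business inside an image container.
SCRIPT_MARKERS = [b"<?php", b"<?=", b"<script"]


def claimed_image_type(data: bytes):
    """Image type implied by the leading magic bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded_script(data: bytes):
    """Return (marker, offset) of the earliest script marker, or None."""
    hits = [(m, data.find(m)) for m in SCRIPT_MARKERS]
    hits = [(m, off) for m, off in hits if off != -1]
    if not hits:
        return None
    return min(hits, key=lambda h: h[1])


def is_image_script_polyglot(data: bytes) -> bool:
    """True when the file claims to be an image but carries a script body."""
    return claimed_image_type(data) is not None and find_embedded_script(data) is not None


def hdb_signature(name: str, data: bytes) -> str:
    """ClamAV .hdb line: MD5:FileSize:Name. Catches one exact file only."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(name: str, pattern: bytes, target_type: int = 0, offset: str = "*") -> str:
    """ClamAV .ndb line: Name:TargetType:Offset:HexSignature.

    target_type 0 = any file, so a GIF-headed copy is not skipped the way a
    type-3 (HTML-only) signature is. offset '*' means anywhere in the file.
    """
    return f"{name}:{target_type}:{offset}:{pattern.hex()}"


def ndb_matches(sig_line: str, data: bytes) -> bool:
    """Minimal offline check for the wildcard-offset .ndb form built above
    (an assumption for this example; ClamAV's matcher does far more)."""
    _name, _target_type, offset, hexsig = sig_line.split(":")
    if offset != "*":
        raise ValueError("only '*' offsets are handled in this example")
    return bytes.fromhex(hexsig) in data


if __name__ == "__main__":
    print("claimed type:", claimed_image_type(POLYGLOT_SAMPLE))
    print("embedded script:", find_embedded_script(POLYGLOT_SAMPLE))
    print("polyglot:", is_image_script_polyglot(POLYGLOT_SAMPLE))
    print(hdb_signature("Constructed.Polyglot.Test", POLYGLOT_SAMPLE))
    sig = ndb_signature("Constructed.Polyglot.Test", b"remote admin")
    print(sig, "->", ndb_matches(sig, POLYGLOT_SAMPLE))
```

The polyglot check is the cheap triage step for a web root: a real GIF or JPEG has no reason to contain `<?php`, so any hit is worth a look regardless of whether a ClamAV signature fires. The .ndb line is the durable fix the thread arrives at; pick a byte sequence from the script body itself (not from the header) and leave the target type at 0 so the same code is caught whether it arrives bare or behind an image header.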
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml