Create custom signatures for ClamAV

2022-10-10
admin

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. 

CVD (ClamAV Virus Database) is a digitally signed container that includes signature databases in various text formats.

Hash-based signatures

The easiest way to create signatures for ClamAV is to use MD5 checksums, however this method can be only used against static malware. To create a signature for test.exe use the --md5 option of sigtool:

sigtool --md5 test.exe > test.hdb

That’s it! The signature is ready to use:

clamscan -d test.hdb test.exe

You can change the name (by default sigtool uses the name of the file) and place it inside a *.hdb file. A single database file can include any number of signatures. To get them automatically loaded each time clamscan/clamd starts just copy the database file(s) into the local virus database directory (eg. /usr/local/share/clamav).

PE section based

You can create a hash signature for a specific section in a PE file. Such signatures shall be stored inside .mdb files in the following format:

PESectionSize:PESection:Malware

Body-based signatures

ClamAV stores all body-based signatures in a hexadecimal format. In this section by a hex-signature we mean a fragment of malware’s body converted into a hexadecimal string which can be additionally extended using various wildcards.

You can use sigtool --hex-dump to convert any data into a hex-string:

sigtool --hex-dump

We will be looking more into extended signature format.

The extended signature format allows for specification of additional information such as a target file type, virus offset or engine version, making the detection more reliable. The format is:

MalwareName:TargetType:Offset:Hex

Here is an example of one signature that we created:

alvosec_random175:3:*:6A6B656D70...

First is malware name (alvosec_random175), target type is 3 which stands for HTML files, 0 is for any, 10 is for PDF and so on. Next we have offset with value "*".

Offset is an asterisk or a decimal number n possibly combined with a special modifier:

  • * = any
  • n = absolute offset
  • EOF-n = end of file minus n bytes

Most of the time we are setting offset to any *.

Next we have hex signature (6A6B656D70313267406F322E706C), now if we convert that hex to text it will become: jkemp12g@o2.pl. Use this website to convert text to hex and vice versa.

Optional MinFL and MaxFL parameters can restrict the signature to specific engine releases. All signatures in the extended format must be placed inside *.ndb files.

Join our team

If you're interested in joining our team to assist in researching modern threats across web3, please don't hesitate to reach out to us.

Contact Us

Ready for Action?

Don’t hesitate to contact us if you need more information.
Let's Go!
ALVOSEC
BTC: bc1qnn4zfqqtexl4fkjk2vz6tk74sn92x326wwn0ph

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram