Automatic Tool for Static Analysis
2014.09.27
C.K.Chen
Outline
• ClamAV
• YARA
Signature-based Analysis
• Most current antivirus products rely on signatures to detect malware
ClamAV
• ClamAV is an open source antivirus engine
– Fast and flexible framework for detecting malicious code
– Write signatures and scan a broad range of content without writing specific parsers
Functionalities of ClamAV
• Detection databases in ClamAV
– MD5 hashes of known malicious binaries (stored in .hdb)
– MD5 hashes of PE sections (stored in .mdb)
– Hexadecimal signatures (stored in .ndb)
– Archive metadata signatures (stored in .zmd or .rmd)
– White list database of known good files (stored in .fp)
– Matching signatures (stored in .ldb)
– Icon signatures (stored in .ldb)
– PE metadata strings (stored in .ldb or .ndb)
– Container metadata (stored in .cdb)
Database
• ClamAV signatures exist in
– /usr/local/share/clamav
– /usr/lib/clamav
• Database
– The main.cld file contains the primary base of signatures
– daily.cld contains incremental daily updates
Signature
• SigName:Target:Offset:HexadecimalSignature
• The SigName field is a unique, descriptive name for your signature
• Target
– 0 = Any file type
– 1 = Windows PE
– 2 = OLE (e.g. Office, VBA)
– 3 = Normalized HTML
– 4 = E-mail file (e.g. RFC822 message, TNEF)
– 5 = Image files (e.g. jpeg, png)
– 6 = ELF
– 7 = Normalized ASCII file
– 8 = Unused
– 9 = Mach-O binaries (new in v0.96)
SigTool
• sigtool
– --hex-dump: convert data from string to hex
– --md5: generate an MD5 checksum in signature format
– --mdb: generate a .mdb signature
– -u: unpack a CVD/CLD signature database
XF.Sic.E Signature
• daily.ndb:XF.Sic.E:2:*:2a2a536574204f75722056616c75657320616e642050617468732a2a??00002a2a416464204e657720576f726b626f6f6b2c20496e66642049742c205361766520497420417320426f6f312e
– (grep output: the leading daily.ndb: is the file name, the rest is the SigName:Target:Offset:Hex record)
• Detects a string in a file
– **Set Our Values and Paths**???**Add New Workbook, Infd It, Save It As Boo1.
Wildcards
• ?? – Match any single byte
• * – Match any number of bytes
• {n} – Match exactly n bytes
• {-n} – Match n or fewer bytes
• {n-} – Match n or more bytes
• (a|b) – Match either a or b (more alternatives can be listed)
Use Your Own Database
• clamscan -d <your database> target_file
Practice
• Write a signature for a file containing helloworld
– What if helloworld must lie within bytes 200~300?
Conficker Signature
• Unpack the database
– sigtool -u main.cvd
• Grep for conficker
Byte Signature
• ShellcodeXOR:0:*:33c966b9????80340a??b2??eb
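The wildcard syntax, the ShellcodeXOR byte signature above and the helloworld practice (a match that must start between bytes 200 and 300) can all be exercised with a small matcher. This is an added example, not ClamAV code or a tool from the slides: it translates the hex-signature syntax into a Python bytes regex and applies one .ndb record, assuming that an Offset written as start,maxshift means the match must begin inside that window.

```python
import re

# Tokens of a ClamAV hex-signature body: hex byte, ??, *, {n} {-n} {n-} {n-m}, (a|b)
_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|\(([0-9a-fA-F|]+)\)|([0-9a-fA-F]{2})")

def hexsig_to_regex(body: str) -> bytes:
    """Translate a ClamAV hex signature with wildcards into an equivalent bytes regex."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(body):
        if m.start() != pos:                     # characters the tokenizer could not consume
            raise ValueError(f"bad signature near {body[pos:]!r}")
        pos, tok = m.end(), m.group(0)
        if tok == "??":
            parts.append(b".")                   # exactly one arbitrary byte
        elif tok == "*":
            parts.append(b".*")                  # any number of bytes
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if dash:                             # {-n} -> 0..n, {n-} -> n.., {n-m} -> n..m
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
            else:                                # {n} -> exactly n bytes
                parts.append(b".{%d}" % int(lo))
        elif tok.startswith("("):                # (a|b): alternatives, each a hex string
            alts = [re.escape(bytes.fromhex(a)) for a in m.group(4).split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(body):
        raise ValueError(f"bad signature near {body[pos:]!r}")
    return b"".join(parts)

def ndb_scan(line: str, data: bytes):
    """Apply one .ndb record (SigName:Target:Offset:Hex) to data; returns (SigName, offset) or None.
    Target is not checked. Offset forms handled: '*', an absolute offset, and 'start,maxshift'
    (assumed meaning: the match must begin between start and start+maxshift)."""
    name, _target, offset, body = line.strip().split(":", 3)
    pat = re.compile(hexsig_to_regex(body), re.DOTALL)
    if offset == "*":
        m = pat.search(data)
    elif "," in offset:
        start, shift = (int(x) for x in offset.split(","))
        m = pat.search(data, start)
        if m and m.start() > start + shift:
            m = None
    else:
        m = pat.match(data, int(offset))         # must start exactly at the absolute offset
    return (name, m.start()) if m else None
```

The sample buffers in the checks are constructed by hand; the `??` positions of ShellcodeXOR are filled with arbitrary bytes.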
Logical Signatures
• Recent versions of ClamAV can understand complex signatures based on logical expressions
– SigName;Target;Expression;Sig0;Sig1;….;SigN
– The Expression field is a logical expression in which each signature is represented by its index value
– Operators OR (|) and AND (&)
– With =, < and > you can control the number of occurrences of each signature that must be found in a file before an alert is produced
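An evaluator for the logical-signature format described above, added here as an illustration rather than taken from ClamAV: each sub-signature is counted in the data, then the expression is evaluated with the &, |, =, <, > operators from the slide. The precedence (& before |), the literal-hex-only sub-signatures and the Target:0 block used in the checks are assumptions; real ClamAV logical signatures allow more than this.

```python
import re

class _Expr:
    """Recursive-descent evaluator for a logical-signature expression. Assumed grammar: '&' binds
    tighter than '|', parentheses group, a bare index N is true when sub-signature N occurred at
    least once, and N=k / N<k / N>k compare its occurrence count with k (the slide's =,<,>)."""
    def __init__(self, expr: str, counts):
        self.toks = re.findall(r"\d+|[()&|=<>]", expr)
        if "".join(self.toks) != expr.replace(" ", ""):
            raise ValueError(f"unexpected characters in {expr!r}")
        self.counts, self.i = counts, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def or_expr(self):
        v = self.and_expr()
        while self.peek() == "|":
            self.take()
            v = self.and_expr() or v      # evaluate the right side too, so parsing continues
        return v
    def and_expr(self):
        v = self.atom()
        while self.peek() == "&":
            self.take()
            v = self.atom() and v
        return v
    def atom(self):
        tok = self.take()
        if tok == "(":
            v = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return v
        n = self.counts[int(tok)]         # IndexError if the index has no sub-signature
        if self.peek() in ("=", "<", ">"):
            op, k = self.take(), int(self.take())
            return {"=": n == k, "<": n < k, ">": n > k}[op]
        return n > 0

def ldb_match(line: str, data: bytes) -> bool:
    """Apply one .ldb record (SigName;Target;Expression;Sig0;...;SigN) to data. Literal hex only."""
    _name, _target, expr, *subsigs = line.strip().split(";")
    counts = [data.count(bytes.fromhex(s)) for s in subsigs]   # occurrences per sub-signature
    p = _Expr(expr, counts)
    result = p.or_expr()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result
```

The demo record in the checks (constructed, not a real signature) is "Demo.Bot;Target:0;(0&1)|2>2;..." with the hex of UploadFile, GetKeys and Sleep as sub-signatures 0, 1 and 2.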
DLL Injection Signature
Section Signature
• Use section information to construct the signature
– More robust than a whole-file checksum
MD5 Signature
• sigtool --md5 test.exe > test.hdb
• cat the file to see the signature format
Type of Database
Practice
• Develop a signature for bot.exe
– String
– MD5
– Hash of section
– Else …..
YARA
• Flexible identification and classification engine
– rules that detect strings, instruction sequences, regular expressions, byte patterns, and so on
– scan files using the command-line utility
– C or Python tools with YARA's API
What does a YARA signature look like?
• ClamAV signature
• YARA signature
Another example
• Any file containing $a, $b or $c is recognized as silent_banker
Reserved Words
Condition Section
• The condition block must exist
Practice
• rule dummy { condition: true }
• yara my_rule any_file
String Section
• The strings definition section can be omitted if the rule doesn't rely on any string
• The strings definition section is where the strings that will be part of the rule are defined
• Each string has an identifier consisting of a $
Regular expressions
• Regular expressions are supported
String offsets or virtual addresses
• Usually we only want to know whether the associated string is anywhere within the file or process memory
Executable entry point
• If the file is a Portable Executable (PE) or Executable and Linkable Format (ELF), this variable holds the raw offset of the executable's entry point
• If we are scanning a running process, entrypoint will hold the virtual address of the main executable's entry point
• A typical use of this variable is to look for some pattern at the entry point to detect packers or simple file infectors
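An added example (not from the slides, and not YARA's or ClamAV's own code) tying together the Section Signature, MD5 Signature and entry point slides: it walks a PE's section table, converts AddressOfEntryPoint to the raw file offset that YARA's entrypoint variable holds for a PE file, and emits records in the assumed .hdb (MD5:size:name) and .mdb (sectionsize:MD5:name) layouts. build_sample_pe constructs a minimal PE32 so everything runs offline.

```python
import hashlib
import struct

def pe_sections(data: bytes):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_ptr) per section; nothing if not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return
    _mach, nsec, _ts, _sym, _nsym, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    table = pe + 24 + opt_size                             # section table follows the optional header
    for i in range(nsec):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        yield (name,) + struct.unpack_from("<IIII", data, off + 8)

def entry_point_offset(data: bytes):
    """Raw file offset of AddressOfEntryPoint, i.e. what YARA's entrypoint holds for a PE file."""
    secs = list(pe_sections(data))
    if not secs:
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    ep_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    for _n, vsize, vaddr, rawsize, rawptr in secs:
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):      # RVA -> raw via the owning section
            return ep_rva - vaddr + rawptr
    return None

def hdb_line(data: bytes, name: str) -> str:
    """Assumed .hdb record (what sigtool --md5 writes): MD5 of the whole file, file size, name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def mdb_lines(data: bytes, name: str):
    """Assumed .mdb records: raw section size, MD5 of the section's raw bytes, name."""
    return [f"{rawsize}:{hashlib.md5(data[rawptr:rawptr + rawsize]).hexdigest()}:{name}"
            for _n, _vs, _va, rawsize, rawptr in pe_sections(data) if rawsize]

def build_sample_pe(ep_code: bytes = b"\xcc\xcc") -> bytes:
    """Constructed minimal PE32 with one .text section (sample input, not a real binary)."""
    text_va, text_raw, text_size, ep_rva = 0x1000, 0x200, 0x200, 0x1010
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x102)   # "PE\0\0" + COFF header
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, text_size, 0, 0, ep_rva).ljust(224, b"\0")
    sec = (b".text".ljust(8, b"\0") + struct.pack("<IIII", text_size, text_va, text_size, text_raw)).ljust(40, b"\0")
    img = bytearray((b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + coff + opt + sec).ljust(text_raw + text_size, b"\0"))
    ep = ep_rva - text_va + text_raw
    img[ep:ep + len(ep_code)] = ep_code                    # place marker bytes at the entry point
    return bytes(img)
```

Checking data[entry_point_offset(data):] against a byte pattern is the file-based form of the packer check the slide describes.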
VM Detect Rule
Compatible
• ClamAV to YARA
• PEiD to YARA
Practice
• Write the rule for bot.exe