ClamAV: Creating Signatures with Sigtool
ClamAV is an open-source antivirus tool that provides many functionalities that traditional antivirus solutions do not. In my latest lab at Utica College, I used the sigtool utility that comes packaged with ClamAV to create signatures for files that previously went undetected.
The exercise started when I downloaded ClamAV and used it to scan a directory containing just over a hundred malicious files. The results of this scan can be seen in Figure 1. In this scan ClamAV was used with the default ruleset to scan the ~ /Documents/malware/ directory.
The commands I used to generate the first report file were:
#Download ClamAV sudo apt install clamav #Update ClamAV to use the latest signatures sudo freshclam #scan the entire directory and output to a report file sudo clamscan -v > report-1.txt
(Figure 1: Using ClamAV to scan directory with malware.)
In the previous scan ClamAV showed that it did not have signatures for the majority of the files. In order to create signatures, I used sigtool and sent the output to NewVirus.hdb. sigtool was used with the --md5 switch signifying that it would create signatures for the md5's of each file presented, and a * was used to signify all files in the malware directory were to be sent to sigtool. Finally, I piped the output of this command to NewVirus.hdb using a bash redirect This NewVirus.hdb file is in a format that ClamAV can use in future scans. My sigtool command can be seen in Figure 2. Additionally, the last ten lines of NewVirus.hdb can be seen in Figure 2.
The syntax used was:
sigtool --md5 * > NewVirus.hdb
(Figure 2: Creation of NewVirus.hdb via sigtool.)
Once NewVirus.hdb was created, it needed to be moved to the directory ClamAV utilizes. The command I used to move NewVirus.hdb can be seen in Figure 3. Once the new signature file was moved to /var/lib/clamav/ I then printed out the contents of that directory.
I did this using the following commands:
sudo mv NewVirus.hdb /var/lib/clamav/ ls /var/lib/clamav/
(Figure 3: Moving New Virus.hdb to the directory used by ClamAV. )
Once the NewVirus.hdb signature file was located in the correct directory, I then used ClamAV to rescan the directory and I sent the output to a second report file named report-2.txt. This action can be seen being completed in Figure 4. Once the malware directory was rescanned with the updated ruleset, ClamAV determined that 105 files in the directory were malicious. These results can be seen outlined in red in Figure 4.
I completed this using the following commands:
clamscan -v > report-2.txt tail report-2.txt
(ClamAV scanning ~ /Document/malware/ with updated ruleset.)
So this was a quick exercise in using sigtool to create signatures for ClamAV. I scanned files and showed that there weren't any signatures currently in the ClamAV ruleset. Then I used sigtool to create a database file containing signatures for the MD5 hash values of each file in the ~ /Documents/malware/ directory. Finally, I used ClamAV with an updated ruleset to scan the directory. This time 105 files matched ClamAV signatures.
I encourage you to fire up your favorite Linux machine, download ClamAV, and try writing a signature with sigtool.