Wednesday, March 1, 2017

ClamAV & detection of a pcap file

Introduction
I had a bunch of pcap files that I created last year and gave digital forensics students an assignment based on the data contained in them. ClamAV flagged one of the files as malicious.

The lab had ClamAV set up with scheduled scanning enabled; it scans at night. The lab machines were also used for the forensics exercise. I woke up the next day to a bunch of alerts from ClamAV (ClamWin, to be specific) about one of my pcap files. I knew I had used Metasploit when generating that pcap, but I wanted to know why it got detected.

This post investigates that. None of the techniques used in this post are new; signature creation for ClamAV is nicely documented.

Analysis
My setup: Kali Linux with ClamAV installed.

My first step was to figure out what ClamAV identifies this file as.
I updated ClamAV on Kali, then scanned the file.
It is labeled Win.Exploit.Fnstenv_mov-1. This has to do with a Metasploit payload; I used Metasploit when creating this pcap.

Now I need to look at the signature for Win.Exploit.Fnstenv_mov-1.
ClamAV stores signatures in /var/lib/clamav; the files have the extension .cvd.
I copied main.cvd, used sigtool (documented at https://linux.die.net/man/1/sigtool) to unpack it, then searched the unpacked files for Win.Exploit.Fnstenv_mov-1.

To understand what “Win.Exploit.Fnstenv_mov-1:0:*:d9eed97424f45b817313{4}83ebfce2f4” means, I looked up how ClamAV signatures are created. I came across this blog post: "Create Your Own Anti-Virus Signatures with ClamAV" http://blog.adamsweet.org/?p=250

This is the format according to that post: “Name:Type:Offset:malware hex output”
Name: Win.Exploit.Fnstenv_mov-1
Type: 0 = Any file
Offset: * = Any
Hex: d9eed97424f45b817313


Next step was to search for the hex in Wireshark.
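To show why a scan of raw packet bytes trips this signature, here is an added example (my code, not from the post or from ClamAV) that parses the full .ndb line quoted above, including the `{4}` part that the Hex line leaves off, and searches a byte buffer with it the way ClamAV searches a file when the offset is `*`. In ClamAV's hex syntax `{n}` matches exactly n arbitrary bytes, `{n-m}` between n and m, `??` one byte and `*` any run; those four wildcard bytes are where the immediate operand of the `xor` sits. The instruction mnemonics in the comments are my own decoding of the signature bytes, and the sample stream, including the XOR key, is constructed for this example.

```python
import re

# ClamAV .ndb body signature quoted in the post (Name:TargetType:Offset:HexSignature).
# TargetType 0 = any file type, Offset * = may occur anywhere in the file.
FNSTENV_SIG = "Win.Exploit.Fnstenv_mov-1:0:*:d9eed97424f45b817313{4}83ebfce2f4"


def parse_ndb(line):
    """Split one .ndb line into its four fields."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hex": hexsig}


def hexsig_to_regex(hexsig):
    """Translate a ClamAV hex body into a compiled bytes regex.

    Handles literal hex byte pairs, '??' (any single byte), '*' (any run of
    bytes), '{n}' (exactly n bytes) and '{n-m}' / '{n-}' / '{-m}' ranges.
    """
    parts = []
    i = 0
    while i < len(hexsig):
        c = hexsig[i]
        if c == "*":
            parts.append(b".*")
            i += 1
        elif c == "{":
            end = hexsig.index("}", i)
            body = hexsig[i + 1:end]
            if "-" in body:
                lo, hi = body.split("-", 1)
                lo = int(lo) if lo else 0
                parts.append(b".{%d,%d}" % (lo, int(hi)) if hi else b".{%d,}" % lo)
            else:
                parts.append(b".{%d}" % int(body))
            i = end + 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, sig_line):
    """Return (offset, matched_bytes) for every hit of one signature in data."""
    sig = parse_ndb(sig_line)
    regex = hexsig_to_regex(sig["hex"])
    if sig["offset"] != "*":
        # Anchored signature: only test at the given absolute offset.
        start = int(sig["offset"])
        m = regex.match(data, start)
        return [(start, m.group(0))] if m else []
    return [(m.start(), m.group(0)) for m in regex.finditer(data)]


# Constructed stand-in for the packet bytes: filler, the fnstenv decoder stub
# with a made-up 4-byte XOR key, then more filler. Not data from the post.
XOR_KEY = b"\xde\xad\xbe\xef"                     # constructed key, fills the {4}
DECODER_STUB = (bytes.fromhex("d9ee")             # fldz
                + bytes.fromhex("d97424f4")       # fnstenv [esp-0xc]
                + bytes.fromhex("5b")             # pop ebx  (GetPC trick)
                + bytes.fromhex("817313") + XOR_KEY  # xor dword [ebx+0x13], key
                + bytes.fromhex("83ebfc")         # sub ebx, -4
                + bytes.fromhex("e2f4"))          # loop back to the xor
SAMPLE_STREAM = b"\x00" * 16 + DECODER_STUB + b"\x90" * 8
CLEAN_STREAM = b"\x00" * 16 + b"\x90" * 32

if __name__ == "__main__":
    name = parse_ndb(FNSTENV_SIG)["name"]
    for off, hit in scan(SAMPLE_STREAM, FNSTENV_SIG):
        print("%s matched at offset %d: %s" % (name, off, hit.hex()))
    print("clean stream hits:", scan(CLEAN_STREAM, FNSTENV_SIG))
```

Because the signature has type 0 and offset `*`, nothing about the pcap container matters: the decoder stub carried inside a captured TCP payload is enough, which is exactly why a packet capture of a Metasploit session gets flagged like an executable would.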

I don’t know how to get the payload. If anyone knows, please help me learn. I think I would need to look at the vulnerability again and figure out how Metasploit sent the payload.

After googling D9EED97424F45B817313 I found https://github.com/dzzie/pdfstreamdumper/blob/master/libemu/encoders.txt.
It appears to be part of an encoding routine that Metasploit uses (?). I popped it into ODA (https://www.onlinedisassembler.com) and it showed the assembly instructions used.


If there are errors in this post, let me know. I should be sleeping right now.
