Wednesday, March 1, 2017

ClamAV & detection of a pcap file

I had bunch of pcap files that I created last year. I gave digital forensics students an assignment based on the data contained in the pcaps. ClamAV flagged a file as malicious.

The lab had ClamAV setup with schedule scanning enabled. It scans at night. The lab machines were also used to do the forensics exercise. I woke up the next day and got bunch of alerts from ClamAV (ClamWin to be specific) about one of my pcap file. I knew I had used metasploit when generating the pcap file but I wanted to know why it got detected.

This post investigates that. None of the techniques used in the post are new. AV signature creation about ClamAV nicely documented.

My setup: I am using Kali linux with ClamAV installed.

My first step is to figure out what malware ClamAV marks this file as.
I updated my ClamAV on Kali then scanned the file.
It’s labeled as Win.Exploit.Fnstenv_mov-1. This has to do with metasploit payload. I used metasploit during the creation of this pcap.

Now I need to look at the signature for Win.Exploit.Fnstenv_mov-1.
ClamAV stores signatures in /var/lib/clamav. The files have extension of .cvd.
I copied main.cvd and used the sigtool (this tool has been documented here to unpack it then looked for Win.Exploit.Fnstenv_mov-1.

To understand what “Win.Exploit.Fnstenv_mov-1:0:*:d9eed97424f45b817313{4}83ebfce2f4” means, I looked up how ClamAV signatures are created. I came across this blog post: "Create Your Own Anti-Virus Signatures with ClamAV"

This is the format according to the blog post: “Name:Type:Offset:malware hex output”
Name: Win.Exploit.Fnstenv_mov-1
Type: 0 = Any file
Offset: * = Any
Hex: d9eed97424f45b817313

Next step was to search for the hex in Wireshark.

I don’t know how to get the payload. If anyone knows plz help me learn. I think I would need to look at the vulnerability again and figure out how metasploit sent the payload.

After googling D9EED97424F45B817313 I found this
It’s part of encoding routine that metasploit uses (?) I popped it into ODA ( and it showed the assembly instructions used

If there are errors in this post, let me know. I should be sleeping right now.