Koozali.org: home of the SME Server

Ransomware/CTB-Locker ClamAV signature

Offline Knuddi

Ransomware/CTB-Locker ClamAV signature
« on: February 14, 2015, 07:56:05 PM »
I have made two ClamAV signatures which can be very helpful in preventing CTB-Locker from reaching you. The signatures will let Clam reject an email if it contains an executable in a compressed archive (exe within zip, rar, etc.) and also if there is a compressed archive within a compressed archive (zip inside zip). I have seen both being used to carry CTB-Locker at ScanMailX and thought I would share.

This is obviously not a guarantee for anything but will help a little.

The signatures should be placed in the /var/clamav directory and Clam will find them at the next reload (force a reload with clamdscan --reload).

The signatures can be downloaded here: http://sme.swerts-knudsen.dk/downloads/ClamAV/ScanMailX.cdb

You can read up on the CTB-Locker here: https://heimdalsecurity.com/blog/ctb-locker-ransomware/

Enjoy,
Jesper

 

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #1 on: February 15, 2015, 10:36:46 AM »
Thanks Knuddi, every bit helps!

Offline CharlieBrady

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #2 on: February 18, 2015, 04:13:35 PM »
Shouldn't those signatures arrive via clamav? I presume you have submitted them there.

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #3 on: February 18, 2015, 04:34:21 PM »
These signatures do not reject an individual piece of code as most other signatures do. They reject a set of file types and therefore do not apply to the standard ClamAV distribution.

Offline CharlieBrady

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #4 on: February 18, 2015, 04:41:10 PM »
I see the patterns are:

ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*

I suspect that the latter pattern would cause some disruption of "normal" traffic. I don't think this is really a "signature" of Ransomware/CTB-Locker.

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #5 on: February 18, 2015, 05:26:38 PM »
You may be right that it's not specific to CTB-Locker, but when we analyzed mails that carried CTB, 99% of them came through these containers and were not caught at the time of arrival.

So it might cause some disruption of normal traffic if compressed files in compressed folders are normal; I do know that some backup systems use that.

In all cases, you are correct, it's not a dedicated signature and should be used with this knowledge and caution.

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #6 on: February 18, 2015, 05:29:26 PM »
Shouldn't those signatures arrive via clamav? I presume you have submitted them there.

there are also unofficial clamav signatures, most of them are used to limit spam..
see http://blog.redbranch.net/2010/09/24/enhancing-clamav-with-extra-signatures/

they are also available as an rpm package.. I'm using clamav-unofficial-sigs on my server and on 3 others..

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #7 on: February 18, 2015, 05:30:39 PM »
I see the patterns are:

ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*

I suspect that the latter pattern would cause some disruption of "normal" traffic. I don't think this is really a "signature" of Ransomware/CTB-Locker.

I had a CTB-Locker as a .cab attachment (Windows handles that kind of package out of the box)

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #8 on: February 18, 2015, 05:51:39 PM »
This signature also handles .cab files.

ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ, CL_TYPE_CAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR,
CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) or * to match any of the container types listed here

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #9 on: February 23, 2015, 02:41:19 PM »
I have discovered that one of the container models (CL_TYPE_MAIL) would in some cases actually reject mails if there was a compressed item directly in a mail, and not the intended compressed-in-compressed.

I have therefore updated the signatures and suggest you get them again.

The signatures can be downloaded here: http://sme.swerts-knudsen.dk/downloads/ClamAV/ScanMailX.cdb
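The following is an added example and not code from the thread, from ScanMailX or from ClamAV. It ties together three posts above: the behaviour the first post describes (reject an executable inside an archive, or an archive inside an archive), the two .cdb patterns shown in reply #4, and the CL_TYPE_MAIL false positive reported in this post. The script parses the posted .cdb lines, walks a constructed mail with zip attachments the way ClamAV descends containers, and reports which rule would fire. It assumes a simplified model of ClamAV's container matching: a rule fires when a file whose name matches FileNameREGEX sits inside a container of the given ContainerType (any container for `*`), with the message itself treated as a CL_TYPE_MAIL container. ClamAV's own regex dialect and case handling, the size and position fields, and real RAR/CAB/7Z extraction are not reproduced; the `restrict_to_archives` rewrite and its `.ZIP`/`.RAR`/... name suffixes are this example's own convention, and all sample archives and payload bytes are constructed placeholders.

```python
"""Emulate how ClamAV applies .cdb container-metadata signatures to a mail.

Added example (simplified model of ClamAV's matching, see lead-in).
"""
import io
import re
import zipfile
from dataclasses import dataclass

# .cdb field layout (from the ClamAV signature documentation):
# VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
#   FileSizeReal:IsEncrypted:FilePos:Res1:Res2
CDB_FIELD_COUNT = 10

# The two patterns posted in reply #4, verbatim.
ORIGINAL_CDB = r"""
ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
"""

# Archive container types from the ClamAV docs quoted in reply #8.
ARCHIVE_TYPES = ("CL_TYPE_ZIP", "CL_TYPE_RAR", "CL_TYPE_ARJ", "CL_TYPE_CAB", "CL_TYPE_7Z")


@dataclass(frozen=True)
class CdbSig:
    name: str
    container_type: str      # one CL_TYPE_* name, or "*" for any container
    filename_re: re.Pattern


def parse_cdb(text: str) -> list[CdbSig]:
    """Parse .cdb lines. Assumes FileNameREGEX contains no ':' (true for the
    thread's patterns); only the fields this emulation uses are kept."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != CDB_FIELD_COUNT:
            raise ValueError(f"expected {CDB_FIELD_COUNT} fields: {line!r}")
        name, ctype, _csize, fname_re = fields[:4]
        sigs.append(CdbSig(name, ctype, re.compile(fname_re)))
    return sigs


def restrict_to_archives(text: str, container_types=ARCHIVE_TYPES) -> str:
    """Rewrite '*' ContainerType rules into one line per archive type, so a
    rule no longer fires on a file sitting directly in the CL_TYPE_MAIL
    container. The '.<TYPE>' name suffix is this example's own convention."""
    out = []
    for sig in parse_cdb(text):
        types = container_types if sig.container_type == "*" else (sig.container_type,)
        for ct in types:
            suffix = ct.removeprefix("CL_TYPE_")
            out.append(f"{sig.name}.{suffix}:{ct}:*:{sig.filename_re.pattern}:*:*:*:*:*:*")
    return "\n".join(out)


def scan(sigs, attachments, container_type="CL_TYPE_MAIL", _path=""):
    """Walk attachments the way ClamAV descends containers: each entry is a
    file inside `container_type`; zip entries are opened and their members
    are checked as files inside CL_TYPE_ZIP. Returns [(path, signature_name)]."""
    hits = []
    for name, data in attachments:
        path = f"{_path}/{name}"
        hits += [(path, s.name) for s in sigs
                 if s.container_type in ("*", container_type) and s.filename_re.search(name)]
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(m.filename, zf.read(m)) for m in zf.infolist()]
            hits += scan(sigs, members, "CL_TYPE_ZIP", path)
    return hits


def make_zip(members) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachments; payloads are placeholder bytes, not real files.
EXE_IN_ZIP = [("invoice.zip", make_zip([("invoice.exe", b"MZ placeholder")]))]
ZIP_IN_ZIP = [("backup.zip", make_zip([("2015-02.tar.gz", b"\x1f\x8b placeholder")]))]
PLAIN_ZIP = [("report.zip", make_zip([("report.pdf", b"%PDF-1.4 placeholder")]))]

if __name__ == "__main__":
    for label, cdb in (("original", ORIGINAL_CDB), ("restricted", restrict_to_archives(ORIGINAL_CDB))):
        sigs = parse_cdb(cdb)
        for sample_name, sample in (("exe-in-zip", EXE_IN_ZIP), ("zip-in-zip", ZIP_IN_ZIP), ("plain-zip", PLAIN_ZIP)):
            print(f"{label:10} {sample_name:10} -> {scan(sigs, sample)}")
```

With the original `*` rules, `report.zip` attached directly to a mail is rejected by `Zip_zip`, which is the false positive this post describes; with the container type pinned to archive types, only the exe-in-zip and zip-in-zip samples fire, and the latter still shows why a backup-style `.tar.gz` inside a zip would be blocked. Before deploying a modified .cdb, check it against the real scanner on such a sample with `clamscan -d ScanMailX.cdb sample.zip`, since this emulation does not reproduce ClamAV's regex engine or case handling.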

Offline brianr

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #10 on: February 23, 2015, 06:47:29 PM »
there are also unofficial clamav signatures, most of them are used to limit spam..
see http://blog.redbranch.net/2010/09/24/enhancing-clamav-with-extra-signatures/

they are also available as an rpm package.. I'm using clamav-unofficial-sigs on my server and on 3 others..

Can you give me a link to get that RPM?

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #11 on: February 23, 2015, 07:07:55 PM »
Can you give me a link to get that RPM?

It's available from the epel repository (For SME Server 9 at least)

yum install clamav-unofficial-sigs --enablerepo=epel

Offline brianr

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #12 on: February 23, 2015, 07:22:47 PM »
It's available from the epel repository (For SME Server 9 at least)

yum install clamav-unofficial-sigs --enablerepo=epel

thanks - and it's there for SME8 as well...

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #13 on: February 24, 2015, 02:58:46 PM »
Any good reasons not to use the script which was made/modified for the SME?

http://wiki.contribs.org/Virus:Additional_Signatures

@brianr,
Which other sources of signatures do you use?

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #14 on: February 24, 2015, 03:07:29 PM »
It's available from the epel repository (For SME Server 9 at least)

yum install clamav-unofficial-sigs --enablerepo=epel

yes.. sorry for the delay

you have to manually edit the .conf file in /etc/clamav-unofficial-sigs (IIRC)

I'll post my conf asap

@all: please be aware that some rules are very aggressive.. after you enable them, you should keep an eye on your qpsmtpd log