Koozali.org: home of the SME Server

Ransomware/CTB-Locker ClamAV signature

Offline Knuddi

Ransomware/CTB-Locker ClamAV signature
« on: February 14, 2015, 07:56:05 PM »
I have made two ClamAV signatures which can be very helpful in preventing you from being reached by CTB-Locker. The signatures will let Clam reject an email if it contains an executable in a compressed archive (exe within zip, rar, etc.) and also if there should be a compressed archive within a compressed archive (zip inside zip). I have seen both being used to carry CTB-Locker at ScanMailX and thought I would share.

This is obviously not a guarantee for anything but will help a little.

The signatures should be placed in the /var/clamav directory and clam will find them at the next reload (force a reload with clamdscan --reload).

The signatures can be downloaded here: http://sme.swerts-knudsen.dk/downloads/ClamAV/ScanMailX.cdb

You can read up on the CTB-Locker here: https://heimdalsecurity.com/blog/ctb-locker-ransomware/

Enjoy,
Jesper

 

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #1 on: February 15, 2015, 10:36:46 AM »
Thanks Knuddi, every bit helps!

Offline CharlieBrady

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #2 on: February 18, 2015, 04:13:35 PM »
Shouldn't those signatures arrive via clamav? I presume you have submitted them there.

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #3 on: February 18, 2015, 04:34:21 PM »
These signatures do not reject an individual piece of code as most other signatures do. They reject a set of file types and therefore do not apply to the standard clamav distribution.

Offline CharlieBrady

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #4 on: February 18, 2015, 04:41:10 PM »
I see the patterns are:

ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*

I suspect that the latter pattern would cause some disruption of "normal" traffic. I don't think this is really a "signature" of Ransomware/CTB-Locker.

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #5 on: February 18, 2015, 05:26:38 PM »
You may be right that it's not specific to CTB-Locker, but when we analyzed mails that carried CTB, 99% of them came through these containers and were not caught at the time of arrival.

So, it might cause some disruption of normal traffic if compressed files in compressed folders are normal - I do know that some backup systems use that.

In all cases, you are correct, it's not a dedicated signature and should be used with this knowledge and caution.

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #6 on: February 18, 2015, 05:29:26 PM »
> Shouldn't those signatures arrive via clamav? I presume you have submitted them there.

there are also unofficial clamav signatures, most of them are used to limit spam..
see http://blog.redbranch.net/2010/09/24/enhancing-clamav-with-extra-signatures/

they are available also in rpm package.. I'm using clamav-unofficial-sigs on my server and other 3..

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #7 on: February 18, 2015, 05:30:39 PM »
> I see the patterns are:
>
> ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
> ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
>
> I suspect that the latter pattern would cause some disruption of "normal" traffic. I don't think this is really a "signature" of Ransomware/CTB-Locker.

I had a CTB-Locker as a .cab attachment (Windows handles that kind of package out of the box)

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #8 on: February 18, 2015, 05:51:39 PM »
This signature also handles .cab files.

ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ, CL_TYPE_CAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR,
CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) or * to match any of the container types listed here

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #9 on: February 23, 2015, 02:41:19 PM »
I have discovered that one of the container models (CL_TYPE_MAIL) would in some cases actually reject mails if there was a compressed item directly in a mail, and not the intended compressed-in-compressed.

I have therefore updated the signatures and suggest you get them again.

The signatures can be downloaded here: http://sme.swerts-knudsen.dk/downloads/ClamAV/ScanMailX.cdb
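As an added illustration (not code from the thread or from ScanMailX) of how the container-metadata lines quoted earlier by CharlieBrady are evaluated, and of the CL_TYPE_MAIL false positive described in this reply: the Python model below parses the ten-field .cdb layout (VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2) and reports which signatures fire for a member name found inside a given container type. The third signature, Example.Nested_zip_only, is a constructed variant that restricts the container to CL_TYPE_ZIP; only the name, container type and filename regex are modelled, so this approximates ClamAV's matching rather than reproducing its engine.

```python
import re
from dataclasses import dataclass

# Constructed input: the two ScanMailX lines quoted in the thread plus one variant
# (Example.Nested_zip_only, my own) that names a container type instead of "*".
CDB_TEXT = r"""
ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
Example.Nested_zip_only:CL_TYPE_ZIP:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
"""

@dataclass
class ContainerSig:
    name: str
    container_type: str      # a CL_TYPE_* name, or "*" for any container
    filename_re: re.Pattern  # the FileNameREGEX field, compiled with Python re

def parse_cdb(text: str) -> list:
    """Parse .cdb lines; only VirusName, ContainerType and FileNameREGEX are kept."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"expected 10 fields, got {len(fields)}: {line}")
        sigs.append(ContainerSig(fields[0], fields[1], re.compile(fields[3])))
    return sigs

def matching_sigs(sigs: list, container_type: str, member: str) -> list:
    """Names of signatures that fire for `member` seen inside `container_type`."""
    return [s.name for s in sigs
            if s.container_type in ("*", container_type) and s.filename_re.search(member)]

if __name__ == "__main__":
    sigs = parse_cdb(CDB_TEXT)
    cases = [
        ("CL_TYPE_ZIP", "invoice.exe"),   # exe inside zip: the intended catch
        ("CL_TYPE_ZIP", "inner.zip"),     # zip inside zip: both zip rules fire
        ("CL_TYPE_MAIL", "backup.zip"),   # zip attached directly to a mail: the "*"
                                          # rule fires (Reply #9), the ZIP-only one does not
        ("CL_TYPE_ZIP", "INVOICE.EXE"),   # regex is case-sensitive: no hit
    ]
    for ctype, member in cases:
        print(f"{ctype:13s} {member:13s} -> {matching_sigs(sigs, ctype, member)}")
```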

Offline brianr

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #10 on: February 23, 2015, 06:47:29 PM »
> there are also unofficial clamav signatures, most of them are used to limit spam..
> see http://blog.redbranch.net/2010/09/24/enhancing-clamav-with-extra-signatures/
>
> they are available also in rpm package.. I'm using clamav-unofficial-sigs on my server and other 3..

Can you give me a link to get that RPM?
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #11 on: February 23, 2015, 07:07:55 PM »
> Can you give me a link to get that RPM?

It's available from the epel repository (For SME Server 9 at least)

yum install clamav-unofficial-sigs --enablerepo=epel

Offline brianr

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #12 on: February 23, 2015, 07:22:47 PM »
> It's available from the epel repository (For SME Server 9 at least)
>
> yum install clamav-unofficial-sigs --enablerepo=epel

thanks - and there for SME8 as well...

Offline Knuddi

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #13 on: February 24, 2015, 02:58:46 PM »
Any good reasons not to use the script which was made/modified for the SME?

http://wiki.contribs.org/Virus:Additional_Signatures

@brianr,
Which other sources of signatures do you use?

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #14 on: February 24, 2015, 03:07:29 PM »
> It's available from the epel repository (For SME Server 9 at least)
>
> yum install clamav-unofficial-sigs --enablerepo=epel

yes.. sorry for the delay

you have to manually edit .conf file in /etc/clamav-unofficial-sigs (IIRC)

I'll post my conf asap

@all: please be aware that some rules are very aggressive.. after you enable them, you should keep an open eye on your qpsmtpd log

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #15 on: February 24, 2015, 03:28:25 PM »
> yes.. sorry for the delay
>
> you have to manually edit .conf file in /etc/clamav-unofficial-sigs (IIRC)

I think you are right. The RPM is being installed, but you have to incorporate various things into the config file to make the new data effective. That's all I could see.

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #16 on: February 24, 2015, 03:44:38 PM »
ok..

first of all, let's create a copy of the original .conf file

Code:
cd /etc/clamav-unofficial-sigs
cp clamav-unofficial-sigs.conf clamav-unofficial-sigs.orig


in the same directory, create a clamav-unofficial-sigs.conf.patch file with:
Code:
nano clamav-unofficial-sigs.conf.patch

and fill it with the following content:
Code:
diff -Nur old/clamav-unofficial-sigs.conf new/clamav-unofficial-sigs.conf
--- old/clamav-unofficial-sigs.conf   2015-02-24 15:32:56.182269840 +0100
+++ new/clamav-unofficial-sigs.conf   2015-02-24 15:33:06.193721634 +0100
@@ -37,15 +37,15 @@
 # Set the appropriate ClamD user and group accounts for your system.
 # If you do not want the script to set user and group permissions on
 # files and directories, comment the next two variables.
-clam_user="clam"
-clam_group="clam"
+clam_user="clamav"
+clam_group="clamav"
 
 # Set path to ClamAV database files location.  If unsure, check
 # your clamd.conf file for the "DatabaseDirectory" path setting.
-clam_dbs="/var/lib/clamav"
+clam_dbs="/var/clamav"
 
 # Set path to clamd.pid file (see clamd.conf for path location).
-clamd_pid="/var/run/clamav/clamd.pid"
+#clamd_pid="/var/run/clamav/clamd.pid"
 
 # To enable "ham" (non-spam) directory scanning and removal of
 # signatures that trigger on ham messages, uncomment the following
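Review bot: the clamd_pid line is commented out rather than corrected, which leaves the script with no PID file path at all; the comment above it says to take the path from clamd.conf, so pointing it at the PID file clamd.conf actually declares on SME Server would be safer than disabling it, and the post should say why it was disabled. The clam_dbs change to /var/clamav is consistent with where the first post of this thread places the ScanMailX .cdb.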
@@ -54,7 +54,7 @@
 
 # If you would like to reload the clamd databases after an update,
 # change the following variable to "yes".
-reload_dbs="no"
+reload_dbs="yes"
 
 # Set the reload or restart option if the "reload_dbs" variable above
 # is set to "yes" (only select 'ONE' of the following variables or the
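Review bot: reload_dbs is switched to "yes", but the comment that follows says exactly ONE of the reload/restart variables below it must then be selected, and that selection is not part of this patch; either the stock file already has a usable default there or a hunk is missing, and the post should say which. With reloads enabled, a bad unofficial signature reaches the running clamd automatically, which is exactly why the earlier advice in this thread to keep an eye on the qpsmtpd log matters.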
@@ -76,7 +76,7 @@
 # the script will still run).  You will also need to set the correct
 # path to your clamd socket file (if unsure of the path, check the
 # "LocalSocket" setting in your clamd.conf file for socket location).
-#clamd_socket="/var/run/clamd.socket"
+clamd_socket="/var/clamav/clamd.socket"
 
 # If you would like to attempt to restart ClamD if detected not running,
 # uncomment the next 2 lines.  Confirm the path to the "clamd_lock" file
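Review bot: clamd_socket is uncommented and changed from /var/run/clamd.socket to /var/clamav/clamd.socket; the comment immediately above says to confirm this against the LocalSocket setting in clamd.conf, so readers should check that value on their own box before applying the patch rather than copying the path verbatim, since the comment also states the socket path is needed for the script's clamd interaction.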

save and exit, then
Code:
cd /etc/clamav-unofficial-sigs
patch clamav-unofficial-sigs.conf clamav-unofficial-sigs.conf.patch

done :)

I tested the patch a bit, and it's working for me.. YMMV

take a look in the /var/log/clamav-unofficial-sigs dir to check that everything is working fine

Offline brianr

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #17 on: February 24, 2015, 04:55:34 PM »
> @brianr,
> Which other sources of signatures do you use?

No others (yet!)

Offline swany

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #18 on: December 08, 2015, 11:24:31 AM »
I want to block all the listed file masks in mail attachments, so I added to /var/clamav/my_base.cdb:

ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.js:CL_TYPE_MAIL:*:(?i)\.js$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.exe:CL_TYPE_MAIL:*:(?i)\.exe$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.dll:CL_TYPE_MAIL:*:(?i)\.dll$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.vbs:CL_TYPE_MAIL:*:(?i)\.vbs$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.pif:CL_TYPE_MAIL:*:(?i)\.pif$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files.CL_TYPE_MAIL.com:CL_TYPE_MAIL:*:(?i)\.com$:*:*:*:*:*:*
ScanMailX.Blocked.Attached_Files:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|js|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs)$:*:*:*:*:*:*

If I send
АА file_name.js
it's BLOCKED

But if I send
АА file_name.xlsx_ .js
it's OK

АА - non-Unicode symbols

Can someone help me?
« Last Edit: December 08, 2015, 01:14:26 PM by swany »

Offline Daniel B.

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #19 on: December 08, 2015, 11:52:07 AM »
Please open a new topic
It's the end of the world!!! :lol:

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #20 on: December 08, 2015, 01:11:13 PM »
> Please open a new topic

and please don't delete the post's content!

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #21 on: December 08, 2015, 02:17:46 PM »
And please do not cross post.

Offline Stefano

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #22 on: December 08, 2015, 02:33:32 PM »
> And please do not cross post.

he was requested to open a new topic, so no cross post IMO.. am I missing anything?

TIA

guest22

Re: Ransomware/CTB-Locker ClamAV signature
« Reply #23 on: December 08, 2015, 02:48:25 PM »
You are correct. He did open a new topic, which I mistakenly took for a cross post.