Friday, March 6, 2009

Generating Virus Signatures - The Automated Way

A common characteristic of malware distributed as an executable is the use of a PE packer, such as UPX or Petite, to compress and obfuscate the malicious content. Once our analysts have determined that a file is malware, and that it uses a PE packer ClamAV does not currently unpack, a common signature-writing technique is to write a signature on the packed data section of the PE file.

Instead of having to remember each PE packer that crosses my desk, and which section the packed malicious code lives in, I chose to automate this process.

pe-sig, a tool written in Ruby that uses the PE parsing and signature library from Metasploit 3, automatically generates PE section signatures for known PE packers in a form appropriate for loading into ClamAV.

When I process a file that was packed with PKLITE, pe-sig gives the following output. The three fields are the section size in bytes, the MD5 of the section contents, and the signature name, which is the layout of ClamAV's PE section hash (.mdb) signatures:
16384:39ae378e47f13ceecca20d06201d0cc1:SIGNATURE__.pklstb__PKLITE32v1.1 [535]

Note that the section size and hash are identical to those of a signature that was released in mid-2008:
16384:39ae378e47f13ceecca20d06201d0cc1:Trojan.Downloader

When processing a PE file that might not be packed, or that is packed with a packer we do not yet have a signature for, pe-sig instead outputs every section of the PE file:
157105664:8d85afc534f0b55fde3781a34ee8d995:UNKNOWN__.rsrc
34304:ae582babaad5a738c32ad1c074e1f3e2:UNKNOWN__.text
1024:730893b14fc930a187215e7fb53bc0a5:UNKNOWN__.data

Based on my knowledge of the file being processed, I know the packed data lives in .rsrc. My next step is to find an appropriate signature for the packer stub portion of the executable, add it to my signature list, and specify that .rsrc is the location of the packed data. The next time I run across this packer I will not have to remember what it is or where its data is stored; that work will already have been done.
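As an added example of the workflow above, not pe-sig's own code (pe-sig relies on Metasploit's Rex libraries; this is a dependency-free Ruby reimplementation of the same idea), the script below parses the PE section table, compares the bytes at the entry point against a small table of packer stubs, and prints size:md5:name lines. When the packer is recognised it signs the section that packer stores its payload in; otherwise it lists every section as UNKNOWN__. The stub patterns, the packer names (EXAMPLEPACK1.0, EXAMPLEPACK2.0) and the in-memory sample PE are constructed for this example and do not correspond to any real packer or sample.

```ruby
require 'digest/md5'

# Entry-point byte patterns for packer stubs, each mapped to the section in
# which that packer keeps its packed payload. Both entries are constructed
# for this example; they are not real packer fingerprints or pe-sig's table.
PACKER_SIGS = [
  { name: 'EXAMPLEPACK1.0', pattern: "\x60\xE8\x00\x00\x00\x00\x5D".b, packed_section: '.data' },
  { name: 'EXAMPLEPACK2.0', pattern: "\x9C\x60\xE8".b, packed_section: '.rsrc' }
].freeze

Section = Struct.new(:name, :virtual_address, :virtual_size, :raw_size, :raw_offset)
class PeParseError < StandardError; end

# Parse only what is needed from a PE image: the entry point RVA and the
# section table. Returns [entry_rva, sections].
def parse_pe(data)
  raise PeParseError, 'truncated DOS header' if data.bytesize < 0x40
  raise PeParseError, 'missing MZ header' unless data[0, 2] == 'MZ'.b
  e_lfanew = data[0x3C, 4].unpack1('V')
  raise PeParseError, 'missing PE signature' unless data[e_lfanew, 4] == "PE\x00\x00".b
  raise PeParseError, 'truncated PE headers' if data.bytesize < e_lfanew + 44
  num_sections = data[e_lfanew + 6, 2].unpack1('v')
  opt_size = data[e_lfanew + 20, 2].unpack1('v')
  entry_rva = data[e_lfanew + 24 + 16, 4].unpack1('V') # AddressOfEntryPoint
  table = e_lfanew + 24 + opt_size                       # first IMAGE_SECTION_HEADER
  sections = Array.new(num_sections) do |i|
    rec = data[table + i * 40, 40]
    raise PeParseError, 'truncated section table' if rec.nil? || rec.bytesize < 40
    name, vsize, vaddr, rsize, roff = rec.unpack('a8VVVV')
    Section.new(name.delete("\x00"), vaddr, vsize, rsize, roff)
  end
  [entry_rva, sections]
end

# Map an RVA to a file offset through the section table. An RVA that falls
# outside every section (damaged or oddly laid out files) is reported, not hashed.
def rva_to_offset(sections, rva)
  sec = sections.find do |s|
    span = [s.virtual_size, s.raw_size].max
    rva >= s.virtual_address && rva < s.virtual_address + span
  end
  raise PeParseError, "Offset #{rva} outside of section" unless sec
  sec.raw_offset + (rva - sec.virtual_address)
end

# One ClamAV-style line for a section: raw size, MD5 of the raw bytes, name.
# The hash covers the bytes actually present in the file.
def section_sig(data, sec, label)
  raw = data[sec.raw_offset, sec.raw_size] || ''.b
  "#{raw.bytesize}:#{Digest::MD5.hexdigest(raw)}:#{label}"
end

# Identify the packer from the entry-point bytes; if known, sign the section
# holding its packed payload, otherwise list every section as UNKNOWN__.
def pe_sig(data)
  entry_rva, sections = parse_pe(data)
  ep_bytes = data[rva_to_offset(sections, entry_rva), 16] || ''.b
  hit = PACKER_SIGS.find { |sig| ep_bytes.start_with?(sig[:pattern]) }
  return sections.map { |s| section_sig(data, s, "UNKNOWN__#{s.name}") } unless hit
  sec = sections.find { |s| s.name == hit[:packed_section] }
  raise PeParseError, "section #{hit[:packed_section]} not present" unless sec
  [section_sig(data, sec, "SIGNATURE__#{sec.name}__#{hit[:name]}")]
end

# Build a minimal two-section PE32 image in memory (constructed sample input,
# not a real binary). With packed: true the entry point carries the
# EXAMPLEPACK1.0 stub bytes and the payload lives in .data.
def build_sample_pe(packed: true)
  stub = (packed ? "\x60\xE8\x00\x00\x00\x00\x5D" : "\x55\x8B\xEC").b.ljust(0x200, "\x00")
  payload = ("\xAA".b * 0x100) + ("\x55".b * 0x100)
  dos = 'MZ'.b.ljust(0x3C, "\x00") + [0x40].pack('V') # e_lfanew = 0x40
  coff = "PE\x00\x00".b + [0x14C, 2, 0, 0, 0, 0xE0, 0x102].pack('vvVVVvv')
  opt = ([0x10B].pack('v').ljust(16, "\x00") + [0x1000].pack('V')).ljust(0xE0, "\x00")
  hdrs = [['.stub', 0x200, 0x1000, 0x200, 0x200], ['.data', 0x200, 0x2000, 0x200, 0x400]]
  table = hdrs.map { |h| h.pack('a8VVVV').ljust(40, "\x00") }.join
  (dos + coff + opt + table).ljust(0x200, "\x00") + stub + payload
end

if __FILE__ == $0
  data = ARGV.empty? ? build_sample_pe(packed: true) : File.binread(ARGV[0])
  begin
    puts pe_sig(data)
  rescue PeParseError => e
    warn "Error parsing file: #{e.message}"
  end
end
```

Run it with no arguments to see the packed sample signed as SIGNATURE__.data__EXAMPLEPACK1.0, or pass a file path to process a real PE. Adding a new packer means appending one entry to PACKER_SIGS with its entry-point bytes and the section that holds its payload, which is the "add it to my signature list" step from the post.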

6 comments:

  1. Doesn't this increase the risk of false positives?

  2. This process does not increase the likelihood of having false positives, because the files that are run through this process have already been checked to see if they are "good" or "bad". The analysis is done either statically or dynamically. Pe-sig is used when a researcher comes to the conclusion that a file is malware and that a signature needs to be written for it, yet it is packed with a packer not handled by ClamAV. Pe-sig can recognize the packer in question and generate a signature based on the packed code for the executable.

  3. The code is missing from the VRT site...

  4. Apologies for the broken links, we moved a few things around with the snort.org redesign. Links are now fixed in the post and it's here for convenience:

    http://dl.snort.org/pe-sig/pe-sig.tgz

  5. Hi.
    I get a Python error but I don't understand it.

    ./pe-sig /home/henry/virus/cartao-3.scr
    ./pe-sig:44: undefined method `sigs' for #<Rex::PeScan::Analyze::Fingerprint:0xb7d1ac38> (NoMethodError)
    from ./pe-sig:33:in `each'
    from ./pe-sig:33

    ./pe-sig /home/henry/virus/cart8979.scr
    Error parsing file /home/henry/virus/cart8979.scr : Offset 313604 outside of section

    ./pe-sig /home/henry/virus/virtualcard.scr
    ./pe-sig:44: undefined method `sigs' for #<Rex::PeScan::Analyze::Fingerprint:0xb7b86c00> (NoMethodError)
    from ./pe-sig:33:in `each'
    from ./pe-sig:33


    My ./pe-sig has this configuration:

    head -n15 ./pe-sig

    #!/usr/bin/ruby -I/usr/src/framework-3.2/lib
    #-I/path/to/metasploit-src/framework3/trunk/lib
    #
    # Generate PE signatures for Clam AV
    #

    require 'digest/md5'
    require 'rex/peparsey'
    require 'rex/pescan'

    # location of your local signatures
    local_sigs = 'signatures.txt'

    # location of your metasploit 3 src tree
    msf_base = '/usr/src/framework-3.2'

    What is wrong?
    Regards,
    Henry

  6. Hello.

    I'm using Gentoo Linux.

    Does somebody know of instructions or a manual for pe-sig?

    After emerging metasploit and entering "ruby pe-sig", there is an error:
    "pe-sig:7:in `require': no such file to load -- rex/peparsey (LoadError)
    from pe-sig:7"
