Tuesday, December 3, 2013

A quick tutorial on ClamAV detection: Win.Adware.Bprotector

Bprotector is a fairly popular yet unexceptional family of adware. The thing that distinguishes it from other families is its prevalence. A specific sample, first seen in October 2013, has consistently been at the top of the detection rates on our FireAMP and Immunet products. The following is the simple strategy that I used for creating the ClamAV signature.

For ClamAV coverage I targeted strings that were shared commonly between the samples that I had on hand. The goal is always to choose content that is generic enough to cover variants but unique enough not to cause false positives. Targeting the strings is extremely effective in this case because these samples are not obfuscated. This detection, based on 4 samples, ended up covering more than 90 samples.

The LDB signature can be seen here:

Win.Adware.BProtector;Engine:51-255,Target:1;(0&1&2&3&4);6200500072006F0074006500630074002E00650078006500;6200500072006F0074006500630074002E00730065007400740069006E0067007300;700072006F0074006500630074006F0072002E0064006C006C00;500052004F0054004500430054004F0052005F0044004C004C005F004E0041004D004500;5C004D006F007A0069006C006C0061005C00460069007200650066006F0078005C00500072006F00660069006C00650073002E0069006E006900

Decoded with sigtool --decode-sigs:

VIRUS NAME: Win.Adware.BProtector
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: (0&1&2&3&4)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
bProtect.exe
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
bProtect.settings
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
protector.dll
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
PROTECTOR_DLL_NAME
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
\Mozilla\Firefox\Profiles.ini
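To make the format above concrete, here is a small Python script written for this post (it is not ClamAV or sigtool code) that splits the LDB line into its fields, decodes the five hex subsignatures the way sigtool shows them (they are UTF-16LE strings), rebuilds the hex from a plain string, and evaluates the (0&1&2&3&4) expression against a constructed buffer standing in for a sample. Only plain substring subsigs joined by & and | are handled, not ClamAV's count, offset or wildcard syntax.

```python
import re
from collections import deque

LDB_SIG = ("Win.Adware.BProtector;Engine:51-255,Target:1;(0&1&2&3&4);"
    "6200500072006F0074006500630074002E00650078006500;"
    "6200500072006F0074006500630074002E00730065007400740069006E0067007300;"
    "700072006F0074006500630074006F0072002E0064006C006C00;"
    "500052004F0054004500430054004F0052005F0044004C004C005F004E0041004D004500;"
    "5C004D006F007A0069006C006C0061005C00460069007200650066006F0078005C00500072006F00660069006C00650073002E0069006E006900")

def parse_ldb(sig):
    """Split an LDB line into name, target description block, logical expression and subsig bytes."""
    name, tdb, logic, *subsigs = sig.strip().split(";")
    return {"name": name, "tdb": tdb, "logic": logic, "subsigs": [bytes.fromhex(s) for s in subsigs]}

def decode_subsig(raw):
    """Show a hex subsig as text when it is wide (UTF-16LE) printable ASCII, as these five are; else as hex."""
    if raw and len(raw) % 2 == 0 and all(raw[i] == 0 and 0x20 <= raw[i - 1] < 0x7F for i in range(1, len(raw), 2)):
        return raw.decode("utf-16-le")
    return raw.hex().upper()

def string_to_subsig(text):
    """Inverse of the above: the wide-string hex form used when writing such a signature by hand."""
    return text.encode("utf-16-le").hex().upper()

def evaluate(logic, hits):
    """Evaluate subsig indices joined by & and | (with parentheses, left to right);
    ClamAV's count and offset modifiers such as 0>2 are not handled here."""
    toks = deque(re.findall(r"\d+|[&|()]", logic))
    def atom():
        tok = toks.popleft()
        if tok != "(":
            return hits[int(tok)]
        val = expr(); toks.popleft()   # consume the closing ')'
        return val
    def expr():
        val = atom()
        while toks and toks[0] in "&|":
            op, rhs = toks.popleft(), atom()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return expr()

def matches(sig, data):
    """Apply every subsig as a plain substring search (OFFSET: ANY) and combine the hits."""
    return evaluate(sig["logic"], [raw in data for raw in sig["subsigs"]])

def build_sample(strings):
    """Constructed stand-in for a PE file: wide strings separated by padding (not a real sample)."""
    return b"MZ" + b"".join(b"\x00\x00" + s.encode("utf-16-le") for s in strings)
```

Dropping any one of the five strings from the constructed buffer makes the match fail, which is exactly why an all-AND expression over several strings keeps the false positive rate low.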


For the obligatory MD5 dump, here are the majority of samples that the signature alerted on:

