Up until ClamAV 0.93, the following formats have been used the most to write signatures to detect malware:
SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
Logical signatures should be stored in .ldb files.
Let us illustrate how logical signatures can be used by analyzing a mass-mailer worm. The code for this sample is in Visual Basic Script (VBS) and so is easily readable. Right away we can see that the worm can loosely be classified in the category "AV Killer" as well since it attempts to identify the presence of various AV tools in order to disable them.
After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows:
Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro (0): 66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
Antiviral Toolkit Pro (1): 66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f
AVPersonal (2): 66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c
Trend PC-cillin 98 (3): 66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e
Another very important characteristic of this script is that this worm tries to use Outlook MAPI to send itself to the first 8000 contacts found in the address book.
A signature to detect this portion of the file could be (4):
666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
With ClamAV 0.94 and the addition of logical signatures, we write this highly flexible signature:
Worm.Godog;Target:0;((0|1|2|3)& (4));(0);(1);(2);(3);(4)
With a successful match, this signature will return the malware name "Worm.Godog". A match will occur when signature (4) is detected as well as either signature (0), (1), (2) or (3). The signature will look like the signature below in a .ldb file:
Worm.Godog;Target:0;((0|1|2|3)& (4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
In previous versions of ClamAV, up to and including 0.93, one would have to write many signatures to match the flexibility of the signature above. In this malware sample, 3 different AV tools are disabled and the worm tries to spread to the first 8,000 contacts of your Outlook address book. However, a variant could disable just one of the AV tools and still try to spread over the network. To detect the variant that just disables Kaspersky AV, a pre-0.94 signature would look like:
Worm.Godog:0:*:(0){-750}(4)
To detect the variant that just disables Antiviral Toolkit Pro, a pre-0.94 signature would look like:
Worm.Godog:0:*:(1){-700}(4)
More signatures can be written for the other cases.
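To make the matching semantics concrete, here is an added Python sketch (not ClamAV code, and not part of the original article) that evaluates one .ldb line over a buffer: each subsignature's hex body with {-N} gaps becomes a bytes regex, and the logical expression is evaluated over the set of matching subsignature indexes. The signature is a constructed, shortened version of the article's (the AVPersonal, Trend PC-cillin and mailer subsignatures, renumbered 0..2), the VBS fragment is constructed to look like the single-AV-killer variant discussed above, and the operator precedence (& before |) is an assumption that does not affect the article's fully parenthesised expressions.

```python
import re

def subsig_to_regex(subsig):
    # A hex body with {-N} gaps (a gap of at most N bytes) becomes a bytes regex.
    pattern = b""
    for piece in re.split(r"(\{-\d+\})", subsig):
        gap = re.fullmatch(r"\{-(\d+)\}", piece)
        pattern += b".{0,%d}" % int(gap.group(1)) if gap else re.escape(bytes.fromhex(piece))
    return re.compile(pattern, re.DOTALL)

def eval_expr(expr, hits):
    # Recursive descent over (), | and & on subsig indexes; assumption: & binds tighter than |.
    toks, pos = re.findall(r"\d+|[()&|]", expr), 0
    def parse(level):  # level 0: '|' chain, level 1: '&' chain, level 2: atom
        nonlocal pos
        if level == 2:
            tok, pos = toks[pos], pos + 1
            if tok != "(":
                return int(tok) in hits
            val = parse(0)
            pos += 1  # consume the matching ')'
            return val
        op, val = "|&"[level], parse(level + 1)
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            rhs = parse(level + 1)  # always evaluated, so pos keeps advancing
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return parse(0)

def scan(ldb_line, data):
    # name;target;expression;subsig0;subsig1;...  ->  name on a match, else None
    name, _target, expr, *subsigs = ldb_line.strip().split(";")
    hits = {i for i, s in enumerate(subsigs) if subsig_to_regex(s).search(data)}
    return name if eval_expr(expr, hits) else None

# Constructed, shortened .ldb line: the article's AVPersonal (0), Trend PC-cillin (1) and mailer (2) subsigs, renumbered.
SIG = ("Worm.Godog;Target:0;((0|1)&(2));"
       "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028"
       "{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}"
       "202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}"
       "202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}"
       "2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}"
       "696620{-10}203e20{-5}207468656e206578697420666f72{-300}"
       "2e6174746163686d656e74732e616464{-150}2e73656e64")
# Constructed lowercase VBS fragment: a variant that kills only AVPersonal but still mails itself.
SAMPLE = (b'if fso.fileexists (windir & "\\avpersonal\\avwin.exe") then\n'
          b'fso.deletefile (windir & "\\avpersonal\\avwin.exe")\nend if\n'
          b'for i = 1 to ol.addressentries.count\nmsg.recipients.add ol.addressentries(i)\n'
          b'if i > 8000 then exit for\nmsg.attachments.add wscript.scriptfullname\nmsg.send\n')
```

Calling scan(SIG, SAMPLE) returns "Worm.Godog" because subsignatures 0 and 2 match; dropping either the AV-killer lines or the mailer loop from the buffer makes it return None.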
This simple example shows how logical signatures can be very powerful in reducing the number of signatures written to detect variants within a malware family. Logical signatures can also help detect malware samples that were previously tough to detect and reduce the number of false positive detections.