Instead of having to remember each of the PE packers that crosses my desk, and which section of the file the malicious code lives in, I chose to automate this process.
pe-sig, a tool written in Ruby that uses the PE parsing and signature library from within Metasploit 3, automatically generates PE section signatures for known PE packers, suitable for loading into ClamAV.
When I process a file using pe-sig that was packed via pklite, pe-sig gives the following output:
16384:39ae378e47f13ceecca20d06201d0cc1:SIGNATURE__.pklstb__PKLITE32v1.1 [535]
Note that this is very similar to a signature that was released in mid-2008:
16384:39ae378e47f13ceecca20d06201d0cc1:Trojan.Downloader
When processing PE files that might not be packed, or that come from a packer we currently do not have signatures for, the output shown is all of the sections of the PE file:
157105664:8d85afc534f0b55fde3781a34ee8d995:UNKNOWN__.rsrc
34304:ae582babaad5a738c32ad1c074e1f3e2:UNKNOWN__.text
1024:730893b14fc930a187215e7fb53bc0a5:UNKNOWN__.data
Based on my knowledge of the file being processed via pe-sig, I know the packed data exists in .rsrc. My immediate work would be to find an appropriate signature for the packing portion of the executable and add it to my signature list, specifying that .rsrc is the location of the packed data. Then the next time I run across this packer, I won't have to remember what it is or where its data is stored. The work will have already been done for me.
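As an added example, not part of the original post or of the pe-sig tool itself: a small Ruby script that does the core of what the output above shows, MD5-hashing each PE section's raw data and labelling it from a local signature list. It assumes the local list uses the same size:md5:name form as pe-sig's output (an assumption; the real signatures.txt format is not shown here), and it builds its own constructed PE image so it runs offline.

```ruby
require 'digest/md5'

# Walk the PE section table and MD5 each section's raw bytes.
# Returns [[raw_size, md5, name], ...]; raises on malformed input.
def pe_section_hashes(data)
  raise 'not an MZ file' unless data[0, 2] == 'MZ'
  pe_off = data[0x3C, 4].unpack1('V')
  raise 'bad PE signature' unless data[pe_off, 4] == "PE\0\0"
  nsects   = data[pe_off + 6, 2].unpack1('v')
  opt_size = data[pe_off + 20, 2].unpack1('v')
  sect_tbl = pe_off + 24 + opt_size
  (0...nsects).map do |i|
    hdr = data[sect_tbl + i * 40, 40]
    raise 'truncated section table' unless hdr && hdr.bytesize == 40
    name = hdr[0, 8].delete("\0")
    raw_size, raw_ptr = hdr[16, 8].unpack('VV')
    # Refuse sections whose raw data runs past end of file instead of hashing garbage.
    raise "Offset #{raw_ptr} outside of section" if raw_ptr + raw_size > data.bytesize
    [raw_size, Digest::MD5.hexdigest(data[raw_ptr, raw_size]), name]
  end
end

# Emit one pe-sig style line per section. local_sigs is assumed to be
# a text list of known packer sections in the same size:md5:name form.
def pe_sig_lines(data, local_sigs)
  known = {}
  local_sigs.each_line do |l|
    size, md5, sig = l.strip.split(':', 3)
    known["#{size}:#{md5}"] = sig if sig
  end
  pe_section_hashes(data).map do |size, md5, name|
    sig = known["#{size}:#{md5}"]
    sig ? "#{size}:#{md5}:SIGNATURE__#{name}__#{sig}" : "#{size}:#{md5}:UNKNOWN__#{name}"
  end
end

# Build a constructed, minimal PE image (headers plus sections, no real code) for offline testing.
def build_sample_pe(sections)
  pe_off = 0x40
  ptr = pe_off + 24 + 40 * sections.size     # raw data follows the section table
  img = 'MZ'.b.ljust(0x3C, "\0") + [pe_off].pack('V')
  img << "PE\0\0".b << [0x14c, sections.size, 0, 0, 0, 0, 0x102].pack('vvVVVvv')
  body = ''.b
  sections.each do |name, bytes|
    img << name.ljust(8, "\0") << [bytes.bytesize, 0x1000, bytes.bytesize, ptr, 0, 0, 0, 0, 0].pack('VVVVVVvvV')
    body << bytes
    ptr += bytes.bytesize
  end
  img << body
end
```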
Doesn't this increase the risk of false positives?
This process does not increase the likelihood of having false positives because the files that are run through this process have already been checked to see if they are "good" or "bad". The analysis is done either statically or dynamically. Pe-sig is used when a researcher comes to the conclusion that a file is malware and that a signature needs to be written for it... yet it is packed with a packer not handled by ClamAV. Pe-sig can recognize the packer in question and generate a signature based on the packed code for the executable.
Code is missing from the VRT site...
Apologies for the broken links, we moved a few things around with the snort.org redesign. Links are now fixed in the post and it's here for convenience:
http://dl.snort.org/pe-sig/pe-sig.tgz
Hi.
I retrieve a Python error but don't understand it..
./pe-sig /home/henry/virus/cartao-3.scr
./pe-sig:44: undefined method `sigs' for #<Rex::PeScan::Analyze::Fingerprint:0xb7d1ac38> (NoMethodError)
from ./pe-sig:33:in `each'
from ./pe-sig:33
./pe-sig /home/henry/virus/cart8979.scr
Error parsing file /home/henry/virus/cart8979.scr : Offset 313604 outside of section
./pe-sig /home/henry/virus/virtualcard.scr
./pe-sig:44: undefined method `sigs' for #<Rex::PeScan::Analyze::Fingerprint:0xb7b86c00> (NoMethodError)
from ./pe-sig:33:in `each'
from ./pe-sig:33
My ./pe-sig has this configuration:
head -n15 ./pe-sig
#!/usr/bin/ruby -I/usr/src/framework-3.2/lib
#-I/path/to/metasploit-src/framework3/trunk/lib
#
# Generate PE signatures for Clam AV
#
require 'digest/md5'
require 'rex/peparsey'
require 'rex/pescan'
# location of your local signatures
local_sigs = 'signatures.txt'
# location of your metasploit 3 src tree
msf_base = '/usr/src/framework-3.2'
What is wrong?
regards,
Henry
Hello.
I'm using Gentoo Linux.
Does somebody know of instructions or a manual for pe-sig?
After emerging metasploit and entering "ruby pe-sig", there is an error:
"pe-sig:7:in `require': no such file to load -- rex/peparsey (LoadError)
from pe-sig:7"