Mailing List Archive

Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hello,

Today we transmitted a significant number of Emotet files that went
undetected by ClamAV
(verification done with VirusTotal).

Is there a reason why the Emotet detection rate is very low for ClamAV?

Thank you in advance.

Best regards,

---
Cyril AECK

Service du numérique - SNum
UNI/DETN
Messaging & remote conferencing

Tel. 04 74 27 52 13
Port. 06 63 16 23 32
Re: [clamav-users] ClamAV - Emotet - Malware not detected
By transmitted, do you mean by email? If so, what are you using to feed email messages to ClamAV?

Also, what platform and version are you running and what version of ClamAV?

Sent from my iPad

-Al-

On Sep 16, 2020, at 01:44, SG/SNUM/UNI/DETN/GMCD emis par AECK Cyril - SG/SNUM/UNI/DETN/GMCD via clamav-users <clamav-users@lists.clamav.net> wrote:
> Hello,
>
> Today we transmitted a significant number of Emotet files that went undetected by ClamAV
> (verification done with VirusTotal).
>
> Is there a reason why the Emotet detection rate is very low for ClamAV?
>
> Thank you in advance.
>
> Best regards,
> ---
> Cyril AECK
>
> Service du numérique - SNum
> UNI/DETN
> Messaging & remote conferencing
>
> Tel. 04 74 27 52 13
> Port. 06 63 16 23 32
Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hi Cyril,

How did you transmit the virus? Via email? As attachments? Was it
compressed or uncompressed?

I know you might not agree with me, but my suggestion is to block the
MTA from sending executable files (exe, bat, pif, scr, dll, etc.). Most
MTAs are anyway directly rejecting mail when such an attachment is seen.
For example Google: https://support.google.com/mail/answer/6590?hl=en. I am
doing the same on my email systems. I know it is preferred to know the
exact type of virus and reject it, but nowadays most of the executables
sent via email (or even links posted in email) are viruses.

If you are talking about compressed files, you have multiple choices to do
this as well:

1) use complicated MTA rules to unzip/untar/unrar/etc the archive and
check if executable is inside.

2) use the foxhole unofficial ClamAV signatures (might not cover all the
situations)

3) write your own signatures like this. Please check the manual first:
https://www.clamav.net/documents/extended-signature-format

Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*

Hope that is useful

---
Best regards,
Iulian

On 2020-09-16 11:43, SG/SNUM/UNI/DETN/GMCD emis par AECK Cyril -
SG/SNUM/UNI/DETN/GMCD via clamav-users wrote:

> Hello,
>
> Today we transmitted a significant number of Emotet files that went undetected by ClamAV
> (verification done with VirusTotal).
>
> Is there a reason why the Emotet detection rate is very low for ClamAV?
>
> Thank you in advance.
>
> Best regards,
>
> ---
> Cyril AECK
>
> Service du numérique - SNum
> UNI/DETN
> Messaging & remote conferencing
>
> Tel. 04 74 27 52 13
> Port. 06 63 16 23 32
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
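The three signatures in the post above use ClamAV's container-metadata (.cdb) format, whose fourth field is a regex matched against the name of each file inside an archive. The following is an added example, not code from the post or from ClamAV: it parses those exact lines, reproduces the filename-regex matching in Python, and runs it against a small archive constructed in memory, so you can see offline which members the rules would flag (and which they would not) before loading them into clamd.

```python
"""Evaluate ClamAV .cdb filename regexes against the members of an archive.

Added example (not ClamAV code, which would run the same rules via clamscan).
It reproduces only the FileNameREGEX field's matching logic so the three
signatures from the post can be checked offline against a constructed zip.
"""
import io
import re
import zipfile

# The three signatures quoted in the post.  Field order per the ClamAV docs:
# Name:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
# FileSizeReal:IsEncrypted:FilePos:Res1:Res2
CDB_SIGNATURES = """\
Archived_BAT:*:*:(?i)\\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\\.exe$:*:*:*:*:*:*
"""


def parse_cdb(text):
    """Return [(signature_name, compiled_regex)] for each non-empty .cdb line."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"expected 10 fields, got {len(fields)}: {line}")
        name, regex = fields[0], fields[3]
        if regex != "*":  # '*' means "match any filename"
            sigs.append((name, re.compile(regex)))
    return sigs


def scan_zip_members(zip_bytes, sigs):
    """Map each member name to the signature names whose regex matches it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            hits[member] = [name for name, rx in sigs if rx.search(member)]
    return hits


def build_sample_zip():
    """Constructed sample archive with placeholder contents (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("INVOICE.EXE", b"MZ placeholder")            # upper case
        zf.writestr("setup/run.Bat", b"@echo off")               # mixed case, subdir
        zf.writestr("report.docm", b"placeholder macro document")  # no rule for this
        zf.writestr("exe.txt", b"not an executable")             # 'exe' not a suffix
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_zip_members(build_sample_zip(), parse_cdb(CDB_SIGNATURES))
    for member, names in results.items():
        print(f"{member:20s} -> {names or 'no match'}")
```

Note that the `(?i)` prefix and `$` anchor mean case does not matter but the extension must be the last thing in the name, so `exe.txt` is left alone while `INVOICE.EXE` and `setup/run.Bat` fire; a macro-enabled document such as `report.docm` matches nothing here, which is the limit of this kind of rule.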
Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hi there,

On Wed, 16 Sep 2020, Cyril AECK via lists.clamav.net wrote:

> Is there a reason why the Emotet detection rate is very low for ClamAV?

The macro in the attachment is heavily disguised. See for example

https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/

It's very easy for the sender to change disguises in code. Some code
will even do it by itself, on the fly. Using a grossly oversimplified
example, I could write code like this:

void somefunc() { while(1) { something_new; } }
int abc=1; if(abc==1) { somefunc(); }

but the same effect can be achieved with different names everywhere:

void otherfunc() { while(2) { something_old; } }
int xyz=3; if(xyz==3) { otherfunc(); }

You really want to analyze the behaviour of the code but that's much
harder to do than making simple string comparisons which look for
words -- which is more or less all that signature matching does. You
need a signature for every disguise, which probably explains why there
are at the moment just shy of sixty thousand signatures in the 'daily'
database which have a name containing 'Emotet'.

On Wed, 16 Sep 2020, iulian stan via clamav-users wrote:

> If you are talking about compressed files, you have multiple choices to do
> this as well:
> 1) use complicated MTA rules to unzip/untar/unrar/etc the archive and
> check if executable is inside.
> 2) use the foxhole unofficial ClamAV signatures (might not cover all the
> situations)
> 3) write your own signatures like this. Please check the manual first:
> https://www.clamav.net/documents/extended-signature-format
> Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
> Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
> Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*

Unfortunately none of these suggestions is likely to succeed against
the current Emotet threats. The malicious email generally contains a
disguised macro, not a Windows executable. The macro downloads and
runs a payload (maybe more than one), thus avoiding a scan or perhaps
without even writing it to a file which ClamAV will be able to scan.

The foxhole signatures, the ClamAV official signatures and a couple of
dozen other third-party signatures have all failed to detect threats
in mail received here in the past few days.

But the messages were obvious as soon as they appeared in the greylist
queue. They posed as replies to mail abuse reports which we had sent,
but the reports were sent many years ago.

Evidently our reports have been stolen from the poorly-secured systems
at the providers to whom we were reporting abuse at the time. A neat
trick, but not nearly neat enough. We don't run Windows boxes anyway. :)

--

73,
Ged.

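To make the point above concrete, here is an added example (illustrative Python, not part of the message and not ClamAV's matcher) built around the two snippets Ged gives. A byte signature taken from the first snippet does not match the renamed copy, which is why each disguise needs its own signature; a comparison that first replaces every identifier and literal with a placeholder, a crude stand-in for the behavioural analysis the message says you really want, sees both as the same shape while still distinguishing a genuinely different construct. The third snippet and the token classes are my own constructions.

```python
"""Byte-signature matching versus shape comparison on renamed code.

Added example, not the message's own code or ClamAV's engine.  The first two
snippets are the ones quoted in the message; the third is constructed to show
that the normalisation still tells different control structures apart.
"""
import re

SNIPPET_A = ("void somefunc() { while(1) { something_new; } }\n"
             "int abc=1; if(abc==1) { somefunc(); }")
SNIPPET_B = ("void otherfunc() { while(2) { something_old; } }\n"
             "int xyz=3; if(xyz==3) { otherfunc(); }")
# Constructed: same call pattern but a different loop construct.
SNIPPET_C = ("void f() { for(;;) { g(); } }\n"
             "int q=1; if(q==1) { f(); }")

# Tokens kept verbatim; everything else that looks like a name becomes ID.
KEYWORDS = {"void", "int", "if", "while", "for", "return"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|\S")


def byte_signature(code, length=16):
    """A crude string signature: the first `length` bytes of a sample."""
    return code.encode()[:length]


def signature_matches(sig, code):
    """Plain substring search, which is more or less what a string signature does."""
    return sig in code.encode()


def normalize(code):
    """Replace identifiers with ID and numeric literals with NUM, keeping
    keywords and punctuation, so a renamed copy compares equal."""
    out = []
    for tok in TOKEN_RE.findall(code):
        if tok in KEYWORDS:
            out.append(tok)
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok[0].isalpha() or tok[0] == "_":
            out.append("ID")
        else:
            out.append(tok)
    return " ".join(out)


if __name__ == "__main__":
    sig = byte_signature(SNIPPET_A)
    print("signature from A matches A:", signature_matches(sig, SNIPPET_A))
    print("signature from A matches B:", signature_matches(sig, SNIPPET_B))
    print("A and B same shape:", normalize(SNIPPET_A) == normalize(SNIPPET_B))
    print("A and C same shape:", normalize(SNIPPET_A) == normalize(SNIPPET_C))
```

Real obfuscation goes well beyond renaming (string splitting, dead code, runtime decoding), so this normalisation is only a sketch of the direction; its value is in showing why the signature count grows with the number of disguises rather than with the number of distinct behaviours.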
Re: [clamav-users] ClamAV - Emotet - Malware not detected
Can you provide the SHA256 hash of a couple of the files?

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org

> On Sep 16, 2020, at 4:43 AM, clamav-users@lists.clamav.net wrote:
>
> Hello,
>
> Today we transmitted a significant number of Emotet files that went undetected by ClamAV
> (verification done with VirusTotal).
>
> Is there a reason why the Emotet detection rate is very low for ClamAV?
>
> Thank you in advance.
>
> Best regards,
> ---
> Cyril AECK
>
> Service du numérique - SNum
> UNI/DETN
> Messaging & remote conferencing
>
> Tel. 04 74 27 52 13
> Port. 06 63 16 23 32
Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hi there,

On Wed, 16 Sep 2020, Joel Esler (jesler) via clamav-users wrote:

> Can you provide the SHA256 hash of a couple of the files?

If you want something quickly I've already submitted examples in the
last couple of days.

--

73,
Ged.

Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hi all,

Well, I didn't look at what kind of virus Emotet is, and I supposed it's
spread through executable files, where the defenses presented should work.
For Emotet itself I am using the lists provided by the abuse.ch guys (I
suggest going through all the defenses they have), but those two might/should
help:
https://feodotracker.abuse.ch/browse/ ||
https://feodotracker.abuse.ch/blocklist/
https://urlhaus.abuse.ch/browse/tag/emotet/ (here you also have the ClamAV
file signature set urlhaus.ndb)

Bonus: https://paste.cryptolaemus.com/

The idea is to build, either through ClamAV (here we talk about ClamAV) or
SpamAssassin, a way to defend yourself based on the input provided.

---
Best regards,
Iulian

On 2020-09-16 14:50, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 16 Sep 2020, Cyril AECK via lists.clamav.net wrote:
>
>> Is there a reason why the Emotet detection rate is very low for
>> ClamAV?
>
> The macro in the attachment is heavily disguised. See for example
>
> https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/
>
> It's very easy for the sender to change disguises in code. Some code
> will even do it by itself, on the fly. Using a grossly oversimplified
> example, I could write code like this:
>
> void somefunc() { while(1) { something_new; } }
> int abc=1; if(abc==1) { somefunc(); }
>
> but the same effect can be achieved with different names everywhere:
>
> void otherfunc() { while(2) { something_old; } }
> int xyz=3; if(xyz==3) { otherfunc(); }
>
> You really want to analyze the behaviour of the code but that's much
> harder to do than making simple string comparisons which look for
> words -- which is more or less all that signature matching does. You
> need a signature for every disguise, which probably explains why there
> are at the moment just shy of sixty thousand signatures in the 'daily'
> database which have a name containing 'Emotet'.
>
> On Wed, 16 Sep 2020, iulian stan via clamav-users wrote:
>
>> If you are talking about compressed files, you have multiple choices to
>> do
>> this as well: 1) use complicated MTA rules to unzip/untar/unrar/etc
>> the archive and
>> check if executable is inside. 2) use the foxhole unofficial ClamAV
>> signatures (might not cover all the
>> situations) 3) write your own signatures like this. Please check
>> the manual first:
>> https://www.clamav.net/documents/extended-signature-format
>> Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
>> Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
>> Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
>
> Unfortunately none of these suggestions is likely to succeed against
> the current Emotet threats. The malicious email generally contains a
> disguised macro, not a Windows executable. The macro downloads and
> runs a payload (maybe more than one), thus avoiding a scan or perhaps
> without even writing it to a file which ClamAV will be able to scan.
>
> The foxhole signatures, the ClamAV official signatures and a couple of
> dozen other third-party signatures have all failed to detect threats
> in mail received here in the past few days.
>
> But the messages were obvious as soon as they appeared in the greylist
> queue. They posed as replies to mail abuse reports which we had sent,
> but the reports were sent many years ago.
>
> Evidently our reports have been stolen from the poorly-secured systems
> at the providers to whom we were reporting abuse at the time. A neat
> trick, but not nearly neat enough. We don't run Windows boxes anyway.
> :)
>
> --
>
> 73,
> Ged.
>

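As an added example of "building a defence based on the input provided" (my code, not abuse.ch's urlhaus.ndb and not part of the message), the script below turns an IP blocklist in the style of the Feodo Tracker feed into ClamAV .ndb body signatures, so any scanned mail or file that mentions a listed C2 address as text is flagged. The input is a constructed sample using RFC 5737 documentation addresses, the signature name prefix `Custom.Feodo.C2` is my own choice, and the .ndb layout used is `Name:TargetType:Offset:HexSignature` with target type 0 (any file) and offset `*` (anywhere).

```python
"""Convert an abuse.ch-style IP blocklist into ClamAV .ndb signatures.

Added example, not abuse.ch or ClamAV code.  SAMPLE_BLOCKLIST is a constructed
stand-in for feodotracker's ipblocklist.txt (one IPv4 per line, '#' comments)
using RFC 5737 documentation addresses; the Custom.Feodo.C2 prefix is my own.
"""
import ipaddress

SAMPLE_BLOCKLIST = """\
# constructed sample in the style of feodotracker ipblocklist.txt
# one IPv4 address per line; comments start with '#'
192.0.2.10
198.51.100.7

not-an-ip
192.0.2.10
"""


def parse_blocklist(text):
    """Yield unique, valid IPv4 addresses; skip blanks, comments and junk lines."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = str(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # malformed entry: ignore rather than emit a bad signature
        if ip not in seen:
            seen.add(ip)
            yield ip


def to_ndb(ip, prefix="Custom.Feodo.C2"):
    """Build one .ndb line: Name:TargetType:Offset:HexSignature.

    TargetType 0 = any file, Offset * = anywhere; the hex signature is the
    ASCII form of the address, so it matches the address written out in text.
    """
    name = f"{prefix}.{ip.replace('.', '-')}"
    return f"{name}:0:*:{ip.encode('ascii').hex()}"


def build_ndb(text):
    """All signature lines for a blocklist, ready to write to a .ndb file."""
    return [to_ndb(ip) for ip in parse_blocklist(text)]


def would_fire(ndb_line, data):
    """Offline check of one signature against a byte blob (plain substring,
    which is what a fixed hex signature at offset '*' amounts to)."""
    hexsig = ndb_line.rsplit(":", 1)[1]
    return bytes.fromhex(hexsig) in data


if __name__ == "__main__":
    for line in build_ndb(SAMPLE_BLOCKLIST):
        print(line)
```

Write the lines to a file ending in `.ndb` in ClamAV's database directory (the exact name is your choice) and reload clamd. One caveat the `would_fire` check makes visible: a fixed pattern for `192.0.2.10` also matches inside `192.0.2.100`, so for addresses that are prefixes of others you would want a logical (.ldb) signature with a PCRE and boundary anchors instead.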
Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hiya

Did you submit to Sanesecurity too?
If not, can you please consider submitting there too?

Please see:
https://sanesecurity.com/contact-us/

Many thanks
Regards
Brent

On 2020/09/16 15:04, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 16 Sep 2020, Joel Esler (jesler) via clamav-users wrote:
>
>> Can you provide the SHA256 hash of a couple of the files?
>
> If you want something quickly I've already submitted examples in the
> last couple of days.
>

Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hi there,

On Wed, 16 Sep 2020, Brent Clark via clamav-users wrote:

> Did you submit to Sanesecurity too?
> If not, can you please consider submitting there too?

Our automated system routinely submits to Sanesecurity. Unfortunately
this outbreak occurred while we're in the throes of big modifications
to the system - basically making the user interface browser-based - so
it's been offline for a little while.

I'll check on development (the office next door:) and if it's going to
take a lot longer to get it back online I'll make a manual submission.

--

73,
Ged.

Re: [clamav-users] ClamAV - Emotet - Malware not detected
Hiya

Thanks so much.

I know the community, and the internet as a whole, stands to gain from
your efforts / work.

Regards
Brent

On 2020/09/16 15:45, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 16 Sep 2020, Brent Clark via clamav-users wrote:
>
>> Did you submit to Sanesecurity too?
>> If not, can you please consider submitting there too?
>
> Our automated system routinely submits to Sanesecurity.  Unfortunately
> this outbreak occurred while we're in the throes of big modifications
> to the system - basically making the user interface browser-based - so
> it's been offline for a little while.
>
> I'll check on development (the office next door:) and if it's going to
> take a lot longer to get it back online I'll make a manual submission.
>

Re: [clamav-users] ClamAV - Emotet - Malware not detected
"Vaccine for Emotet Malware" at "Schneier on Security":

https://www.schneier.com/crypto-gram/archives/2020/0915.html#cg2



On Wed, 16 Sep 2020 16:27:45 +0200
Brent Clark via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hiya
>
> Thanks so much.
>
> I know the community, and the internet as a whole, stands to gain from
> your efforts / work.
>
> Regards
> Brent
