Mailing List Archive

[clamav-users] Reference a normalized variable name without hardcoding a specific one?
So, I've been creating local signatures for a variety of obfuscated
Javascript for a while.

But I've been missing a way to more precisely target malicious actions
based on surrounding variables.

With my latest sample, I want to match "[variable].[htmldomstuff]",
"function([variable])", across several nearby substrings.

But I *don't* want to hardcode any one specific normalized variable name
- this particular sample has n007, but with very little fiddling it
could well end up as n003 or n024. What I want is a metareference of
some kind to use across the substrings that will only match the same
normalized variable name in all of them.

In PCRE I would just do something like:

/(n\d+).htmldomstuff;function(\1);/

Do any of Clam's signature types support something like this? Logical
signatures or Yara rules seem likely, but I've had trouble getting some
more complex signature concepts to actually work with either.

-kgd
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Reference a normalized variable name without hardcoding a specific one?
Hello Kris,

[...]
> /(n\d+).htmldomstuff;function(\1);/
>
> Do any of Clam's signature types support something like this?

I use:

6e3?3?3?

that matches n000, n003, n024, n781 ...


--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.60.47.09.81
E-mail: aj@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Writing signatures for ClamAV antivirus since 2006
Re: [clamav-users] Reference a normalized variable name without hardcoding a specific one?
Arnaud Jacques via clamav-users wrote:
> Hello Kris,
>
> [...]
> > /(n\d+).htmldomstuff;function(\1);/
> >
> > Do any of Clam's signature types support something like this?
>
> I use:
>
> 6e3?3?3?
>
> that matches n000, n003, n024, n781 ...

Right, and I've used that in cases where tracking a particular
normalized variable isn't as important, but there are two problems:

1) You can't start or end the overall pattern with this

2) It's not matching "this specific normalized variable, for immediate
local values of this specific normalized variable", it's matching "any
normalized variable".

As I said in my original message, the specific sample at hand just now
came out with n007 for the specific variable... but variations in the
scam could make that normalize to n003 or n024 or something else. I
only want to match that particular variable - irrespective of what
n\d\d\d value it normalizes *to* in any specific sample file. Which is
why I want to capture the first case, and backreference it for further
instances of it later in the pattern.

-kgd
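To make the difference between the two approaches in this thread concrete, here is an added example (not code from the list posts, and not ClamAV's own matcher). It re-implements just enough of ClamAV's hex-signature syntax to evaluate Arnaud's `6e3?3?3?` (plain bytes plus `?` nibble wildcards; jumps, alternatives and anchors are not handled), and puts Kris's PCRE next to it with the `.` and parentheses escaped so they match literally. The samples are constructed strings in the style of normalised JavaScript, keeping the thread's `.htmldomstuff` placeholder. Two things fall out when you run it: the nibble wildcard matches any `n` followed by three bytes in 0x30-0x3f, which is the digits but also `:;<=>?`, and it cannot tell whether two hits are the same variable; the backreference matches only when both occurrences carry the same normalised name.

```python
import re
from typing import List, Optional

# Constructed samples in the style of ClamAV's normalised JavaScript, where
# identifiers are rewritten to n000-style names. These strings are made up for
# the example; ".htmldomstuff" is the placeholder used in the thread, not a
# real DOM property.
SAMPLE_SAME_VAR = "n007.htmldomstuff;function(n007);"
SAMPLE_DIFFERENT_VARS = "n007.htmldomstuff;function(n012);"
SAMPLE_NON_DIGIT = "n:;<.htmldomstuff;function(n:;<);"


def _byte_class(hi: str, lo: str) -> bytes:
    """Regex fragment matching one byte of a ClamAV hex signature.
    '?' in either position is a nibble wildcard (ClamAV's a? / ?a syntax)."""
    if hi == "?" and lo == "?":
        return b"."
    if hi == "?":
        cands = [(x << 4) | int(lo, 16) for x in range(16)]
    elif lo == "?":
        cands = [(int(hi, 16) << 4) | x for x in range(16)]
    else:
        cands = [int(hi + lo, 16)]
    return b"[" + b"".join(b"\\x%02x" % c for c in cands) + b"]"


def clamav_hex_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate plain hex bytes plus '?' nibble wildcards into a bytes regex.
    Other hex-signature constructs (jumps such as {n-m}, alternatives such as
    (aa|bb), anchors) are deliberately not handled in this example."""
    if len(hexsig) % 2:
        raise ValueError("hex signature must contain whole bytes")
    body = b"".join(
        _byte_class(hexsig[i], hexsig[i + 1]) for i in range(0, len(hexsig), 2)
    )
    return re.compile(body, re.DOTALL)


NIBBLE_SIG = "6e3?3?3?"          # 'n' followed by three bytes in 0x30..0x3f
NIBBLE_RE = clamav_hex_to_regex(NIBBLE_SIG)

# PCRE-style form of the pattern from the thread, with '.' and the parentheses
# escaped so they match literally; \1 refers back to the captured name.
BACKREF_RE = re.compile(r"(n\d+)\.htmldomstuff;function\(\1\);")


def nibble_sig_hits(sample: str) -> List[str]:
    """Every substring the nibble-wildcard signature matches, in order."""
    data = sample.encode("latin-1")
    return [m.group(0).decode("latin-1") for m in NIBBLE_RE.finditer(data)]


def backref_var(sample: str) -> Optional[str]:
    """The normalised name if both occurrences are the same variable, else None."""
    m = BACKREF_RE.search(sample)
    return m.group(1) if m else None


if __name__ == "__main__":
    for s in (SAMPLE_SAME_VAR, SAMPLE_DIFFERENT_VARS, SAMPLE_NON_DIGIT):
        print(f"{s!r:40} nibble={nibble_sig_hits(s)} backref={backref_var(s)}")
```

Running it shows `6e3?3?3?` reporting two hits on every sample, including the one where the two names differ and the one whose "digits" are punctuation, while the backreference accepts only the first sample and hands back `n007`. That is exactly the gap Kris describes: the hex wildcard says "some normalised variable", the backreference says "the same one as before".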