Posted on Thursday, January 3rd, 2008

ClamAV Sigs for Storm Christmas Campaign Lures

by Jose Nazario

I took the list of domain names seen in the new Peacomm lure runs - the Christmas and New Year’s campaign - and wrote a ClamAV signature generator for them. This is based on the signature generation techniques described in the ClamAV docs. What it does is look for the pattern of a newline byte immediately followed by a Storm lure URL in emails. The following Python code will generate a set of signatures you can use to block, tag, or bin these emails.


#!/usr/bin/env python

# Lure domains seen in the Storm Worm (Peacomm) Christmas / New Year's runs.
URLS = ['familypostcards2008.com',
        'freshcards2008.com',
        'happy2008toyou.com',
        'happycards2008.com',
        'happysantacards.com',
        'hellosanta2008.com',
        'hohoho2008.com',
        'merrychristmasdude.com',
        'newyearcards2008.com',
        'newyearwithlove.com',
        'parentscards.com',
        'postcards-2008.com',
        'santapcards.com',
        'santawishes2008.com',
        'uhavepostcard.com',]

for u in URLS:
    # Hex-encode a newline (0x0a) followed by the full lure URL, so the
    # signature only fires when the URL starts a line in the message.
    r = '0a'
    s = 'http://%s/' % u
    for i in s:
        r += '%02x' % ord(i)

    # .ndb format is Name:TargetType:Offset:HexSignature;
    # target type 4 = mail files, '*' = match at any offset.
    print('Worm.Peacomm.Christmas.08010100:4:*:%s' % r)

Save this in a file named something like “clamsigs.py”.

Usage of this is pretty simple:

$ python ./clamsigs.py > storm.ndb

The .ndb extension is important: ClamAV uses the same trick as Windows to decide what to do with a file and bases it on the extension. Now you can install this .ndb file for ClamAV to load, or you can test with it first. To test it directly, run a mail spool containing some of the Storm Worm lures (i.e. a spam inbox) through it:

$ formail -s clamscan -d /tmp/storm.ndb - < storm_mailbox.mbox

You should see alerts like this:

----------- SCAN SUMMARY -----------
Known viruses: 15
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 0.007 sec (0 m 0 s)
stdin: Worm.Peacomm.Christmas.08010100 FOUND

That means it worked. You can install it to be used by ClamAV in the same place you would store any other extra rulesets. In my case it’s:

/usr/local/share/clamav

But your installation may be different. It should live alongside the mirrors.dat file and the daily.inc directory.

I’ve tested these signatures against a few inputs, including a true negative mailbox, a true positive mailbox, and what should be a false positive mailbox. This should work OK and provide reliable alerts, and let people discuss these domains without triggering an alert, provided they quote or otherwise change the original message layout so the URL no longer begins a line. If the URL starts a line, you’ll see an alert.
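As an added example (not the post’s generator and not ClamAV’s own matching code), the following Python 3 script builds the same kind of .ndb lines from a few of the domains above and then emulates the byte-pattern match on two constructed messages: a lure in which the URL begins a line, and a reply that quotes the same URL mid-line. The function names, the sample messages and the shortened domain list are this example’s own.

```python
#!/usr/bin/env python3
# Added example: build .ndb signature lines for the lure domains and emulate
# the byte-pattern match, to show why a quoted URL mid-line does not fire.
# This is not ClamAV's own matching code; names here are the example's own.

SIG_NAME = "Worm.Peacomm.Christmas.08010100"   # signature name used in the post
TARGET_MAIL = 4                                 # .ndb target type 4 = mail files

# A subset of the domains listed in the post; the full list is in the
# generator script above.
DOMAINS = [
    "familypostcards2008.com",
    "happycards2008.com",
    "hohoho2008.com",
    "merrychristmasdude.com",
]


def ndb_signature(domain, name=SIG_NAME):
    """Return one .ndb line: Name:TargetType:Offset:HexSignature.

    The byte pattern is a newline (0x0a) followed by the full lure URL, so the
    signature fires only when the URL begins a line somewhere in the message.
    """
    pattern = b"\n" + ("http://%s/" % domain).encode("ascii")
    return "%s:%d:*:%s" % (name, TARGET_MAIL, pattern.hex())


def generate(domains):
    """Build the whole ruleset, one line per domain."""
    return [ndb_signature(d) for d in domains]


def pattern_bytes(sig_line):
    """Decode the hex body of an .ndb line back into the raw byte pattern."""
    fields = sig_line.split(":")
    return bytes.fromhex(fields[3])


def scan(message, sig_lines):
    """Emulate the match: return the names of signatures whose byte pattern
    occurs anywhere in the message (the '*' offset), without duplicates."""
    hits = []
    for line in sig_lines:
        name = line.split(":", 1)[0]
        if pattern_bytes(line) in message and name not in hits:
            hits.append(name)
    return hits


# Constructed sample messages (not real captures).  CRLF line endings still
# match because the byte before the URL is the 0x0a of the CRLF pair.
LURE = (b"From: santa@example.invalid\r\n"
        b"Subject: Happy New Year!\r\n\r\n"
        b"You have received a postcard.\r\n"
        b"http://happycards2008.com/\r\n")

QUOTED_REPLY = (b"Subject: Re: storm domains\n\n"
                b"> seen this morning: http://happycards2008.com/ in a lure\n")


if __name__ == "__main__":
    sigs = generate(DOMAINS)
    for line in sigs:
        print(line)
    print("lure:", scan(LURE, sigs))                  # URL starts a line -> alert
    print("quoted reply:", scan(QUOTED_REPLY, sigs))  # mid-line -> no alert
```

Run it as-is to print the four signature lines followed by the two scan results; the lure message reports the signature name, the quoted reply reports nothing, which is the false-positive behaviour the paragraph above describes.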

If you can improve on these, that would be great to see. In theory this should work for any new Storm Worm campaign that uses named domains in its lure URLs.

Comment Post by: asicard — January 4th, 2008 @ 2:26 pm EST