[nsp-sec] [OT] New feed - ClamAV signatures

Stephen Gill gillsr at cymru.com
Mon Jan 28 11:46:28 EST 2008


Sure thing!

You can read all about it here:

https://www.cymru.com/nsp-sec/malwareflow/

More specifically, you'll need to retrieve this feed daily and
cross-reference the files by hash:

https://www.cymru.com/nsp-sec/malwareflow/avlist.txt

I would suggest a database for long term storage of the daily diffs.

Cheers,
Steve, Team Cymru.

On 1/28/08 4:03 AM, "Dimitrios Kalogeras" <D.Kalogeras at noc.ntua.gr> wrote:

> ----------- nsp-security Confidential --------
> 
> Hi Rob,
> 
> Thanks for the nice service.
> 
> We did a short comparison with respect to our daily channel. It is nice
> that we find differences and that there is a hit in the scanning feed
> which, in a different case, would have gone unnoticed. Is there a
> correspondence between the signature feed and the virus/trojan names?
> 
> Regards,
> Dimitris
> 
> Segment of the comparison follows:

> - Normal
> /artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: OK
> /artifacts/binaries/1cd42b27c7ea9c5f43e1e2de1dad25a8: OK
> /artifacts/binaries/21e0e2bb5d7c0c0b5342de6229cb49f8: OK
> /artifacts/binaries/29f0569b6b287b09a0a296e8eb616566: OK
> /artifacts/binaries/45fc0e9e1285e77456fead2cf2f02820: OK
> /artifacts/binaries/4f64d8c58fc352c308d946546adcb547: Trojan.Agent-8231 FOUND
> /artifacts/binaries/5ae700c1dffb00cef492844a4db6cd69: Worm.Blaster.A FOUND
> /artifacts/binaries/6b58d96801ee561e9b9e2204811caefd: OK
> /artifacts/binaries/8caaebe038838614d51f852f75918d68: OK
> /artifacts/binaries/8e0975e55e29ad1a85d47e80ab00e2bc: Trojan.SdBot-7769 FOUND
> /artifacts/binaries/ad410dbfeaeea4ed9c253a2140d1004b: OK
> /artifacts/binaries/c2204a662150d482795816ca7b0699c6: OK
> /artifacts/binaries/cb032b12af742555e60124f6d7d2d2ea: OK
> /artifacts/binaries/e92a8302b8fab21cdc8b7f191a584f06: W32.Virut.ci FOUND
> /artifacts/binaries/ecaea72984c74bc57f9221d506bc55d5: OK
> /artifacts/binaries/f89c3a4394bd82d3aaf68fa4513008cc: OK
> 
> - 0day
> /artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: DETECT_25.00 FOUND
> /artifacts/binaries/1cd42b27c7ea9c5f43e1e2de1dad25a8: DETECT_11.11 FOUND
> /artifacts/binaries/21e0e2bb5d7c0c0b5342de6229cb49f8: DETECT_19.44 FOUND
> /artifacts/binaries/29f0569b6b287b09a0a296e8eb616566: DETECT_28.57 FOUND
> /artifacts/binaries/45fc0e9e1285e77456fead2cf2f02820: DETECT_17.14 FOUND
> /artifacts/binaries/4f64d8c58fc352c308d946546adcb547: DETECT_32.26 FOUND
> /artifacts/binaries/5ae700c1dffb00cef492844a4db6cd69: Worm.Blaster.A FOUND
> /artifacts/binaries/6b58d96801ee561e9b9e2204811caefd: DETECT_37.14 FOUND
> /artifacts/binaries/8caaebe038838614d51f852f75918d68: DETECT_77.78 FOUND
> /artifacts/binaries/8e0975e55e29ad1a85d47e80ab00e2bc: Trojan.SdBot-7769 FOUND
> /artifacts/binaries/ad410dbfeaeea4ed9c253a2140d1004b: DETECT_41.67 FOUND
> /artifacts/binaries/c2204a662150d482795816ca7b0699c6: DETECT_31.43 FOUND
> /artifacts/binaries/cb032b12af742555e60124f6d7d2d2ea: DETECT_65.71 FOUND
> /artifacts/binaries/e92a8302b8fab21cdc8b7f191a584f06: W32.Virut.ci FOUND
> /artifacts/binaries/ecaea72984c74bc57f9221d506bc55d5: DETECT_31.43 FOUND
> /artifacts/binaries/f89c3a4394bd82d3aaf68fa4513008cc: DETECT_11.43 FOUND

> Rob Thomas wrote:
> > ----------- nsp-security Confidential --------
> > 
> > Hi, team.
> > 
> > We are pleased to announce that our ClamAV signatures project is now
> > ready for release.  We base our signatures on our large malware
> > menagerie.  Each sample we collect is scrutinized by 33+ anti-virus
> > packages and several sandboxes.  The resulting analysis determines if
> > the sample is malware.  We then generate ClamAV signatures for those
> > samples that are tagged as malware by our malware analysis process.
> > We're processing circa 15K new malware samples per day, so this is a
> > significant amount.
> > 
> > Many of you are likely already familiar with ClamAV, which runs on a
> > wide variety of platforms.  You can read a bit about ClamAV and all
> > about our ClamAV Signatures Project at the following URL:
> > 
> >     URL:   <https://clamsigs.cymru.com/avsigs/>
> >     Login: tcsigs
> >     Pass:  klams1gz
> > 
> > Please do take the time to read the verbiage regarding installation.
> > Our thanks to Larry Lidz for providing a handy Unix-based download
> > shell script, which you'll find referenced on the main page.
> > 
> > The actual signature files can be found at the following
> > authenticated URL.  Please use your nsp-sec mailing list login and
> > password to access the download section of our ClamAV Signatures
> > Project page.
> > 
> >     URL:   <https://clamsigs.cymru.com/avsigs/downloads/>
> > 
> > If you have forgotten or need to reset your nsp-sec mailing list
> > login and password, you'll find a handy reset tool at the bottom of
> > the following page:
> > 
> >     URL:   <https://puck.nether.net/mailman/listinfo/nsp-security>
> > 
> > We do not intend to make this fully public, but instead will confine
> > it to vetted communities such as nsp-sec and FIRST.  You may freely
> > use these signatures on any platform capable of running ClamAV.  You
> > may redistribute the signatures within your organization.  These
> > signatures are for non-commercial use ONLY.  If you are interested in
> > redistributing these signatures in your products or through your
> > customer services, you MUST obtain our written permission to do so.
> > We don't want to spend time debugging flash-crowd DDoS.  :)
> > 
> > Please remember that this is a *FREE* service and we provide no
> > warranties or guarantees.  We strive for high quality in all of our
> > feeds, but there exists the possibility that these signatures will
> > generate false positives, impact the performance of ClamAV, or
> > increase the carbon footprint of Al Gore's mansion.  Use at your own
> > risk.
> > 
> > We remain keenly interested in any and all suggestions, feedback, and
> > reports of false positives.  Please send those to
> > <team-cymru at cymru.com>.
> > 
> > Thanks!
> > 
> > Rob.

> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________


> -- 
> Dimitrios K. Kalogeras
> 
> Electrical Engineer, Ph.D.
> Network Engineer
> NTUA/GR-Net Network Management Center
> _____________________________________
> icq:    11887484
> voice:  +30-210-772 1863
> fax:    +30-210-772 1866
> e-mail: D.Kalogeras at noc.ntua.gr
> pub 1024D/0E421B50 2007-01-17 [expires: 2008-01-17] Dimitrios Kalogeras (dkalo) <D.Kalogeras at noc.ntua.gr>
>       Key fingerprint = F8C8 7B67 74A4 1F82 CDDF 8554 E1EF 7FAE 0E42 1B50
> PGP-KEY: http://ajax.noc.ntua.gr/~dkalo/dkalo_pgp.txt

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
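Steve's suggestion above (pull avlist.txt daily, cross-reference local samples by hash, keep the daily diffs in a database) and Dimitrios's two-run comparison, worked through as an added example that is not part of this thread or of Team Cymru's tooling. It assumes avlist.txt is one lowercase MD5 per line, which the thread does not show, and uses constructed clamscan lines modelled on the quoted output:

```python
"""Added example: cross-reference a daily hash feed with ClamAV scan results."""
import re
import sqlite3

# Constructed clamscan output modelled on the two runs quoted in the thread:
# "path: OK" is a miss, "path: <name> FOUND" is a signature hit.
STOCK_SCAN = """\
/artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: OK
/artifacts/binaries/4f64d8c58fc352c308d946546adcb547: Trojan.Agent-8231 FOUND
/artifacts/binaries/f89c3a4394bd82d3aaf68fa4513008cc: OK
"""
FEED_SCAN = """\
/artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: DETECT_25.00 FOUND
/artifacts/binaries/4f64d8c58fc352c308d946546adcb547: DETECT_32.26 FOUND
/artifacts/binaries/f89c3a4394bd82d3aaf68fa4513008cc: DETECT_11.43 FOUND
"""
# Constructed avlist.txt snapshots: the thread does not show the feed's layout,
# so "one lowercase MD5 per line" is an assumption of this example.
AVLIST_DAY1 = "0f8f00b9bb264ea4c7129fbfc4ada24d\n4f64d8c58fc352c308d946546adcb547\n"
AVLIST_DAY2 = "4f64d8c58fc352c308d946546adcb547\nf89c3a4394bd82d3aaf68fa4513008cc\n"
SCAN_LINE = re.compile(r"^(?P<path>\S+): (?:(?P<name>.+) FOUND|OK)$")
MD5 = re.compile(r"^[0-9a-f]{32}$")

def parse_clamscan(text):
    """Map each file's basename (its MD5 in this naming scheme) to the detection name, or None for OK."""
    matches = (SCAN_LINE.match(ln.strip()) for ln in text.splitlines())
    return {m.group("path").rsplit("/", 1)[-1]: m.group("name") for m in matches if m}

def only_feed_caught(stock, feed):
    """Samples the feed-based run flagged that the stock signature run did not."""
    return {h: name for h, name in feed.items() if name and stock.get(h) is None}

def parse_avlist(text):
    return {ln.strip() for ln in text.splitlines() if MD5.match(ln.strip())}  # drop non-MD5 lines

def record_day(conn, day, hashes):
    """Store one day's snapshot as a delta; a row stays current until its hash drops out of the feed."""
    conn.execute("CREATE TABLE IF NOT EXISTS feed (md5 TEXT PRIMARY KEY, first_seen TEXT, last_seen TEXT)")
    current = {r[0] for r in conn.execute("SELECT md5 FROM feed WHERE last_seen IS NULL")}
    added, removed = hashes - current, current - hashes
    for h in added:  # a hash that re-appears keeps its original first_seen
        conn.execute("UPDATE feed SET last_seen = NULL WHERE md5 = ?", (h,))
        conn.execute("INSERT OR IGNORE INTO feed VALUES (?, ?, NULL)", (h, day))
    conn.executemany("UPDATE feed SET last_seen = ? WHERE md5 = ?", [(day, h) for h in removed])
    conn.commit()
    return added, removed

def in_feed(conn, local):
    """Local sample hashes that ever appeared in the stored feed, with the day each was first listed."""
    return dict(r for r in conn.execute("SELECT md5, first_seen FROM feed") if r[0] in local)
```

Pass a file path instead of ":memory:" to sqlite3.connect to keep the history across daily runs.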