Endpoint detection and response (EDR)

https://www.exploit-db.com/papers/12939/ autorun.inf magic. Just change it from 20 to 40 after inf.

bypass antivirus

https://github.com/fireeye/flare-vm

https://any.run

http://contagiodump.blogspot.com

https://bazaar.abuse.ch

“Step One: Turn off phone. Step Two: Turn it back on.” https://abcnews.go.com/Lifestyle/wireStory/turn-off-turn-simple-step-thwart-top-phone-79115491 This is likely because it at least stops some RAM viruses.

I made the mistake of having clamscan not delete temp. Now I have literally millions of files in /tmp.

I did df -h and found it took up many, many gigs.

I did rm /tmp/clamav-* and it said bash: /bin/rm: Argument list too long

The way around it was:

cd /tmp
find . -name 'clamav-*' | xargs rm -rf

This does it one by one, slower but better than nothing.
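The "Argument list too long" error above comes from the shell expanding the glob into one enormous argv before rm ever runs. The added example below (my code, not part of the original notes) shows the batched form a practitioner would use for a cleanup like this: find enumerates the files and xargs hands them to rm in argv-sized batches, with -print0/-0 so odd filenames cannot break the pipeline. The sample directory it builds is constructed for the demonstration; the file prefix and directory are parameters.

```shell
#!/bin/sh
# Added example (not from the original notes): remove a very large number
# of files from a directory without hitting "Argument list too long".
# Assumptions: find and xargs support -print0 / -0 (GNU and BSD both do).

# Build a constructed sample directory: many files sharing a prefix plus
# one file that must survive the purge. Prints the directory path.
make_sample_dir() {
    dir=$(mktemp -d)
    i=0
    while [ "$i" -lt 3000 ]; do
        : > "$dir/clamav-$i.tmp"
        i=$((i + 1))
    done
    : > "$dir/keep-me.txt"
    echo "$dir"
}

# Delete every regular file directly under "$1" whose name starts with "$2".
# The shell never expands the glob itself: find streams the names and xargs
# invokes rm with as many as fit in one argv, then again for the rest.
# -print0 / -0 keep names with spaces or newlines intact; "--" stops rm
# from treating a name that begins with "-" as an option.
purge_prefix() {
    find "$1" -maxdepth 1 -type f -name "$2*" -print0 | xargs -0 rm -f --
}

# Number of regular files directly under "$1", used to check the result.
count_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}
```

If you only need GNU or BSD find, `find /tmp -maxdepth 1 -name 'clamav-*' -delete` does the same job in one process; the xargs form is shown because it also works when the action is something other than rm.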

Qakbot, banking malware

ClamAV

Installation

brew install clamav

# Example

# /usr/local/etc/clamav/freshclam.conf
DatabaseMirror database.clamav.net

freshclam -v

# /usr/local/etc/clamav/clamd.conf
LocalSocket /usr/local/var/run/clamav/clamd.sock
mkdir -p /usr/local/var/run/clamav
clamd

or

/usr/local/sbin/clamd

Usage

clamscan -r --bell --log=scan_output.txt /
  • -i prints only infected files
  • -v for verbose output

“Is there any value in using ClamAV to scan the entire filesystem and/or run as root?” https://www.reddit.com/r/linuxadmin/comments/b3gvgj/is_there_any_value_in_using_clamav_to_scan_the/ Never ever run clamav-daemon as root.

“The clamd.conf manpage gives dire warnings about 'severe damage to the system' if MaxScanSize and MaxFileSize are disabled or set too high.” https://mailing.unix.clam-users.narkive.com/nAl6A0yi/clamav-users-maxscansize-and-maxfilesize

Why does ClamAV have a file size limit? “--max-filesize=#n Extract and scan at most #n kilobytes from each archive. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB)” “ClamAV is mainly oriented at mail servers, automatically scanning attachments. It has a max filesize limit in order to prevent an attacker sending a ton of big attachments and grind the mail server to a halt as clamav slowly scans the files.”
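Putting the Usage section and the size-limit discussion together, the added example below (my code, not from the notes or from the ClamAV project) is a small cron-style wrapper: it runs clamscan with the archive limits stated explicitly at their documented defaults rather than disabled, and it parses the "Infected files" line of the scan summary so a scheduled job can alert on the count instead of only on the exit code. The scan output in sample_output is constructed to mirror clamscan's summary block; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: a cron-friendly clamscan
# wrapper that keeps --max-filesize / --max-scansize explicit (the clamd.conf
# manpage warns against disabling them) and extracts the "Infected files"
# count from the summary so a job can alert on it.
# Assumptions: clamscan is on PATH when run_scan is called; sample_output is
# constructed text that mirrors the shape of clamscan's summary block.

# Print the number of infected files reported in a clamscan summary read
# from stdin. Prints -1 when no summary line is present (scan aborted,
# wrong input), so a caller can tell "clean" apart from "unknown".
infected_count() {
    awk '
        /^Infected files:/ { n = $3; found = 1 }
        END { print (found ? n : -1) }
    '
}

# Print each "<path>: <signature> FOUND" detection line from scan output
# with the trailing " FOUND" stripped; handy as the body of an alert.
found_lines() {
    sed -n 's/ FOUND$//p'
}

# Recursive scan of $1, logging to $2. 25M and 100M are the documented
# defaults for --max-filesize and --max-scansize; stating them keeps the
# DoS protection in place even if someone later edits clamd.conf. clamscan
# exits 0 when clean, 1 when something was found, 2 on error.
run_scan() {
    clamscan -r -i \
        --max-filesize=25M \
        --max-scansize=100M \
        --log="$2" \
        "$1"
}

# Map an infected count to a job status: 0 clean, 1 infected, 2 unknown.
scan_status() {
    case "$1" in
        0)  return 0 ;;
        -1) return 2 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample output (not a real scan) used to exercise the parser.
# The signature name is the one clamav reports for the EICAR test file.
sample_output() {
    cat <<'EOF'
/tmp/samples/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/tmp/samples/archive.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8654732
Engine version: 1.0.1
Scanned directories: 3
Scanned files: 120
Infected files: 2
Data scanned: 12.34 MB
Data read: 10.00 MB (ratio 1.23:1)
Time: 5.123 sec (0 m 5 s)
EOF
}
```

In a cron job you would chain them as `run_scan /home /var/log/clamscan.log | tee /tmp/scan.out`, then `scan_status "$(infected_count < /tmp/scan.out)"` to pick the exit status and `found_lines < /tmp/scan.out` for the alert body. Note that the scan itself should run as an unprivileged user with read access to the target, in line with the "never run clamav-daemon as root" note above.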