Didier Stevens

Wednesday 15 February 2017

Quickpost: ClamAV and ZIP File Decryption

Filed under: Malware,Quickpost — Didier Stevens @ 0:00

While reading-up on ClamAV and YARA, I came across something I wanted to try for some time: have ClamAV decrypt and scan a password protected ZIP file.

It can be done by creating a .pwdb password signature file, as explained in section 3.12 of Creating signatures for ClamAV.

I created one signature for password “infected”:

ZipPasswordInfected;Engine:81-255;0;infected

ZipPasswordInfected is the name I gave to the signature.

Engine:81-255 defines the required functionality level of the ClamAV engine. If I’m not mistaken, 81 is version 0.99.

0 indicates that the password is in ASCII.

infected is the password to attempt ZIP decryption.

And then I can pass the password signature file to clamscan with option -d. Or I can put the password signature file in the database directory.

In this example, notepad.exe is stored in a password protected ZIP file (password infected), and is_pe_file.yara is a YARA rule to detect PE files.

clamscan.exe -d is_pe_file.yara -d passwords.pwdb notepad.exe.zip
notepad.exe.zip: YARA.is_PE_File.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.21 MB
Data read: 0.14 MB (ratio 1.50:1)
Time: 0.063 sec (0 m 0 s)

Quickpost info


Tuesday 14 February 2017

Overview of Content Published In January

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in January:

Blog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:

Blog at WordPress.com.