Using ClamAV to Prevent Malware and Data Loss

Maximizing the use of existing resources and bundling capabilities is becoming an increasingly common trend in information security. Using the applications and data sources that you have to their fullest capabilities and trying to limit the number of applications deployed in support of an information security program streamlines processes, reduces complexity and overhead, lowers cost, and ensures maximum return on investment for existing solutions. This concept can be extended to many products, from desktop security suites to log management software.

Kanbe Malware Toolkit

The Kanbe malware kit is a trove of attacker tools that I found after an attacker attempted to download a file from it to our honeypot. The host site looked like an ftp server that had an easily guessable username and password that was captured in the honeypot logs. Browsing the site I found 90 different tools and a couple of directories. Unfortunately I don't have time to analyze all of the tools so I'm attaching them to this blog post as one big archive (see below). I did look at some of the tools and found some very interesting items.

Identifying Malicious Scripts by User Agent

I noticed an interesting phenomena today while reviewing my web server logs. I track requests to URL's that include patterns indicative of directory traversal attacks. The most common of these is an attempt to include the file "/proc/self/environ" which can be used for a remote code execution attack (as described in When is LFI Really ACE?). Most of these hits are probably automated scripts that are trolling around the internet, looking for servers vulnerable to specific exploits.

Decrypting Zipped Base 64 Encoded PHP Malware

Recently during an incident response I encountered a common piece of PHP used to provide an attacker with a user friendly interface. This PHP was effectively obscured by base 64 encoding the PHP, then zipping it.

Flash 0-day

Security Focus ( is reporting a new, as of yet patched, exploit that targets Adobe Flash, are circulating. Apparently a Chinese malware package (MPack exploit kit) now includes attacks against Flash. The trouble thing about the report is that there are few details, and the software in question cannot be patched to prevent exploit (a so-called zero day, or 0day).

USB Malware

Remember the good old days when you traded C-64 games with your friends by carrying your floppy drive over to his or her house to copy disks? Back in those days very few people had the two drives you needed to copy a disk so the entire process was a bit clunky. The first sneakernet. Remember how, even in those days, people would warn you about virus infected disks? Yeah, the good old days. Well, those days may be back thanks to those handy USB keys that we all carry around.

botHunter Released

I've been reading about botHunter, which is a recently announced free bot net detection utility. botHunter is a new system designed by researchers at the Georgia Institute of Technology and the Computer Science Laboratory of SRI International. It is an interesting approach to detecting bot infection in local networks. Designed to be deployed at the perimeter of a network, botHunter looks for patterns in dialogues between computers in search of well known sequences that indicate bot activity. Whereas typical bot detection is carried out by virus/worm detection tools like host based virus scanners and network intrusion detection tools using signature analysis, botHunter uses an analysis distributed over time rather than packets or files. The main advantage of botHunter, as I see it, is that it can extremely accurately identify hosts that conform to it's predefined behavior patterns.

Latest Virus Making the Rounds

In case "You've received an ecard from a family member" recently you should be aware that this is a fairly insidious piece of virus/malware now making the rounds.

PHP Malware C99 Shell

The c99 shell is a somewhat notorious piece of PHP malware. C99 shell is often uploaded to a compromised web application to provide an interface to an attacker. The c99 shell allows an attacker to hijack the web server process, allowing the attacker to issue commands on the server as the account under which PHP is running.

Free AntiVirus for Windows

ClamWin is one of several free antivirus programs availabe for Windows. What makes ClamWin unique is that it is GPL software. This means that it is free, and open source. ClamWin runs in your system tray, and can perform regularly scheduled system scans in addition to scanning Microsoft Outlook e-mail, and allowing you to right click any file and select 'Scan with ClamWin Free Antivirus'.