Ransomware/CTB-Locker ClamAV signature
Knuddi:
I have made two ClamAV signatures which can be very helpful in preventing you from being reached by the CTB-Locker. The signatures will let Clam reject an email if it contains an executable in a compressed archive (exe within zip, rar, etc.) and also if there should be a compressed archive within a compressed archive (zip inside zip). I have seen both being used to carry CTB-Locker at ScanMailX and thought I would share.
This is obviously not a guarantee for anything but will help a little.
The signatures should be placed in the /var/clamav directory, and clam will find them at the next reload (force a reload with clamdscan --reload).
The signatures can be downloaded here: http://sme.swerts-knudsen.dk/downloads/ClamAV/ScanMailX.cdb
You can read up on the CTB-Locker here: https://heimdalsecurity.com/blog/ctb-locker-ransomware/
Enjoy,
Jesper
guest22:
Thanks Knuddi, every bit helps!
CharlieBrady:
Shouldn't those signatures arrive via clamav? I presume you have submitted them there.
Knuddi:
These signatures do not reject an individual piece of code as most other signatures do. They reject a set of filetypes and therefore do not apply to the standard clamav distribution.
CharlieBrady:
I see the patterns are:
ScanMailX.Blocked.Zip_exe:*:*:\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$:*:*:*:*:*:*
ScanMailX.Blocked.Zip_zip:*:*:\.(zip|tar|tgz|taz|z|gz|rar)$:*:*:*:*:*:*
I suspect that the latter pattern would cause some disruption of "normal" traffic. I don't think this is really a "signature" of Ransomware/CTB-Locker.
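As an added illustration (not part of the original thread and not the ScanMailX signature file itself), the following Python script applies the two FileNameREGEX fields quoted above to the member names of a few constructed zip archives, to show what each rule would catch and why the second rule also hits ordinary traffic such as a tarball inside a zip. It only simulates the filename matching: ClamAV's own container-metadata handling is not reproduced, the sample archives are constructed here, and case handling is simply Python's default case-sensitive matching, since the thread does not say how ClamAV treats case.

```python
import io
import re
import zipfile

# FileNameREGEX fields copied from the two .cdb lines quoted above.
# The cdb format is VirusName:ContainerType:ContainerSize:FileNameREGEX:...,
# and only the regex field is reproduced in this simulation.
RULES = {
    "ScanMailX.Blocked.Zip_exe": re.compile(
        r"\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|"
        r"mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$"
    ),
    "ScanMailX.Blocked.Zip_zip": re.compile(
        r"\.(zip|tar|tgz|taz|z|gz|rar)$"
    ),
}


def build_zip(members):
    """Build an in-memory zip from {member_name: bytes}. Constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def blocked_by(archive_bytes):
    """Return the sorted names of the rules whose regex matches any member name."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            for rule, rx in RULES.items():
                if rx.search(name):
                    hits.add(rule)
    return sorted(hits)


# Constructed archives; the member contents are placeholders, only names matter.
SAMPLES = {
    # the lure described in the first post: a screensaver executable in a zip
    "invoice.zip": build_zip({"invoice_2015.scr": b"MZ placeholder"}),
    # the second lure: a zip nested inside a zip
    "docs.zip": build_zip({"docs.zip": build_zip({"readme.txt": b"x"})}),
    # legitimate traffic that the Zip_zip rule rejects as well
    "sources.zip": build_zip({"project-1.0.tar.gz": b"\x1f\x8b placeholder"}),
    # an ordinary attachment that neither rule touches
    "photos.zip": build_zip({"holiday.jpg": b"\xff\xd8", "notes.txt": b"hi"}),
}


def report():
    """Map each sample archive name to the rules that would reject it."""
    return {name: blocked_by(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in report().items():
        print(f"{name}: {'BLOCKED by ' + ', '.join(rules) if rules else 'clean'}")
```

Running it shows sources.zip rejected by the Zip_zip rule alongside the nested-zip lure, which is the disruption of normal traffic raised in the reply above. Note also that, as written, the regex does not match an upper-case extension such as INVOICE.EXE in this simulation; whether ClamAV applies the pattern the same way is not something the thread settles, so check against a real archive with clamscan before relying on it.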