mirror of https://github.com/Cisco-Talos/clamav
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
486 lines
11 KiB
486 lines
11 KiB
/*
|
|
* Copyright (C) 2007-2008 Sourcefire, Inc.
|
|
*
|
|
* Authors: Trog, Török Edvin
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
* MA 02110-1301, USA.
|
|
*/
|
|
|
|
#if HAVE_CONFIG_H
|
|
#include "clamav-config.h"
|
|
#endif
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
#ifdef HAVE_UNISTD_H
|
|
#include <unistd.h>
|
|
#endif
|
|
#include <string.h>
|
|
#include <ctype.h>
|
|
#ifndef _WIN32
|
|
#include <netinet/in.h>
|
|
#endif
|
|
#include "clamav.h"
|
|
#include "others.h"
|
|
#include "cltypes.h"
|
|
#include "special.h"
|
|
#include "matcher.h"
|
|
|
|
/* NOTE: Photoshop stores data in BIG ENDIAN format, this is the opposite
|
|
to virtually everything else */
|
|
|
|
#define special_endian_convert_16(v) be16_to_host(v)
|
|
#define special_endian_convert_32(v) be32_to_host(v)
|
|
|
|
int cli_check_mydoom_log(cli_ctx *ctx)
|
|
{
|
|
const uint32_t *record;
|
|
uint32_t check, key;
|
|
fmap_t *map = *ctx->fmap;
|
|
unsigned int blocks = map->len / (8*4);
|
|
|
|
cli_dbgmsg("in cli_check_mydoom_log()\n");
|
|
if(blocks<2)
|
|
return CL_CLEAN;
|
|
if(blocks>5)
|
|
blocks = 5;
|
|
|
|
record = fmap_need_off_once(map, 0, 8*4*blocks);
|
|
if(!record)
|
|
return CL_CLEAN;
|
|
while(blocks) { /* This wasn't probably intended but that's what the current code does anyway */
|
|
if(record[--blocks] == 0xffffffff)
|
|
return CL_CLEAN;
|
|
}
|
|
|
|
key = ~be32_to_host(record[0]);
|
|
check = (be32_to_host(record[1])^key) +
|
|
(be32_to_host(record[2])^key) +
|
|
(be32_to_host(record[3])^key) +
|
|
(be32_to_host(record[4])^key) +
|
|
(be32_to_host(record[5])^key) +
|
|
(be32_to_host(record[6])^key) +
|
|
(be32_to_host(record[7])^key);
|
|
if ((~check) != key)
|
|
return CL_CLEAN;
|
|
|
|
key = ~be32_to_host(record[8]);
|
|
check = (be32_to_host(record[9])^key) +
|
|
(be32_to_host(record[10])^key) +
|
|
(be32_to_host(record[11])^key) +
|
|
(be32_to_host(record[12])^key) +
|
|
(be32_to_host(record[13])^key) +
|
|
(be32_to_host(record[14])^key) +
|
|
(be32_to_host(record[15])^key);
|
|
if ((~check) != key)
|
|
return CL_CLEAN;
|
|
|
|
cli_append_virus(ctx, "Heuristics.Worm.Mydoom.M.log");
|
|
return CL_VIRUS;
|
|
}
|
|
|
|
static int jpeg_check_photoshop_8bim(cli_ctx *ctx, off_t *off)
|
|
{
|
|
const unsigned char *buf;
|
|
uint16_t id, ntmp;
|
|
uint8_t nlength;
|
|
uint32_t size;
|
|
off_t offset = *off;
|
|
int retval;
|
|
fmap_t *map = *ctx->fmap;
|
|
|
|
if(!(buf = fmap_need_off_once(map, offset, 4 + 2 + 1))) {
|
|
cli_dbgmsg("read bim failed\n");
|
|
return -1;
|
|
}
|
|
if (memcmp(buf, "8BIM", 4) != 0) {
|
|
cli_dbgmsg("missed 8bim\n");
|
|
return -1;
|
|
}
|
|
|
|
id = (uint16_t)buf[4] | ((uint16_t)buf[5]<<8);
|
|
cli_dbgmsg("ID: 0x%.4x\n", id);
|
|
nlength = buf[6];
|
|
ntmp = nlength + ((((uint16_t)nlength)+1) & 0x01);
|
|
offset += 4 + 2 + 1 + ntmp;
|
|
|
|
if (fmap_readn(map, &size, offset, 4) != 4) {
|
|
return -1;
|
|
}
|
|
size = special_endian_convert_32(size);
|
|
if (size == 0) {
|
|
return -1;
|
|
}
|
|
if ((size & 0x01) == 1) {
|
|
size++;
|
|
}
|
|
|
|
*off = offset + 4 + size;
|
|
/* Is it a thumbnail image */
|
|
if ((id != 0x0409) && (id != 0x040c)) {
|
|
/* No - Seek past record */
|
|
return 0;
|
|
}
|
|
|
|
cli_dbgmsg("found thumbnail\n");
|
|
/* Jump past header */
|
|
offset += 4 + 28;
|
|
|
|
retval = cli_check_jpeg_exploit(ctx, offset);
|
|
if (retval == 1) {
|
|
cli_dbgmsg("Exploit found in thumbnail\n");
|
|
}
|
|
return retval;
|
|
}
|
|
|
|
static int jpeg_check_photoshop(cli_ctx *ctx, off_t offset)
|
|
{
|
|
int retval;
|
|
const unsigned char *buffer;
|
|
off_t old;
|
|
fmap_t *map = *ctx->fmap;
|
|
|
|
if(!(buffer = fmap_need_off_once(map, offset, 14))) {
|
|
return 0;
|
|
}
|
|
|
|
if (memcmp(buffer, "Photoshop 3.0", 14) != 0) {
|
|
return 0;
|
|
}
|
|
offset += 14;
|
|
|
|
cli_dbgmsg("Found Photoshop segment\n");
|
|
do {
|
|
old = offset;
|
|
retval = jpeg_check_photoshop_8bim(ctx, &offset);
|
|
if(offset <= old)
|
|
break;
|
|
} while (retval == 0);
|
|
|
|
if (retval == -1) {
|
|
retval = 0;
|
|
}
|
|
return retval;
|
|
}
|
|
|
|
int cli_check_jpeg_exploit(cli_ctx *ctx, off_t offset)
|
|
{
|
|
const unsigned char *buffer;
|
|
int retval;
|
|
fmap_t *map = *ctx->fmap;
|
|
|
|
cli_dbgmsg("in cli_check_jpeg_exploit()\n");
|
|
if(ctx->recursion > ctx->engine->maxreclevel)
|
|
return CL_EMAXREC;
|
|
|
|
if(!(buffer = fmap_need_off_once(map, offset, 2)))
|
|
return 0;
|
|
if ((buffer[0] != 0xff) || (buffer[1] != 0xd8)) {
|
|
return 0;
|
|
}
|
|
offset += 2;
|
|
for (;;) {
|
|
off_t new_off;
|
|
if(!(buffer = fmap_need_off_once(map, offset, 4))) {
|
|
return 0;
|
|
}
|
|
/* Check for multiple 0xFF values, we need to skip them */
|
|
if ((buffer[0] == 0xff) && (buffer[1] == 0xff)) {
|
|
offset++;
|
|
continue;
|
|
}
|
|
offset += 4;
|
|
if ((buffer[0] == 0xff) && (buffer[1] == 0xfe)) {
|
|
if (buffer[2] == 0x00) {
|
|
if ((buffer[3] == 0x00) || (buffer[3] == 0x01)) {
|
|
return 1;
|
|
}
|
|
}
|
|
}
|
|
if (buffer[0] != 0xff) {
|
|
return -1;
|
|
}
|
|
if (buffer[1] == 0xda) {
|
|
/* End of Image marker */
|
|
return 0;
|
|
}
|
|
|
|
new_off = ((unsigned int) buffer[2] << 8) + buffer[3];
|
|
if (new_off < 2) {
|
|
return -1;
|
|
}
|
|
new_off -= 2;
|
|
new_off += offset;
|
|
|
|
if (buffer[1] == 0xed) {
|
|
/* Possible Photoshop file */
|
|
ctx->recursion++;
|
|
retval=jpeg_check_photoshop(ctx, offset);
|
|
ctx->recursion--;
|
|
if (retval != 0)
|
|
return retval;
|
|
}
|
|
offset = new_off;
|
|
}
|
|
}
|
|
|
|
static uint32_t riff_endian_convert_32(uint32_t value, int big_endian)
|
|
{
|
|
if (big_endian)
|
|
return be32_to_host(value);
|
|
else
|
|
return le32_to_host(value);
|
|
}
|
|
|
|
static int riff_read_chunk(fmap_t *map, off_t *offset, int big_endian, int rec_level)
|
|
{
|
|
const uint32_t *buf;
|
|
uint32_t chunk_size;
|
|
off_t cur_offset = *offset;
|
|
|
|
if (rec_level > 1000) {
|
|
cli_dbgmsg("riff_read_chunk: recursion level exceeded\n");
|
|
return 0;
|
|
}
|
|
|
|
if(!(buf = fmap_need_off_once(map, cur_offset, 4*2)))
|
|
return 0;
|
|
cur_offset += 4*2;
|
|
chunk_size = riff_endian_convert_32(buf[1], big_endian);
|
|
|
|
if(!memcmp(buf, "anih", 4) && chunk_size != 36)
|
|
return 2;
|
|
|
|
if (memcmp(buf, "RIFF", 4) == 0) {
|
|
return 0;
|
|
} else if (memcmp(buf, "RIFX", 4) == 0) {
|
|
return 0;
|
|
}
|
|
|
|
if ((memcmp(buf, "LIST", 4) == 0) ||
|
|
(memcmp(buf, "PROP", 4) == 0) ||
|
|
(memcmp(buf, "FORM", 4) == 0) ||
|
|
(memcmp(buf, "CAT ", 4) == 0)) {
|
|
if (!fmap_need_ptr_once(map, buf+2, 4)) {
|
|
cli_dbgmsg("riff_read_chunk: read list type failed\n");
|
|
return 0;
|
|
}
|
|
*offset = cur_offset+4;
|
|
return riff_read_chunk(map, offset, big_endian, ++rec_level);
|
|
}
|
|
|
|
*offset = cur_offset + chunk_size + (chunk_size&1);
|
|
if (*offset < cur_offset) {
|
|
return 0;
|
|
}
|
|
/* FIXME: WTF!?
|
|
if (lseek(fd, offset, SEEK_SET) != offset) {
|
|
return 2;
|
|
}
|
|
*/
|
|
return 1;
|
|
}
|
|
|
|
int cli_check_riff_exploit(cli_ctx *ctx)
|
|
{
|
|
const uint32_t *buf;
|
|
int big_endian, retval;
|
|
off_t offset;
|
|
fmap_t *map = *ctx->fmap;
|
|
|
|
cli_dbgmsg("in cli_check_riff_exploit()\n");
|
|
|
|
if(!(buf = fmap_need_off_once(map, 0, 4*3)))
|
|
return 0;
|
|
|
|
if (memcmp(buf, "RIFF", 4) == 0) {
|
|
big_endian = FALSE;
|
|
} else if (memcmp(buf, "RIFX", 4) == 0) {
|
|
big_endian = TRUE;
|
|
} else {
|
|
/* Not a RIFF file */
|
|
return 0;
|
|
}
|
|
|
|
if (memcmp(&buf[2], "ACON", 4) != 0) {
|
|
/* Only scan MS animated icon files */
|
|
/* There is a *lot* of broken software out there that produces bad RIFF files */
|
|
return 0;
|
|
}
|
|
|
|
offset = 4*3;
|
|
do {
|
|
retval = riff_read_chunk(map, &offset, big_endian, 1);
|
|
} while (retval == 1);
|
|
|
|
return retval;
|
|
}
|
|
|
|
static inline int swizz_j48(const uint16_t n[])
|
|
{
|
|
cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]);
|
|
/* rules based on J48 tree */
|
|
if (n[0] <= 961 || !n[1])
|
|
return 0;
|
|
if (n[0] <= 1006)
|
|
return (n[2] > 0 && n[2] <= 6);
|
|
else
|
|
return n[1] <= 10 && n[2];
|
|
}
|
|
|
|
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob)
|
|
{
|
|
unsigned char stri[4096];
|
|
uint32_t i, j = 0;
|
|
int bad = 0;
|
|
int lastalnum = 0;
|
|
uint8_t ngrams[17576];
|
|
uint16_t all=0;
|
|
uint16_t ngram_cnts[3];
|
|
uint16_t words = 0;
|
|
int ret;
|
|
|
|
stats->entries++;
|
|
for(i=0;i<len-1 && j < sizeof(stri)-2;i += 2) {
|
|
unsigned char c = str[i];
|
|
if (str[i+1] || !c) {
|
|
bad++;
|
|
continue;
|
|
}
|
|
if (!isalnum(c)) {
|
|
if (!lastalnum)
|
|
continue;
|
|
lastalnum = 0;
|
|
c = ' ';
|
|
} else {
|
|
lastalnum = 1;
|
|
if (isdigit(c))
|
|
continue;
|
|
}
|
|
stri[j++] = tolower(c);
|
|
}
|
|
stri[j++] = '\0';
|
|
if ((!blob && (bad >= 8)) || j < 4)
|
|
return;
|
|
memset(ngrams, 0, sizeof(ngrams));
|
|
memset(ngram_cnts, 0, sizeof(ngram_cnts));
|
|
for(i=0;i<j-2;i++) {
|
|
if (stri[i] != ' ' && stri[i+1] != ' ' && stri[i+2] != ' ') {
|
|
uint16_t idx = (stri[i] - 'a')*676 + (stri[i+1] - 'a')*26 + (stri[i+2] - 'a');
|
|
if (idx < sizeof(ngrams)) {
|
|
ngrams[idx]++;
|
|
stats->gngrams[idx]++;
|
|
}
|
|
} else if (stri[i] == ' ')
|
|
words++;
|
|
}
|
|
for(i=0;i<sizeof(ngrams);i++) {
|
|
uint8_t v = ngrams[i];
|
|
if (v > 3) v = 3;
|
|
if (v) {
|
|
ngram_cnts[v-1]++;
|
|
all++;
|
|
}
|
|
}
|
|
if (!all)
|
|
return;
|
|
cli_dbgmsg("cli_detect_swizz_str: %u, %u, %u\n",ngram_cnts[0],ngram_cnts[1],ngram_cnts[2]);
|
|
/* normalize */
|
|
for(i=0;i<sizeof(ngram_cnts)/sizeof(ngram_cnts[0]);i++) {
|
|
uint32_t v = ngram_cnts[i];
|
|
ngram_cnts[i] = (v<<10)/all;
|
|
}
|
|
ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN;
|
|
if (words < 3) ret = CL_CLEAN;
|
|
cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
|
|
if (ret == CL_VIRUS) {
|
|
stats->suspicious += j;
|
|
cli_dbgmsg("cli_detect_swizz_str: %s\n", stri);
|
|
}
|
|
stats->total += j;
|
|
}
|
|
|
|
static inline int swizz_j48_global(const uint32_t gn[])
|
|
{
|
|
if (gn[0] <= 24185) {
|
|
return gn[0] > 22980 && gn[8] > 0 && gn[8] <= 97;
|
|
}
|
|
if (!gn[8]) {
|
|
if (gn[4] <= 311) {
|
|
if (!gn[4]) {
|
|
return gn[1] > 0 &&
|
|
((gn[0] <= 26579 && gn[3] > 0) ||
|
|
(gn[0] > 28672 && gn[0] <= 30506));
|
|
}
|
|
if (gn[5] <= 616) {
|
|
if (gn[6] <= 104) {
|
|
return gn[9] <= 167;
|
|
}
|
|
return gn[6] <= 286;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
int cli_detect_swizz(struct swizz_stats *stats)
|
|
{
|
|
uint32_t gn[10];
|
|
uint32_t all = 0;
|
|
unsigned i;
|
|
int global_swizz = CL_CLEAN;
|
|
|
|
cli_dbgmsg("cli_detect_swizz: %lu/%lu, version:%d, manifest: %d \n",
|
|
(unsigned long)stats->suspicious, (unsigned long)stats->total,
|
|
stats->has_version, stats->has_manifest);
|
|
memset(gn, 0, sizeof(gn));
|
|
for(i=0;i<17576;i++) {
|
|
uint8_t v = stats->gngrams[i];
|
|
if (v > 10) v = 10;
|
|
if (v) {
|
|
gn[v-1]++;
|
|
all++;
|
|
}
|
|
}
|
|
if (all) {
|
|
/* normalize */
|
|
cli_dbgmsg("cli_detect_swizz: gn: ");
|
|
for(i=0;i<sizeof(gn)/sizeof(gn[0]);i++) {
|
|
uint32_t v = gn[i];
|
|
gn[i] = (v<<15)/all;
|
|
if (cli_debug_flag)
|
|
fprintf(stderr, "%lu, ", (unsigned long)gn[i]);
|
|
}
|
|
global_swizz = swizz_j48_global(gn) ? CL_VIRUS : CL_CLEAN;
|
|
if (cli_debug_flag) {
|
|
fprintf(stderr, "\n");
|
|
cli_dbgmsg("cli_detect_swizz: global: %s\n", global_swizz ? "suspicious" : "clean");
|
|
}
|
|
}
|
|
|
|
if (stats->errors > stats->entries || stats->errors >= SWIZZ_MAXERRORS) {
|
|
cli_dbgmsg("cli_detect_swizz: resources broken, ignoring\n");
|
|
return CL_CLEAN;
|
|
}
|
|
if (stats->total <= 337)
|
|
return CL_CLEAN;
|
|
if (stats->suspicious<<10 > 40*stats->total)
|
|
return CL_VIRUS;
|
|
if (!stats->suspicious)
|
|
return CL_CLEAN;
|
|
return global_swizz;
|
|
}
|
|
|