Malware Analysis: Classifying with ClamAV and YARA
On a daily basis, we encounter thousands of new malware samples with unknown content. They may come from honeypots, infected websites, or user submissions. Analyzing all these binaries by hand would take any malware analyst a long time, which is why an automated way to classify different types of malicious code is critical.
Open source tools like ClamAV and YARA can tell us whether an unknown file has already been classified as malicious. With a fresh database of the latest signatures, we avoid spending time on binaries that other researchers have already identified and can focus instead on new or unique types of malware.
ClamAV is an open source (GPL) anti-virus toolkit. Its AV tasks are handled by three programs:
- freshclam automatically updates virus definitions by connecting to http://www.clamav.net/mirrors.html — the configuration file is located under /etc/freshclam.conf
- clamd is a multi-threaded antivirus daemon — the configuration file is located in /etc/clamd.conf
- clamscan is a command-line antivirus scanner.
We need to install the latest release of ClamAV; otherwise we get a warning about reduced functionality, which means that some of the available virus signatures may not be usable.
The most recent version of ClamAV is available from http://www.clamav.net/download/sources/, but you can also install it with a package manager. On an Ubuntu machine, type the following commands:
First, update the ClamAV signatures:
Then run a scan on any suspicious file to check whether it is infected:
Scanning a folder with infected files
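To turn the folder scan described above into a classification step, the following added example (not code from the original post) wraps clamscan and groups the scanned files by the signature name ClamAV reports. It assumes clamscan is installed and in PATH; the sample output it parses is constructed, not captured from a real scan.

```python
"""Classify files by ClamAV signature name by parsing clamscan output."""
import subprocess
from collections import defaultdict

# Constructed sample of clamscan output (not captured from a real run).
SAMPLE_OUTPUT = """\
/samples/a.exe: Win.Trojan.Agent-1234567 FOUND
/samples/b.pdf: OK
/samples/c.exe: Win.Trojan.Agent-1234567 FOUND
/samples/d.doc: Doc.Dropper.Agent-7654321 FOUND
/samples/e.txt: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Engine version: 1.0.0
Scanned files: 5
Infected files: 3
"""

def parse_clamscan(output):
    """Map each detected signature name to the list of files it matched.

    Hit lines look like "<path>: <signature> FOUND"; clean files report
    "<path>: OK". Everything from the summary banner onward is ignored.
    """
    hits = defaultdict(list)
    for line in output.splitlines():
        if line.startswith("----------- SCAN SUMMARY"):
            break
        if not line.endswith(" FOUND"):
            continue
        path, _, verdict = line.rpartition(": ")
        signature = verdict[: -len(" FOUND")]
        hits[signature].append(path)
    return dict(hits)

def scan_directory(path):
    """Run clamscan recursively over path and return the parsed hits.

    Assumes clamscan is in PATH. Exit status 0 means nothing was detected,
    1 means at least one file matched a signature, 2 means an error.
    """
    result = subprocess.run(
        ["clamscan", "--recursive", "--infected", "--no-summary", path],
        capture_output=True, text=True,
    )
    if result.returncode == 2:
        raise RuntimeError(result.stderr.strip() or "clamscan error")
    return parse_clamscan(result.stdout)

if __name__ == "__main__":
    for signature, files in sorted(parse_clamscan(SAMPLE_OUTPUT).items()):
        print(f"{signature}: {len(files)} file(s) -> {', '.join(files)}")
```

Files sharing a signature name can be set aside as already-known, and only files in the clean set need to go on to YARA rules or manual analysis.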