Eitest Cleanup part 2- using ClamAV and custom Yara Rules

So I’ve worked on around 10-15 eitest incident response and cleanups so far and we have been able to do that thus far by using the bash script my associate Mark Cunnungham wrote up to watch for the connections the malware was making to the sinkhole IP at CBL. You can see the details of this over at part 1. Now I’ve been able to grab good samples of the malware in around 10 of the cases thus far. (Up to 13 now)

I have been analyzing the injections and found that a fair amount of the can be located by an existing yara rule written back in 2016 by Vlad-s on github in the main yara rule repo. This seemed to trigger on about half of the infections I found. After taking a look at the ones undetected, I looked for some patterns to create some new yara rules for, and with 2 additional yara rules added these 3 have been quite effective today in aiding eitest detection in additional to the script from the prior post.

You can find the yara rules in my repo here: https://github.com/Hestat/lw-yara

I was trying to create a hook into maldet for scanning with it, but having some trouble getting those two to play nice, I’ll have to spend some more time testing that. But in the mean time ClamAV plays nice with yara rules.

You can easily get clam via linux packages

apt-get install clamav

 

yum install clamav

Or even install via the WHM interface on cpanel servers.

Once installed grab the github repo:

root@host [~]# git clone https://github.com/Hestat/lw-yara.git

And begin running your scan (example based on cpanel server file paths):

clamscan -ir -d /root/lw-yara/lw-rules-combined.yar /home/*/public_html/

The -i flag will only report hits -r will scan recursively and -d allows you to pick custom signatures, in this case the yara rules for eitest.

Once you get hits you should see something like this:

[root@host ~]# clamscan -ir -d /root/lw-yara/lw-rules-combined.yar /home/example/public_html/ 
/home/example/public_html/footer.php: YARA.eitest_injection_1.UNOFFICIAL FOUND
/home/example/public_html/wp-comments-post.php: YARA.eitest_injection_1.UNOFFICIAL FOUND
/home/example/public_html/ex_footer.php: YARA.eitest_injection_0.UNOFFICIAL FOUND
/home/example/public_html/cached.php: YARA.eitest_injection_1.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8
Engine version: 0.99.4
Scanned directories: 1049
Scanned files: 4628
Infected files: 4
Data scanned: 18.83 MB
Data read: 9.89 MB (ratio 1.90:1)
Time: 1.766 sec (0 m 1 s)

Give it a shot in parallel with the script from part 1, let me know success stories, or report any failures, or injections the rules don’t catch and I can look to update these. Find me on twitter @laskow26.

 

Good hunting!