
Posts

Showing posts from August, 2013

Microsoft Windows 2000 IIS 5.0 IPP Vulnerability

Exploit for the Microsoft Windows 2000 IIS 5.0 IPP ISAPI vulnerability (download link).

Install And Configure Yara

Step 1: To install YARA on Ubuntu we need PCRE and some libraries first:

    sudo apt-get install libpcre3 libpcre3-dev

Then we download the YARA source code:

    $ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
    $ wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

Step 2: Compile and install YARA on your Linux box.

  a) cd yara-1.4
     chmod +x -R /root/Desktop/yara-1.4/*
     ./configure
     make
     make check
     make install

  b) cd ..
     cd yara-python-1.4
     python setup.py install

Step 3: Convert the ClamAV database to YARA rules with clamav_to_yara.py:
http://code.google.com/p/malwarecookbook/source/browse/trunk/3/3/clamav_to_yara.py?r=5

    sigtool -u /var/lib/clamav/main.cvd                    // decompress the database
    python clamav_to_yara.py -f main.ndb -o clamav.yara    // convert clamav to yara

Step 4: For packer signatures (the PEiD tool uses these signatures to detect the type of packing) go to this site and copy pa

Clamav Tutorial

Install ClamAV And Create Signatures

Step 1: Install ClamAV on Ubuntu by following the simple steps given below. Edit /etc/apt/sources.list and add a line like this to it:

    deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free

Then run:

    apt-get update && apt-get install clamav

If you need clamd, you may also want to run:

    apt-get install clamav-daemon

Step 2: CVD (ClamAV Virus Database) is a digitally signed container that includes signature databases in various text formats. The header of the container is a 512-byte string with colon-separated fields:

    ClamAV-VDB:build time:version:number of signatures:functionality level required:MD5 checksum:digital signature:builder name:build time (sec)

sigtool --info displays detailed information about a given CVD file.

Signature formats:

MD5: The easiest way to create signatures for ClamAV is to use MD5 checksums; however, this method can only be used against static malware. MD5, PE section b