When you scan files on a server with a malware scanner such as ClamAV or Maldet and get a positive hit, it can be difficult to find where the injected code sits in the file. You can decode the signature with the ClamAV sigtool command line tool. This helps you find the right position in the infected file and remove the malware code.
Positive malware hit with ClamAV
root@malware.expert:~$ clamscan * -r
Output
already.run.php: {HEX}Malware.Expert.already.run.0.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6386901
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.813 sec (0 m 17 s)
Find signature with Sigtool
root@malware.expert:~$ sigtool --find-sigs Malware.Expert.already.run
Output
[malware.expert.ndb] {HEX}Malware.Expert.already.run.0:0:*:6966202821646566696e65642827414c52454144595f52554e5f31626332396233366633343261383261616636363538373835333536373138272929
Decode signature with Sigtool
root@malware.expert:~$ sigtool --find-sigs Malware.Expert.already.run | sigtool --decode-sigs
Output
VIRUS NAME: {HEX}Malware.Expert.already.run.0
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE: if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))
The DECODED SIGNATURE: line is now human-readable text. Search for it in the source code with a text editor and remove the malware code, or the whole file if nothing legitimate remains.
Wildcards in signatures
Sometimes a signature includes a wildcard in the hex pattern:
{HEX}Malware.Expert.wildcard.example.0:0:*:3c3f706870*69662028....
decode-sigs shows this wildcard (*) as:
{WILDCARD_ANY_STRING}
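The following script is an added example, not code from the original post or from ClamAV itself. It does by hand what the sigtool commands above do: it parses an NDB-style line in the form MalwareName:TargetType:Offset:HexSignature, decodes the hex into readable text (showing the * wildcard as {WILDCARD_ANY_STRING}, as decode-sigs does), and then searches a file for the pattern and reports the byte offset and line number where the injected code starts. The first NDB line is the Malware.Expert.already.run entry shown above; the second line, the sample PHP file and all function names are constructed for the example. Only the * wildcard is handled; ClamAV's other wildcard forms are rejected with an error.

```python
import re
from dataclasses import dataclass

# First entry: the NDB line sigtool --find-sigs printed above.
# Second entry: a constructed line (not from any real database) that uses the
# * wildcard to mean "<?php ... if (!defined".
NDB_LINES = [
    "{HEX}Malware.Expert.already.run.0:0:*:6966202821646566696e65642827414c52454144595f52554e5f31626332396233366633343261383261616636363538373835333536373138272929",
    "Constructed.wildcard.example.0:0:*:3c3f706870*6966202821646566696e6564",
]

# Constructed sample of an infected PHP file; the defined() guard on line 4 is
# the string the signature above matches.
SAMPLE_PHP = (
    b"<?php\n"
    b"// legitimate application code\n"
    b"require_once __DIR__ . '/config.php';\n"
    b"if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))\n"
    b"{ /* injected block would follow here (constructed sample) */ }\n"
    b"echo 'hello';\n"
)

WILDCARD_LABEL = "{WILDCARD_ANY_STRING}"  # what sigtool --decode-sigs prints for *


@dataclass
class Signature:
    name: str
    target: str   # target type field; "0" means any file
    offset: str   # "*" for any offset, or a byte offset
    hexsig: str


@dataclass
class Hit:
    name: str
    start: int    # byte offset of the match in the scanned data
    end: int
    line: int     # 1-based line number of the match start


def parse_ndb_line(line: str) -> Signature:
    """Split an NDB line MalwareName:TargetType:Offset:HexSignature."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return Signature(name, target, offset, hexsig)


def _tokens(hexsig: str):
    """Yield one byte per hex pair, or None for the * wildcard."""
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            yield None
            i += 1
            continue
        pair = hexsig[i:i + 2]
        if len(pair) != 2 or not all(c in "0123456789abcdefABCDEF" for c in pair):
            raise ValueError(f"unsupported or malformed hex at position {i}: {pair!r}")
        yield bytes.fromhex(pair)
        i += 2


def decode_hexsig(hexsig: str) -> str:
    """Render the hex signature as readable text, like decode-sigs."""
    parts = []
    for tok in _tokens(hexsig):
        if tok is None:
            parts.append(WILDCARD_LABEL)
        else:
            b = tok[0]
            parts.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
    return "".join(parts)


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Turn the hex signature into a bytes regex; * becomes a lazy .* across newlines."""
    parts = [b".*?" if tok is None else re.escape(tok) for tok in _tokens(hexsig)]
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(data: bytes, sig: Signature) -> list:
    """Return every place the signature matches in data, honouring its offset field."""
    if sig.offset == "*":
        wanted = None
    elif sig.offset.isdigit():
        wanted = int(sig.offset)
    else:
        raise ValueError(f"unsupported offset form: {sig.offset!r}")
    hits = []
    for m in hexsig_to_regex(sig.hexsig).finditer(data):
        if wanted is not None and m.start() != wanted:
            continue
        line = data.count(b"\n", 0, m.start()) + 1
        hits.append(Hit(sig.name, m.start(), m.end(), line))
    return hits


if __name__ == "__main__":
    for ndb_line in NDB_LINES:
        sig = parse_ndb_line(ndb_line)
        print(f"VIRUS NAME: {sig.name}")
        print(f"DECODED SIGNATURE: {decode_hexsig(sig.hexsig)}")
        for hit in find_signature(SAMPLE_PHP, sig):
            print(f"  match at bytes {hit.start}-{hit.end}, line {hit.line}")
```

Run it against a real file by replacing SAMPLE_PHP with the file's bytes; the reported line number is where to open the editor. The regex is compiled on bytes with re.DOTALL so the wildcard can span newlines, which matters for injected code that is split across lines.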
Final Words
Use Malware Expert – Signatures to get a better detection rate of malware from files for FREE!
You can also use our tutorial Detect Malware and Remove it from source code.