Decode signatures with Sigtool

When you scan files on a server with ClamAV or Maldet and get a positive hit, it can be hard to see where in the file the injected code actually sits. ClamAV's sigtool command-line utility can decode the signature that fired; the decoded text tells you what the scanner matched on, so you can find the exact position in the infected file and remove the malicious code.

Positive malware hit with ClamAV

root@malware.expert:~$ clamscan * -r

Output

already.run.php: {HEX}Malware.Expert.already.run.0.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6386901
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.813 sec (0 m 17 s)

Find signature with Sigtool

root@malware.expert:~$ sigtool --find-sigs Malware.Expert.already.run

Output

[malware.expert.ndb] {HEX}Malware.Expert.already.run.0:0:*:6966202821646566696e65642827414c52454144595f52554e5f31626332396233366633343261383261616636363538373835333536373138272929

Decode signature with Sigtool

root@malware.expert:~$ sigtool --find-sigs Malware.Expert.already.run | sigtool --decode-sigs

Output

VIRUS NAME: {HEX}Malware.Expert.already.run.0
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))

The DECODED SIGNATURE line is the human-readable text the signature matches on. Search for it in the source file with a text editor (or grep), inspect the code around it, and either remove the injected block or delete the whole file if it is entirely malicious.

Wildcards in signatures

Sometimes a signature's hex pattern includes a wildcard:

{HEX}Malware.Expert.wildcard.example.0:0:*:3c3f706870*69662028....

The wildcard (*) matches any run of bytes, so the decoded text is not one contiguous string you can search for; the fragments on either side of it have to be located separately. decode-sigs renders the wildcard like this:

{WILDCARD_ANY_STRING}
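As an added example (not part of the original article and not ClamAV's own code), the Python script below does offline what the two sigtool commands above do and then takes the step the article leaves to the text editor: it parses a .ndb line in the Name:TargetType:Offset:HexSig layout, renders the hex pattern as text (with `*` shown as {WILDCARD_ANY_STRING}, as sigtool does; the labels it prints for `??` and `{n-m}` are the script's own), compiles the pattern to a bytes regex, and reports the byte offset and line number of every match in a file. The .ndb lines and the PHP file are constructed for the demo: the first signature is the hex encoding of the decoded text shown above, the second is a made-up wildcard signature, and the sample file is not real malware.

```python
import re

# Constructed .ndb lines in the layout sigtool printed above,
# Name:TargetType:Offset:HexSig. The first is the hex encoding of the decoded
# text shown in the article; the second is a made-up wildcard signature
# meaning "<?php" ... "eval(". Neither is a real distributed signature.
SAMPLE_NDB = """\
Malware.Expert.already.run.0:0:*:6966202821646566696e65642827414c52454144595f52554e5f31626332396233366633343261383261616636363538373835333536373138272929
Example.Wildcard.demo.0:0:*:3c3f706870*6576616c28
"""

# Constructed stand-in for already.run.php. The eval() only decodes the word
# "hello"; this is demo content, not real malware.
SAMPLE_PHP = (
    b"<?php\n"
    b"// constructed sample of an injected block, not real malware\n"
    b"if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))\n"
    b"{\n"
    b"    eval(base64_decode('aGVsbG8='));\n"
    b"}\n"
)

# Subset of ClamAV's extended hex syntax handled here: byte pairs, '*' (any
# bytes), '??' (any one byte), '{n}' (exactly n bytes), '{n-m}', '{-m}', '{n-}'.
# Nibble wildcards (?a, a?) and (aa|bb) alternations are rejected.
TOKEN_RE = re.compile(r"\*|\?\?|\{(\d+)\}|\{(\d*)-(\d*)\}|[0-9a-fA-F]{2}")


def tokenize(hexsig):
    """Split a hex signature into tokens, failing on syntax not handled above."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax at {pos}: {hexsig[pos:pos + 8]!r}")
        tokens.append(m)
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError(f"unsupported syntax at {pos}: {hexsig[pos:pos + 8]!r}")
    return tokens


def decode_hexsig(hexsig):
    """Render a hex signature as text, the way `sigtool --decode-sigs` does.
    '*' becomes {WILDCARD_ANY_STRING}, the label sigtool itself prints; the
    labels for '??' and '{n-m}' are this script's own. Non-printable bytes
    are shown as \\xNN escapes."""
    out = []
    for m in tokenize(hexsig):
        tok = m.group(0)
        if tok == "*":
            out.append("{WILDCARD_ANY_STRING}")
        elif tok == "??":
            out.append("{WILDCARD_ANY_BYTE}")
        elif m.group(1) is not None:
            out.append("{WILDCARD_ANY_STRING(LENGTH %s)}" % m.group(1))
        elif tok.startswith("{"):
            out.append("{WILDCARD_ANY_STRING(LENGTH %s-%s)}" % (m.group(2), m.group(3)))
        else:
            b = int(tok, 16)
            out.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
    return "".join(out)


def hexsig_to_regex(hexsig):
    """Compile a hex signature into a bytes regex so it can be searched for."""
    parts = []
    for m in tokenize(hexsig):
        tok = m.group(0)
        if tok == "*":
            parts.append(b".*?")
        elif tok == "??":
            parts.append(b".")
        elif m.group(1) is not None:
            parts.append(b".{%d}" % int(m.group(1)))
        elif tok.startswith("{"):
            lo, hi = m.group(2) or "0", m.group(3)
            parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb_line(line):
    """Split Name:TargetType:Offset:HexSig; trailing MinFL/MaxFL fields are ignored."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a .ndb line: {line!r}")
    name, target, offset, hexsig = fields[:4]
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}


def locate_signature(data, ndb_line):
    """Return every match of a .ndb signature in `data` with byte offset,
    1-based line number and matched bytes. Offset '*' means anywhere; a plain
    decimal offset restricts the match to that position."""
    sig = parse_ndb_line(ndb_line)
    if sig["offset"] != "*" and not sig["offset"].isdigit():
        raise ValueError(f"offset form {sig['offset']!r} not handled")
    pattern = hexsig_to_regex(sig["hexsig"])
    hits = []
    for m in pattern.finditer(data):
        if sig["offset"] != "*" and m.start() != int(sig["offset"]):
            continue
        hits.append({"name": sig["name"], "offset": m.start(),
                     "line": data.count(b"\n", 0, m.start()) + 1,
                     "length": m.end() - m.start(), "matched": m.group(0)})
    return hits


if __name__ == "__main__":
    for line in SAMPLE_NDB.splitlines():
        sig = parse_ndb_line(line)
        print(f"{sig['name']}\n  decoded: {decode_hexsig(sig['hexsig'])}")
        for hit in locate_signature(SAMPLE_PHP, line):
            print(f"  offset {hit['offset']}, line {hit['line']}: {hit['matched'][:40]!r}")
```

Run against a real hit, replace SAMPLE_NDB with the output of `sigtool --find-sigs` (minus the `[file]` prefix) and SAMPLE_PHP with the bytes of the flagged file; the reported line number is where to open the editor. Because the regex is compiled from the wildcard-aware pattern, the second signature still locates its start even though no single decoded string exists to grep for.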

Final Words

Use the Malware Expert – Signatures to get a better detection rate for malware in files, for FREE!

See also our tutorial Detect Malware and Remove it from source code.