
contributor's Introduction

contributor

PoC for a program to help people contribute detection content (and maybe small bug fixes / code improvements) to Snort and ClamAV

For more information, visit the About page

NOTE: This program is still in the very early planning stages and isn't ready for general use yet.

contributor's People

Contributors: recvfrom

contributor's Issues

Predator the Thief C2 traffic

Overview
Write Snort rules for the command and control (C2) traffic used by Predator the Thief (commodity infostealer malware)

Proposal
Write Snort rules (likely two) for Predator the Thief C2 traffic. For more info, see:

Expected Difficulty
Beginner/Easy - The C2 protocol is very basic, write-ups exist that detail the purpose of the protocol data, etc.

Technical Info

predator-4c18b806dd10733f6e4d1376e769d94b.pcap.zip (password: infected)

VBScript found in a Windows PE - Houdini / H-Worm

Overview
Analyze the Houdini / H-Worm VBScript and write a ClamAV signature that detects it

Proposal
The Houdini / H-Worm VBScript is a fairly simple RAT written in VBScript. It is documented in detail at:
https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

We've seen new variants surface as Windows Executables created by VbsEdit, a tool that creates PEs from a given VBScript. We've written a ClamAV bytecode signature that extracts the underlying scripts from these executables, and would like to leverage that to match on the underlying malicious VBS.

Technologies Involved

  • VBScript

Expected Difficulty

  • Beginner/Easy - Can be accomplished with basic RE, there is little to no obfuscation involved, there are fewer than 200 lines of code to analyze, and write-ups exist that walk through reversing this malware

Technical Info
PEs containing the VBScript:

437c82a99f51664157b26a17ec5cf50e1090e41d31bc51cd490b9b46a0defc2d
5284908fbd95d51512f2a7e716de73a8e2ff8ffa3192a0718f67504e0ad62756
7ff87433d61252f3b8660946e42cc2ca9c2eb73d668565c81ea49afba36ae7a8
9409d75ac21ce39c66fc64f621c70dfafc5ff143899c23a5bdbe2ac5624c8699
a73056c1e6f5b38fc5785d3ec5b71dedd2d22582650cd0e891cab2d655ebc85b
be19bcffbc608d6d1039d08dff5b8730886413121ee569654c81e00ad5d835f8
d77f6c30ca497858d9639f5b49d82ed301d3caf69987151d39eb2f6445010b5d
faf226f245e59507ef84d2f8c52e0718ff9a147a37008c88d1dab005ec100479
fd5ad7560ebcec8df84511da5fbe5eaf9b8965f288a547432351709ee28af605

Use clamscan --debug --leave-temps <sample dir> 2>&1 | grep "bytecode: scanning extracted file" to extract.

All samples can be downloaded from malshare.com

VBScript found in a Windows PE - ZZNet Worm

Overview
Analyze the ZZNet Worm and write a ClamAV signature that detects it

Proposal
The VBScript has ASCII art that says "ZZNet Worm", and I couldn't find any prior reporting on it. It appears to facilitate infection by registering a debugger for several processes, and appears to spread itself to USB devices.

This is from a binary created with VbsEdit, a tool that creates PEs from a given VBScript. We've written a ClamAV bytecode signature that extracts the underlying scripts from these executables, and would like to leverage that to match on the underlying malicious VBS (so, we need a signature on the script contents itself).

Technologies Involved

  • VBScript

Expected Difficulty

  • Beginner/Easy - Can be accomplished with basic RE, there is little to no obfuscation involved, there are fewer than 200 lines of code to analyze, and write-ups exist that walk through reversing this malware

Technical Info
PEs containing the VBScript:

7ae3b394c5aed4f4ba9b60db668b2e0ad6ba7e91fa298a9847cfd6e8a96e0d7f

Use clamscan --debug --leave-temps <sample dir> 2>&1 | grep "bytecode: scanning extracted file" to extract.

Link to download the sample:
https://malshare.com/sample.php?action=detail&hash=b3bf11613c07eb87df9ecb8a259058d5

VBScript found in a Windows PE - Agent (Movies.exe)

Overview
Analyze this generic malware and write a ClamAV signature that detects it

Proposal
This malware does generic malware stuff - changes the homepage, downloads follow-on malware via BITS, schedules tasks to run periodically, etc.

This is from a binary created with VbsEdit, a tool that creates PEs from a given VBScript. We've written a ClamAV bytecode signature that extracts the underlying scripts from these executables, and would like to leverage that to match on the underlying malicious VBS (so, we need a signature on the script contents itself).

Technologies Involved

  • VBScript

Expected Difficulty

  • Beginner/Easy - Can be accomplished with basic RE, there is little to no obfuscation involved, there are fewer than 200 lines of code to analyze, etc.

Technical Info
PE containing the VBScript:

57dc49dbc6775376902c4a3244d82fcca96b49dc67d5aa6e54e184de4514165d

Use clamscan --debug --leave-temps <sample dir> 2>&1 | grep "bytecode: scanning extracted file" to extract.

Link to download the sample:
https://malshare.com/sample.php?action=detail&hash=4a0fe17bc7e99daaf569de19f1222eed

Note, there is an existing hash-based sig for this sample (Win.Malware.Agent-6401248-0), but we'd like to replace it with a better signature

PonyStealer Exfil Attempts

Overview
Write Snort rules for traffic related to PonyStealer (commodity infostealer malware) exfiltrating collected data

Proposal
Write Snort rules for PonyStealer exfil traffic. For more info, see:

Expected Difficulty

  • Beginner/Easy - The C2 protocol is very basic, write-ups exist that detail the purpose of the protocol data, etc.

Technical Info
ponystealer-pcap.zip (password: infected)

TVRat / TeamSpy C2 Traffic

Overview
Write Snort rules for the command and control (C2) traffic used by TVRat (a remote access trojan leveraging the legitimate TeamViewer application)

Proposal
Write Snort rules (likely two) for TVRat C2 traffic. For more info, see:

Expected Difficulty
Beginner/Easy - The C2 protocol is very basic, write-ups exist that detail the purpose of the protocol data, etc.

Technical Info
https://app.any.run/tasks/686989ed-f442-4463-afe5-2b547bf17485/
https://app.any.run/tasks/859c1d99-72d7-4d5e-a9fb-5ad157fa73b4/
tvrat-pcaps.zip (password: infected)

ClamAV Improvement - Support additional AutoIt script operators

Overview
ClamAV can be used to extract AutoIt scripts from compiled EXEs, but in testing against 10,000 samples from VirusTotal, there are some cases where it fails. Some of this appears to be caused by certain script operators not being recognized by ClamAV.

Proposal
Investigate what AutoIt script operators are not supported and then update the ClamAV code to support them.

Skillsets Involved

  • Linux SW development in C
  • SW Reverse Engineering

Expected Difficulty

  • Beginner/Easy – Shouldn’t require an existing understanding of AutoIt or too much knowledge of the ClamAV codebase, and the fixes will likely be fairly easy to implement

Technical Info

I found and fixed one of these locally, but haven't committed the fix. The error ClamAV gave when scanning 77e123e86f43095f4e33a5cadce0fed4bdd9060f78088b3195ca41455e802f71 is as follows:

clamscan --debug --verbose --leave-temps 77e123e86f43095f4e33a5cadce0fed4bdd9060f78088b3195ca41455e802f71
...
LibClamAV debug: autoit: found unknown op (57)
LibClamAV debug: autoit: decompilation aborted - partial script may exist
LibClamAV debug: autoit: script extracted to /tmp/clamav-238b9ca9e2f2440cba18c150e382a87f.tmp/autoit.001

After comparing the output from autoit.001 to the output from the Exe2Aut decompiler output for the same file, it looked like ClamAV didn't support extracting the ternary operators ('?' and ':'). The fix is:

diff --git a/libclamav/autoit.c b/libclamav/autoit.c
index 8d9da58e0..82288fe0b 100644
--- a/libclamav/autoit.c
+++ b/libclamav/autoit.c
@@ -503,7 +503,7 @@ static int ea06(cli_ctx *ctx, const uint8_t *base, char *tmpd) {
   unsigned int files=0;
   char tempfile[1024];
   const char prefixes[] = { '\0', '\0', '@', '$', '\0', '.', '"', '#' };
-  const char *opers[] = { ",", "=", ">", "<", "<>", ">=", "<=", "(", ")", "+", "-", "/", "*", "&", "[", "]", "==", "^", "+=", "-=", "/=", "*=", "&=" };
+  const char *opers[] = { ",", "=", ">", "<", "<>", ">=", "<=", "(", ")", "+", "-", "/", "*", "&", "[", "]", "==", "^", "+=", "-=", "/=", "*=", "&=", "?", ":" };
   struct UNP UNP;
   fmap_t *map = *ctx->fmap;
 
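Review bot: the placement of the two new strings is what makes the fix work, and nothing in the hunk records it: case 0x54 prints "/=", the 21st entry of opers[], so the lookup appears to be opers[op - 0x40], and "?" and ":" at positions 23 and 24 are what 0x57 and 0x58 resolve to. A one-line comment on opers[] saying that its order mirrors the opcode sequence starting at 0x40, plus a compile-time size check (sizeof(opers)/sizeof(opers[0]) against the highest handled opcode minus 0x40 plus one), would catch the next operator that is added to the array but not to the switch, or the reverse, instead of letting it silently print the wrong symbol.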
@@ -856,6 +856,8 @@ static int ea06(cli_ctx *ctx, const uint8_t *base, char *tmpd) {
        case 0x54: /* /= */
        case 0x55: /* *= */
        case 0x56: /* &= */
+       case 0x57: /* ? */
+       case 0x58: /* : */
          if (UNP.cur_output+4 >= UNP.csize) {
            uint8_t *newout;
            UNP.csize += 512;
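Review bot: the new case labels carry no comment tying 0x57/0x58 back to their opers[] positions, and the growth check "if (UNP.cur_output+4 >= UNP.csize)" that they fall into reserves a fixed 4 bytes rather than a bound derived from the operator's length; it holds for "?" and ":" only because they are single characters, the same way it already holds for the two-character "&=". Suggest stating that limit in the comment next to these cases so that a longer operator appended to opers[] later is not routed through the same check unchanged.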

From analyzing 10,000 scripts from VirusTotal there are more of these that we need to investigate and support:

found unknown op (0)
found unknown op (84)
found unknown op (a5)
found unknown op (63)
found unknown op (1)
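To turn a run over a sample corpus into a ranked list of opcodes to add, the following added example parses clamscan --debug --leave-temps output for the "found unknown op" lines and the paths of extracted scripts (the same lines the grep commands in the issues above pull out). It is not the issue author's tooling or ClamAV code: the log lines and /tmp paths are constructed, and the opcode-to-opers[] offset of 0x40 is inferred from the posted hunks (case 0x54 prints "/=", the 21st entry) rather than stated in the issue.

```python
"""Tally the AutoIt opcodes clamscan could not decompile, from its debug log.

Added example; the log lines and paths below are constructed to look like the
ones quoted in the issue, not captured from the referenced sample.
"""
import re
from collections import Counter

# Operator table as it stands after the ternary fix in the issue. The mapping
# opcode -> opers[opcode - 0x40] is inferred from the posted hunks (case 0x54
# prints "/=", the 21st entry), not stated anywhere in the issue.
OPERS = [",", "=", ">", "<", "<>", ">=", "<=", "(", ")", "+", "-", "/", "*", "&",
         "[", "]", "==", "^", "+=", "-=", "/=", "*=", "&=", "?", ":"]
OPER_BASE = 0x40

# Constructed clamscan --debug --leave-temps output from a small batch.
LOG = """\
LibClamAV debug: autoit: found unknown op (57)
LibClamAV debug: autoit: decompilation aborted - partial script may exist
LibClamAV debug: autoit: script extracted to /tmp/clamav-example1.tmp/autoit.001
LibClamAV debug: bytecode: scanning extracted file /tmp/clamav-example2.tmp/vbsedit.001
LibClamAV debug: autoit: found unknown op (a5)
LibClamAV debug: autoit: decompilation aborted - partial script may exist
LibClamAV debug: autoit: found unknown op (57)
LibClamAV debug: autoit: found unknown op (0)
"""

UNKNOWN_OP = re.compile(r"autoit: found unknown op \(([0-9a-f]+)\)")
EXTRACTED = re.compile(r"(?:bytecode: scanning extracted file|autoit: script extracted to) (\S+)")


def unknown_ops(log: str) -> Counter:
    """Count unknown opcodes; the debug line prints them in hex (e.g. 'a5')."""
    return Counter(int(m.group(1), 16) for m in UNKNOWN_OP.finditer(log))


def extracted_files(log: str) -> list:
    """Paths of scripts clamscan wrote out (bytecode- or AutoIt-extracted)."""
    return [m.group(1) for m in EXTRACTED.finditer(log)]


def known_operator(op: int):
    """Operator string for an opcode the current table covers, else None."""
    idx = op - OPER_BASE
    return OPERS[idx] if 0 <= idx < len(OPERS) else None


def prioritized(log: str) -> list:
    """(opcode, count, operator-or-None) sorted by how often the opcode aborted
    decompilation, so the most common gap gets fixed first. An opcode that is
    already in the table but still reported means the switch lacks its case."""
    return sorted(((op, n, known_operator(op)) for op, n in unknown_ops(log).items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for op, n, oper in prioritized(LOG):
        print(f"op 0x{op:02x}: {n} sample(s), table entry: {oper!r}")
    for path in extracted_files(LOG):
        print("extracted:", path)
```

Against a real corpus, redirect clamscan's stderr and stdout into one file (2>&1) and pass the file's text to prioritized(); opcodes that fall below 0x40, such as the (0) and (1) reported above, land outside the table entirely, and this script only reports that rather than guessing what they encode.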
