2015 State of Application Security: Closing the Gap

Although published in mid 2015, SANS “2015 State of Application Security: Closing the Gap” provides interesting insights into:

  • Application Security Standards in Use
  • Overlap Between Development and Security Focus
  • Popular Languages and Their Perceived Risks
  • Top Challenges for Builders and Defenders
  • Defenders’ Emphasis for Application Security Management Resources
  • Useful Security Practices for Application Defenders




Windows PUP: Creating a custom ClamAV signature for windowpromo.exe

I was recently looking into a PUP that seems to get installed  with a freeware called Emotiplus that allows users to use fancy emoticons in Skype.

While nothing too bad beyond unwanted requests to dozens of contacts as well as unwanted add-on installation was observed in my test lab, I did see a stream of callbacks to a host: windowpromo.azurewebsites.net


The response looked like the screenshot below:


None of the AntiVirus solutions that I had access to were detecting this particular sample. So I took a stab at creating a ClamAV custom signature for this executable – turned out to be quite simple (though the approach I used is quick and dirty and not the most robust way to identify all variants).

Here is what I did:

Step 1: Run a ClamAV scan on the executable to confirm that the file is not detected as malicious.


Step 2: Run strings on the executable to obtain “signature” string that can be used to create the custom signature for in ClamAV.

Step 3: The results from “strings” was not very helpful, so I decided to use the string “windowpromo.azurewebsites.net” as my signature string. The fact that the installed PUP calls out to this site host makes me reasonably confident that the sample can be detected based on a signature created using this string.

Step 4: I created the hex output for “windowpromo.azurewebsites.net” using the sigtool utility.


Step 5: Created a signature in the following format that ClamAV understands:


The file is saved as “test.ndb”. Two things to note:

  • 0 – it is for ClamAv to check for the any file type as target
  • “0a” at the end of the hext string has to be removed

This signature us stored in the custom signature database for ClamAV and when running a scan that needs to reference this custom database, the –d switch must be used in Step 6

Step 6: Run clamscan again using the newly created signature


The “.UNOFFICIAL” extension that ClamAV seem to have added is due to the fact that the signature database that we used for this scan is not part of the ClamAV’s project signature database.