12 Feb 2010

Tool: aviriaparser.rb

So a while back I downloaded and set up the Avira Professional Beta for Linux; it is a really good product for finding malware. This product has two downsides: 1) it does not work on PowerPC and 2) the logs are in a lame text format. So what I needed was a way to parse all the endless logs from the binaries I have collected to see if anything was interesting enough to go ahead and RE the malicious code. So here is a simple script that will parse the raw Avira logs and write the results to screen for easy viewing. The version I use in production is built into a Rails app and too complex to post here. Sorry.


#!/usr/bin/env ruby
#Jacob Hammack
#http://www.hammackj.com
#Ruby parser for the output of the Avira Professional for linux results

#This script assumes filenames are the sha1 hash of the file
#to change this 

abort "Usage: #{$0} <avira log file>" if ARGV[0].nil?

# Fields are colon separated. The timestamp itself contains two colons, so the
# first three fields are joined back together below; the split is limited to
# six fields so colons inside the result text are not lost.
File.foreach(ARGV[0]) { |line|
        lines = line.chomp.split(':', 6)

        date = lines[0]
        time = lines[1]
        time1 = lines[2]
        av = lines[3]
        type = lines[4]
        result = lines[5]

        printf "Date: %s:%s:%s\n", date, time, time1
        printf "AntiVirus: %s\n", av

        if type =~ /WARNING .*\/([0-9a-fA-F]{40})(.*)/
                # WARNING lines carry the message right after the hash
                type = $1
                result = $2.sub(/\A./, '').strip   # drop the separator, trim
                printf "Filename: %s\n", type
                printf "Result: %s\n", result
        elsif type =~ /ALERT .*\/([0-9a-fA-F]{40})/
                # ALERT lines carry "shortname ; category ; description"
                type = $1
                printf "filename: %s\n", type
                result.to_s.scan(/(.*);(.*);(.*)/) { |s, c, d|
                        printf "Shortname: %s\n", s
                        printf "Category: %s\n", c
                        printf "Description: %s\n", d
                }
        end

        puts "\n"
}

Example Usage


[hammackj@fajitas:~/Desktop]$ ./avguparser.rb filescan-20090615.log

Date: 2009-06-15 13:41:25 hoss avscan[21821]
AntiVirus:  AVGU

Date: 2009-06-15 13:41:40 hoss avscan[21821]
AntiVirus:  AVGU
filename: 00A66A90C0B2ECC0DEB975BE1F47526FD598D4A0
Shortname:  TR/Agent.225280.I 
Category:  trojan 
Description:  Is the Trojan horse TR/Agent.225280.I

Date: 2009-06-15 13:41:41 hoss avscan[21821]
AntiVirus:  AVGU
filename: 00B224187CE4C7E378E954DB76D1AF86DDF1403B
Shortname:  ADSPY/Mywebsearch.AN.2 
Category:  adware 
Description:  Contains detection pattern of the Ad- or Spyware ADSPY/Mywebsearch.AN.2

[hammackj@fajitas:~/Desktop]$
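The script above prints each hit as it goes; when the goal is to triage a whole batch of collected binaries, it helps to parse the same lines into records and count them per category. The following is an added example, not the author's script or Avira's code: the line layout it parses is an assumption reconstructed from the example output above (timestamp, host, `avscan[pid]`, engine, then `ALERT <path>/<sha1>: <shortname> ; <category> ; <description>`), and the sample lines are constructed.

```ruby
# Constructed sample log lines (not real scan output); the last one is a
# made-up WARNING line with a placeholder hash.
SAMPLE_LOG = <<LOG
2009-06-15 13:41:25 hoss avscan[21821]: AVGU: starting scan
2009-06-15 13:41:40 hoss avscan[21821]: AVGU: ALERT /samples/00A66A90C0B2ECC0DEB975BE1F47526FD598D4A0: TR/Agent.225280.I ; trojan ; Is the Trojan horse TR/Agent.225280.I
2009-06-15 13:41:41 hoss avscan[21821]: AVGU: ALERT /samples/00B224187CE4C7E378E954DB76D1AF86DDF1403B: ADSPY/Mywebsearch.AN.2 ; adware ; Contains detection pattern of the Ad- or Spyware ADSPY/Mywebsearch.AN.2
2009-06-15 13:41:42 hoss avscan[21821]: AVGU: WARNING /samples/deadbeefdeadbeefdeadbeefdeadbeefdeadbeef; archive nested too deep
LOG

# Parse one avscan line; returns a hash for ALERT/WARNING lines, nil otherwise.
def parse_avira_line(line)
  fields = line.chomp.split(':', 6)   # limit so colons in the message survive
  return nil if fields.length < 5
  rec = { :time => fields[0, 3].join(':').strip, :av => fields[3].strip }
  type, rest = fields[4], fields[5].to_s
  case type
  when /ALERT .*\/([0-9a-fA-F]{40})/
    sha1 = $1
    short, cat, desc = rest.split(';', 3).map { |s| s.to_s.strip }
    rec.merge(:kind => :alert, :sha1 => sha1.upcase, :shortname => short,
              :category => cat, :description => desc)
  when /WARNING .*\/([0-9a-fA-F]{40})(.*)/
    sha1, msg = $1, $2
    rec.merge(:kind => :warning, :sha1 => sha1.upcase,
              :message => msg.sub(/\A[;,\s]+/, '').strip)
  else
    nil                                 # status lines carry no verdict
  end
end

# Parse a whole log (as a string) into an array of records.
def parse_avira_log(text)
  text.each_line.map { |l| parse_avira_line(l) }.compact
end

# Count ALERT records per Avira category (trojan, adware, ...).
def count_by_category(records)
  records.inject(Hash.new(0)) do |h, r|
    h[r[:category]] += 1 if r[:kind] == :alert
    h
  end
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  records = parse_avira_log(text)
  records.each { |r| puts r.inspect }
  puts "Alerts by category: #{count_by_category(records).inspect}"
end
```

Run it with a real log path as the first argument, or with no argument to see it work on the constructed sample.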