
There is a warning in my country that this trojan infected computers over a news site (the Trojan's name is GOZI).

I used clamav but it says it is not the latest version.

How to install the latest version of clamav?

empedokles

2 Answers

Uninstall the repository versions of clamav and clamtk:

sudo apt-get purge clamav clamtk

First you will need some dependencies and build tools:

sudo apt-get install openssl build-essential libssl-dev checkinstall

Download this file, it will go to your /home:

wget https://www.clamav.net/downloads/production/clamav-0.99.1.tar.gz

Extract that file and change to the folder it created:

tar -xvzf ~/clamav-0.99.1.tar.gz
cd ~/clamav-0.99.1

Now run the following commands to build clamav 0.99.1:

./configure
make

Now build a package with

sudo checkinstall

checkinstall will guide you through the building of a .deb package and when it is done run

sudo dpkg -i ~/clamav-0.99.1/clamav_0.99.1-1_amd64.deb

Now it is installed, but you may face errors about a config file. If you do, run these commands (thanks to user Terrance on this question for this; if you use it, give him a vote):

sudo dpkg-reconfigure clamav-freshclam

Just keep pressing Enter to use default settings, then run

sudo rm -f /usr/local/etc/freshclam.conf
sudo ln -s /etc/clamav/freshclam.conf /usr/local/etc/freshclam.conf

Now you can run

sudo clamscan -r /

to do a scan.

Tested on 15.10.

Mark Kirby
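Two checks a practitioner would want around the procedure above, added here as an example and not part of the answer: parsing the version out of clamscan's output to decide whether the "not the latest version" warning still applies, and confirming that the freshclam.conf symlink from the last step resolves to the file under /etc/clamav. The sample version strings are constructed; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: post-install checks for a source-built ClamAV.

# Extract "0.99.1" from a "clamscan --version" line such as
# "ClamAV 0.99.1/21472/Tue Mar 29 12:34:56 2016".
clamav_version_from() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when version $1 is older than version $2. sort -V
# compares dotted versions numerically, so 0.98.7 < 0.99.1 holds
# even though "0.98.7" sorts after "0.99.1" as plain text would not.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Print "outdated" or "current" for an installed version ($1)
# compared with the recommended one ($2), as freshclam reports it.
update_status() {
    if version_lt "$1" "$2"; then echo outdated; else echo current; fi
}

# True when $1 is a symlink that resolves to the same file as $2,
# e.g. /usr/local/etc/freshclam.conf -> /etc/clamav/freshclam.conf.
# Uses readlink -f (GNU coreutils, present on Ubuntu).
symlink_points_to() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Constructed sample output for an outdated and a rebuilt install.
SAMPLE_OLD='ClamAV 0.98.7/21472/Tue Mar 29 12:34:56 2016'
SAMPLE_NEW='ClamAV 0.99.1/21472/Tue Mar 29 12:34:56 2016'

# Stand-alone usage: compare the live binary against 0.99.1 and
# verify the config symlink (both commands are harmless if run).
if command -v clamscan >/dev/null 2>&1; then
    live=$(clamav_version_from "$(clamscan --version)")
    echo "installed $live: $(update_status "$live" 0.99.1)"
    symlink_points_to /usr/local/etc/freshclam.conf /etc/clamav/freshclam.conf \
        && echo "freshclam.conf symlink ok" || echo "freshclam.conf symlink missing"
fi
```

If the status is still "outdated" after installing the .deb, check `command -v clamscan`: the checkinstall package installs under /usr/local, so a leftover /usr/bin/clamscan from the repository package will be found first if the purge step was skipped.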

Excerpt from http://www.govcert.admin.ch/blog/21/20min.ch-malvertising-incident

The infection chain is as follows:

  1. The swf file on 20min.ch contains an embedded Javascript which does a basic fingerprint using User Agent and Cookie. Based on this information a decision is made whether to redirect to the infection site or not.
  2. Redirect to the exploit Kit where a VB Script is downloaded with another check which exploit would suit the target
  3. Infect the device with Gozi in the form of a .dll that is made persistent via a registry key (rundll) under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The dll resides in the %APPDATA% folder of the user.
msomm