Let's leverage time stamps within malware with Yara! Who cares whether the time stamp is accurate (it probably isn't): it is a fixed, known value, it often changes between versions or campaigns, and so it can be a point of detection. Let's look at some logic:
1. PE Time Stamp doesn't exist
2. PE Time Stamp outside of a certain date (the future, the past, etc.)
3. PE Time Stamp and Resource Time Stamps (same, different, one older/younger than the other)
Now, with those ideas in mind, let's play. Oh, and before I forget: Yara exposes pe.timestamp as a raw Unix time (seconds since 1970-01-01 UTC), so convert your dates to epoch seconds before writing them into a rule. Keep that in mind.
Starting simple. How about just seeing if a timestamp exists.
import "pe"
rule Atimestamp {
condition:
pe.timestamp != 0
}
That isn't very useful on its own, so let's add a bit more to it. How about an exact date:
import "pe"
rule Exacttimestamp {
condition:
pe.timestamp == 1150700835
}
Or, something in a range...
import "pe"
rule timestamprange{
condition:
pe.timestamp > 1150700835 and pe.timestamp < 1373882334
}
Yara doesn't have a built-in notion of "now" that I know of, but you can cheat a bit. Reference an external variable (say, now) in the condition, and supply its value at run time with the command-line tool's -d option, e.g. -d now=1440000000 (the current epoch seconds). The rule won't compile if the variable is not defined, so remember to pass it on every run.
Anyway, here's an example where the resource time stamp is older (earlier) than the PE time stamp. Mind the direction: a smaller epoch value is an earlier date, so "<" means older, not younger.
import "pe"
rule rsrc_tp_younger{
condition:
pe.resource_timestamp != 0 and
pe.resource_timestamp < pe.timestamp
}
Even better, how about any resource that matches a particular hash value, combined with the same time stamp ordering:
import "pe"
import "hash"
rule all_rsrc_files {
condition:
for any i in (0..pe.number_of_resources - 1):
(hash.md5(pe.resources[i].offset, pe.resources[i].length) == "49f68a5c8493ec2c0bf489821c21fc3b"
and pe.resource_timestamp < pe.timestamp)
}
While we are at it, how about we check the entropy of a resource together with the time stamp ordering (entropy above 6 bits per byte usually means compressed or encrypted data):
import "pe"
import "math"
rule rsrc_entropy_timestamp {
condition:
for any i in (0..pe.number_of_resources - 1):
((math.entropy(pe.resources[i].offset, pe.resources[i].length) > 6) and (pe.resource_timestamp != 0 and pe.resource_timestamp < pe.timestamp))
}
Or, the entropy of a particular section. The rule below checks whether the .text section's entropy falls within a range; swap the bounds for whatever your family looks like. Note that 4.0 to 5.0 is not "high": plain x86 code usually sits around 5 to 6.5, and packed or encrypted code well above 7. One caveat: if there is no section named .text, pe.section_index(".text") fails and the whole expression is undefined, so the rule simply won't match on such files rather than erroring out.
import "pe"
import "math"
rule text_entropy {
condition:
math.in_range(math.entropy(pe.sections[pe.section_index(".text")].raw_data_offset, pe.sections[pe.section_index(".text")].raw_data_size), 4.0, 5.0)
}
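To see concretely which bytes those rules compare, here is an added example of my own (not code from the post or from the Yara project) in Python. It hand-builds a stripped-down PE image, reads the COFF TimeDateStamp and the resource directory TimeDateStamp the way pe.timestamp and pe.resource_timestamp do, converts a UTC date to the epoch integer you paste into a rule, and applies the three checks from the list above, with now passed in as a parameter the way you would pass -d now=<epoch> to yara. Assumptions: the constructed image is not a loadable binary, and the resource directory is located by the .rsrc section's raw offset rather than by the data-directory RVA Yara uses.

```python
"""Added example (not code from the post): what pe.timestamp and
pe.resource_timestamp actually read, plus the three timestamp checks as code.
The PE image is constructed by hand and is not a loadable binary."""
import datetime
import struct
from typing import List, Optional, Tuple

PE_TS = 1150700835       # 2006-06-19 07:07:15 UTC, the epoch value used in the rules above
RSRC_TS = 1373882334     # 2013-07-15 UTC, later than PE_TS


def build_mini_pe(coff_ts: int, rsrc_ts: Optional[int]) -> bytes:
    """Constructed image: DOS stub with e_lfanew, PE signature, COFF header, an
    empty PE32 optional header, a section table, and (unless rsrc_ts is None)
    an IMAGE_RESOURCE_DIRECTORY at the raw offset of a .rsrc section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    secs: List[Tuple[bytes, int, int]] = [(b".text", 0x200, 0x200)]   # (name, raw ptr, raw size)
    if rsrc_ts is not None:
        secs.append((b".rsrc", 0x400, 0x200))
    opt_size = 224                                                     # PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), coff_ts, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b"".join(
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 4 unused, Characteristics
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), sz, ptr, sz, ptr, 0, 0, 0, 0, 0x40000040)
        for n, ptr, sz in secs
    )
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += b"\0" * (0x600 - len(image))
    if rsrc_ts is not None:
        # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, #named, #id
        image[0x400:0x410] = struct.pack("<IIHHHH", 0, rsrc_ts, 0, 0, 0, 0)
    return bytes(image)


def _pe_sig(data: bytes) -> int:
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return e_lfanew


def pe_timestamp(data: bytes) -> int:
    """COFF TimeDateStamp, 8 bytes past the signature: this is pe.timestamp."""
    return struct.unpack_from("<I", data, _pe_sig(data) + 8)[0]


def sections(data: bytes) -> List[Tuple[str, int, int]]:
    """(name, PointerToRawData, SizeOfRawData) for each section header."""
    sig = _pe_sig(data)
    nsec = struct.unpack_from("<H", data, sig + 6)[0]
    opt_size = struct.unpack_from("<H", data, sig + 20)[0]
    base = sig + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, base + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out


def resource_timestamp(data: bytes) -> int:
    """TimeDateStamp of the root resource directory; 0 when there is no .rsrc.
    Assumption of this example: the directory starts at .rsrc's raw offset
    (Yara finds it through the resource data-directory RVA instead)."""
    for name, raw_ptr, _ in sections(data):
        if name == ".rsrc":
            return struct.unpack_from("<I", data, raw_ptr + 4)[0]
    return 0


def to_epoch(iso_utc: str) -> int:
    """'2006-06-19T07:07:15' (UTC) -> the integer you write into a Yara condition."""
    dt = datetime.datetime.fromisoformat(iso_utc).replace(tzinfo=datetime.timezone.utc)
    return int(dt.timestamp())


EARLIEST_PLAUSIBLE = to_epoch("2000-01-01T00:00:00")   # tune to your corpus


def timestamp_findings(pe_ts: int, rsrc_ts: int, now: int) -> List[str]:
    """The three checks from the list above. `now` is the value you would hand
    to yara as -d now=<epoch>; a smaller epoch is an earlier date, so '<' means older."""
    findings = []
    if pe_ts == 0:
        findings.append("pe_timestamp_missing")
    else:
        if pe_ts > now:
            findings.append("pe_timestamp_in_future")
        if pe_ts < EARLIEST_PLAUSIBLE:
            findings.append("pe_timestamp_before_window")
    if pe_ts and rsrc_ts:
        if rsrc_ts == pe_ts:
            findings.append("rsrc_equals_pe")
        elif rsrc_ts < pe_ts:
            findings.append("rsrc_older_than_pe")
        else:
            findings.append("rsrc_newer_than_pe")
    return findings


if __name__ == "__main__":
    now = int(datetime.datetime.now(datetime.timezone.utc).timestamp())
    for label, blob in [("with rsrc", build_mini_pe(PE_TS, RSRC_TS)), ("no rsrc", build_mini_pe(PE_TS, None))]:
        print(label, pe_timestamp(blob), resource_timestamp(blob),
              timestamp_findings(pe_timestamp(blob), resource_timestamp(blob), now))
```

Run it against a real sample by replacing the constructed image with open(path, "rb").read(); the findings list maps one-to-one onto the rules above, which makes it easy to confirm what a rule will and won't hit before you deploy it.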
Your antidote to the cyber-twaddle that is spread about security and malware. Many people research malware and security and the impact of both. Some insights are valuable; others are insanely stupid. MalBabble exists because insisting that conclusions be drawn from data is a coherent idea; that conjecture isn't evidence; and because appealing to conspiracy to validate ideas is intellectually lazy.
Monday, August 24, 2015
Thursday, August 20, 2015
Okay, it's been too long.
Alright, I admit it. It's been way too long since I've posted. Telling myself I'm busy only goes so far.
Anyway, I figured I might as well get back to talking about Yara. We dug into the PE header pretty well, but I skipped over what you can do with the Characteristics field of the COFF file header. This page on MSDN can orient you to what I'm talking about. Or, if you use PeStudio from winitor (requires Windows), point it at your malware and you get a good snapshot of the values. The point is that you can match on a file's characteristics, which is well and good if you are building a profile for a family of malware. I'm not going to go through the complete list (you can find it here), but I am going to show you how to format a Yara rule to match on them. First we'll just trap for a couple of characteristics, say files that are executable images (not object files) and have had their relocations stripped. Don't forget to import "pe" or the rule will fail to compile (obviously, we are using Yara 3.x, which has the pe module).
import "pe"
rule characteristics_simple {
condition:
// bitwise AND against the IMAGE_FILE_* flag; a non-zero result means the flag is set
pe.characteristics & pe.RELOCS_STRIPPED and pe.characteristics & pe.EXECUTABLE_IMAGE
}
Trapping characteristics alone in a Yara rule is best used for high-level sorting. Still, they can be leveraged to be useful when you have small variances within a family: combined with strings or other structure, the characteristics word can help separate variants.
Let's grab some unique values and then add a few characteristics we are interested in as well.
import "pe"
rule characteristics_test {
strings:
$a1= "Ramdisk"
$a2= "Cache-Control:max-age"
$a3= "YYSSSSS"
$a4= "t4j SV3"
$a5= "Program started"
$a6= "Started already,"
$a7= "SoundMAX service agent" wide
condition:
(all of ($a*) and pe.characteristics & pe.DEBUG_STRIPPED and pe.characteristics & pe.RELOCS_STRIPPED)
}
Here we are looking for a few specific strings and then our two characteristics of interest, DEBUG_STRIPPED and RELOCS_STRIPPED.
Now, the next example has nothing to do with the file header, but it is something I've found useful: employing the hash module to calculate hash values of data within the file. That's useful when you have a chunk of data that is stable across a bunch of samples even though the file hash differs. Say, when something gets appended to the end of a file. Or sits in the middle. Whatever. Here's how to look at the last 512 bytes of a file:
import "hash"
rule last512_test {
condition:
// guard: on a file shorter than 512 bytes the window is undefined and the rule would never match
filesize >= 512 and
hash.md5(filesize - 512, 512) == "275876e34cf609db118f3d84b799a790"
}
Or, the front of the file.
import "hash"
rule first512_test {
condition:
filesize >= 512 and
hash.md5(0, 512) == "275876e34cf609db118f3d84b799a790"
}
If you don't like md5, switch to hash.sha1 or hash.sha256 with the same arguments; only the digest string changes (40 and 64 hex characters respectively). I'll go into this more when I talk about the modules.
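Added example of my own (not from the post): the computations behind the pe.characteristics, hash.md5(offset, size) and math.entropy(offset, size) conditions, written out in Python over a constructed sample, so a candidate window, flag combination or entropy threshold can be checked against a file before you commit it to a rule. It also serves the resource and .text entropy rules in the time stamp post above. The IMAGE_FILE_* values are the documented COFF flags; the sample bytes, the 512-byte windows and the helper names are constructed for this demo.

```python
"""Added example (not code from the post): what pe.characteristics,
hash.md5(offset, size) and math.entropy(offset, size) compute, over a
constructed sample so the thresholds can be checked before writing a rule."""
import hashlib
import math
import struct
from typing import Dict, List, Optional

# IMAGE_FILE_* flag values from the COFF spec; Yara's pe module uses the same names
CHARACTERISTICS = {
    "RELOCS_STRIPPED": 0x0001,
    "EXECUTABLE_IMAGE": 0x0002,
    "LINE_NUMS_STRIPPED": 0x0004,
    "LOCAL_SYMS_STRIPPED": 0x0008,
    "LARGE_ADDRESS_AWARE": 0x0020,
    "32BIT_MACHINE": 0x0100,
    "DEBUG_STRIPPED": 0x0200,
    "DLL": 0x2000,
}


def coff_characteristics(data: bytes) -> int:
    """The Characteristics word sits 22 bytes past the 'PE\\0\\0' signature."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def flags_set(characteristics: int, wanted: List[str]) -> bool:
    """Same test as chaining 'pe.characteristics & pe.NAME' for each NAME."""
    return all(characteristics & CHARACTERISTICS[name] for name in wanted)


def flag_names(characteristics: int) -> List[str]:
    """Decode the word into names, handy when profiling a family."""
    return [n for n, v in CHARACTERISTICS.items() if characteristics & v]


def window_md5(data: bytes, offset: int, size: int) -> Optional[str]:
    """hash.md5(offset, size). A window that is not fully inside the file is
    undefined in Yara and the condition silently fails; mirror that with None
    instead of hashing a truncated slice."""
    if offset < 0 or size <= 0 or offset + size > len(data):
        return None
    return hashlib.md5(data[offset:offset + size]).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0..8 scale math.entropy uses."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample(tail: bytes) -> bytes:
    """Constructed: MZ stub with e_lfanew=0x40, PE signature, a COFF header whose
    Characteristics = RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE|DEBUG_STRIPPED,
    then whatever tail bytes the caller wants to hash or measure."""
    chars = 0x0001 | 0x0002 | 0x0100 | 0x0200
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, chars)
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + tail


# 256 zero bytes followed by 512 bytes that cover every byte value twice (entropy 8.0)
SAMPLE = build_sample(b"\0" * 0x100 + bytes(range(256)) * 2)


def profile(data: bytes) -> Dict[str, object]:
    """One pass producing the values the rules above compare against."""
    chars = coff_characteristics(data)
    last = window_md5(data, len(data) - 512, 512)
    return {
        "flags": flag_names(chars),
        "debug_and_relocs_stripped": flags_set(chars, ["DEBUG_STRIPPED", "RELOCS_STRIPPED"]),
        "first512_md5": window_md5(data, 0, 512),
        "last512_md5": last,
        "last512_entropy": round(shannon_entropy(data[-512:]), 3) if last else None,
    }


if __name__ == "__main__":
    for k, v in profile(SAMPLE).items():
        print(f"{k}: {v}")
```

window_md5 returning None on a short file is the point to notice: in Yara the same condition just never matches, with no error, which is why the filesize guard in the rules above is worth keeping. Point profile() at a handful of samples from one family and the stable first512/last512 digests are the ones to lift into a rule.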