Permalink
Browse files

Major update to the authenticode plugin.

* Manalyze checks for known binaries in the Windows security catalog.
* Homographs used to detect a few famous companies are now detected.
* Multiple fixes for alerts raised when binaries should be signed.
* The linux version of the plugin now used the latter heuristic.
  • Loading branch information...
JusticeRage committed Jul 4, 2017
1 parent 2cf10bb commit 8efc1e61b6c1ef4b6d3cc0e9fd39a6b1e7c8f542
View
@@ -59,6 +59,10 @@ include_directories(
${PROJECT_SOURCE_DIR}/plugins
${Boost_INCLUDE_DIRS}
)
# Explicitly add OpenSSL include directories if it has been found.
if(OPENSSL_FOUND)
include_directories(${OPENSSL_INCLUDE_DIR})
endif()
add_definitions(-DWITH_MANACOMMONS) # Use functions from manacommons.
add_library(manape SHARED manape/pe.cpp manape/nt_values.cpp manape/utils.cpp manape/imports.cpp manape/resources.cpp manape/section.cpp manape/imported_library.cpp)
@@ -84,7 +88,8 @@ if (WIN32)
add_definitions(-DBOOST_ALL_NO_LIB -DNOMINMAX) # Problems with autolink and MSVC + don't hide std::min and std::max.
# Windows only plugins:
add_library(plugin_authenticode SHARED plugins/plugin_authenticode.cpp)
add_library(plugin_authenticode SHARED plugins/plugin_authenticode/plugin_authenticode.cpp
plugins/plugin_authenticode/plugin_authenticode_commons.cpp)
target_link_libraries(plugin_authenticode manape hash-library manacommons yara ${Boost_LIBRARIES})
else()
string (REGEX MATCH "BSD" IS_BSD ${CMAKE_SYSTEM_NAME}) # Detect if we are compiling on a BSD system.
@@ -105,7 +110,8 @@ else()
# Compile the *nix authenticode plugin if OpenSSL was found.
if (OPENSSL_FOUND)
add_library(plugin_authenticode SHARED plugins/plugin_authenticode_openssl.cpp)
add_library(plugin_authenticode SHARED plugins/plugin_authenticode/plugin_authenticode_openssl.cpp
plugins/plugin_authenticode/plugin_authenticode_commons.cpp)
target_link_libraries(plugin_authenticode ${OPENSSL_LIBRARIES})
endif()
endif()
@@ -21,9 +21,11 @@ rule CompanyNames
description = "Contains the names of famous IT companies"
author = "Ivan Kwiatkowski (@JusticeRage)"
strings:
$adobe = "adobe" nocase wide ascii
$ms = "microsoft" nocase wide ascii
// Not checking for Microsoft, because many MS binaries are verified through the
// security catalog and do not embed a digital signature.
$adobe = "adobe" nocase wide ascii
$google = "google" nocase wide ascii
$firefox = "firefox" nocase wide ascii
$intel = "intel" nocase wide ascii
$amd = "advanced micro devices" nocase wide ascii
$amd2 = "amd" nocase wide ascii fullword
@@ -44,3 +46,23 @@ rule CompanyNames
condition:
any of them
}
rule CompanyNamesHomographs
{
meta:
description = "Tries to impersonate a famous IT company with homographs"
author = "Ivan Kwiatkowski (@JusticeRage)"
type = "homograph"
strings:
$adobe = "adobe" nocase wide ascii
$adobe_homograph = { (41 00 | 10 04 | 91 03 | 21 FF) (64 00 | 01 05 | 7E 21 | 44 FF) (6F 00 | BF 03 | 3E 04 | 4F FF) (62 00 | 2C 04 | 42 FF) (65 00 | 35 04 | 45 FF) }
$microsoft = "microsoft" nocase wide ascii
$microsoft_homograph = { (4D 00 | 9C 03 | 1C 04 | 6F 21 | 2D FF) (69 00 | 56 04 | 70 21 | 49 FF) (63 00 | F2 03 | 41 04 | 7D 21 | 43 FF) (72 00 | 52 FF) (6F 00 | BF 03 | 3E 04 | 4F FF) (73 00 | 55 04 | 53 FF) (6F 00 | BF 03 | 3E 04 | 4F FF) (66 00 | 46 FF) (74 00 | 54 FF) }
$google = "google" nocase wide ascii
$google_homograph = { (47 00 | 0C 05 | 27 FF) (6F 00 | BF 03 | 3E 04 | 4F FF) (6F 00 | BF 03 | 3E 04 | 4F FF) (67 00 | 47 FF) (6C 00 | 7C 21 | 4C FF) (65 00 | 35 04 | 45 FF) }
condition:
// Do not match on the original strings, as that will have been caught above.
($adobe_homograph and not $adobe) or
($google_homograph and not $google) or
($microsoft_homograph and not $microsoft)
}
Oops, something went wrong.

0 comments on commit 8efc1e6

Please sign in to comment.