Comments on Windows Incident Response: Got your YARA??
(7 comments, feed last updated 2024-03-19; shown oldest first)


Jamie Butler, 2009-01-09 13:52 -05:00

Harlan,

Are you reading my email again?

I agree with you on using Snort-like rules for classification. We need faster ways to filter/classify all the data.

Peter has been doing some work in this area for several months. Our first goal is to classify something in memory as good or bad. To do this, we are leveraging what people already know how to use. For example, when classifying certain parts of a file we use PEiD's public database. When it comes to memory, we are going to release a tool at Blackhat DC to use Snort signatures as a filter for strings in memory. You can read about that here: http://blog.mandiant.com/archives/133

Now I am going to go change all my passwords. ;-)


Anonymous, 2009-01-09 20:43 -05:00

How would you determine known good programs using YARA? I'd be interested in knowing if an exe is packed, considering how common it is for malware, while at the same time it doesn't seem to be too common for legitimate software.


H. Carvey, 2009-01-10 08:13 -05:00

> How would you determine known good programs using YARA?

The same way you would to find the bad stuff...write rules.

> I'd be interested in knowing if an exe is packed, considering how common it is for malware, while at the same time it doesn't seem to be too common for legitimate software.

That's pretty easy, in a number of ways. This is described in Chapter 6, "Executable File Analysis", of my book, "Windows Forensic Analysis".


H. Carvey, 2009-01-10 08:27 -05:00

Jamie,

The only issue I see with this type of approach is, who writes and maintains rules? How do you know how valid the rules are? I'm not saying that there should be one main repository...I'm saying that this could become an issue where there are rules posted that do not have...shall we say, the "rigor" put into their development and they're ineffective. Ineffective tools can quickly end up gathering dust on the shelf.

In a lot of ways, I see this going something like this...some consultant company has a handful of consultants that use the tool, and one or two folks who maintain the signatures. They stay plugged into the community so that some information is shared but no one shares 100%. Every now and then, someone may see what tools the consultant is using, think, "oh, cool" and give it a shot themselves...but beyond that, I'm afraid that a lot of very useful tools end up not being deployed where they need to be due to that initial knowledge hurdle.

We can work to make it NOT happen, though...


Anonymous, 2009-01-10 08:44 -05:00

Yes Harlan, but exactly what kind of rules? There are obviously far more legitimate files than malicious, so I would think you'd have your work cut out for you. That is unless there was something unique to good files. The only thing I can think of is searching for files with strings like:

CompanyName
Microsoft Corporation

Is that what you had in mind, or is there some other efficient (and perhaps more reliable) way to detect known good files with YARA? Or are you going to save that for your WFA2. :)


H. Carvey, 2009-01-10 09:05 -05:00

Anonymous,

Can I call you "Anonymous"?

There's really so much more to it than that. If you understand the PE file format, there are other things, too. What about Entry Point Analysis, such as what's done w/ PEiD, as Jamie mentioned?

The more checks you have, the fewer false positives you have. Sure, you can search for compressed EXEs using section names like UPX0 and UPX1. But you can also weed out legitimate code using things like entry point analysis, etc.


Anonymous, 2009-01-19 07:04 -05:00

I'm glad to see some discussion about YARA here :)

Regarding the topic of packer detection, one thing that I have in mind is to port PEiD's public database to YARA. It would be very easy to do, let's see if I manage to make some time.
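The thread above mentions three concrete checks without showing them: UPX section names (UPX0/UPX1), entry point analysis, and the anonymous commenter's "CompanyName / Microsoft Corporation" idea for known-good files. The following rule set is an added example written for this page, not code from the blog, the commenters, or any project they name. It assumes YARA's bundled `pe` module (YARA 3.x or later); the rule names and the way the signals are combined are the editor's own choices.

```yara
import "pe"

// Added example (not from the thread): YARA rules for the checks the
// comments discuss. Rule names are the editor's own; the pe module ships
// with YARA 3.x and later, so `yara -r rules.yar <dir>` is enough to run it.

private rule is_pe
{
    condition:
        uint16(0) == 0x5A4D and pe.number_of_sections > 0
}

// Check 1: the UPX section names Carvey mentions. Cheap to evaluate, but a
// section name is just bytes in a header, so it is a hint, not proof.
rule upx_section_names
{
    meta:
        description = "PE whose section table carries UPX's default names"
    condition:
        is_pe and
        for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name == "UPX0" or pe.sections[i].name == "UPX1"
        )
}

// Check 2: entry-point analysis. Compilers normally put the entry point in
// the first code section; packers commonly put their unpacking stub in the
// last section they append. Some legitimate layouts hit this too, which is
// why it is combined with other signals below rather than used alone.
rule entry_point_in_last_section
{
    condition:
        is_pe and pe.number_of_sections > 1 and
        pe.section_index(pe.entry_point) == pe.number_of_sections - 1
}

// Check 3: the "known good" string the anonymous commenter proposed. Version
// info is metadata the file's author controls, so on its own it is a weak
// signal in either direction.
rule claims_microsoft_company_name
{
    condition:
        is_pe and
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
}

// Triage rule: flag a file for analyst review when two independent packer
// signals agree, or when a file with UPX section names also presents itself
// as Microsoft's, since that pairing is unusual for shipped Microsoft code.
rule packed_pe_for_review
{
    meta:
        description = "Packer indicators that make the file worth a closer look"
    condition:
        (upx_section_names and entry_point_in_last_section) or
        (upx_section_names and claims_microsoft_company_name)
}
```

This follows Carvey's point that more checks mean fewer false positives: each single rule fires on some legitimate software, so only `packed_pe_for_review` is meant to drive a worklist, and the component rules are kept separate so an analyst can see which signal contributed. Note that YARA reads the version-info and section data as they appear in the file; it does not establish that a file really came from the vendor it names, so `claims_microsoft_company_name` must not be used as an exclusion list on its own.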