
detection's People

Contributors

ditekshen, iam-py-test


detection's Issues

False Positive with AutoHotkey Compiles with MPRESS Compression

I compiled a pretty basic AHK script into an EXE using MPRESS compression, and Virus Total was having a fit over it.
https://www.virustotal.com/gui/file/70daa541f025d0cf534c7ffa3f69c11e73f283cb3ccf6de60d722bb53c37289c/detection/f-70daa541f025d0cf534c7ffa3f69c11e73f283cb3ccf6de60d722bb53c37289c-1673376163

Thankfully, the staff over at the website that used VirusTotal scans were kind enough to approve it anyway, but I thought I'd still mention it.

False positive on Python Software Foundation?

Virustotal is flagging an executable we created, due to this rule:

rule INDICATOR_KB_CERT_033ed5eda065d1b8c91dfcf92a6c9bd8 {
    meta:
        author = "ditekSHen"
        description = "Detects executables signed with stolen, revoked or invalid certificate"
        thumbprint = "c91dcecb3a92a17b063059200b20f5ce251b5a95"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].subject contains "Python Software Foundation" and
            pe.signatures[i].serial == "03:3e:d5:ed:a0:65:d1:b8:c9:1d:fc:f9:2a:6c:9b:d8"
        )
}

There seems to be no indication as to the reason that the PSF certificate 033ed5eda065d1b8c91dfcf92a6c9bd8 is declared to be "stolen, revoked or invalid".... (I also can't find anywhere else reporting it to be such).

Is this detection rule correct?

False positive rule: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets

After scanning our Electron based application on virus total, we got that it's matching this crowdsourced rule: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets

The issue here is huge since many regular applications like Slack, Figma, etc. are based on Electron as well, so this rule should exclude $app35 = "Electron" nocase ascii wide since it is not the same as the next line ElectrumLTC which actually is Litecoin client: https://electrum-ltc.org/

Akeo Consulting certificate rule

Hi,

I'm the developer behind Akeo Consulting, and I am very surprised to see the credentials I use to sign my software in your list of "stolen, revoked or invalid certificates":

rule INDICATOR_KB_CERT_24692663ef6c0c0a3b23cfa310c3649b {
    meta:
        author = "ditekSHen"
        description = "Detects executables signed with stolen, revoked or invalid certificates"
        thumbprint = "9ce9a71ccab3b38a74781b975f1c228222cf7d3b"
        hash1 = "c7faae85681abe125b9a81b798daf845c62ddab8014784b6fd1b184b02d5a22b"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].subject contains "Akeo Consulting" and
            pe.signatures[i].serial == "24:69:26:63:ef:6c:0c:0a:3b:23:cf:a3:10:c3:64:9b"
        )
}

Can you please indicate how you came to that conclusion?

My credentials reside on a single password protected YubiKey, that I have here with me, and therefore I find it hard to believe that they could be reported as stolen (and I have certainly not had any reports of any issue with those credentials, which I would expect that anybody who presented such an issue to you would also have had the decency to present to me as the owner). And Windows does not report the certificate as revoked or invalid when running a digitally signed application.

So I would really like to know how you came to classify my certificate as "stolen, revoked or invalid".

If there is information that you feel should not be shared publicly about this, you can also reach me at: [email protected]

What is the point of this?

I just noticed my app triggers "INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL"; I don't know if that's good or bad, I can tell you I have no bad intentions, but I've just headed over to git.io to get a shorter link, and one that is not detected by this rule. 👍

Error on malware.yara

petikvx-ressources/yara/malware.yar(4119): error: syntax error, unexpected identifier, expecting '('

Possible typo in MALWARE_Linux_RansomExx

I was randomly browsing your malware rules when my eyes landed on MALWARE_Linux_RansomExx condition. It says 5 of ($s*) or 6 of ($s*) which does not make sense to me. From the context I would guess it should be something like: 5 of ($s*) or 6 of ($c*). I would make a PR, but I'm not really sure if I'm guessing right.

Rule INDICATOR_KB_CERT_0407abb64e9990180789eacb81f5f914

Hello,

I would like to report that VideoLAN still uses the certificate with serial number 0x0407ABB64E9990180789EACB81F5F914 (matching the YARA rule INDICATOR_KB_CERT_0407abb64e9990180789eacb81f5f914) on the latest versions of vlc.exe.

Moreover an OCSP request for this certificate returns a valid status.

openssl ocsp -issuer DigiCertSHA2AssuredIDCodeSigningCA.crt.pem -serial 0x0407ABB64E9990180789EACB81F5F914 -url http://ocsp.digicert.com/
WARNING: no nonce in response
Response verify OK
0x0407ABB64E9990180789EACB81F5F914: good
    This Update: Oct 17 10:33:01 2022 GMT
    Next Update: Oct 24 09:48:01 2022 GMT

Is there any evidence that the cert was "stolen, revoked or invalid"?

If you have such evidence, I think you should immediately communicate it to VideoLAN to make them stop using the certificate.

Thank you so much for your kind attention.

Error on Malware_Win_Warezov malware.yar

rule MALWARE_Win_Warezov {
    meta:
        author = "ditekSHen"
        description = "Detects Warezov worm/downloader"
    strings:
        // backslashes must be escaped in YARA text strings
        $s1 = "ft\\Windows\\CurrentVersion\\Run" wide
        $s2 = "DIR%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
        $s3 = "%WINDIR%\\sqhos32.wmf" wide
        $s4 = "Accept: */*" fullword ascii
        $s5 = "Range: bytes=" fullword ascii
        $s6 = "module.exe" fullword ascii
        $s7 = { 25 73 25 73 2e 25 73 ?? ?? 22 22 26 6c 79 79 56 00 00 00 00 25 73 25 30 34 64 25 30 32 64 25 30 32 64 00 }
    condition:
        uint16(0) == 0x5a4d and 4 of them
}

I got an error on $s5 = "Range: bytes=" fullword ascii in malware.yar.

There are no problems on Linux, but I have problems on Windows.

Invalid file name pe.number_of_signatures on Windows
Error compiling YARA rule from C:\Users\victim\Desktop\Antivirus\YARA\Bartblaze.yar: C:\Users\victim\Desktop\Antivirus\YARA\Bartblaze.yar(2808): invalid field name "number_of_signatures"
Error compiling YARA rule from C:\Users\victim\Desktop\Antivirus\YARA\Blackberry_index.yar: C:\Users\victim\Desktop\Antivirus\YARA\Blackberry_index.yar(303): invalid field name "number_of_signatures"
Error compiling YARA rule from C:\Users\victim\Desktop\Antivirus\YARA\ditekshen.yar: C:\Users\victim\Desktop\Antivirus\YARA\ditekshen.yar(11623): invalid field name "number_of_signatures"
Error compiling YARA rule from C:\Users\victim\Desktop\Antivirus\YARA\ESET.yar: C:\Users\victim\Desktop\Antivirus\YARA\ESET.yar(3899): invalid field name "number_of_signatures"
How can I fix that?

Stomped_PECompilation_Timestamp_InTheFuture is not suspicious

I've recently run into this indicator:

rule INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture {

The check is not (or no longer) an appropriate one. The indicator is expected for PE files compiled with recent Windows 10 SDKs.
See this discussion:
https://devblogs.microsoft.com/oldnewthing/20180103-00/?p=97705

One of the fields in the Portable Executable (PE) header is called TimeDateStamp. It’s a 32-bit value representing the time the file was created, in the form of seconds since January 1, 1970 UTC. But starting in Windows 10, those timestamps are all nonsense.
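To make the check concrete, here is an added example (not code from the ditekshen rule set) that reads TimeDateStamp from a PE header the way the indicator does and applies the "later than now" comparison; it assumes the standard PE/COFF header layout, and the input it builds is a constructed bare header, not a real binary.

```python
import struct
import time
from typing import Optional

# Offsets from the PE/COFF specification: e_lfanew sits at 0x3C in the DOS header;
# after the 4-byte "PE\0\0" signature the COFF file header starts with
# Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
_E_LFANEW_OFFSET = 0x3C
_COFF_TIMESTAMP_OFFSET = 8  # 4 (signature) + 2 (Machine) + 2 (NumberOfSections)


def pe_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970 UTC, or, for
    reproducible builds, a hash of the image)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, _E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + _COFF_TIMESTAMP_OFFSET)
    return stamp


def timestamp_in_future(image: bytes, now: Optional[int] = None) -> bool:
    """The comparison the indicator rule makes: TimeDateStamp later than the current time.
    Since the Windows 10 SDK the field may hold a hash rather than a time (see the
    linked article), so a 'future' value alone is weak evidence of timestomping."""
    now = int(time.time()) if now is None else now
    return pe_timestamp(image) > now


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed test input: DOS header + PE signature + COFF header only, not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, _E_LFANEW_OFFSET, 0x40)  # PE signature directly after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    sample = build_minimal_pe(0x7FFFFFFF)  # constructed: a stamp far in the future
    print(hex(pe_timestamp(sample)), timestamp_in_future(sample))
```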

Error on ditekSHen.INDICATOR.Win.RMM.SplashtopStreamer

Testing database: '/clamav/tmp.832b29def2/clamav-fb303f0944c421493aec366ccf3ea20f.tmp-indicator_rmm.ldb' ...
WARNING: [LibClamAV] cli_add_content_match_pattern: Problem adding signature (3).
WARNING: [LibClamAV] cli_loadldb: failed to parse subsignature 0 in ditekSHen.INDICATOR.Win.RMM.SplashtopStreamer
WARNING: [LibClamAV] Problem parsing database at line 12
WARNING: [LibClamAV] Can't load /clamav/tmp.832b29def2/clamav-fb303f0944c421493aec366ccf3ea20f.tmp-indicator_rmm.ldb: Malformed database
ERROR: Failed to load new database: Malformed database
WARNING: Database load exited with "Test failed"
ERROR: Database test FAILED.
Unexpected error when attempting to update from custom database URL: https://raw.githubusercontent.com/ditekshen/detection/master/clamav/indicator_rmm.ldb
WARNING: fc_download_url_databases: fc_download_url_database failed: Test failed (8)
ERROR: Database update process failed: Test failed
ERROR: Update failed.

False positive on WinRAR setup?

File: https://www.rarlab.com/rar/winrar-x64-611d.exe

VirusTotal: https://www.virustotal.com/gui/file/ebcb635257c85bb64d06aca82a2e6f51d0f4b968128822bb5a79275e40dce1a5/detection/f-ebcb635257c85bb64d06aca82a2e6f51d0f4b968128822bb5a79275e40dce1a5-1646871217

Matches rule INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395 by ditekSHen from ruleset indicator_knownbad_certs at https://github.com/ditekshen/detection
Detects executables signed with stolen, revoked or invalid certificate

False detection on virustotal?

Hello,

I've just got this on virustotal:

Matches rule INDICATOR_KB_CERT_3300000187721772155940c709000000000187 by ditekSHen from ruleset indicator_knownbad_certs at https://github.com/ditekshen/detection
Detects executables signed with stolen, revoked or invalid certificates

That's the MSI of my app. First, I haven't heard that my cert is stolen or revoked, and it is not invalid. The next interesting thing is that the report for the executable inside that MSI does not have that error.

Fortunately I see this error only when I am signed in to VirusTotal, but I am not sure how and by whom these rules are applied and how this may affect end users. To me it just looks like an unfounded accusation.

Certificate for Akeo Consulting is a false positive

Hi,

I am the developer owning the Akeo Consulting signing credential, which is the one being used to sign the popular Rufus Windows application.

I was recently made aware that you decided to add the signing certificate as knownbad in commit 033a1d8, apparently on a report from https://capesandbox.com/analysis/444899/

From reading the source report you used, while it appears that someone did indeed try to make it look like my signature was applied onto a malware executable, the report for said malware also states, when you click on the Digital Signature section and then look at the Microsoft Certificate Validation (Sign Tool) section:

CryptCATAdminCalcHashFromFileHandle returned error: 0x800700C1 AI}2 is not a valid Win32 application. SignTool Error: WinVerifyTrust returned error: 0x80096010 The digital signature of the object did not verify.

So, if my interpretation of the report is correct, the signature for the executable where my signature was found is invalid and therefore, the conclusion that my credentials have been stolen should be discounted and therefore, Akeo Consulting should be removed from knownbad.

I also see, from another commented section in knownbad, that this does not appear to be the first time where Akeo Consulting was added as a potentially stolen certificate, before it was removed...

For the record, the Akeo Consulting credential I am using for signing is an EV Authenticode credential, which, like all EV credentials, resides on a hardware security token (therefore, not something that can be stealthily duplicated) that I have right under my eyes at the moment, and therefore that I can also confirm can not have been stolen.

So, I hope you can rectify your YARA rule and try not to add certificates that come from a source that also indicates that the digital signature of the malware failed to validate.

Thank you.
