Yara to spellcheck’em all

November 24, 2019 in Tips & Tricks, Trivia

This is a trivial yara rule stub. It picks up binaries with mispeleleleled words. I have started putting it together only yesterday when I noticed that many of popular (and often signed) binaries include lots of these. This suggests the coders are non-native speakers. The more far-fetching scenarios could include automatic checks against APT for popular misspellings to quickly highlight a possible attribution hints or… a false flag 🙂

Improve at your own risk 🙂

rule mispel
        $s1 = "appling" ascii wide
        $s2 = "runing" ascii wide
        $s3 = "youre" ascii wide
        $s4 = "faild" ascii wide
        $s5 = "suces" ascii wide
        $s6 = "seting" ascii wide
        $s7 = "opend" ascii wide
        $s8 = "seqence" ascii wide

        (1 of ($s*))

The curious case of svcpack1.dll

November 22, 2019 in Living off the land, LOLBins

When you disassemble/decompile code produced by popular vendors you usually (blindly) assume that they got it right. I know of typical vulnerabilities, I know of business logic bugs, but somehow… I always feel that all the actions of programmers are either justified, or at least, reasonable within a scope of a particular operation…

This is why the case of svcpack1.dll is puzzling me.

Imagine a signed .exe from Microsoft literally injecting a remote thread into winlogon.exe. Imagine this thread doing nothing, but loading a library called `svcpack1.dll`. Okay. It’s a legacy code. It’s from a Service Pack Update executable, but still….

This is an interesting opportunity.

As I have said may times before… re-usigned binaries are probably a future of malicious activities. Signed, with a great reputation score, yet… given specific circumstances… possibly… really bad….