Yara to spellcheck’em all

November 24, 2019 in Tips & Tricks, Trivia

This is a trivial YARA rule stub. It picks up binaries with mispeleleleled words. I started putting it together only yesterday, when I noticed that many popular (and often signed) binaries include lots of these, which suggests the coders are non-native speakers. The more far-fetched scenarios could include automatic checks of APT samples for popular misspellings, to quickly highlight possible attribution hints or... a false flag 🙂 One caveat: YARA matches these as plain substrings. That lets a stem such as "suces" also catch "sucesful", but it also means "runing" fires on "pruning" and "appling" on "grappling", so tune the list against a clean corpus (or add fullword to the entries meant as whole words) before trusting a hit.

Improve at your own risk 🙂

rule mispel
{
    strings:
        // plain substrings: a stem like "suces" also catches "sucesful",
        // but "runing" also fires inside "pruning"; add fullword to any
        // entry that is meant to match only as a whole word
        $s1 = "appling" ascii wide
        $s2 = "runing" ascii wide
        $s3 = "youre" ascii wide
        $s4 = "faild" ascii wide
        $s5 = "suces" ascii wide
        $s6 = "seting" ascii wide
        $s7 = "opend" ascii wide
        $s8 = "seqence" ascii wide

    condition:
        // any single hit is enough; raise the count to cut noise
        (1 of ($s*))
}
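Added example, not part of the original post: a pure-Python emulation of how YARA's `ascii wide` (and optionally `fullword`) modifiers match against raw bytes, so the word list and the `1 of ($s*)` condition can be tried offline without yara-python, plus a small generator that renders the rule back out. The sample byte strings are constructed stand-ins for a binary's string tables, the `fullword` emulation is an approximation of YARA's rule (no alphanumeric byte directly before or after the match; for wide strings, no alphanumeric byte plus 0x00), and the function names are my own.

```python
"""Offline companion to the 'mispel' rule: emulate YARA's ascii/wide
(and fullword) string matching over bytes, and render the rule."""
import re

# The misspellings from the rule on this page.
MISSPELLINGS = ["appling", "runing", "youre", "faild", "suces",
                "seting", "opend", "seqence"]


def _word_patterns(word, fullword=False):
    """Compile regexes for the ascii and wide (UTF-16LE) encodings of `word`.

    `fullword` approximates YARA's modifier: the match may not be directly
    preceded or followed by an alphanumeric character. For wide strings
    that neighbour is a two-byte unit (alnum byte followed by 0x00).
    """
    ascii_pat = re.escape(word.encode("ascii"))
    wide_pat = re.escape(word.encode("utf-16-le"))
    if fullword:
        ascii_pat = rb"(?<![0-9A-Za-z])" + ascii_pat + rb"(?![0-9A-Za-z])"
        wide_pat = rb"(?<![0-9A-Za-z]\x00)" + wide_pat + rb"(?![0-9A-Za-z]\x00)"
    return re.compile(ascii_pat), re.compile(wide_pat)


def scan(data, words=MISSPELLINGS, fullword=False):
    """Return the sorted list of `words` present in `data` (bytes) in either
    ascii or wide form. Case-sensitive, like the rule on the page."""
    hits = set()
    for word in words:
        if any(pat.search(data) for pat in _word_patterns(word, fullword)):
            hits.add(word)
    return sorted(hits)


def matches_rule(data, words=MISSPELLINGS, fullword=False, threshold=1):
    """Emulate the rule's condition `threshold of ($s*)`."""
    return len(scan(data, words, fullword)) >= threshold


def yara_rule(words=MISSPELLINGS, name="mispel", fullword=False, threshold=1):
    """Render a YARA rule for `words` with `ascii wide` (plus `fullword` if
    requested) modifiers and an `N of ($s*)` condition. With the defaults
    this reproduces the rule on the page."""
    for word in words:
        # only plain words are accepted, so no YARA string escaping is needed
        if not re.fullmatch(r"[A-Za-z0-9_]+", word):
            raise ValueError(f"word needs escaping for YARA: {word!r}")
    mods = "ascii wide" + (" fullword" if fullword else "")
    lines = [f"rule {name}", "{", "    strings:"]
    for i, word in enumerate(words, 1):
        lines.append(f'        $s{i} = "{word}" {mods}')
    lines += ["", "    condition:", f"        ({threshold} of ($s*))", "}"]
    return "\n".join(lines)


# Constructed samples (not real binaries): embedded NULs and UTF-16LE text
# imitate the ascii and wide string tables YARA would see in a PE.
SAMPLES = {
    "sloppy_ascii": b"\x00\x00Operation faild: could not open file\x00",
    "sloppy_wide": "seting up the seqence...".encode("utf-16-le"),
    # a stem hit: "suces" inside "sucesful" is only found as a substring
    "stem_ascii": b"Operation was not sucesful\x00",
    # legitimate words that contain "runing" and "appling" as substrings
    "clean_ascii": b"pruning the tree while grappling with the config\x00",
    "clean_wide": "Operation failed: file opened".encode("utf-16-le"),
}


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:13} substring={scan(blob)}  "
              f"fullword={scan(blob, fullword=True)}")
    print(yara_rule())
```

To try it on a real file, feed `open(path, "rb").read()` to `scan()`; the `clean_ascii` sample is the false positive the substring form produces, and `stem_ascii` is what switching everything to fullword would lose.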
