Sign your name across my heart; vendor… use one name only…
June 29, 2019 in threat hunting
I have been looking at the data vendors store inside the VERSIONINFO structure for quite some time now. The TODO bit is one issue I described previously, but there are more.
One of the most annoying things is the crazy number of names that vendors use in the CompanyName field. This is of course kinda understandable – large companies have many departments and coding teams scattered across the whole world. It certainly looks like an impossible task to ensure all of them go through a single, bureaucratic office that will double-check that all of them use the very same vendor name. And perhaps there are other reasons too – I don’t know the laws of all countries of course; there could be a genuine need in some places to always use the official name of the company in that field(?). I really dunno.
In any case… From a threat hunting perspective, it complicates our lives. For example, when you want to whitelist some of these vendor names you will always end up in a never-ending whack-a-mole game. In my experience, for every entry I add per vendor, there are another 1-5 out there that are very similar and which I will have to add some time in the future. I don’t think there is any good solution for this today.
To demonstrate the issue, let’s have a look at common vendor names one can encounter…:
HP:
- Hewlett Packard
- Hewlett Packard Enterprise Company
- Hewlett-Packard
- Hewlett-Packard Company
Intel:
- Intel Corporation
- Intel Corporation – Business Client Platform Division
- Intel Corporation – Client Components Group
- Intel Corporation – Client Connectivity Division
- Intel Corporation – Embedded Subsystems and IP Blocks Group
- Intel Corporation – Intel® Management Engine Firmware
- Intel Corporation – Intel® Rapid Storage Technology
- Intel Corporation – Mobile Wireless Group
- Intel Corporation – pGFX
- Intel Corporation – Rapid Storage Technology
- Intel Corporation – Software and Firmware Products
- Intel Corporation ? Non-Volatile Memory Solutions Group
- Intel Corporation-Mobile Wireless Group
- Intel Corporation-Wireless Connectivity Solutions
- Intel MCG PIV Tablet Validation
- Intel Technology Sdn. Bhd.
- Intel Wireless Display
- Intel(R) Baytrail Wintablet
- Intel(R) CherryTrail Windows
- Intel(R) CISD Software
- Intel(R) Client Connectivity Division SW
- Intel(R) CN
- Intel(R) Embedded Subsystems and IP Blocks Group
- Intel(R) Intel Network Drivers
- Intel(R) Intel_ICG
- Intel(R) INTELND1617
- Intel(R) INTELND1617S2
- Intel(R) INTELNPG1
- Intel(R) Network Platform Group
- Intel(R) NVMe Windows Driver
- Intel(R) OWR
- Intel(R) pGFX
- Intel(R) Rapid Storage Technology
- Intel(R) Rapid Storage Technology enterprise
- Intel(R) Smart Connect software
- Intel(R) Smart Sound Technology
- Intel(R) Software
- Intel(R) Software (Pre-release)
- Intel(R) Software and Firmware Products
- Intel(R) Software Development Products
- Intel(R) Software Products
- Intel(R) Update Manager
- Intel(R) USB eXtensible Host Controller Drivers
- Intel(R) Wireless Connectivity Solutions
- Intel(R) Wireless Display
- Intel® Identity Protection Technology Software
- Intel® Rapid Storage Technology
Lenovo:
- LENOVO
- Lenovo (Beijing) Limited
- Lenovo (Beijing) Ltd.
- Lenovo (Japan) Ltd
- Lenovo (Japan) Ltd.
- Lenovo Group Limited
- Lenovo Information Products (Shenzhen) Co.
- Lenovo Japan
- Lenovo(Japan)Ltd.
- Lenovo.Ltd
- LenovoEMC Products USA
Microsoft:
- Microsoft Corporation
- Microsoft Corporation (Europe)
- Microsoft Dynamic Code Publisher
- Microsoft Mobile Device Privileged Component Update Publisher
- Microsoft Windows
- Microsoft Windows 2000 Publisher
- Microsoft Windows 2000 Publisher (Europe)
- Microsoft Windows Component Publisher
- Microsoft Windows Hardware Compatibility Publisher
- Microsoft Windows Publisher
- Microsoft Windows XP Publisher
Apple:
- Apple Computer
- Apple Inc.
Google:
- Google Inc
Dell:
- Dell Computer Corporation
- Dell Inc
- Dell Inc.
- Dell Incorporated
Alcor Micro:
- Alcor Micro
- AlcorMicro
Baidu:
- Baidu (China) Co.
- Baidu Online Network Technology (Beijing) Co.
- Beijing baidu Netcom science and technology co.ltd
- BeiJing Baidu Netcom Science Technology Co.
ASIX Electronics:
- ASIX Electronics Corp.
- ASIX Electronics Corp.<blank character>
IBM:
- IBM
- IBM (China) Investment Company Limited
- IBM Corporation
- IBM Japan
- IBM UK Ltd
- IBM United Kingdom Limited
- IBMUK Ltd
Wacom:
- Wacom Co.
- Wacom Technology Corp.
- Wacom Technology Corporation
As we can see, there are lots of typos and single-character differences: a full stop, a hyphen, a trailing blank, a different dash character, a missing space, a division or product name glued onto the company name, and plenty of other cosmetic issues.
Whack-a-mole is the name of the game.
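One way to take some of the sting out of that game is to stop matching the raw CompanyName string and instead compare a normalised key: casefold, strip (R)/®/™ markers, drop accents, then throw away every character that is not a letter or digit so that a hyphen, a full stop, a dash variant or a trailing blank can no longer create a "new" vendor. The Python below is an added example written for this page; it is not the author's own tooling. The vendor table (`VENDOR_PREFIXES`) and the sample CompanyName values are constructed for illustration and modelled on the variants listed above; extracting the strings from real PE files (e.g. with a PE parser) is out of scope here.

```python
import re
import unicodedata
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of CompanyName values in the style of the variants listed
# above. These strings are typed in for the example, not read from binaries.
SAMPLE_COMPANY_NAMES = [
    "Hewlett-Packard Company",
    "Hewlett Packard",
    "Intel Corporation \u2013 Mobile Wireless Group",   # en dash separator
    "Intel(R) Rapid Storage Technology",
    "Intel\u00ae Rapid Storage Technology",             # registered sign
    "Intel Corporation-Wireless Connectivity Solutions",
    "Lenovo(Japan)Ltd.",
    "LENOVO",
    "Dell Inc.",
    "Dell Computer Corporation",
    "ASIX Electronics Corp. ",                          # trailing blank
    "AlcorMicro",
    "Alcor Micro",
    "Microsoft Windows Hardware Compatibility Publisher",
    "BeiJing Baidu Netcom Science Technology Co.",
    "Totally Legit Corp",                               # constructed unknown vendor
]

# Hypothetical canonical-vendor table: compact key prefix -> vendor label.
# This is the list a hunter maintains; it grows, but only per genuinely
# different entity name, not per punctuation variant.
VENDOR_PREFIXES = {
    "hewlettpackard": "HP",
    "intel": "Intel",
    "lenovo": "Lenovo",
    "dell": "Dell",
    "asixelectronics": "ASIX Electronics",
    "alcormicro": "Alcor Micro",
    "microsoft": "Microsoft",
    "baidu": "Baidu",
    "beijingbaidu": "Baidu",
}

# (R), (TM), (C) in text form plus the ®, ™ and © characters.
_TRADEMARK_RE = re.compile(r"\((?:r|tm|c)\)|[\u00ae\u2122\u00a9]")
_NON_ALNUM_RE = re.compile(r"[^a-z0-9]+")


def compact_key(name: str) -> str:
    """Reduce a CompanyName to a comparison key.

    Lower-case, remove trademark markers, drop accents and any character that
    cannot be represented in ASCII (this also swallows odd dash characters),
    then strip everything that is not a letter or digit.
    """
    s = name.lower()
    s = _TRADEMARK_RE.sub("", s)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode("ascii")
    return _NON_ALNUM_RE.sub("", s)


def canonical_vendor(name: str) -> Optional[str]:
    """Map a raw CompanyName to a vendor label, or None if it is not in the table."""
    key = compact_key(name)
    # Longest prefix first, so a more specific entry wins over a shorter one.
    for prefix in sorted(VENDOR_PREFIXES, key=len, reverse=True):
        if key.startswith(prefix):
            return VENDOR_PREFIXES[prefix]
    return None


def group_by_vendor(names: List[str]) -> Dict[str, List[str]]:
    """Bucket raw names by vendor; unmatched ones land in UNKNOWN for review."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        groups[canonical_vendor(n) or "UNKNOWN"].append(n)
    return dict(groups)


def cosmetic_duplicates(names: List[str]) -> Dict[str, List[str]]:
    """Group raw spellings that differ only cosmetically (identical compact key)."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        by_key[compact_key(n)].append(n)
    return {k: v for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    for vendor, raw in sorted(group_by_vendor(SAMPLE_COMPANY_NAMES).items()):
        print(f"{vendor:16} {raw}")
    print("cosmetic duplicates:", cosmetic_duplicates(SAMPLE_COMPANY_NAMES))
```

Two caveats. First, normalisation only folds cosmetic variants; a regional subsidiary or renamed entity ("Hewlett Packard Enterprise" vs "Hewlett-Packard", "LenovoEMC", "Intel Technology Sdn. Bhd.") still needs a human decision and, where the prefix does not cover it, a new table entry, so the whack-a-mole is reduced rather than gone. Second, VERSIONINFO is unsigned, free-form text that anyone building a PE can set to whatever they like, so a matched CompanyName is a grouping and triage aid, not a trust decision; a whitelist built on it should be paired with the Authenticode signer of the file.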