I have been looking at a data stored by vendors inside the VERSIONINFO structure for quite some time now. The TODO bit is one issue I described previously, but there are more.

One of the most annoying things is a crazy number of names that vendors use in a CompanyName field. This is of course kinda understandable – large companies have many departments and coding teams scattered across the whole world. It certainly looks like an impossible task to ensure all of them go through a single, bureaucratic office that will double-check if all of them use the very same vendor name. And perhaps there are other reasons too – I don’t know laws of all the countries of course, there could be a genuine need in some places to always use an official name of the company in that field(?). I really dunno.

In any case… From a threat hunting perspective, it complicates our life. For example, when you want to whitelist some of these vendor names you will always end up with a never-ending whack-a-mole game. In my experience, for every entry I add per vendor, there are another 1-5 out there that are very similar, and which I will add some time in the future. I don’t think there is any good solution for this today.

To demonstrate the issue, let’s have a look at common vendor names one can encounter…:

HP:

• Hewlett Packard
• Hewlett Packard Enterprise Company
• Hewlett-Packard
• Hewlett-Packard Company

Intel:

• Intel Corporation
• Intel Corporation – Business Client Platform Division
• Intel Corporation – Client Components Group
• Intel Corporation – Client Connectivity Division
• Intel Corporation – Embedded Subsystems and IP Blocks Group
• Intel Corporation – Intel® Management Engine Firmware
• Intel Corporation – Intel® Rapid Storage Technology
• Intel Corporation – Mobile Wireless Group
• Intel Corporation – pGFX
• Intel Corporation – Rapid Storage Technology
• Intel Corporation – Software and Firmware Products
• Intel Corporation ? Non-Volatile Memory Solutions Group
• Intel Corporation-Mobile Wireless Group
• Intel Corporation-Wireless Connectivity Solutions
• Intel MCG PIV Tablet Validation
• Intel Technology Sdn. Bhd.
• Intel Wireless Display
• Intel(R) Baytrail Wintablet
• Intel(R) CherryTrail Windows
• Intel(R) CISD Software
• Intel(R) Client Connectivity Division SW
• Intel(R) CN
• Intel(R) Embedded Subsystems and IP Blocks Group
• Intel(R) Intel Network Drivers
• Intel(R) Intel_ICG
• Intel(R) INTELND1617
• Intel(R) INTELND1617S2
• Intel(R) INTELNPG1
• Intel(R) Network Platform Group
• Intel(R) NVMe Windows Driver
• Intel(R) OWR
• Intel(R) pGFX
• Intel(R) Rapid Storage Technology
• Intel(R) Rapid Storage Technology enterprise
• Intel(R) Smart Connect software
• Intel(R) Smart Sound Technology
• Intel(R) Software
• Intel(R) Software (Pre-release)
• Intel(R) Software and Firmware Products
• Intel(R) Software Development Products
• Intel(R) Software Products
• Intel(R) Update Manager
• Intel(R) USB eXtensible Host Controller Drivers
• Intel(R) Wireless Connectivity Solutions
• Intel(R) Wireless Display
• Intel® Identity Protection Technology Software
• Intel® Rapid Storage Technology

Lenovo:

• LENOVO
• Lenovo (Beijing) Limited
• Lenovo (Beijing) Ltd.
• Lenovo (Japan) Ltd
• Lenovo (Japan) Ltd.
• Lenovo Group Limited
• Lenovo Information Products (Shenzhen) Co.
• Lenovo Japan
• Lenovo(Japan)Ltd.
• Lenovo.Ltd
• LenovoEMC Products USA

Microsoft:

• Microsoft Corporation
• Microsoft Corporation (Europe)
• Microsoft Dynamic Code Publisher
• Microsoft Mobile Device Privileged Component Update Publisher
• Microsoft Windows
• Microsoft Windows 2000 Publisher
• Microsoft Windows 2000 Publisher (Europe)
• Microsoft Windows Component Publisher
• Microsoft Windows Hardware Compatibility Publisher
• Microsoft Windows Publisher
• Microsoft Windows XP Publisher

Apple:

• Apple Computer
• Apple Inc.

Google:

• Google
• Google Inc

Dell:

• Dell Computer Corporation
• Dell Inc
• Dell Inc.
• Dell Incorporated

Alcor Mirco:

• Alcor Micro
• AlcorMicro

Baidu:

• Baidu (China) Co.
• Baidu Online Network Technology (Beijing) Co.
• Beijing baidu Netcom science and technology co.ltd
• BeiJing Baidu Netcom Science Technology Co.

ASIX Electronics:

• ASIX Electronics Corp.
• ASIX Electronics Corp.<blank character>

IBM:

• IBM
• IBM (China) Investment Company Limited
• IBM Corporation
• IBM Japan
• IBM UK Ltd
• IBM United Kingdom Limited
• IBMUK Ltd

Wacom:

• Wacom Co.
• Wacom Technology Corp.
• Wacom Technology Corporation

As we can see, lots of typos, single letter differences – a full stop, a hyphen, a blank character, lots of cosmetic issues, etc.

Whack-a-mole is the name of the game.