Password as a (Yara) Service

In a recent Twitter exchange with Tim I mentioned my earlier post, in which I described how prevalent the practice of copypasting crypto code is. This practice is problematic, of course: if the whole code is naively copypasted, the paste will include the fixed keys and IVs, making the whole encryption scheme kinda questionable…

It crossed my mind that it would be interesting to build a set of YARA sigs focused on these known keys, IVs, or plain-text passwords, so I am listing a bunch of them below:

  • MAKV2SPBNI99212
  • Venom69
  • Y4 0:;%ZejQ\”(et4Id\xqJuq\r#hh!k?
  • NdU(kcV_{KGVa*'z\"8L<(VlZy8L8mx
  • !leafweb26!
  • systemator
  • ndtscsw
  • nsmlpswd
  • P&t5/x8E
  • y?4BD5r-!Q
  • vc_3C-205Dota
  • SvcAct1vate
  • a?3WY6g_q
  • MWProTrialKey
  • FarmPassword
  • w4i5u6n8
  • PWD
  • A – okay, this one is a bad example, but it’s real!
  • TrialProxyPassword
  • hk4g4nkau3n
  • DUMMYAA000-0000-1111-2222-3333-4444
  • bf_48eFs6
  • WashAndGo
  • Y&d3%9EzBp
  • systools@123
  • 1l9d5c8br
  • PassWord
  • masterkey
  • p!nn@c1eP@5s
  • crypercrashreport#2014
  • HDPassword1
  • ndserver
  • Passwd
  • Register — not very unique, is it?
  • wrap_password
  • Inda
  • 0E86652A27C4D999D497A9173877A4CDCB2201FA1735FC29AC2048550ECF0780
  • p@ssw0rd
  • VelvetSweatshop
  • smux-password
  • testpassword
  • QKMJqg6t

Yes, you can use these in VT, or elsewhere, and with time collect samples that may be of interest, be it for vulnerability research or a simple clustering exercise. And yes, not all of these are guaranteed hits, and some of the samples you will find are kinda archaic by today’s standards (compiled in the 2000s). Still, it’s an interesting detection mechanism, right?
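One way to turn the list above into a hunting rule, as an added example that is not the author's own code: a small Python generator that emits a single YARA rule, escapes backslashes and quotes for YARA text strings, and sets aside literals too short to hunt on. The rule name, the 6-character cutoff and the choice to treat the `\"` in one listed value as literal bytes are assumptions.

```python
# Added example, not the post author's code: build one YARA hunting rule
# from hardcoded passwords/keys. Names and thresholds here are assumptions.

MIN_LEN = 6  # assumption: shorter literals ("A", "PWD") are too noisy to hunt on

# Subset of the values listed in the post; the backslash and quote in the last
# one are taken as literal bytes, exactly as printed (an assumption).
KNOWN = ["MAKV2SPBNI99212", "Venom69", "!leafweb26!", "PWD", "A",
         "VelvetSweatshop", r'''NdU(kcV_{KGVa*'z\"8L<(VlZy8L8mx''']


def yara_escape(literal):
    """Escape a literal for use inside a double-quoted YARA text string."""
    out = []
    for ch in literal:
        if ch in ('\\', '"'):
            out.append('\\' + ch)            # \\ and \" are YARA escapes
        elif 0x20 <= ord(ch) < 0x7f:
            out.append(ch)                   # printable ASCII passes through
        elif ord(ch) < 0x100:
            out.append('\\x%02x' % ord(ch))  # other single bytes as \xNN
        else:
            raise ValueError("non-byte character in %r" % literal)
    return ''.join(out)


def build_rule(name, literals, min_len=MIN_LEN):
    """Return (rule_text, skipped) for the given literals."""
    unique = list(dict.fromkeys(literals))   # de-duplicate, keep order
    kept = [s for s in unique if len(s) >= min_len]
    skipped = [s for s in unique if len(s) < min_len]
    lines = ["rule %s" % name, "{", "    strings:"]
    for i, s in enumerate(kept):
        # ascii + wide covers both ANSI and UTF-16LE copies in a binary
        lines.append('        $p%d = "%s" ascii wide' % (i, yara_escape(s)))
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines), skipped


if __name__ == "__main__":
    rule, skipped = build_rule("hardcoded_secret_hunt", KNOWN)
    print(rule)
    print("// skipped as too short:", skipped)
```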

Also, I intentionally don’t link these to vendors, because it’s not about shame and blame. The first online forum I ever wrote (in PHP) stored credentials in a database, in plain text. So, there you have it. We all just need to keep raising that bar together…