{"id":3388,"date":"2015-11-09T18:04:18","date_gmt":"2015-11-09T18:04:18","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3388"},"modified":"2015-11-09T18:07:38","modified_gmt":"2015-11-09T18:07:38","slug":"why-puapup-are-bad-for-you-a-k-a-the-evil-of-environment-fingerprinting","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/11\/09\/why-puapup-are-bad-for-you-a-k-a-the-evil-of-environment-fingerprinting\/","title":{"rendered":"Why PUA\/PUP are bad for you a.k.a. the evil of environment fingerprinting"},"content":{"rendered":"<p>In my post about a <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/11\/07\/antiedr-samples-targeting-edr-endpoint-detection-and-response-solutions\/\">sample targeting EDR<\/a> I mentioned that the sample is a PUA\/PUP. Looking at the code of many PUA\/PUP\/adware samples created in the last few years, it&#8217;s easy to see how far they go nowadays in fingerprinting the environment.<\/p>\n<p>This is why many of them should be treated as malware &amp; should not be ignored in &#8216;business as usual&#8217; IR activities.<\/p>\n<p>In the aforementioned post I listed a couple of the routine names used by that particular sample. All these routines are called one by one, and a final string is generated containing the reference numbers associated with each &#8216;discovered&#8217; piece of the environment.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/11\/fingerprinting.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3389 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/11\/fingerprinting.png\" alt=\"fingerprinting\" width=\"443\" height=\"1350\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/11\/fingerprinting.png 443w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/11\/fingerprinting-98x300.png 98w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/11\/fingerprinting-336x1024.png 336w\" sizes=\"(max-width: 443px) 100vw, 443px\" \/><\/a>This is no longer just sandbox detection.<\/p>\n<p>EDR, VPN, AV and other security tools are enumerated, and often a list of updates and hotfixes, the full software list from the registry, etc. is added too. Someone, somewhere populates some large databases with a lot of this &#8216;goodness&#8217;.<\/p>\n<p>One can imagine that this data is a very valuable piece of information: it could be sold not only to advertisers, software writers and even the companies whose products are being profiled (competition\/market research), but also, of course, on the darker side, to random malware authors and groups specializing in targeted attacks. If you think of it, a good PUP\/PUA campaign could even be orchestrated by the actual BAD guys.<\/p>\n<p>If 0days provide a way in, a database with information about the software in use may simplify and speed up lateral movement. And why bother with all the time-consuming illegal hacking\/malware infestation\/recon if you can simply deploy borderline software first and let it populate a huge matrix with information about as many hosts as possible in as many organizations as possible. Such precise information about installed software &amp; deployed countermeasures can then be leveraged to simplify many hacking operations (and targeting).<\/p>\n<p>This is of course scaremongering on my side and a conspiracy theory in the making, but the only reason I am writing this is that if you are ever looking for arguments to treat PUA\/PUP as malware, or someone argues that PUA\/PUP can be ignored in your AV alerts, then the massive fingerprinting they do nowadays is the big one&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my post about a sample targeting EDR I mentioned that the sample is a PUA\/PUP. Looking at the code of many PUA\/PUP\/adware samples created in the last few years, it&#8217;s easy to see how far they go nowadays in fingerprinting the &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/11\/09\/why-puapup-are-bad-for-you-a-k-a-the-evil-of-environment-fingerprinting\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[15,46,8],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3388"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3388"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3388\/revisions"}],"predecessor-version":[{"id":3393,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3388\/revisions\/3393"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}