
List:       cuckoo
Subject:    [cuckoo] bugs in several signatures
From:       claudio () shadowserver ! org (Claudio)
Date:       2014-05-04 14:53:55
Message-ID: 53665483.8020405 () shadowserver ! org

I updated the signature in question and made it more accurate:
https://github.com/cuckoobox/community/commit/289b3a85bcce55caba3128e0ab829263b5f8f522


Now it will only be triggered by processes with names different from
common browser names. Obviously, this would cause false negatives, but
hey, it's the best I can come up with.

On 05/04/2014 11:35 AM, Claudio wrote:
> That's exactly what I said.
> 
> On 05/04/2014 09:46 AM, Irena Damsky wrote:
> > It actually differentiates in case you submit a URL; in case you submit an HTML file, it fails to distinguish between the cases.
> > Irena
> > ---
> > "Intelligence is of the essence in warfare. It is what the Armies depend upon in their every move" -Sun Tzu
> > 
> > -----Original Message-----
> > From: cuckoo-bounces at public.honeynet.org [mailto:cuckoo-bounces at public.honeynet.org] On Behalf Of Claudio
> > Sent: Thursday, April 24, 2014 5:33 PM
> > To: cuckoo at public.honeynet.org
> > Subject: Re: [cuckoo] bugs in several signatures
> > 
> > It already differentiates between file and url analyses.
> > If it was to differentiate more, it would have to be on the process name, which is not solid.
> > On 04/24/2014 02:02 PM, Irena Damsky wrote:
> > > Hi,
> > > 
> > > We have been analyzing a phishing HTML with cuckoo and although this 
> > > is solely phishing HTML - not an exploited webpage - we had some 
> > > signatures pop on it although they should have not.
> > > 
> > > One of the alerts that cuckoo gives is "Steals private information from
> > > local Internet browsers
> > > <https://malwr.com/analysis/YjkxNmUxNjM0Nzk5NDZmYWIwMDhhMTM0NzAwZjAyNGQ/#signature_infostealer_browser>".
> > > This is done using this signature
> > > https://github.com/cuckoobox/community/blob/master/modules/signatures/infostealer_browser.py
> > > and looking for the following indicators:
> > > 
> > > ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\.sqlite$",
> > > ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\secmod\.db$",
> > > ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\cert8\.db$",
> > > ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\key3\.db$",
> > > ".*\\\\History\\\\History\.IE5\\\\index\.dat$",
> > > ".*\\\\Temporary\\\\ Internet\\ Files\\\\Content\.IE5\\\\index\.dat$",
> > > ".*\\\\Application\\ Data\\\\Google\\\\Chrome\\\\.*",
> > > ".*\\\\Application\\ Data\\\\Opera\\\\.*",
> > > ".*\\\\Application\\ Data\\\\Chromium\\\\.*",
> > > ".*\\\\Application\\ Data\\\\ChromePlus\\\\.*",
> > > ".*\\\\Application\\ Data\\\\Nichrome\\\\.*",
> > > ".*\\\\Application\\ Data\\\\Bromium\\\\.*",
> > > ".*\\\\Application\\ Data\\\\RockMelt\\\\.*"
> > > 
> > > And we can see this file was accessed:
> > > 
> > > C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat
> > > 
> > > I do think that this module should be running only on samples of type
> > > URL and not FILE, and the fact that it analyzed an HTML sample confused it.
> > > 
> > > It does sound legit that accessing an HTML file will change the values
> > > of the history in IE :)
> > > 
> > > You should probably check the different behaviors for web and file
> > > emulation more carefully.
> > > 
> > > Irena Damsky
> > > Threat Intelligence, Threat Prevention Products
> > > Check Point Software Technologies Ltd.
> > > irenad at checkpoint.com
> > > Office: +972-73-258-8377
> > > Cell: +972-52-329-4417
> > > 
> > > _______________________________________________
> > > cuckoo mailing list
> > > cuckoo at public.honeynet.org
> > > https://public.honeynet.org/mailman/listinfo/cuckoo
> > > 
> > 
> 
> 
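The logic Claudio describes for the updated signature (file-path indicators plus an exclusion for browser process names), as an added Python example; this is not the Cuckoo community signature's own code and does not use Cuckoo's signature API. The three indicator regexes are taken from Irena's quoted list; the browser process list, the event records and the function name are constructed assumptions.

```python
import re

# Three of the file-path indicators quoted in the thread, written as raw
# strings (the signature file spells them with doubled backslashes instead).
INDICATORS = [
    re.compile(r".*\\History\\History\.IE5\\index\.dat$"),
    re.compile(r".*\\Application\ Data\\Google\\Chrome\\.*"),
    re.compile(r".*\\Application\ Data\\Opera\\.*"),
]

# Assumed list of "common browser names"; the thread does not give the
# exact list used in the commit, so this is a constructed placeholder.
BROWSER_PROCESSES = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

# Constructed file-access events as (process name, accessed path). The first
# one reproduces the access reported in the thread: the browser itself
# touching its own IE5 history index while rendering a submitted HTML file.
SAMPLE_EVENTS = [
    ("iexplore.exe", r"C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat"),
    ("svchost.exe", r"C:\WINDOWS\system32\drivers\etc\hosts"),
    ("sample.exe", r"C:\Documents and Settings\User\Application Data\Google\Chrome\User Data\Default\Login Data"),
    ("sample.exe", r"C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat"),
]


def infostealer_browser_hits(events, exclude_browsers=True):
    """Return the (process, path) events that match an indicator.

    exclude_browsers=True mirrors the fix discussed above: accesses made by a
    browser process are ignored, so the HTML-analysis case no longer fires.
    The false negatives Claudio mentions follow from the same rule: anything
    running under a browser's process name is no longer flagged at all.
    """
    hits = []
    for process, path in events:
        if exclude_browsers and process.lower() in BROWSER_PROCESSES:
            continue
        if any(rx.match(path) for rx in INDICATORS):
            hits.append((process, path))
    return hits


if __name__ == "__main__":
    print("without exclusion:", infostealer_browser_hits(SAMPLE_EVENTS, exclude_browsers=False))
    print("with exclusion:   ", infostealer_browser_hits(SAMPLE_EVENTS))
```

Running it shows the iexplore.exe access to index.dat is reported only when the exclusion is switched off, while the two accesses by the non-browser process are reported either way.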

