VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Base64 modifier doesn't value case sensitivity #2026

Closed djlukic closed 10 months ago

djlukic commented 10 months ago

Hi,

    strings:
        $ = "CreateObject" wide ascii base64 base64wide
        $ = "createobject" wide ascii base64 base64wide

I did a test rule to try to match the above two strings and it hit on this base64 content: NyZWF0ZU9iamVjd

I went into the hex editor and it was part of this text: wb3J0VXJsID0gVVJMLmNyZWF0ZU9iamVjdFVSTChmaWxlKTsgd2luZG93LmxvY2F

If we decode that blob, this is what we get: URL.createObjectURL(file);

As you can see, createObject is hit, which is not in any of the strings I tried to match.

Thank you!

plusvic commented 10 months ago

This is a well-known issue with the base64 and base64wide modifiers; it's not actually related to case sensitivity, but to the fact that these modifiers can produce false positives. For example, the rule below can match both "This program cannot" and "Dhis program cannow".

rule Base64Example2
{
    strings:
        $a = "This program cannot" base64
    condition:
        $a
}

The documentation states:

Because of the way that YARA strips the leading and trailing characters after base64 encoding, one of the base64 encodings of "Dhis program cannow" and "This program cannot" are identical.

This issue is solved in YARA-X (https://github.com/VirusTotal/yara-x?tab=readme-ov-file#base64-modifier-cant-be-used-with-strings-shorter-than-3-characters)
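To show where the hit in this thread actually comes from, here is an added example (not YARA's code and not part of the issue) that reconstructs the three stripped base64 alignments as the documentation describes them; the names `yara_base64_variants`, `shared_variants` and `wide` are chosen here. It demonstrates that the second alignment of "CreateObject" and "createObject" is the same pattern, "NyZWF0ZU9iamVjd", the exact fragment found in the sample, because the capital C sits entirely in the two stripped leading characters, while "createobject" shares no alignment with "createObject".

```python
import base64

# Leading base64 characters whose bits depend on the 0, 1 or 2 unknown bytes
# that may precede the string in the encoded data (assumed per alignment).
_LEAD_STRIP = {0: 0, 1: 2, 2: 3}


def yara_base64_variants(s: bytes) -> list[str]:
    """The three patterns YARA's ``base64`` modifier searches for.

    Assumed reconstruction of the documented behaviour, not libyara's code:
    alignment ``pad`` prepends ``pad`` placeholder bytes, base64-encodes, then
    drops every character that mixes in bits of the unknown neighbours.
    """
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + s).decode("ascii").rstrip("=")
        # With a partial final group, the last kept character still mixes in
        # bits of whatever follows the string, so it is dropped as well.
        trail = 0 if (pad + len(s)) % 3 == 0 else 1
        variants.append(enc[_LEAD_STRIP[pad]:len(enc) - trail])
    return variants


def shared_variants(a: bytes, b: bytes) -> list[tuple[int, str]]:
    """Alignments at which two different strings yield the same pattern."""
    va, vb = yara_base64_variants(a), yara_base64_variants(b)
    return [(i, x) for i, (x, y) in enumerate(zip(va, vb)) if x == y]


def wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII string, as ``wide``/``base64wide`` search it."""
    return s.decode("ascii").encode("utf-16-le")


if __name__ == "__main__":
    # Constructed pairs: the documentation's example and the issue's strings.
    for pair in [(b"This program cannot", b"Dhis program cannow"),
                 (b"CreateObject", b"createObject"),
                 (b"createobject", b"createObject")]:
        print(pair, "->", shared_variants(*pair))
```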