VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Bug: Yara PE module "pe.number_of_signatures" doesn't check hash #851

Open ladislav-zezula opened 6 years ago

ladislav-zezula commented 6 years ago

Hi,

I found that YARA's pe.number_of_signatures ignores whether the signatures are valid (i.e. whether the hash matches). As a result, YARA doesn't have a way to check the number of signatures that are actually valid.

Sample: f5b56970f8bab4e0bc32c76485b4b3d6bb3f85ae202b19c4db1bfe2512458ca2 (clean, signed, valid)

pe
    number_of_signatures = 1   <--- This is OK and correct
    signatures
        [0]
            issuer = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA"
            subject = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=AOC/CN=Microsoft Corporation"
            version = 3
            algorithm = "sha1WithRSAEncryption"
            serial = "33:00:00:01:78:25:5a:b5:cd:23:c6:5f:95:00:01:00:00:01:78"
            not_before = 1502482275
            not_after = 1534018275

Sample: 3f81d595816d8e334cdce4e13fe8ba6263d71679eac8597acae04a47780fae9e (clean, signed, signature corrupted)

pe
    number_of_signatures = 0    <--- This is OK and correct
    signatures
    number_of_resources = 3

Sample: 011001cce0953e554bcf064a991b6b9b14a1aa12a5459ca37e3d7cd9d9b5ec65 (clean, signed, file modified)

pe
    number_of_signatures = 1    <--- There is 1 signature but the file was modified
    signatures
        [0]
            issuer = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA"
            subject = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=AOC/CN=Microsoft Corporation"
            version = 3
            algorithm = "sha1WithRSAEncryption"
            serial = "33:00:00:01:78:25:5a:b5:cd:23:c6:5f:95:00:01:00:00:01:78"
            not_before = 1502482275
            not_after = 1534018275

Sample: b47e34059f33cd8856eb1eb0407cfdd21d81b8eef36c03fa2f3bd8ae6c166890 (signed, infected by Expiro)

pe
    number_of_signatures = 1    <--- There is 1 signature but the file was infected and thus is malicious
    signatures
        [0]
            issuer = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Copyright (c) 2000 Microsoft Corp./CN=Microsoft Code Signing PCA"
            subject = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation"
            version = 3
            algorithm = "sha1WithRSAEncryption"
            serial = "61:0e:7d:a7:00:00:00:00:00:48"
            not_before = 1067061554
            not_after = 1106633354
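
Added example, not code from the issue or from the YARA project: three rules that make the distinction drawn in this report explicit. The issuer and serial values are taken from the dumps above; the `verified` field is assumed to require YARA 4.3 or newer.

```yara
import "pe"

// Counts Security Directory entries only. Per the dumps above this fires on
// the intact, the modified and the Expiro-infected sample alike, so it says
// nothing about whether the Authenticode hash still matches the file.
rule pe_has_signature_entry
{
    condition:
        pe.number_of_signatures > 0
}

// Pins the signer metadata seen in the thread (issuer + serial). Narrower,
// but still metadata only: the modified sample carries the same entry.
rule pe_signature_entry_microsoft_pca
{
    condition:
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].issuer contains "CN=Microsoft Code Signing PCA" and
            pe.signatures[i].serial == "33:00:00:01:78:25:5a:b5:cd:23:c6:5f:95:00:01:00:00:01:78"
        )
}

// Assumption: YARA 4.3+ exposes pe.signatures[i].verified, true when the
// signature's hash matches the file. Verified is not the same as trusted:
// the certificate chain is not checked against any trust store.
rule pe_signature_entry_present_but_unverified
{
    condition:
        pe.number_of_signatures > 0 and
        for all i in (0 .. pe.number_of_signatures - 1) : (
            not pe.signatures[i].verified
        )
}
```

The third rule is the one a defender would use to flag files like the modified and Expiro-infected samples above, where a signature entry is present but no longer covers the file content.
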

wxsBSD commented 6 years ago

YARA never claims to validate signatures, nor do I think it should. The point is not to say if the signature is valid or not, but to give you the ability to inspect the signature metadata.

ladislav-zezula commented 6 years ago

Oh ok. Would there be a chance of adding a function that would actually verify the signature?

Neo23x0 commented 1 year ago

Please don't ever do that

wxsBSD commented 1 year ago

Didn't the recent updates make verification a thing? Please note, verification is very different from trusted, and @ladislav-zezula was very careful to make that distinction in the update.