mandiant / sunburst_countermeasures

BSD 2-Clause "Simplified" License

add YARA detection for compromised cert serial #3

Closed wesinator closed 2 years ago

wesinator commented 3 years ago

the signing certificate should be considered compromised

this rule detects the cert serial number in a binary


https://www.virustotal.com/gui/file/d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600/details

technion commented 3 years ago

I looked into writing this myself - but it should be noted that other "not compromised" Solarwinds products are signed with the same certificate, as is the just released "fixed" patch for Orion.

wesinator commented 3 years ago

> I looked into writing this myself - but it should be noted that other "not compromised" Solarwinds products are signed with the same certificate, as is the just released "fixed" patch for Orion.

@technion I understand that, this rule isn't meant to be the same level of "severity" as the rules detecting the malware. It's hard to capture that in the rule since there isn't a base yara metadata standard for the concept of severity. I'd welcome suggestions from maintainers on adding/updating the description.

Also, the fact that they still use that signing key is actually the problem.

If the adversary was able to insert a backdoor and build it with a signed DLL inside a signed installer, then it's safe to assume the signing key is compromised. Also, you can't prove a negative anyway so they cannot prove it wasn't stolen, and should assume compromise.

Given that being the case, then what Solarwinds should be doing is:

  1. Revoke the signing certificate on all software, not just the affected/backdoored software
  2. Issue a new signing key, generated on a clean-installed, verified, up-to-date machine.

Any software that uses this current signing serial should now be untrusted, even if it isn't actually compromised or "malicious"

technion commented 3 years ago

I completely agree @wesinator . Three minutes ago I received an email stating exactly those actions will be taken on December 21.

Neo23x0 commented 3 years ago

Better rule:

```yara
import "pe"

rule SUSP_Solarwinds_SUNBURST_Revoked_Cert {
   meta:
      description = "Detects executables signed with a compromised certificate after 2019 (this doesn't mean that the file is malicious but it could be worth checking)"
      date = "2020-12-14"
      reference = "https://github.com/fireeye/sunburst_countermeasures/pull/3#issuecomment-747156202"
      score = 50
   condition:
      uint16(0) == 0x5a4d and
      /* YARA ranges are inclusive, so the last valid index is number_of_signatures - 1 */
      for any i in (0 .. pe.number_of_signatures - 1) : (
         pe.signatures[i].issuer contains "Symantec Class 3 SHA256 Code Signing CA" and
         pe.signatures[i].serial == "0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed" and
         /* valid after Tuesday, January 1, 2019 0:00:00 */
         pe.signatures[i].not_before > 1546300800
      )
}
```

bvengerik commented 3 years ago

Agree that the certificate is compromised, however we have avoided providing a specific signature for the certificate in order to mitigate "FP" alerting on legitimate Solarwinds files that are signed with the same certificate. If the certificate is revoked on the 21st, we may add a signature looking for it.
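
The three checks in Neo23x0's rule (serial, issuer CN, notBefore) and the triage caveat bvengerik raises, as an added stand-alone Python example; this is not code from this repository or from any commenter. Instead of relying on YARA's `pe` module it locates DER X.509 certificates anywhere in a file by their TBSCertificate preamble, so it also works on installers, MSI packages or memory dumps, and it returns a score (50, the rule's own value) rather than a malware verdict. Everything below the parsing code is constructed for the example: the sample "binary" and both certificates are hand-built with a dummy key and a zero signature, and only the revoked serial and issuer CN are taken from the thread (the notBefore date used for the fake certificate is an assumption, not the real certificate's). Standard library only; on a real file call `scan_binary(open(path, "rb").read())`.

```python
import re
from datetime import datetime, timezone

REVOKED_SERIAL = "0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed"   # as YARA's pe module prints it
REVOKED_ISSUER_CN = "Symantec Class 3 SHA256 Code Signing CA"
CUTOFF = datetime(2019, 1, 1, tzinfo=timezone.utc)                  # 1546300800 in the YARA rule
OID_CN = b"\x55\x04\x03"                                             # id-at-commonName

# Certificate SEQ, TBSCertificate SEQ, version [0] {INTEGER 2}, then the serialNumber INTEGER tag.
# Only v3 certificates carry the explicit version; that covers every Authenticode chain.
_CERT_START = re.compile(rb"\x30(?:\x81.|\x82..)\x30(?:\x81.|\x82..)\xa0\x03\x02\x01\x02\x02", re.DOTALL)

def _tlv(buf, off, want=None):
    """Decode the DER tag/length at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                    # long form: low bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf) or (want is not None and tag != want):
        raise ValueError(f"bad DER element at {off}: tag {tag:#x}, len {length}")
    return tag, off, off + length

def _name_cn(buf, start, end):
    """Walk a Name (SEQUENCE OF SET OF AttributeTypeAndValue) and return its CN, if any."""
    pos = start
    while pos < end:
        _, set_s, set_e = _tlv(buf, pos, 0x31)
        _, atv_s, _ = _tlv(buf, set_s, 0x30)
        _, oid_s, oid_e = _tlv(buf, atv_s, 0x06)
        _, val_s, val_e = _tlv(buf, oid_e)               # PrintableString, UTF8String, ...
        if buf[oid_s:oid_e] == OID_CN:
            return buf[val_s:val_e].decode("utf-8", "replace")
        pos = set_e
    return None

def _time(tag, raw):
    """UTCTime (0x17, two-digit year with the RFC 5280 pivot) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(buf, off=0):
    """Return serial (YARA notation), issuer CN and notBefore of the DER Certificate at buf[off]."""
    _, cert_s, _ = _tlv(buf, off, 0x30)
    _, tbs_s, _ = _tlv(buf, cert_s, 0x30)
    _, _, ver_e = _tlv(buf, tbs_s, 0xA0)                 # version [0] EXPLICIT
    _, ser_s, ser_e = _tlv(buf, ver_e, 0x02)             # serialNumber
    serial = buf[ser_s:ser_e]
    if len(serial) > 1 and serial[0] == 0 and serial[1] & 0x80:
        serial = serial[1:]                              # drop the DER sign-padding byte
    _, _, alg_e = _tlv(buf, ser_e, 0x30)                 # signature AlgorithmIdentifier
    _, iss_s, iss_e = _tlv(buf, alg_e, 0x30)             # issuer Name
    _, val_s, _ = _tlv(buf, iss_e, 0x30)                 # validity
    nb_tag, nb_s, nb_e = _tlv(buf, val_s)                # notBefore
    return {"serial": ":".join(f"{b:02x}" for b in serial),
            "issuer_cn": _name_cn(buf, iss_s, iss_e),
            "not_before": _time(nb_tag, buf[nb_s:nb_e])}

def scan_binary(blob):
    """Return every parseable certificate found in blob (PE, MSI, memory dump, ...)."""
    found = []
    for m in _CERT_START.finditer(blob):
        try:
            found.append(parse_certificate(blob, m.start()))
        except (ValueError, IndexError, UnicodeDecodeError):
            continue                                     # false candidate; keep scanning
    return found

def score(cert):
    """The YARA rule's three conditions. 50 is a triage hint ('signed with the revoked
    certificate'), not a malware verdict: legitimate SolarWinds files match as well."""
    hit = (cert["serial"] == REVOKED_SERIAL and REVOKED_ISSUER_CN in (cert["issuer_cn"] or "")
           and cert["not_before"] > CUTOFF)
    return 50 if hit else 0

def build_fake_cert(serial_hex, issuer_cn, not_before):
    """Constructed stand-in for a real certificate: real DER layout, dummy key and zero signature."""
    def der(tag, content):
        n = len(content)
        if n < 0x80:
            return bytes([tag, n]) + content
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, issuer_cn.encode()))))
    utc = der(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))    # sha256WithRSA
    rsa_key = der(0x30, der(0x02, b"\x00" + b"\xff" * 256) + der(0x02, b"\x01\x00\x01"))  # dummy modulus
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
               + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes.fromhex(serial_hex.replace(":", "")))
              + alg + name + der(0x30, utc + utc) + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 257))

# Constructed sample: a fake PE-ish prefix, a revoked-serial cert, junk, then a benign cert.
SAMPLE_BLOB = (b"MZ" + b"\x00" * 62
               + build_fake_cert(REVOKED_SERIAL, REVOKED_ISSUER_CN, datetime(2019, 3, 1))
               + b"\xcc" * 16 + build_fake_cert("01:02:03:04", "Example Test CA", datetime(2020, 1, 1)))
```

The score is deliberately kept separate from the parse so a pipeline can pair a 50 with an allowlist of known-good file hashes (the Orion hotfix, other SolarWinds products signed with the same certificate) before it pages anyone, which is the false-positive concern raised above.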

technion commented 3 years ago

Official announcement is here. The revocation has been delayed until February 22nd:

https://status.solarwindsmsp.com/2020/12/18/update-digital-certificate-revocation-date-change/