Air-gapped VirusTotal malware checks

How do you quickly check unknown/suspicious PE samples against VirusTotal on an air-gapped computer, or after taking a computer offline during an incident investigation? This is a pretty common situation in Incident Response teams, and there’s often no clearly defined procedure for this. Here’s a simple way to get the job done.


You don't need all those root certificates

As of today, Windows trusts 322 root certificates issued by 122 different organizations from 47 countries. This number is quite high, and has been steadily growing over the last few years. And it turns out that many of those certificates are not needed at all by the vast majority of Windows users, and can be distrusted with no ill effects of any sort.


A critical Windows component expires in 25 hours

While working on the new version of CTLInfo (screenshot below), I ran across an unexpected and rather scary finding: A key security component of Windows, the so-called ‘Disallowed’ CTL, has a validity of 15 months and is going to expire in 25 hours.


How to find files by MD5 using YARA

A little-known feature of YARA is its powerful hash module, which you can easily use to search your sample library (or any other directory) for a given MD5 hash. Here's how:

// rule file (save as "md5_match.yara")

import "hash"

rule REALNOTEPAD {

    meta:
        description = "REAL NOTEPAD"

    strings:
        $m0 = { 4D 5A } // "MZ" DOS header magic (hex strings take no wide/ascii modifiers)

    condition:
        $m0 at 0 and
        filesize < 350KB and
        hash.md5(0, filesize) == "e30299799c4ece3b53f4a7b8897a35b6"
}

Now use the following command to search the current directory for the hash:

yara -f md5_match.yara .

But how to search for a whole set of hashes rather than just one? Well, it’s just as simple:

import "hash"

rule MSFT_WHITELIST {

    meta:
        description = "Genuine Microsoft"

    condition:
        // "and" binds tighter than "or", so the hash alternatives are parenthesised:
        // otherwise only the first hash would be guarded by the MZ and filesize checks,
        // and the MD5 would be computed for every file regardless of type or size.
        uint16(0) == 0x5A4D and
        filesize < 1MB and
        (
            hash.md5(0, filesize) == "e30299799c4ece3b53f4a7b8897a35b6" or
            hash.md5(0, filesize) == "897a35b6e30299799c4ece3b53f4a7b8" or
            hash.md5(0, filesize) == "6462c8c3b51e302997897a35ba7b8846" or
            hash.md5(0, filesize) == "e30f4a7b8897219799c4ece3b4ece377" or
            hash.md5(0, filesize) == "9c4ece3b53f4a7b8897e3063379a35b6" or
            hash.md5(0, filesize) == "a45f7fcc14b9b6462c8c3b51623c4301"
        )
}
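Hand-editing a rule like the one above gets error-prone once the hash set grows beyond a handful of entries. The following script is an added example, not code from the original post: it normalises a plain-text MD5 list into a correctly parenthesised YARA rule, and evaluates the same condition in Python so the hash set can be sanity-checked against a sample without the yara binary. SAMPLE_HASH_LIST and all function names are constructed for this example.

```python
import hashlib
import re

# A hash list as an analyst might keep it: one MD5 per line, mixed case,
# with a blank line and a duplicate. Constructed for this example.
SAMPLE_HASH_LIST = """
e30299799c4ece3b53f4a7b8897a35b6
E30299799C4ECE3B53F4A7B8897A35B6
a45f7fcc14b9b6462c8c3b51623c4301
"""

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_md5_list(text):
    """Lowercase (hash.md5() returns lowercase hex), drop blanks and
    duplicates, reject anything that is not 32 hex characters."""
    seen, out = set(), []
    for line in text.splitlines():
        h = line.strip().lower()
        if not h:
            continue
        if not _MD5_RE.match(h):
            raise ValueError("not an MD5 hex digest: %r" % line)
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out

def build_md5_rule(name, md5s, max_size="1MB"):
    """Emit a YARA rule matching any PE whose MD5 is in the set. The 'or'
    chain is parenthesised so the MZ and filesize guards apply to every
    hash and the digest is only computed for small PE files."""
    if not md5s:
        raise ValueError("empty hash set")
    alternatives = " or\n            ".join(
        'hash.md5(0, filesize) == "%s"' % h for h in md5s)
    return ('import "hash"\n\nrule %s {\n    condition:\n'
            '        uint16(0) == 0x5A4D and\n'
            '        filesize < %s and\n'
            '        (\n            %s\n        )\n}\n'
            % (name, max_size, alternatives))

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def rule_matches(data, md5s, max_size=1024 * 1024):
    """Same condition evaluated in Python: MZ magic, size guard, MD5 in set."""
    return (data[:2] == b"MZ" and len(data) < max_size
            and md5_hex(data) in set(md5s))
```

Write the output of build_md5_rule() to a .yara file and scan it with yara exactly as shown above.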