ICS-CERT recommends YARA for the ICS malware analysis environment

Since 2011 there have been several malicious-code threats against industrial control systems, and many of them have been shown to exploit the human-machine interfaces (HMIs) of those systems.


ICS-CERT has taken note of this and pointed out that products including GE Cimplicity, Advantech/Broadwin WebAccess and Siemens WinCC have all been seriously threatened by malicious code.

After analysing several open-source systems, ICS-CERT concluded that YARA and its signatures had proven effective at detecting most samples, and published a report on how to use YARA signatures in a typical analysis environment.
ICS-CERT has explicitly recommended that YARA signatures be adopted at this stage for malware analysis targeting industrial control systems (ICSs).

Here Pr0.s gives the YARA signatures for BlackEnergy BE3 and BE2 for everyone to discuss and analyse:

// BE2 and BE3 loader
rule BlackEnergy
{
    strings:
        $hc1 = {68 97 04 81 1D 6A 01}
        $hc2 = {68 A8 06 B0 3B 6A 02}
        $hc3 = {68 14 06 F5 33 6A 01}
        $hc4 = {68 AF 02 91 AB 6A 01}
        $hc5 = {68 8A 86 39 56 6A 02}
        $hc6 = {68 19 2B 90 95 6A 01}
        $hc7 = {(68 | B?) 11 05 90 23}
        $hc8 = {(68 | B?) EB 05 4A 2F}
        $hc9 = {(68 | B?) B7 05 57 2A}
    condition:
        2 of them
}

// BE3
rule BlackEnergy3
{
    strings:
        $a1 = "MCSF_Config" ascii
        $a2 = "NTUSER.LOG" ascii
        $a3 = "ldplg" ascii
        $a4 = "unlplg" ascii
        $a5 = "getp" ascii
        $a6 = "getpd" ascii
        $a7 = "CSTR" ascii
        $a8 = "FONTCACHE.DAT" ascii
    condition:
        4 of ($a*)
}

// BE2 driver
rule BlackEnergy2_Driver
{
    strings:
        $a1 = {7E 4B 54 1A}
        $a2 = {E0 3C 96 A2}
        $a3 = "IofCompleteRequest" ascii
        $b1 = {31 A1 44 BC}
        $b2 = "IoAttachDeviceToDeviceStack" ascii
        $b3 = "KeInsertQueueDpc" ascii
        $c1 = {A3 41 FD 66}
        $c2 = {61 1E 4E F8}
        $c3 = "PsCreateSystemThread" ascii
    condition:
        all of ($a*) and 3 of ($b*, $c*)
}

// BE2 plugin
rule BlackEnergy2
{
    strings:
        $ex1 = "DispatchCommand" ascii
        $ex2 = "DispatchEvent" ascii
        $a1 = {68 A1 B0 5C 72}
        $a2 = {68 6B 43 59 4E}
        $a3 = {68 E6 4B 59 4E}
    condition:
        all of ($ex*) and 3 of ($a*)
}

What is YARA?
Time for some background... ...
YARA (https://github.com/plusvic/yara/releases) is a particularly flexible malware identification and classification engine. With YARA you can write rules that detect strings, instruction sequences, regular expressions, byte patterns and so on. Files can be scanned with the command-line yara tool, or the scanning engine can be integrated, through the API that YARA provides, into tools written in C or Python.

YARA signatures can be used in scenarios such as the following:

1) Build a rule file from common passwords, to catch malware that tries to brute-force user accounts and logins.

2) Build a rule file from login strings, URL fields and bank domain names, to catch malware that targets financial institutions.

3) Build a rule file from anti-virus process names, anti-virus service names and anti-virus vendor domain names, to catch malware that tries to terminate or disable anti-virus products.

Some examples of YARA rules:

The APT attack on Pakistan using decoy documents plus an Office 0-day exploit

rule Hangover2_Downloade
{
    strings:
        $a = "WinInetGet/0.1" wide ascii
        $b = "Excep while up" wide ascii
        $c = "&file=" wide ascii
        $d = "&str=" wide ascii
        $e = "?cn=" wide ascii
    condition:
        all of them
}

rule Hangover2_stealer
{
    strings:
        $a = "MyWebClient" wide ascii
        $b = "Location: {[0-9]+}" wide ascii
        $c = "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]" wide ascii
    condition:
        all of them
}

rule Hangover2_backdoor_shell
{
    strings:
        $a = "Shell started at: " wide ascii
        $b = "Shell closed at: " wide ascii
        $c = "Shell is already closed!" wide ascii
        $d = "Shell is not Running!" wide ascii
    condition:
        all of them
}

rule Hangover2_Keylogger
{
    strings:
        $a = "iconfall" wide ascii
        // the trailing double quote is part of the command line, so it must be escaped
        $b = "/c ipconfig /all > \"" wide ascii
        // a literal backslash in a YARA text string is written as \\
        $c = "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}" wide ascii
    condition:
        all of them
}

The Korean cyber attack (Trojan.Hastati)

rule Trojan_Hastati
{
    meta:
        description = "Korean campaign"
    strings:
        $str1 = "taskkill /F /IM clisvc.exe" nocase ascii wide
        $str2 = "taskkill /F /IM pasvc.exe" nocase ascii wide
        $str3 = "shutdown -r -t 0" nocase ascii wide
    condition:
        all of them
}
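As an added example (not part of the original post, and not YARA's own code), the following Python script re-implements just enough of YARA's matching semantics to show what the rules on this page actually test for: hex strings with `?` nibble wildcards and `( 68 | B? )` alternatives as in the BlackEnergy loader rule, text strings with the `ascii`, `wide` (UTF-16LE) and `nocase` modifiers as in the Trojan_Hastati rule, and `N of them` conditions. The rule names and string contents are transcribed from the page; the sample buffers are constructed for the demonstration and are not real malware; the helper names (`hex_pattern_to_regex`, `YaraString`, `Rule`) are this example's own and not YARA's API. For real scanning use the yara command-line tool or the yara-python binding mentioned above.

```python
"""Minimal re-implementation of the YARA matching semantics used by the rules on this page.
Added illustration only, not YARA itself: use the real yara tool or yara-python in practice."""
import re
from dataclasses import dataclass
from typing import Dict, List


def hex_pattern_to_regex(body: str) -> bytes:
    """Translate the body of a YARA hex string, e.g. '(68 | B?) 11 05 90 23', into a bytes regex.
    Supports fixed bytes, '??' full-byte wildcards, 'B?'/'?B' nibble wildcards and ( a | b ) groups."""
    out: List[bytes] = []
    for tok in re.findall(r"\(|\)|\||[0-9A-Fa-f?]{2}", body):
        if tok == "(":
            out.append(b"(?:")
        elif tok in (")", "|"):
            out.append(tok.encode())
        elif tok == "??":
            out.append(b".")  # any single byte (patterns are compiled with DOTALL below)
        elif "?" in tok:
            # nibble wildcard: a character class of the 16 byte values that share the fixed nibble
            fixed = tok.replace("?", "")
            vals = [int(fixed + n if tok[1] == "?" else n + fixed, 16) for n in "0123456789abcdef"]
            out.append(b"[" + b"".join(re.escape(bytes([v])) for v in vals) + b"]")
        else:
            out.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(out)


def text_pattern_to_regex(text: str, ascii_: bool = True, wide: bool = False) -> bytes:
    """YARA text string: 'ascii' matches the raw bytes, 'wide' the UTF-16LE form; both may be set."""
    alts: List[bytes] = []
    if ascii_:
        alts.append(re.escape(text.encode("latin-1")))
    if wide:
        alts.append(re.escape(text.encode("utf-16-le")))
    return b"(?:" + b"|".join(alts) + b")"


@dataclass
class YaraString:
    name: str
    regex: "re.Pattern"

    @classmethod
    def from_hex(cls, name: str, body: str) -> "YaraString":
        return cls(name, re.compile(hex_pattern_to_regex(body), re.DOTALL))

    @classmethod
    def from_text(cls, name: str, text: str, ascii_: bool = True, wide: bool = False,
                  nocase: bool = False) -> "YaraString":
        flags = re.DOTALL | (re.IGNORECASE if nocase else 0)  # nocase folds ASCII letters only
        return cls(name, re.compile(text_pattern_to_regex(text, ascii_, wide), flags))

    def offsets(self, data: bytes) -> List[int]:
        return [m.start() for m in self.regex.finditer(data)]


@dataclass
class Rule:
    name: str
    strings: List[YaraString]
    needed: int  # the N in 'N of them'; len(strings) means 'all of them'

    def scan(self, data: bytes) -> Dict[str, List[int]]:
        """Return {string name: match offsets} when the condition holds, else an empty dict."""
        hits: Dict[str, List[int]] = {}
        for s in self.strings:
            offs = s.offsets(data)
            if offs:
                hits[s.name] = offs
        return hits if len(hits) >= self.needed else {}


# The page's BE2/BE3 loader rule ('2 of them') and Trojan_Hastati rule ('all of them'), transcribed.
LOADER_PATTERNS = ("68 97 04 81 1D 6A 01", "68 A8 06 B0 3B 6A 02", "68 14 06 F5 33 6A 01",
                   "68 AF 02 91 AB 6A 01", "68 8A 86 39 56 6A 02", "68 19 2B 90 95 6A 01",
                   "(68 | B?) 11 05 90 23", "(68 | B?) EB 05 4A 2F", "(68 | B?) B7 05 57 2A")
BLACKENERGY_LOADER = Rule("BlackEnergy", [YaraString.from_hex(f"$hc{i}", p)
                                          for i, p in enumerate(LOADER_PATTERNS, start=1)], needed=2)
HASTATI_STRINGS = ("taskkill /F /IM clisvc.exe", "taskkill /F /IM pasvc.exe", "shutdown -r -t 0")
TROJAN_HASTATI = Rule("Trojan_Hastati", [YaraString.from_text(f"$str{i}", t, wide=True, nocase=True)
                                         for i, t in enumerate(HASTATI_STRINGS, start=1)], needed=3)

# Constructed sample buffers (filler plus the patterns; not real malware).  The loader sample uses
# 'mov eax, imm32' (B8) for its second pattern so that the B? nibble wildcard is exercised.
LOADER_SAMPLE = (b"\x90" * 8 + bytes.fromhex("68 97 04 81 1D 6A 01") + b"\xcc" * 4
                 + bytes.fromhex("B8 11 05 90 23") + b"\x90" * 8)
ONE_PATTERN_ONLY = b"\x90" * 8 + bytes.fromhex("68 97 04 81 1D 6A 01") + b"\x90" * 8
# The Hastati commands as UTF-16LE in mixed case, so only 'wide' together with 'nocase' can hit.
HASTATI_SAMPLE = (b"\x00" * 4 + "TASKKILL /F /IM CLISVC.EXE".encode("utf-16-le") + b"\x00\x00"
                  + "taskkill /f /im PASVC.exe".encode("utf-16-le") + b"\x00\x00"
                  + "Shutdown -r -t 0".encode("utf-16-le"))


def main() -> None:
    for rule, sample in ((BLACKENERGY_LOADER, LOADER_SAMPLE), (BLACKENERGY_LOADER, ONE_PATTERN_ONLY),
                         (TROJAN_HASTATI, HASTATI_SAMPLE)):
        hits = rule.scan(sample)
        print(f"{rule.name:16} {'MATCH ' + str(hits) if hits else 'no match'}")


if __name__ == "__main__":
    main()
```

Running the script reports the loader rule firing on the first sample (both `$hc1` and, via the `B?` alternative, `$hc7`), staying silent on the second sample where only one of the nine patterns is present, and the Hastati rule firing on the UTF-16LE sample only because `wide` and `nocase` were both set. Dropping `nocase` from the `from_text` calls is a quick way to see why the page's rule carries all three modifiers.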

This article is reposted from malwarebenchmark.