
False positive in rule Office_OLE_DDE, in gen_dde_in_office_docs.yar

Open debernal opened this issue 5 years ago • 6 comments

Hi Florian, I have detected a rule with a false positive, triggering a DDE alert.

Rule: Office_OLE_DDE

The file, related to iTunes updates, that is triggering the rule is: http://swcdn.apple.com/content/downloads/56/00/091-97366/e23k1iiixvzrghv5grhee3kss1aqarqexq/AppleMobileDeviceSupport64.msi

The `file` command detects it as:

```
AppleMobileDeviceSupport64.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: Apple Mobile Device Support Installer, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple Mobile Device Support 12.2.0.15, Template: x64;1033, Revision Number: {8F4013EF-D6E7-433C-B22F-830A797C3179}, Create Time/Date: Fri Mar 8 21:10:20 2019, Last Saved Time/Date: Fri Mar 8 21:10:20 2019, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 2
```

This file has the string "Apple Mobile Device Support Installer" and other Apple-related strings. The following is a quick fix to avoid this specific false positive, although you may find a better way to do it.

```yara
rule Office_OLE_DDE {
   meta:
      description = "Detects DDE in MS Office documents"
      author = "NVISO Labs"
      reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
      date = "2017-10-12"
      score = 50
   strings:
      $a = /\x13\s*DDE\b[^\x14]+/ nocase
      $b = "Apple Mobile Device Support Installer"
   condition:
      uint32be(0) == 0xD0CF11E0 and $a and not $b
}
```

Best regards,

debernal · Apr 01 '19 17:04

Hi and thanks,

I'll exclude FPs by adding a string that appears in all MSI packages.

      $r1 = "SummaryInformation" wide

Neo23x0 · Apr 01 '19 18:04
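To make the two exchanges above concrete (the rule that fired on the MSI, and the `SummaryInformation wide` exclusion), here is an added example that is not part of signature-base, NVISO's rule or this thread: a pure-Python re-implementation of the rule condition, run over constructed byte blobs that stand in for an OLE file with a DDE field and for an MSI package. It does not use the `yara` module, so the match logic below is my translation of the rule, not YARA itself. The 512-byte header padding and the byte runs inside the samples are constructed for illustration, not taken from real files. One check worth running on the real exclusion: Word .doc files are OLE containers that also carry a `\x05SummaryInformation` stream (its name is stored as UTF-16LE in the directory), so the exclusion should be tested against known-malicious DDE samples to confirm they still fire.

```python
import re

# uint32be(0) == 0xD0CF11E0 in the rule: the OLE compound-file signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0"

# Same pattern as $a: field-begin mark (0x13), optional whitespace, the DDE keyword
# on a word boundary, then everything up to the field-separator mark (0x14).
# Note the \b after DDE: this rule targets "DDE", not "DDEAUTO" (NVISO has a
# separate Office_OLE_DDEAUTO rule for that).
DDE_FIELD = re.compile(rb"\x13\s*DDE\b[^\x14]+", re.IGNORECASE)

# $r1 = "SummaryInformation" wide  ->  the UTF-16LE encoding of the stream name.
SUMMARY_INFO_WIDE = "SummaryInformation".encode("utf-16-le")


def is_ole(data: bytes) -> bool:
    """Equivalent of uint32be(0) == 0xD0CF11E0."""
    return data[:4] == OLE_MAGIC


def dde_fields(data: bytes) -> list:
    """Return the field text of every match of $a, without the 0x13 mark."""
    return [m.group(0)[1:].strip() for m in DDE_FIELD.finditer(data)]


def office_ole_dde(data: bytes, exclude_summary_info: bool = True) -> bool:
    """Pure-Python equivalent of the rule condition.

    Original:       uint32be(0) == 0xD0CF11E0 and $a
    With exclusion: ... and not $r1
    """
    if not is_ole(data):
        return False
    if not DDE_FIELD.search(data):
        return False
    if exclude_summary_info and SUMMARY_INFO_WIDE in data:
        return False
    return True


def _ole(body: bytes) -> bytes:
    """Constructed stand-in for an OLE file: valid magic, 512-byte header, then body.

    Assumption for illustration only; a real compound file has a parsed header,
    FAT and directory, none of which the rule inspects.
    """
    return OLE_MAGIC + b"\x00" * 508 + body


# Constructed sample: 8-bit Word text containing a DDE field, the shape $a targets.
DOC_WITH_DDE = _ole(
    b"\x13 DDE \"C:\\Windows\\System32\\cmd.exe\" \"/k calc.exe\" \x14Err\x15"
)

# Constructed sample: MSI-like container. It carries the SummaryInformation stream
# name (wide) and, to reproduce the false positive, a byte run that happens to
# satisfy $a (0x13, then "DDE", then non-word bytes).
MSI_LIKE = _ole(
    "\x05SummaryInformation".encode("utf-16-le")
    + b"Apple Mobile Device Support Installer"
    + b"\x13DDE\x00\x00"
)

# Constructed sample: not an OLE file at all (ZIP magic), so the rule must not fire.
NOT_OLE = b"PK\x03\x04" + b"\x13 DDE something\x14"


if __name__ == "__main__":
    print("doc, original rule:   ", office_ole_dde(DOC_WITH_DDE, exclude_summary_info=False))
    print("doc, with exclusion:  ", office_ole_dde(DOC_WITH_DDE))
    print("msi, original rule:   ", office_ole_dde(MSI_LIKE, exclude_summary_info=False))
    print("msi, with exclusion:  ", office_ole_dde(MSI_LIKE))
    print("zip, any variant:     ", office_ole_dde(NOT_OLE))
    print("fields in doc sample: ", dde_fields(DOC_WITH_DDE))
```

The MSI sample fires under the original condition and is silenced by the exclusion, while the DDE document still fires because the constructed sample has no SummaryInformation stream name in it; on a real .doc, which does have one, that is exactly the case to verify.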

ha, strange - I already improved the rule https://github.com/Neo23x0/signature-base/blob/master/yara/gen_dde_in_office_docs.yar#L57

I don't know which version you use.

Neo23x0 · Apr 01 '19 18:04

Thanks Florian! :)

debernal · Apr 01 '19 18:04

Great :), I love your rules Florian. Best regards, David


debernal · Apr 01 '19 18:04

Just FYI ... the next big thing https://github.com/NextronSystems/valhallaAPI

Neo23x0 · Apr 01 '19 19:04

Wow, looks really interesting, thanks for sharing. David


debernal · Apr 01 '19 19:04