
Create statements for malicious packages

Open henrikplate opened this issue 5 years ago • 2 comments

One additional source of statements could be the list of known malicious packages maintained at https://github.com/dasfreak/Backstabbers-Knife-Collection.

It contains a file package_index.csv with the following columns: Type, Package Name, Affected Version, Published, Reported, Sample, Injection Component, Obfuscation, Trigger, Conditional, Targeted OS, Objective, Details, Source, Comment, Typo Target, Campaign, Location of malicious snippet. See here for a detailed description of those columns.

The first three columns can be used to create one or more PURLs for artifacts; (some of) the other columns can be used for the description and references.

henrikplate avatar Oct 07 '20 12:10 henrikplate

For every CSV entry with a valid URL in field Source and specific versions in field Affected Version (thus, no empty fields or *), a statement shall be generated as follows:

  • Statement ID must be composed as follows: <Package Name>-<yyyy of Published>. Note: Other fields were excluded, since their values might be subject to future change, which would alter the identifiers of existing statements.
  • Statement text will be created out of several fields: Malicious package with objective <Objective> (<Details>). Affects <all operating systems|Targeted OS>. Malicious code is executed [depending on <Conditional>] during <Trigger>. The square brackets are omitted in case the field Conditional==Operating System || Unconditional.

Example statement for nodemailer.js:

vulnerability_id: nodemailer.js-2017
notes:
- text: Malicious package with objective data exfiltration (steals environment variables and sends them to attacker controlled locations). Affects all operating systems. Malicious code is executed during install.
- link: https://www.npmjs.com/advisories/511
- link: https://github.com/dasfreak/Backstabbers-Knife-Collection
artifacts:
- id: pkg:npm/[email protected]
  reason: Backstabber Collection
  affected: true
- id: pkg:npm/[email protected]
  reason: Backstabber Collection
  affected: true

henrikplate avatar Oct 12 '20 10:10 henrikplate
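A Python sketch of the generation rules in the comment above, added here as an illustration and not part of project-kb or of the issue. It assumes ISO dates in Published, ';' between multiple affected versions, PURL-ready values in Type, and drops the parenthetical when Details is empty; the sample rows are constructed, not taken from package_index.csv.

```python
import csv
import io
from urllib.parse import urlparse

KNIFE_COLLECTION_URL = "https://github.com/dasfreak/Backstabbers-Knife-Collection"

# Constructed sample rows, not taken from package_index.csv. Assumes ISO dates, ';' between
# multiple affected versions, and that the Type column already holds PURL type names.
SAMPLE_CSV = """\
Type,Package Name,Affected Version,Published,Reported,Sample,Injection Component,Obfuscation,Trigger,Conditional,Targeted OS,Objective,Details,Source,Comment,Typo Target,Campaign,Location of malicious snippet
npm,example-pkg,1.0.1;1.0.2,2017-03-20,2017-03-21,,,,install,Unconditional,,data exfiltration,steals environment variables,https://example.invalid/advisory/1,,,,
npm,wildcard-pkg,*,2018-01-01,,,,,runtime,Operating System,Linux,backdoor,,https://example.invalid/advisory/2,,,,
pypi,badsrc-pkg,2.0.0,2019-05-05,,,,,runtime,Python version,Windows,backdoor,,not a url,,,,
pypi,cond-pkg,2.0.0,2019-05-05,,,,,runtime,Python version,Windows,backdoor,,https://example.invalid/advisory/3,,,,
"""

def field(row, key):
    return (row.get(key) or "").strip()  # DictReader yields None for short rows

def is_valid_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def specific_versions(value):
    # Empty field or a '*' wildcard means no specific versions: the row is skipped.
    versions = [v.strip() for v in value.split(";") if v.strip()]
    return [] if "*" in versions else versions

def build_statement(row):
    """Apply the generation rules from the comment above; None when the row is filtered out."""
    versions = specific_versions(field(row, "Affected Version"))
    if not versions or not is_valid_url(field(row, "Source")):
        return None
    name, details = field(row, "Package Name"), field(row, "Details")
    targeted_os = field(row, "Targeted OS") or "all operating systems"
    conditional = field(row, "Conditional")
    # The bracketed "depending on" part is dropped for Operating System / Unconditional.
    depends = "" if conditional in ("", "Operating System", "Unconditional") else f"depending on {conditional} "
    text = (f"Malicious package with objective {field(row, 'Objective')}"
            + (f" ({details})" if details else "")
            + f". Affects {targeted_os}. Malicious code is executed {depends}during {field(row, 'Trigger')}.")
    return {
        "vulnerability_id": f"{name}-{field(row, 'Published')[:4]}",  # <Package Name>-<yyyy of Published>
        "notes": [{"text": text}, {"link": field(row, "Source")}, {"link": KNIFE_COLLECTION_URL}],
        "artifacts": [{"id": f"pkg:{field(row, 'Type').lower()}/{name}@{v}",
                       "reason": "Backstabber Collection", "affected": True} for v in versions],
    }

def statements_from_csv(csv_text):
    return [s for s in map(build_statement, csv.DictReader(io.StringIO(csv_text))) if s]
```

Calling `statements_from_csv(SAMPLE_CSV)` yields two statements: the wildcard row and the row without a valid Source URL are skipped, as the filter rule requires.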

Re: IDs: fine for me, but I would add a "counter" segment to the name, in case there should be multiple "vulnerabilities" for the same component in a given year. Something like:

nodemailer.js-001-2017

Also, remember that besides the ID, a statement can indicate alternative identifiers (aliases), which leaves us the flexibility to adapt in the future, if needed.

copernico avatar Oct 12 '20 13:10 copernico