Bug: Yara PE module "pe.number_of_signatures" doesn't check hash

Open ladislav-zezula opened this issue 6 years ago • 4 comments

Hi,

I found that YARA's pe.number_of_signatures ignores whether the signatures are valid (i.e. whether the hash matches). As a result, YARA doesn't have a way to check number of signatures that are actually valid.

Sample: f5b56970f8bab4e0bc32c76485b4b3d6bb3f85ae202b19c4db1bfe2512458ca2 (clean, signed, valid)

pe
	number_of_signatures = 1   <--- This is OK and correct
	signatures
		[0]
			issuer = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA"
			subject = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=AOC/CN=Microsoft Corporation"
			version = 3
			algorithm = "sha1WithRSAEncryption"
			serial = "33:00:00:01:78:25:5a:b5:cd:23:c6:5f:95:00:01:00:00:01:78"
			not_before = 1502482275
			not_after = 1534018275

Sample: 3f81d595816d8e334cdce4e13fe8ba6263d71679eac8597acae04a47780fae9e (clean, signed, signature corrupted)

pe
	number_of_signatures = 0    <--- This is OK and correct
	signatures
	number_of_resources = 3

Sample: 011001cce0953e554bcf064a991b6b9b14a1aa12a5459ca37e3d7cd9d9b5ec65 (clean, signed, file modified)

pe
	number_of_signatures = 1    <--- There is 1 signature but the file was modified
	signatures
		[0]
			issuer = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA"
			subject = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=AOC/CN=Microsoft Corporation"
			version = 3
			algorithm = "sha1WithRSAEncryption"
			serial = "33:00:00:01:78:25:5a:b5:cd:23:c6:5f:95:00:01:00:00:01:78"
			not_before = 1502482275
			not_after = 1534018275

Sample: b47e34059f33cd8856eb1eb0407cfdd21d81b8eef36c03fa2f3bd8ae6c166890 (signed, infected by Expiro)

pe
	number_of_signatures = 1    <--- There is 1 signature but the file was infected and thus is malicious
	signatures
		[0]
			issuer = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Copyright (c) 2000 Microsoft Corp./CN=Microsoft Code Signing PCA"
			subject = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation"
			version = 3
			algorithm = "sha1WithRSAEncryption"
			serial = "61:0e:7d:a7:00:00:00:00:00:48"
			not_before = 1067061554
			not_after = 1106633354

ladislav-zezula avatar Mar 27 '18 13:03 ladislav-zezula
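The gap this report describes (YARA parses the signature metadata but does not check that the file still matches the digest that was signed) comes down to the Authenticode PE hash: it covers the whole image except the CheckSum field, the security data directory entry and the attribute certificate table itself, which is why a signature survives unchanged when the certificate table is replaced or the file body is patched. The Python below is an added example, not YARA's code and not the reporter's; it builds a constructed minimal PE32+ image (not one of the samples above), computes that digest, and shows that changing the checksum or swapping the certificate blob leaves it unchanged while a one-byte change in the section body changes it. Comparing the digest against the one stored in the signature's PKCS#7 structure (the actual verification step) needs an ASN.1 parser and is left out.

```python
import hashlib
import struct

# Added example: Authenticode-style PE hashing. Not YARA code.


def build_sample_pe(payload: bytes, cert_blob: bytes = b"", checksum: int = 0) -> bytes:
    """Build a constructed, minimal PE32+ file with one .text section (sample input only).

    cert_blob is appended as the attribute certificate table and referenced from
    data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY); it is a placeholder, not PKCS#7.
    """
    file_align, size_of_headers, e_lfanew = 0x200, 0x400, 0x80
    raw_size = -(-len(payload) // file_align) * file_align
    cert_off = size_of_headers + raw_size if cert_blob else 0
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    std = struct.pack("<HBBIIIII", 0x20B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000)
    win = struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                      0x140000000, 0x1000, file_align, 6, 0, 0, 0, 6, 0, 0,
                      0x2000, size_of_headers, checksum, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, cert_off, len(cert_blob))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000, raw_size,
                          size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + std + win + bytes(dirs) + section
    return headers.ljust(size_of_headers, b"\x00") + payload.ljust(raw_size, b"\x00") + cert_blob


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Digest of a PE image as defined by Authenticode: everything except the
    CheckSum field, the security directory entry and the certificate table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    checksum_off = opt_off + 64
    sec_dir_off = dirs_off + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir_off)
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]

    h = hashlib.new(algo)
    h.update(data[:checksum_off])                  # headers up to CheckSum
    h.update(data[checksum_off + 4:sec_dir_off])   # skip CheckSum, up to security dir
    h.update(data[sec_dir_off + 8:size_of_headers])  # skip security dir entry

    sec_table = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):     # sections in file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(data) > hashed:                         # trailing data minus the cert table
        tail = data[hashed:]
        if cert_size:
            tail = data[hashed:cert_off] + data[cert_off + cert_size:]
        h.update(tail)
    return h.hexdigest()


def compare_variants() -> dict:
    """Hash constructed variants of one image to show what the digest covers."""
    body = b"constructed .text section contents"
    cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"A" * 16   # fake WIN_CERTIFICATE
    cert2 = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"B" * 16
    variants = {
        "unsigned": build_sample_pe(body),
        "signed": build_sample_pe(body, cert),
        "checksum_changed": build_sample_pe(body, cert, checksum=0x1234),
        "cert_table_swapped": build_sample_pe(body, cert2),
        "body_modified": build_sample_pe(body.replace(b"contents", b"c0ntents"), cert),
    }
    return {name: authenticode_hash(img) for name, img in variants.items()}


if __name__ == "__main__":
    for name, digest in compare_variants().items():
        print(f"{name:20} {digest}")
```

The first four variants produce the same digest and only `body_modified` differs: that is exactly the property a "file was modified after signing" check needs, and it is also why a plain whole-file hash is the wrong tool, since appending or replacing the certificate table changes the file hash without changing what was signed.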

YARA never claims to validate signatures, nor do I think it should. The point is not to say if the signature is valid or not, but to give you the ability to inspect the signature metadata.

wxsBSD avatar Mar 27 '18 13:03 wxsBSD

Oh ok. Would there be a chance of adding a function that would actually verify the signature?

ladislav-zezula avatar Mar 27 '18 13:03 ladislav-zezula

Please don't ever do that

Neo23x0 avatar Oct 22 '22 09:10 Neo23x0

Didn't the recent updates make verification a thing? Please note, verification is very different from trusted, and @ladislav-zezula was very careful to make that distinction in the update.

wxsBSD avatar Oct 22 '22 21:10 wxsBSD