Copyright banners – re-visited
2023-12-19 08:52:09 Author: www.hexacorn.com

Over a decade ago I posted some random copyright banner stats from my (relatively small by today’s standards) malware repo. I really liked these stats back then and I still like them today.

Why?

These banners are great ‘low-hanging fruit’ that can immediately help with sample analysis, as they draw the analyst’s attention to the features responsible for data compression/decompression, data coding/encoding, media coding/encoding, archive file creation/processing, etc.

So I decided to check what has changed since.

One of the obvious and expected changes was that banners now cover years 201x and 202x:

  • 1995-2013 Jean-loup Gailly and Mark Adler
  • 1995-2017 Jean-loup Gailly and Mark Adler
  • copyright 1997-2021 Simon Tatham
  • Copyright (c) 2021 Richard L. Wolf
  • Copyright (C) 2006-2021 WIBU-SYSTEMS AG
  • Copyright 2021 Google Inc. All rights reserved.

I also noticed that some malware authors try to modify some of these very recognizable copyright banners to make them less useful for YARA signatures and static detection engines that rely on hardcoded strings, f.ex.:

Copyright 1935-2022 Jean-loop Gai1ly and Merk Adler

Not only is the starting year waaaaay outside the acceptable norm, the authors’ names have been modified too. You can see the sample doing so here.
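The tampered zlib-style banner above is exactly the case a hardcoded-string rule misses. As an added example (my code, not anything from the post), here is a small Python scanner that pulls printable strings from a blob, normalizes copyright-looking ones (drops boilerplate and years, undoes look-alike substitutions such as `1` for `l`), and then compares them against a few reference banners with a similarity ratio, so that "Jean-loop Gai1ly and Merk Adler" still surfaces as a near-miss of the real banner. It also flags years that no legitimate banner for these libraries would carry. The library attributions (zlib, PuTTY, XMRig), the year bounds, the look-alike table and the sample bytes are all my assumptions or constructed inputs; the post lists only the banner strings.

```python
import re
from difflib import SequenceMatcher

# Reference banners taken from the post. The library each one is attributed to
# is my assumption, added for the report; the post itself does not name them.
KNOWN_BANNERS = {
    "Jean-loup Gailly and Mark Adler": "zlib",
    "Simon Tatham": "PuTTY",
    "xmrig.com": "XMRig",
}

CURRENT_YEAR = 2023          # year of the post; constructed upper bound for sane years
EARLIEST_SANE_YEAR = 1985    # constructed lower bound; none of these libraries predate it
NEAR_MISS_THRESHOLD = 0.85   # similarity above which a banner is reported as a tampered copy

COPYRIGHT_RE = re.compile(r"copyright|\(c\)|©", re.IGNORECASE)
YEAR_RE = re.compile(r"\b(?:19|20)\d{2}\b")
YEAR_RANGE_RE = re.compile(r"\b(?:19|20)\d{2}\b(?:\s*[-–]\s*(?:19|20)\d{2}\b)?")
# Look-alike substitutions ("Gai1ly") that keep a banner readable but defeat exact matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a"})


def extract_strings(data: bytes, min_len: int = 8):
    """Yield runs of printable ASCII, roughly what the `strings` tool prints."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def normalize(banner: str) -> str:
    """Reduce a banner to its name part: drop boilerplate and years, undo look-alikes."""
    s = banner.lower()
    s = COPYRIGHT_RE.sub(" ", s)
    s = s.replace("all rights reserved", " ")
    s = YEAR_RANGE_RE.sub(" ", s)
    s = s.translate(LEET)
    s = re.sub(r"[^a-z@.\- ]", " ", s)
    return re.sub(r"\s+", " ", s).strip(" .,-")


def classify_banner(text: str):
    """Best known-banner match as (library, verdict, similarity), or None if nothing is close."""
    norm = normalize(text)
    best = None
    for ref, lib in KNOWN_BANNERS.items():
        ratio = SequenceMatcher(None, normalize(ref), norm).ratio()
        if best is None or ratio > best[1]:
            best = (lib, ratio)
    lib, ratio = best
    if ratio == 1.0:
        return lib, "exact", ratio
    if ratio >= NEAR_MISS_THRESHOLD:
        return lib, "near-miss", ratio   # looks like a known banner with small edits
    return None


def implausible_years(text: str):
    """Years outside the constructed sane range for these libraries' banners."""
    return [int(y) for y in YEAR_RE.findall(text)
            if not EARLIEST_SANE_YEAR <= int(y) <= CURRENT_YEAR]


def scan(data: bytes):
    """Report each copyright-looking string with its best library match and year anomalies."""
    findings = []
    for s in extract_strings(data):
        if not (COPYRIGHT_RE.search(s) or YEAR_RANGE_RE.search(s)):
            continue
        match = classify_banner(s)
        findings.append({
            "string": s,
            "library": match[0] if match else None,
            "verdict": match[1] if match else "unknown",
            "similarity": round(match[2], 3) if match else 0.0,
            "bad_years": implausible_years(s),
        })
    return findings


# Constructed stand-in for a binary's string table (not a real sample).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\x00"
    b"Copyright (C) 2016-2021 xmrig.com\x00\xff\xfe"
    b"Copyright 1935-2022 Jean-loop Gai1ly and Merk Adler\x00"
    b"1995-2017 Jean-loup Gailly and Mark Adler\x00"
    b"Copyright 2021 Google LLC. All rights reserved.\x00"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against the constructed sample, the xmrig and genuine zlib banners come back as exact matches, the tampered one as a near-miss of zlib with 1935 listed as an implausible year, and the Google banner as unknown because it is not in the reference table. The point for detection engineering is that the near-miss bucket, not the exact one, is where the interesting samples end up; a normalization step plus a similarity threshold costs little and survives the kind of edits the post shows.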

We also see more ‘novelty’ copyright banners f.ex. associated with cryptomining:

Copyright (C) 2016-2017 xmrig.com
Copyright (C) 2016-2018 xmrig.com
Copyright (C) 2016-2019 xmrig.com
Copyright (C) 2016-2020 xmrig.com
Copyright (C) 2016-2021 xmrig.com

and lots more Google banners:

Copyright (C) 2011 Google Inc. All rights reserved.
Copyright 2012 Google Inc. All rights reserved.
Copyright (C) 2013 Google Inc. All rights reserved.
Copyright 2016 Google Inc. All Rights Reserved.
Copyright 2017 Google Inc.
Copyright 2017 Google Inc. All rights reserved.
Copyright 2018 Google LLC
Copyright 2019 Google LLC. All rights reserved.
Copyright 2020 Google LLC. All rights reserved.
Copyright 2021 Google LLC. All rights reserved.

and there are also some random copyrights like the ones below:

  • Copyright 2017 Gr0wh4x All rights reserved.
  • Copyright (c) Black.Hacker
  • Copyright 2021 InsiderHack Inc. All rights reserved.
  • Copyright (C) 2016 Weijie Gao [email protected]

In general though, we see less and less reliance on old, well-established, statically linked libraries, and fewer and fewer copyright banners as a result. Times are changing, and the old protectors, packers, and packing/compression libraries are now out of fashion…


Source: https://www.hexacorn.com/blog/2023/12/19/copyright-banners-re-visited/