Malicious activity detection: AV killing
Two months ago, I released a YARA rule and an IOC rule to detect some generic folder dumps files. It has been proven useful in the real world, showing that it is possible to detect some attacks on a host with very easy rules.
Today I had another detection idea, as basic as the previous one. It is based on my experience in malware analysis and incident response, so I hope it will be helpful to other incident responders, especially when they work on APT attacks.
As you might know, some malware, in addition to every malicious activity they can provide, do deactivate the anti-virus running on the system. Usually, these malware are easily noticeable because (once depacked) they show strings which are known anti-virus processes names.
Some examples are:
These malware do usually know between 10 and 40 processes names that they absolutely want to kill.
Therefore, the idea is to try to detect any binary which contains these processes names.
I looked a bit around and found that Jerome Athias had released a "killav.rb" script in Metasploit. He provides us with 579 different processes names, all related to security tools and anti-virus products.
I asked Jerome and he kindly allowed me to use that list to build the YARA rule I was thinking of (with a bit of Python, it would have taken too long by hand of course).
The rule is built so that it will be triggered if 4 or more strings are found.
Please feel free to tweet me (@cedricpernet) or e-mail me any missing process name (there must be plenty) and I will update the rule accordingly. Also, if it triggers false positives, do not hesitate to reach me.
The YARA rule is here.