
Challange_Guidelines

Ege Balcı edited this page Jun 11, 2020 · 9 revisions

Guidelines

Considering the probability space of this encoder, I believe that no rule-based static detection mechanism can detect the binaries that are encoded with SGN. So I am willing to give out the donation money for this project as a symbolic prize if anyone can write a YARA rule that detects every encoded output. There are 3 main rules you need to consider while writing a YARA rule to get the prize.

1. The rule should be able to detect all possible outputs of the encoder. Since the encoder encodes every binary in a unique way, every output binary will be significantly different. Obviously, for the rule to be successful it needs to detect every possible output.

2. The rule should have an acceptable false positive rate. This encoder is designed for offensive security purposes such as making statically undetectable payloads. Another obvious criterion of success is the false positive rate while looking for those payloads, because the rule needs to be usable in defensive products such as IDS, IPS, antivirus or network inspection. If a rule triggers too many false alerts, there is just no point in using it.

3. The rule should have acceptable performance. In order to be usable inside a defensive product, the rule also needs to run without creating a major stall for the system. So try to avoid writing 20-page-long rules with lots of regexes inside.

Things to do BEFORE opening an issue

First of all, make sure that you are working with the latest version of the tool (latest commit). Once you come up with a rule, go ahead and test it with the yara_test.sh script. This script checks whether your YARA rule can detect different variations of SGN-encoded binaries.

[Screenshot: script_success (yara_test.sh output for a passing rule)]

If your rule passes the test stages successfully, then you need to check its false positive rate. For this step you can take advantage of the following platforms with YARA search capabilities. While analyzing the results, consider the release date of this tool. If there are lots of matches with samples that were uploaded before the release date of this tool, it probably indicates false positives.

If you believe your rule has a low false positive ratio, then you can open an issue on this project with your rule, and I will check the performance and decide if it is eligible.
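To make the three criteria above measurable before opening an issue, here is an added scoring helper (example code, not part of SGN or its yara_test.sh). It assumes a rule adapter `rule(data) -> bool` (the `yara_rule` helper wraps yara-python if it is installed), a constructed set of samples with their first-seen dates, a placeholder release date, and illustrative thresholds for the false positive rate and scan time, none of which the page specifies.

```python
import statistics
import time
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable, List

# ASSUMPTION: placeholder release date; substitute the tool's real release date.
SGN_RELEASE_DATE = "2020-01-01"


@dataclass
class Sample:
    name: str
    data: bytes
    first_seen: str   # ISO date the search platform first saw the file
    encoded: bool     # True if the file was produced by the encoder


@dataclass
class Verdict:
    detection_rate: float       # rule 1: must be 1.0 over encoded outputs
    false_positive_rate: float  # rule 2: matches among non-encoded files
    pre_release_matches: int    # matches on files seen before the release date
    median_scan_ms: float       # rule 3: per-file scan cost

    def eligible(self, max_fp_rate: float = 0.001, max_scan_ms: float = 5.0) -> bool:
        # ASSUMPTION: thresholds are illustrative; the page states none.
        return (self.detection_rate == 1.0
                and self.false_positive_rate <= max_fp_rate
                and self.pre_release_matches == 0
                and self.median_scan_ms <= max_scan_ms)


def evaluate(rule: Callable[[bytes], bool], samples: Iterable[Sample]) -> Verdict:
    """Run `rule` over every sample and score it against the three criteria."""
    release = date.fromisoformat(SGN_RELEASE_DATE)
    hits_enc = total_enc = hits_benign = total_benign = pre_release = 0
    timings: List[float] = []
    for s in samples:
        t0 = time.perf_counter()
        matched = bool(rule(s.data))
        timings.append((time.perf_counter() - t0) * 1000.0)
        if s.encoded:
            total_enc, hits_enc = total_enc + 1, hits_enc + int(matched)
        else:
            total_benign, hits_benign = total_benign + 1, hits_benign + int(matched)
        # A match on a file that predates the tool cannot be an SGN output.
        if matched and date.fromisoformat(s.first_seen) < release:
            pre_release += 1
    return Verdict(hits_enc / total_enc if total_enc else 0.0,
                   hits_benign / total_benign if total_benign else 0.0,
                   pre_release,
                   statistics.median(timings) if timings else 0.0)


def yara_rule(path: str) -> Callable[[bytes], bool]:
    """Adapter for a real rule file; requires the yara-python package."""
    import yara  # imported lazily so the scorer itself runs without it
    rules = yara.compile(filepath=path)
    return lambda data: bool(rules.match(data=data))
```

Feed `evaluate` the encoded variants produced by the encoder plus a benign corpus; a non-zero `pre_release_matches` is the quickest sign that the rule is matching something other than SGN output.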

Check out Current Donation Amount
