They said that due to Lojack software being trusted by most AV solutions, these tainted version are being missed. Their suggestion is to use Yara to scan Lojack agents. I haven’t used Yara before, but wondered if comparing the hash value of the installation source would work as well? Are they saying Yara can help detect this post installation?
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/#Yara
Great question!
I don’t know the answer. Let’s see what I can dig up.
It looks like YARA is a detection tool as a well as a specification for file signatures: https://en.wikipedia.org/wiki/YARA.
According to https://securityintelligence.com/signature-based-detection-with-yara/, “YARA is a tool designed to help malware researchers identify and classify malware samples.”
Reading a few lines further, it looks like you would need to inspect every file of interest with the yara tool (via command line interface or otherwise) specifying the rule named ComputraceAgent given in https://asert.arbornetworks.com/lojack-becomes-a-double-agent/#Yara.
That command might look like this (on a host with only one drive):
C:\> yara ComputraceAgent.yara -r
That command would, if I’m not mistaken, inspect every file in C:\, and every file in all sub-directories, and tell you which ones matched the rule provided by the folks at Asert.
But, it also looks like AV products have taken the hint and changed the way that they categorize the Lojack double-agent files. So, maybe additional scanning is overkill? (See Figure 2 and the paragraph above in https://asert.arbornetworks.com/lojack-becomes-a-double-agent/#Yara, and note the improved detection as of May 3, 2018.)
To attempt to answer your first question directly, I see at https://github.com/VirusTotal/yara that a yara rule specifies binary and/or character string sequences to search for within each file scanned by the yara tool. Therefore I think that yara scanning is superior to file hash comparisons for finding malware files. Hash comparison can only identify malware that employs no file detection countermeasures. Signature-based detection is more fine-grained and can therefore overcome some countermeasures. (But, at the bottom of https://securityintelligence.com/signature-based-detection-with-yara/ that author hastens to point out that even signature based detection can be evaded, and so it should be considered a helpful though not foolproof practice.)
To answer your second question directly, the authors in https://asert.arbornetworks.com/lojack-becomes-a-double-agent/#Yara are stating that yara (the tool) can find Lojack double-agents using the rule that they have provided. However, you’re clause “post installation” may need qualification because of the way that Lojack lives in the BIOS or UEFI firmware and re-registers with the OS on every boot. See the section titled Lojack Summary. So, if you do detect Lojack double agent files using signature based detection, the remediation required will apparently necessitate eradicating them from BIOS or UEFI. (I have no idea how that would be accomplished.)
Also, for those who really understand the YARA signature spec, it may be possible to coax alternate file scanning tools to perform the same detection using your chosen tools own signature spec. (After all, https://securityintelligence.com/signature-based-detection-with-yara/ says that YARA is an alternative to CyBOX, “but the two are not mutually exclusive”.)
One last suggestion for seag33k, please do block all of the domains listed in https://asert.arbornetworks.com/lojack-becomes-a-double-agent/#Yara (as stated at the bottom) so that, if you do have Lojack double agents residing on hosts within your network, they’ll have a harder time communicating with their command and control servers.
I would love for an infosec practitioner to reply with practical, experienced-based advise (as opposed to my conjecture) about how to detect Lojack double-agents, and how to purge them from a host once detected.
Thank you!