authorjvoisin2015-07-29 16:27:30 +0200
committerMathieu Deous2015-10-29 14:54:45 +0100
commit1b88cf3b85d8e3225fb55526f53cbf4df75d9813 (patch)
treeefaab3c5b0bbd883adfe8c921e27ab86d12f1f0e
parent07532c1fb1b36baaee81985e3e6d22ad2bb718c3 (diff)
Add some more rules
-rw-r--r--malwares.yara11
1 files changed, 5 insertions, 6 deletions
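diff --git a/malwares.yara b/malwares.yara
index 02d7127..569f16c 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -56,12 +56,11 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
-$eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
+$eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
-$oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
+$oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-$danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
 $strange_arg = /\${\$[0-9a-zA-z]+}/
 condition:
 any of them and not IsWhitelisted
@@ -74,6 +73,7 @@ private rule base64
 $system = "c3lzdGVt"
 $preg_replace = "cHJlZ19yZXBsYWNl"
 $exec = "ZXhlYyg"
+$base64_decode = "YmFzZTY0X2RlY29kZ"
 condition:
 any of them
 }
@@ -101,8 +101,7 @@ rule DodgyPhp
 {
 strings:
 $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-$execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\( *(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
-$double_encoding = /(base64_decode\s*\(\s*){2}/
+$execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
@@ -151,7 +150,7 @@ rule DangerousPhp
 $ = "call_user_func" fullword
 $ = "register_shutdown_function" fullword
 $ = "register_tick_function" fullword
-$ = /ob_start\s*\(\s*['"]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+$ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
 $ = "mb_ereg_replace_callback" fullword
 $ = "preg_replace_callback" fullword
 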
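Review bot: In the DodgyPhp hunk, moving `base64_decode` into the outer alternation of `$execution` makes the string fire on `base64_decode(` followed by any inner alternative — `base64_decode($_POST[...])`, `base64_decode($_GET[...])`, `base64_decode(pack(` — whereas the removed `$double_encoding` only matched two nested `base64_decode(` calls, so this is a wider match than the string it replaces and decoding a request parameter is not unusual in legitimate code. If the intent was only to fold `$double_encoding` into `$execution`, keep `base64_decode` out of the outer list and add a dedicated string instead, e.g. `$b64_chain = /base64_decode\s*\(\s*(base64_decode|str_rot13|gz(inflate|uncompress))\s*\(/`. The DodgyPhp strings block and its condition continue outside the hunk, so whether one string is enough to trigger the rule cannot be seen here. The DangerousPhp hunk widens in the same direction: `ob_start\s*\(\s*[^\)]` now also matches `ob_start(` with a variable or array callback rather than only a quoted one, which is worth a comment on that line stating that this is intended.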