Perf optimization and rules completion

author: jvoisin 2016-01-04 15:47:28 +0100
committer: jvoisin 2016-01-04 15:47:28 +0100
commit: 8039662c4ec5e407d23d19a27df34286e398ad45 (patch)
tree: 4f18d19387b71fdc81f80dbe22037f90d2ebc10c
parent: 79bdee48721c6a023cbea9c66e825f0b8834038f (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/malwares.yara b/malwares.yara
index 4f08a9b..98e11cb 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,10 +57,10 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/  // ;eval( <- this is dodgy
+        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/  // ;eval( <- this is dodgy
-        $b374k = /'ev'\.'al'/
+        $b374k = "'ev'.'al'"
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $strange_arg = /\${\$[0-9a-zA-z]+}/
@@ -105,7 +105,7 @@ rule DodgyPhp
    strings:
        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
        $double_encoding = /(base64_decode\s*\(\s*){2}/
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
author	jvoisin	2016-01-04 15:47:28 +0100
committer	jvoisin	2016-01-04 15:47:28 +0100
commit	8039662c4ec5e407d23d19a27df34286e398ad45 (patch)
tree	4f18d19387b71fdc81f80dbe22037f90d2ebc10c
parent	79bdee48721c6a023cbea9c66e825f0b8834038f (diff)

diff --git a/malwares.yara b/malwares.yara index 4f08a9b..98e11cb 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -57,10 +57,10 @@ private rule CloudFlareBypass
57	rule ObfuscatedPhp	57	rule ObfuscatedPhp
58	{	58	{
59	strings:	59	strings:
60	$eval = /[;{}][\t ]*@?(eval\|preg_replace\|system\|exec\|assert\|passthru)\(/ // ;eval( <- this is dodgy	60	$eval = /[;{}][\t ]*@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)\(/ // ;eval( <- this is dodgy
61	$b374k = /'ev'\.'al'/	61	$b374k = "'ev'.'al'"
62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
63	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec\|assert\|passthru)\(/	63	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)\(/
64	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher	64	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
65	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html	65	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
66	$strange_arg = /\${\$[0-9a-zA-z]+}/	66	$strange_arg = /\${\$[0-9a-zA-z]+}/
@@ -105,7 +105,7 @@ rule DodgyPhp
105	strings:	105	strings:
106	$vars = /\$__+/ // $__ is rarely used in legitimate scripts	106	$vars = /\$__+/ // $__ is rarely used in legitimate scripts
107	$double_encoding = /(base64_decode\s\(\s){2}/	107	$double_encoding = /(base64_decode\s\(\s){2}/
108	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/	108	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/
109	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	109	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
110	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	110	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
111	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/	111	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/