Finalize merge

author: Julien Voisin 2016-02-03 14:31:22 +0100
committer: Julien Voisin 2016-02-03 14:31:22 +0100
commit: 4d0a0dcfc783a58acdeb49b40c8a8621e1577e25 (patch)
tree: f3dd7f5eea06a4c2b7cb4a6768909ce8436f45ca
parent: bbcf378a2b50525022e2065ef95bd7d5ad5886bc (diff)
1 files changed, 37 insertions, 40 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index d0b5c35..285ee77 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,15 +57,13 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $eval = /(<\?php\s*\n*\r*|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)/  // ;eval( <- this is dodgy
+        $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[\t ]*\(/  // ;eval( <- this is dodgy
        $b374k = "'ev'.'al'"
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $strange_arg = /\${\$[0-9a-zA-z]+}/
        $too_many_chr = /(chr\([\d]+\)\.){2,}?/
-        $many_comments = /\/\*.{,28}\*\/[^\/]*\/\*/  // Something like as/* */ser/* */t
        $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/    
 condition:
        any of them and not IsWhitelisted
@@ -105,24 +103,23 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
    strings:
-        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
+        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
+        $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
-        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
+        $htaccess = "SetHandler application/x-httpd-php"
-        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
+        $iis_com = /IIS:\/\/localhost\/w3svc/
-        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
+        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
        $ini_get = /ini_get\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
-     
+        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
-        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
-        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
+        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
-        $htaccess = "SetHandler application/x-httpd-php"
+        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
+        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
        $udp_dos = /sockopen\s*\(['"]udp:\/\//
-        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
-        $iis_com = /IIS:\/\/localhost\/w3svc/
        $user_function = /(call_user_func|create_function)/
-        $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
+        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
+        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
    condition:
        (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -133,38 +130,38 @@ rule DangerousPhp
    strings:
        $system = "system" fullword  // localroot bruteforcers have a lot of this
-        $ = "exec" fullword
+        $ = "array_filter" fullword
-        $ = "eval" fullword
-        $ = "shell_exec" fullword
-        $ = "passthru" fullword
-        $ = "posix_getuid" fullword
-        $ = "posix_geteuid" fullword
-        $ = "posix_getgid" fullword
-        $ = "phpinfo" fullword
-        $ = "backticks" fullword
-        $ = "proc_open" fullword
-        $ = "win_shell_execute" fullword
-        $ = "win32_create_service" fullword
-        $ = "posix_getpwuid" fullword
-        $ = "shm_open" fullword
        $ = "assert" fullword
+        $ = "backticks" fullword
+        $ = "call_user_func" fullword
+        $ = "eval" fullword
+        $ = "exec" fullword
+        $ = "fpassthru" fullword
        $ = "fsockopen" fullword
        $ = "function_exists" fullword
        $ = "getmygid" fullword
+        $ = "mb_ereg_replace_callback" fullword
+        $ = "passthru" fullword
+        $ = "pcntl_exec" fullword
        $ = "php_uname" fullword
-        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $ = "phpinfo" fullword
-        $ = "fpassthru" fullword
+        $ = "posix_geteuid" fullword
+        $ = "posix_getgid" fullword
+        $ = "posix_getpwuid" fullword
+        $ = "posix_getuid" fullword
        $ = "posix_setuid" fullword
-        $ = "xmlrpc_decode" fullword
+        $ = "preg_replace_callback" fullword
-        $ = "show_source" fullword
+        $ = "proc_open" fullword
-        $ = "pcntl_exec" fullword
-        $ = "array_filter" fullword
-        $ = "call_user_func" fullword
        $ = "register_shutdown_function" fullword
        $ = "register_tick_function" fullword
+        $ = "shell_exec" fullword
+        $ = "shm_open" fullword
+        $ = "show_source" fullword
+        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $ = "win32_create_service" fullword
+        $ = "win_shell_execute" fullword
+        $ = "xmlrpc_decode" fullword
        $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
-        $ = "mb_ereg_replace_callback" fullword
-        $ = "preg_replace_callback" fullword
        $whitelist = /escapeshellcmd|escapeshellarg/
@@ -176,7 +173,6 @@ rule DodgyStrings
 {
    strings:
        $ = "/../../../"
-        $ = /\/bin\/(ba)?sh/ fullword
        $ = "/etc/passwd"
        $ = "/etc/proftpd.conf"
        $ = "/etc/resolv.conf"
@@ -193,7 +189,6 @@ rule DodgyStrings
        $ = "defaced" fullword nocase
        $ = "exploit" fullword nocase
        $ = "find . -type f" fullword
-        $ = /hack(ing|er)/ nocase
        $ = "hashcrack" nocase
        $ = "id_rsa" fullword
        $ = "ipconfig" fullword nocase
@@ -207,6 +202,8 @@ rule DodgyStrings
        $ = "uname -a" fullword
        $ = "warez" fullword nocase
        $ = /(reverse|web)\s*shell/ nocase
+        $ = /\/bin\/(ba)?sh/ fullword
+        $ = /hack(ing|er)/ nocase
        $vbs = /language\s*=\s*vbscript/ nocase
        $asp = "scripting.filesystemobject" nocase
author	Julien Voisin	2016-02-03 14:31:22 +0100
committer	Julien Voisin	2016-02-03 14:31:22 +0100
commit	4d0a0dcfc783a58acdeb49b40c8a8621e1577e25 (patch)
tree	f3dd7f5eea06a4c2b7cb4a6768909ce8436f45ca
parent	bbcf378a2b50525022e2065ef95bd7d5ad5886bc (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index d0b5c35..285ee77 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -57,15 +57,13 @@ private rule CloudFlareBypass
57	rule ObfuscatedPhp	57	rule ObfuscatedPhp
58	{	58	{
59	strings:	59	strings:
60	$eval = /(<\?php\s\n\r\|[;{}])\s@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)/ // ;eval( <- this is dodgy	60	$eval = /(<\?php[[:space:]]\|[;{}])\s@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)[\t ]\(/ // ;eval( <- this is dodgy
61	$b374k = "'ev'.'al'"	61	$b374k = "'ev'.'al'"
62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
63	$oneliner = /<\?php\s\n\r\s@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)\(/
64	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher	63	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
65	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html	64	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
66	$strange_arg = /\${\$[0-9a-zA-z]+}/	65	$strange_arg = /\${\$[0-9a-zA-z]+}/
67	$too_many_chr = /(chr\([\d]+\)\.){2,}?/	66	$too_many_chr = /(chr\([\d]+\)\.){2,}?/
68	$many_comments = /\/\.{,28}\\/[^\/]\/\/ // Something like as/* /ser/ */t
69	$b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/	67	$b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
70	condition:	68	condition:
71	any of them and not IsWhitelisted	69	any of them and not IsWhitelisted
@@ -105,24 +103,23 @@ rule SuspiciousEncoding
105	rule DodgyPhp	103	rule DodgyPhp
106	{	104	{
107	strings:	105	strings:
108	$vars = /\$__+/ // $__ is rarely used in legitimate scripts	106	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
		107	$disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
109	$double_encoding = /(base64_decode\s\(\s){2}/	108	$double_encoding = /(base64_decode\s\(\s){2}/
110	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/	109	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/
111	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	110	$htaccess = "SetHandler application/x-httpd-php"
112	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	111	$iis_com = /IIS:\/\/localhost\/w3svc/
113	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/	112	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
114	$restore_bypass = /ini_restore\(['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals)['"]\)/
115	$ini_get = /ini_get\(['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals)['"]\)/	113	$ini_get = /ini_get\(['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals)['"]\)/
116		114	$iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
117	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
118	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\(['"]\/[^\/]\/e['"]/ // http://php.net/manual/en/function.preg-replace.php	115	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\(['"]\/[^\/]\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
119	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes	116	$restore_bypass = /ini_restore\(['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals)['"]\)/
120	$htaccess = "SetHandler application/x-httpd-php"	117	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
		118	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
121	$udp_dos = /sockopen\s*\(['"]udp:\/\//	119	$udp_dos = /sockopen\s*\(['"]udp:\/\//
122	$iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
123	$iis_com = /IIS:\/\/localhost\/w3svc/
124	$user_function = /(call_user_func\|create_function)/	120	$user_function = /(call_user_func\|create_function)/
125	$disable_magic_quotes = /set_magic_quotes_runtime\(0\)/	121	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
		122	$vars = /\$__+/ // $__ is rarely used in legitimate scripts
126		123
127	condition:	124	condition:
128	(any of them or CloudFlareBypass) and not IsWhitelisted	125	(any of them or CloudFlareBypass) and not IsWhitelisted
@@ -133,38 +130,38 @@ rule DangerousPhp
133	strings:	130	strings:
134	$system = "system" fullword // localroot bruteforcers have a lot of this	131	$system = "system" fullword // localroot bruteforcers have a lot of this
135		132
136	$ = "exec" fullword	133	$ = "array_filter" fullword
137	$ = "eval" fullword
138	$ = "shell_exec" fullword
139	$ = "passthru" fullword
140	$ = "posix_getuid" fullword
141	$ = "posix_geteuid" fullword
142	$ = "posix_getgid" fullword
143	$ = "phpinfo" fullword
144	$ = "backticks" fullword
145	$ = "proc_open" fullword
146	$ = "win_shell_execute" fullword
147	$ = "win32_create_service" fullword
148	$ = "posix_getpwuid" fullword
149	$ = "shm_open" fullword
150	$ = "assert" fullword	134	$ = "assert" fullword
		135	$ = "backticks" fullword
		136	$ = "call_user_func" fullword
		137	$ = "eval" fullword
		138	$ = "exec" fullword
		139	$ = "fpassthru" fullword
151	$ = "fsockopen" fullword	140	$ = "fsockopen" fullword
152	$ = "function_exists" fullword	141	$ = "function_exists" fullword
153	$ = "getmygid" fullword	142	$ = "getmygid" fullword
		143	$ = "mb_ereg_replace_callback" fullword
		144	$ = "passthru" fullword
		145	$ = "pcntl_exec" fullword
154	$ = "php_uname" fullword	146	$ = "php_uname" fullword
155	$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"	147	$ = "phpinfo" fullword
156	$ = "fpassthru" fullword	148	$ = "posix_geteuid" fullword
		149	$ = "posix_getgid" fullword
		150	$ = "posix_getpwuid" fullword
		151	$ = "posix_getuid" fullword
157	$ = "posix_setuid" fullword	152	$ = "posix_setuid" fullword
158	$ = "xmlrpc_decode" fullword	153	$ = "preg_replace_callback" fullword
159	$ = "show_source" fullword	154	$ = "proc_open" fullword
160	$ = "pcntl_exec" fullword
161	$ = "array_filter" fullword
162	$ = "call_user_func" fullword
163	$ = "register_shutdown_function" fullword	155	$ = "register_shutdown_function" fullword
164	$ = "register_tick_function" fullword	156	$ = "register_tick_function" fullword
		157	$ = "shell_exec" fullword
		158	$ = "shm_open" fullword
		159	$ = "show_source" fullword
		160	$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
		161	$ = "win32_create_service" fullword
		162	$ = "win_shell_execute" fullword
		163	$ = "xmlrpc_decode" fullword
165	$ = /ob_start\s\(\s[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();	164	$ = /ob_start\s\(\s[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
166	$ = "mb_ereg_replace_callback" fullword
167	$ = "preg_replace_callback" fullword
168		165
169	$whitelist = /escapeshellcmd\|escapeshellarg/	166	$whitelist = /escapeshellcmd\|escapeshellarg/
170		167
@@ -176,7 +173,6 @@ rule DodgyStrings
176	{	173	{
177	strings:	174	strings:
178	$ = "/../../../"	175	$ = "/../../../"
179	$ = /\/bin\/(ba)?sh/ fullword
180	$ = "/etc/passwd"	176	$ = "/etc/passwd"
181	$ = "/etc/proftpd.conf"	177	$ = "/etc/proftpd.conf"
182	$ = "/etc/resolv.conf"	178	$ = "/etc/resolv.conf"
@@ -193,7 +189,6 @@ rule DodgyStrings
193	$ = "defaced" fullword nocase	189	$ = "defaced" fullword nocase
194	$ = "exploit" fullword nocase	190	$ = "exploit" fullword nocase
195	$ = "find . -type f" fullword	191	$ = "find . -type f" fullword
196	$ = /hack(ing\|er)/ nocase
197	$ = "hashcrack" nocase	192	$ = "hashcrack" nocase
198	$ = "id_rsa" fullword	193	$ = "id_rsa" fullword
199	$ = "ipconfig" fullword nocase	194	$ = "ipconfig" fullword nocase
@@ -207,6 +202,8 @@ rule DodgyStrings
207	$ = "uname -a" fullword	202	$ = "uname -a" fullword
208	$ = "warez" fullword nocase	203	$ = "warez" fullword nocase
209	$ = /(reverse\|web)\s*shell/ nocase	204	$ = /(reverse\|web)\s*shell/ nocase
		205	$ = /\/bin\/(ba)?sh/ fullword
		206	$ = /hack(ing\|er)/ nocase
210		207
211	$vbs = /language\s=\svbscript/ nocase	208	$vbs = /language\s=\svbscript/ nocase
212	$asp = "scripting.filesystemobject" nocase	209	$asp = "scripting.filesystemobject" nocase