authorJulien Voisin2015-03-09 10:56:44 +0100
committerJulien Voisin2015-03-09 10:56:44 +0100
commit3114ac27af22899d30a5a6e8f3a127589b0041e3 (patch)
tree1f01fd23f9f7ad85addae99cf5c1009a75c480f0
parent5435c0a936edf7f568a563be0d5b00f02d4b1905 (diff)
More obfuscator detection
-rw-r--r--malwares.yara24
1 files changed, 9 insertions, 15 deletions
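--- a/malwares.yara
+++ b/malwares.yara
@@ -7,10 +7,11 @@
  - http://obfuscator.uk/example/
  - http://w3webtools.com/encode-php-online/
  - http://www.joeswebtools.com/security/php-obfuscator/
- - Weevely3
+ - https://github.com/epinna/weevely3
  - http://cipherdesign.co.uk/service/php-obfuscator
  - http://sysadmin.cyklodev.com/online-php-obfuscator/
  - http://mohssen.org/SpinObf.php
+ - https://code.google.com/p/carbylamine/
 */
 
 private rule IsPhp
@@ -38,26 +39,17 @@ private rule IRC
  5 of them
 }
 
-private rule Weevely3
-{
- strings:
- $launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
- $replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/
-
- condition:
- any of them
-}
-
 rule ObfuscatedPhp
 {
  strings:
  $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
  $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
  $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/ // <?php eval(
- $eval = /; *@?eval\(/ // ;eval( <- this is dodgy
+ $eval = /[;}] *@?eval\(/ // ;eval( <- this is dodgy
+ $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
  $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
  condition:
- IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or Weevely3)
+ IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
 }
 
 rule CloudFlareBypass
@@ -79,8 +71,8 @@ rule DodgyPhp
  $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
  $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
  $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
- $various = "<!--#exec cmd="
- $pr = /preg_replace\(['"]\/\.\*\/e['"],/
+ $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
+ $pr = /preg_replace\(['"]\/\.\*\/e['"],/ // http://php.net/manual/en/function.preg-replace.php
  $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
  $htaccess = "SetHandler application/x-httpd-php"
 
@@ -159,6 +151,8 @@ rule ExploitsWebsites
  $exploitsdb = "exploit-db.com"
  $injector = "1337day.com"
  $rapid7 = "rapid7.com"
+ $shodan = "shodan.io"
+ $packetstorm = "packetstormsecurity.com"
 
  condition:
  any of them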
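Review bot: The `$weevely3` string inlined into ObfuscatedPhp carries over only the launcher pattern of the removed private rule Weevely3; the second pattern that rule also matched on through `any of them`, `$replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/`, is dropped, so a sample that carries only the `str_replace` idiom no longer fires. If that narrowing is deliberate, a comment on the `$weevely3` line such as `// launcher only; the str_replace form was dropped as too noisy` would stop it from being re-added later; otherwise keep it as a second string `$weevely3_replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/` and extend the condition with `or $weevely3_replace`. In the ExploitsWebsites hunk, the new `$shodan` and `$packetstorm` strings, like the existing hostnames, are case-sensitive text strings, so a differently-cased hostname in a sample is missed; since hostnames are case-insensitive, `nocase` on these would be a reasonable addition, applied consistently to the neighbouring strings as well. The ExploitsWebsites and DodgyPhp rules begin outside their hunks, so only the visible strings were reviewed.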