authorJulien Voisin2015-03-05 19:05:50 +0100
committerJulien Voisin2015-03-05 19:05:50 +0100
commit5435c0a936edf7f568a563be0d5b00f02d4b1905 (patch)
tree09059253f2dc4def332ce74dcd70c5f686856e18
parent6beeeebe3c43f0643e521139d3f8b1ff4a7f3059 (diff)
Update rules to detect packers
-rw-r--r--malwares.yara42
1 files changed, 28 insertions, 14 deletions
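diff --git a/malwares.yara b/malwares.yara
index 3d857c1..96c5134 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -1,3 +1,18 @@
+/*
+ Detect:
+ - phpencode.org
+ - http://www.pipsomania.com/best_php_obfuscator.do
+ - http://atomiku.com/online-php-code-obfuscator/
+ - http://www.webtoolsvn.com/en-decode/
+ - http://obfuscator.uk/example/
+ - http://w3webtools.com/encode-php-online/
+ - http://www.joeswebtools.com/security/php-obfuscator/
+ - Weevely3
+ - http://cipherdesign.co.uk/service/php-obfuscator
+ - http://sysadmin.cyklodev.com/online-php-obfuscator/
+ - http://mohssen.org/SpinObf.php
+*/
+
 private rule IsPhp
 {
  strings:
@@ -23,17 +38,26 @@ private rule IRC
  5 of them
 }
 
+private rule Weevely3
+{
+ strings:
+ $launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
+ $replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/
+
+ condition:
+ any of them
+}
+
 rule ObfuscatedPhp
 {
  strings:
  $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
  $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
  $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/ // <?php eval(
- $eval = /;@?eval\(/ // ;eval( <- this is dodgy
+ $eval = /; *@?eval\(/ // ;eval( <- this is dodgy
  $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-
  condition:
- IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5)
+ IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or Weevely3)
 }
 
 rule CloudFlareBypass
@@ -56,7 +80,7 @@ rule DodgyPhp
  $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
  $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
  $various = "<!--#exec cmd="
- $pr = /preg_replace\(['"]\/[^\/]+e['"],/
+ $pr = /preg_replace\(['"]\/\.\*\/e['"],/
  $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
  $htaccess = "SetHandler application/x-httpd-php"
 
@@ -97,16 +121,6 @@ rule DangerousPhp
  not $whitelist and (5 of them or #system > 250)
 }
 
-rule Weevely3
-{
- strings:
- $launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
- $replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/
-
- condition:
- IsPhp and any of them
-}
-
 rule DodgyStrings
 {
  strings: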
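Review bot: The rewritten `$pr` string in the `DodgyPhp` hunk now matches only the literal pattern body `/.*/e`, so a `preg_replace` call carrying the `e` modifier with any other pattern body, or with additional modifiers, no longer fires; the previous pattern was also wrong (it never allowed the closing delimiter), but the replacement trades that for a single hard-coded case. A pattern that accepts any `/`-delimited body and an `e` anywhere in the modifier list keeps the fix without narrowing the rule, e.g. `$pr = /preg_replace\(['"]\/[^\/]*\/[a-zA-Z]*e[a-zA-Z]*['"],/`; like the committed version it still assumes `/` as the delimiter. The `DodgyPhp` rule starts and ends outside this hunk. Separately, the relocated `Weevely3` rule in the second hunk carries no comment saying why it now precedes `ObfuscatedPhp` and why the `IsPhp and` guard was dropped (presumably because `ObfuscatedPhp` already requires `IsPhp`); `// Declared before ObfuscatedPhp, which references it; the referencing rule already checks IsPhp` would record that.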