| author | jvoisin | 2015-07-09 14:08:27 +0200 |
|---|---|---|
| committer | jvoisin | 2015-07-09 14:08:27 +0200 |
| commit | 640a4de4dde0b4054830182b920c08083d764fd9 (patch) | |
| tree | d1791efc7118044ee983edfc294fbc243a630c31 | |
| parent | 06af8f15e46299a6bea00be8d86abcf290e41be4 (diff) | |
Split the whitelist in another file
| -rw-r--r-- | malwares.yara | 21 | ||||
| -rw-r--r-- | whitelist.yara | 18 |
2 files changed, 20 insertions, 19 deletions
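--- a/malwares.yara
+++ b/malwares.yara
@@ -1,4 +1,6 @@
 import "hash"
+include "whitelist.yara"
+
 /*
 Detect:
 - phpencode.org
@@ -15,25 +17,6 @@ import "hash"
 - https://code.google.com/p/carbylamine/
 */
 
-private rule IsWhitelisted
-{
-condition:
-/* Prestashop 1.6.1.0 */
-hash.sha1(0, filesize) == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
-hash.sha1(0, filesize) == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
-hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" or // classes/Tools.php
-
-/* Wordpress 3.5.1 */
-hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
-hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
-
-/* Wordpress 3.2.1 */
-hash.sha1(0, filesize) == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php
-hash.sha1(0, filesize) == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php
-hash.sha1(0, filesize) == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php
-
-}
-
 global private rule IsPhp
 {
 strings: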
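Review bot: The new `include "whitelist.yara"` on line 2 appears to compile only because `import "hash"` sits directly above it, since whitelist.yara calls `hash.sha1(...)` but declares no import of its own. Adding `import "hash"` as the first line of whitelist.yara would let the allowlist be compiled and tested on its own and would remove the ordering dependency; as far as I know YARA accepts a repeated import, but that is worth confirming on the version in use. The include path is relative, so it should also be checked that it still resolves when the rules are loaded from a different working directory. The places where IsWhitelisted is referenced and the rest of the IsPhp rule lie outside these hunks.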
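--- /dev/null
+++ b/whitelist.yara
@@ -0,0 +1,18 @@
+private rule IsWhitelisted
+{
+condition:
+/* Prestashop 1.6.1.0 */
+hash.sha1(0, filesize) == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
+hash.sha1(0, filesize) == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
+hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" or // classes/Tools.php
+
+/* Wordpress 3.5.1 */
+hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
+hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
+
+/* Wordpress 3.2.1 */
+hash.sha1(0, filesize) == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php
+hash.sha1(0, filesize) == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php
+hash.sha1(0, filesize) == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php
+
+}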
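Review bot: whitelist.yara has no header comment stating what qualifies a file for an entry, and because a match on IsWhitelisted presumably suppresses detection, that policy should be written down next to the hashes. I would add above the rule something like `/* Full-file SHA-1 of unmodified upstream release files; compute from the official archive, never from a copy found on the scanned host */`. It is also worth stating in that comment that each entry is an exact whole-file match tied to the named release, so a locally patched or tampered copy of the same path will not be allowlisted and will still be scanned.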
