Use anonymous strings where it makes sense to do so.

author: jvoisin 2015-07-09 13:36:16 +0200
committer: jvoisin 2015-07-09 13:36:16 +0200
commit: 7b4a39bb2d44b0cc1119aa8ba10caed7ebedb5e3 (patch)
tree: b35b75a974bf8d04174df131ec8f662038ed8685
parent: 82aa5ca8080b3787dfb5d5e3944a8cdfc0c9dc6c (diff)
1 files changed, 82 insertions, 82 deletions
diff --git a/malwares.yara b/malwares.yara
index d438854..0ec4eee 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -37,14 +37,14 @@ global private rule IsPhp
 private rule IRC
 {
    strings:
-        $a = "USER" fullword
+        $ = "USER" fullword
-        $b = "PASS" fullword
+        $ = "PASS" fullword
-        $c = "PRIVMSG" fullword
+        $ = "PRIVMSG" fullword
-        $d = "MODE" fullword
+        $ = "MODE" fullword
-        $e = "PING" fullword
+        $ = "PING" fullword
-        $f = "PONG" fullword
+        $ = "PONG" fullword
-        $g = "JOIN" fullword
+        $ = "JOIN" fullword
-        $h = "PART" fullword
+        $ = "PART" fullword
    condition:
        5 of them
@@ -53,9 +53,9 @@ private rule IRC
 private rule CloudFlareBypass
 {
    strings:
-        $chk_jschl = "chk_jschl"
+        $ = "chk_jschl"
-        $jschl_vc = "jschl_vc"
+        $ = "jschl_vc"
-        $jschl_answer = "jschl_answer"
+        $ = "jschl_answer"
    condition:
        2 of them // Better be safe than sorry
@@ -68,7 +68,7 @@ rule ObfuscatedPhp
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
-        $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
        $strange_arg = /\${\$[0-9a-zA-z]+}/
    condition:
@@ -129,31 +129,31 @@ rule DangerousPhp
    strings:
        $system = "system" fullword  // localroot bruteforcers have a lot of this
-        $a = "exec" fullword
+        $ = "exec" fullword
-        $b = "eval" fullword
+        $ = "eval" fullword
-        $c = "shell_exec" fullword
+        $ = "shell_exec" fullword
-        $v = "passthru" fullword
+        $ = "passthru" fullword
-        $e = "posix_getuid" fullword
+        $ = "posix_getuid" fullword
-        $f = "posix_geteuid" fullword
+        $ = "posix_geteuid" fullword
-        $g = "posix_getgid" fullword
+        $ = "posix_getgid" fullword
-        $h = "phpinfo" fullword
+        $ = "phpinfo" fullword
-        $i = "backticks" fullword
+        $ = "backticks" fullword
-        $j = "proc_open" fullword
+        $ = "proc_open" fullword
-        $k = "win_shell_execute" fullword
+        $ = "win_shell_execute" fullword
-        $l = "win32_create_service" fullword
+        $ = "win32_create_service" fullword
-        $m = "posix_getpwuid" fullword
+        $ = "posix_getpwuid" fullword
-        $n = "shm_open" fullword
+        $ = "shm_open" fullword
-        $o = "assert" fullword
+        $ = "assert" fullword
-        $p = "fsockopen" fullword
+        $ = "fsockopen" fullword
-        $q = "function_exists" fullword
+        $ = "function_exists" fullword
-        $r = "getmygid" fullword
+        $ = "getmygid" fullword
-        $s = "php_uname" fullword
+        $ = "php_uname" fullword
-        $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
-        $u = "fpassthru" fullword
+        $ = "fpassthru" fullword
-        $v = "posix_setuid" fullword
+        $ = "posix_setuid" fullword
-        $w = "xmlrpc_decode" fullword
+        $ = "xmlrpc_decode" fullword
-        $x = "show_source" fullword
+        $ = "show_source" fullword
-        $y = "pcntl_exec" fullword
+        $ = "pcntl_exec" fullword
        $whitelist = /escapeshellcmd|escapeshellarg/
@@ -164,31 +164,31 @@ rule DangerousPhp
 rule DodgyStrings
 {
    strings:
-        $a = "/etc/passwd"
+        $ = "/etc/passwd"
-        $b = "/etc/shadow"
+        $ = "/etc/shadow"
-        $c = "/etc/resolv.conf"
+        $ = "/etc/resolv.conf"
-        $d = "/etc/syslog.conf"
+        $ = "/etc/syslog.conf"
-        $e = "/etc/proftpd.conf"
+        $ = "/etc/proftpd.conf"
-        $e = "WinExec"
+        $ = "WinExec"
-        $f = "uname -a" fullword
+        $ = "uname -a" fullword
-        $g = "nc -l" fullword
+        $ = "nc -l" fullword
-        $h = "ls -la" fullword
+        $ = "ls -la" fullword
-        $i = "cmd.exe" fullword nocase
+        $ = "cmd.exe" fullword nocase
-        $j = "ipconfig" fullword nocase
+        $ = "ipconfig" fullword nocase
-        $k = "find . -type f" fullword
+        $ = "find . -type f" fullword
-        $l = "defaced" fullword nocase
+        $ = "defaced" fullword nocase
-        $m = "slowloris" fullword nocase
+        $ = "slowloris" fullword nocase
-        $o = "id_rsa" fullword
+        $ = "id_rsa" fullword
-        $p = "backdoor" fullword nocase
+        $ = "backdoor" fullword nocase
-        $q = "webshell" fullword nocase
+        $ = "webshell" fullword nocase
-        $r = "exploit" fullword nocase
+        $ = "exploit" fullword nocase
-        $s = "hacking" fullword nocase
+        $ = "hacking" fullword nocase
-        $t = "/proc/cpuinfo" fullword
+        $ = "/proc/cpuinfo" fullword
-        $u = "/bin/sh" fullword
+        $ = "/bin/sh" fullword
-        $v = "/bin/bash" fullword
+        $ = "/bin/bash" fullword
-        $w = "ps -aux" fullword
+        $ = "ps -aux" fullword
-        $x = "b374k" fullword
+        $ = "b374k" fullword
-        $y = /(reverse|web)\s*shell/ nocase
+        $ = /(reverse|web)\s*shell/ nocase
        $vbs = /language\s*=\s*vbscript/ nocase
        $asp = "scripting.filesystemobject" nocase
@@ -200,26 +200,26 @@ rule DodgyStrings
 rule Websites
 {
    strings:
-        $milw0rm = "milw0rm.com"
+        $ = "milw0rm.com"
-        $exploitsdb = "exploit-db.com"
+        $ = "exploit-db.com"
-        $injector = "1337day.com"
+        $ = "1337day.com"
-        $rapid7 = "rapid7.com"
+        $ = "rapid7.com"
-        $shodan = "shodan.io"
+        $ = "shodan.io"
-        $packetstorm = "packetstormsecurity"
+        $ = "packetstormsecurity"
-        $crackfor = "crackfor" nocase
+        $ = "crackfor" nocase
-        $rednoize = "md5.rednoize"
+        $ = "md5.rednoize"
-        $hashcracking = "hashcracking" nocase
+        $ = "hashcracking" nocase
-        $darkc0de = "darkc0de" nocase
+        $ = "darkc0de" nocase
-        $securityfocus = "securityfocus" nocase
+        $ = "securityfocus" nocase
-        $antichat = "antichat.ru"
+        $ = "antichat.ru"
-        $kingdefacer = "KingDefacer" nocase
+        $ = "KingDefacer" nocase
-        $md5crack = "md5crack.com"
+        $ = "md5crack.com"
-        $md5crack = "md5decrypter.com"
+        $ = "md5decrypter.com"
-        $hashkiller = "hashkiller.com"
+        $ = "hashkiller.com"
-        $hashchecker = "hashchecker.com"
+        $ = "hashchecker.com"
-        $fopo = "www.fopo.com.ar"  /* Free Online Php Obfuscator */
+        $ = "www.fopo.com.ar"  /* Free Online Php Obfuscator */
-        $ccteam = "ccteam.ru"
+        $ = "ccteam.ru"
-        $locus = "locus7s.com"
+        $ = "locus7s.com"
    condition:
        any of them
author	jvoisin	2015-07-09 13:36:16 +0200
committer	jvoisin	2015-07-09 13:36:16 +0200
commit	7b4a39bb2d44b0cc1119aa8ba10caed7ebedb5e3 (patch)
tree	b35b75a974bf8d04174df131ec8f662038ed8685
parent	82aa5ca8080b3787dfb5d5e3944a8cdfc0c9dc6c (diff)

diff --git a/malwares.yara b/malwares.yara index d438854..0ec4eee 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -37,14 +37,14 @@ global private rule IsPhp
37	private rule IRC	37	private rule IRC
38	{	38	{
39	strings:	39	strings:
40	$a = "USER" fullword	40	$ = "USER" fullword
41	$b = "PASS" fullword	41	$ = "PASS" fullword
42	$c = "PRIVMSG" fullword	42	$ = "PRIVMSG" fullword
43	$d = "MODE" fullword	43	$ = "MODE" fullword
44	$e = "PING" fullword	44	$ = "PING" fullword
45	$f = "PONG" fullword	45	$ = "PONG" fullword
46	$g = "JOIN" fullword	46	$ = "JOIN" fullword
47	$h = "PART" fullword	47	$ = "PART" fullword
48		48
49	condition:	49	condition:
50	5 of them	50	5 of them
@@ -53,9 +53,9 @@ private rule IRC
53	private rule CloudFlareBypass	53	private rule CloudFlareBypass
54	{	54	{
55	strings:	55	strings:
56	$chk_jschl = "chk_jschl"	56	$ = "chk_jschl"
57	$jschl_vc = "jschl_vc"	57	$ = "jschl_vc"
58	$jschl_answer = "jschl_answer"	58	$ = "jschl_answer"
59		59
60	condition:	60	condition:
61	2 of them // Better be safe than sorry	61	2 of them // Better be safe than sorry
@@ -68,7 +68,7 @@ rule ObfuscatedPhp
68	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	68	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
69	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec)\(/	69	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec)\(/
70	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher	70	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
71	$launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html	71	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
72	$danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/	72	$danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
73	$strange_arg = /\${\$[0-9a-zA-z]+}/	73	$strange_arg = /\${\$[0-9a-zA-z]+}/
74	condition:	74	condition:
@@ -129,31 +129,31 @@ rule DangerousPhp
129	strings:	129	strings:
130	$system = "system" fullword // localroot bruteforcers have a lot of this	130	$system = "system" fullword // localroot bruteforcers have a lot of this
131		131
132	$a = "exec" fullword	132	$ = "exec" fullword
133	$b = "eval" fullword	133	$ = "eval" fullword
134	$c = "shell_exec" fullword	134	$ = "shell_exec" fullword
135	$v = "passthru" fullword	135	$ = "passthru" fullword
136	$e = "posix_getuid" fullword	136	$ = "posix_getuid" fullword
137	$f = "posix_geteuid" fullword	137	$ = "posix_geteuid" fullword
138	$g = "posix_getgid" fullword	138	$ = "posix_getgid" fullword
139	$h = "phpinfo" fullword	139	$ = "phpinfo" fullword
140	$i = "backticks" fullword	140	$ = "backticks" fullword
141	$j = "proc_open" fullword	141	$ = "proc_open" fullword
142	$k = "win_shell_execute" fullword	142	$ = "win_shell_execute" fullword
143	$l = "win32_create_service" fullword	143	$ = "win32_create_service" fullword
144	$m = "posix_getpwuid" fullword	144	$ = "posix_getpwuid" fullword
145	$n = "shm_open" fullword	145	$ = "shm_open" fullword
146	$o = "assert" fullword	146	$ = "assert" fullword
147	$p = "fsockopen" fullword	147	$ = "fsockopen" fullword
148	$q = "function_exists" fullword	148	$ = "function_exists" fullword
149	$r = "getmygid" fullword	149	$ = "getmygid" fullword
150	$s = "php_uname" fullword	150	$ = "php_uname" fullword
151	$t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"	151	$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
152	$u = "fpassthru" fullword	152	$ = "fpassthru" fullword
153	$v = "posix_setuid" fullword	153	$ = "posix_setuid" fullword
154	$w = "xmlrpc_decode" fullword	154	$ = "xmlrpc_decode" fullword
155	$x = "show_source" fullword	155	$ = "show_source" fullword
156	$y = "pcntl_exec" fullword	156	$ = "pcntl_exec" fullword
157		157
158	$whitelist = /escapeshellcmd\|escapeshellarg/	158	$whitelist = /escapeshellcmd\|escapeshellarg/
159		159
@@ -164,31 +164,31 @@ rule DangerousPhp
164	rule DodgyStrings	164	rule DodgyStrings
165	{	165	{
166	strings:	166	strings:
167	$a = "/etc/passwd"	167	$ = "/etc/passwd"
168	$b = "/etc/shadow"	168	$ = "/etc/shadow"
169	$c = "/etc/resolv.conf"	169	$ = "/etc/resolv.conf"
170	$d = "/etc/syslog.conf"	170	$ = "/etc/syslog.conf"
171	$e = "/etc/proftpd.conf"	171	$ = "/etc/proftpd.conf"
172	$e = "WinExec"	172	$ = "WinExec"
173	$f = "uname -a" fullword	173	$ = "uname -a" fullword
174	$g = "nc -l" fullword	174	$ = "nc -l" fullword
175	$h = "ls -la" fullword	175	$ = "ls -la" fullword
176	$i = "cmd.exe" fullword nocase	176	$ = "cmd.exe" fullword nocase
177	$j = "ipconfig" fullword nocase	177	$ = "ipconfig" fullword nocase
178	$k = "find . -type f" fullword	178	$ = "find . -type f" fullword
179	$l = "defaced" fullword nocase	179	$ = "defaced" fullword nocase
180	$m = "slowloris" fullword nocase	180	$ = "slowloris" fullword nocase
181	$o = "id_rsa" fullword	181	$ = "id_rsa" fullword
182	$p = "backdoor" fullword nocase	182	$ = "backdoor" fullword nocase
183	$q = "webshell" fullword nocase	183	$ = "webshell" fullword nocase
184	$r = "exploit" fullword nocase	184	$ = "exploit" fullword nocase
185	$s = "hacking" fullword nocase	185	$ = "hacking" fullword nocase
186	$t = "/proc/cpuinfo" fullword	186	$ = "/proc/cpuinfo" fullword
187	$u = "/bin/sh" fullword	187	$ = "/bin/sh" fullword
188	$v = "/bin/bash" fullword	188	$ = "/bin/bash" fullword
189	$w = "ps -aux" fullword	189	$ = "ps -aux" fullword
190	$x = "b374k" fullword	190	$ = "b374k" fullword
191	$y = /(reverse\|web)\s*shell/ nocase	191	$ = /(reverse\|web)\s*shell/ nocase
192		192
193	$vbs = /language\s=\svbscript/ nocase	193	$vbs = /language\s=\svbscript/ nocase
194	$asp = "scripting.filesystemobject" nocase	194	$asp = "scripting.filesystemobject" nocase
@@ -200,26 +200,26 @@ rule DodgyStrings
200	rule Websites	200	rule Websites
201	{	201	{
202	strings:	202	strings:
203	$milw0rm = "milw0rm.com"	203	$ = "milw0rm.com"
204	$exploitsdb = "exploit-db.com"	204	$ = "exploit-db.com"
205	$injector = "1337day.com"	205	$ = "1337day.com"
206	$rapid7 = "rapid7.com"	206	$ = "rapid7.com"
207	$shodan = "shodan.io"	207	$ = "shodan.io"
208	$packetstorm = "packetstormsecurity"	208	$ = "packetstormsecurity"
209	$crackfor = "crackfor" nocase	209	$ = "crackfor" nocase
210	$rednoize = "md5.rednoize"	210	$ = "md5.rednoize"
211	$hashcracking = "hashcracking" nocase	211	$ = "hashcracking" nocase
212	$darkc0de = "darkc0de" nocase	212	$ = "darkc0de" nocase
213	$securityfocus = "securityfocus" nocase	213	$ = "securityfocus" nocase
214	$antichat = "antichat.ru"	214	$ = "antichat.ru"
215	$kingdefacer = "KingDefacer" nocase	215	$ = "KingDefacer" nocase
216	$md5crack = "md5crack.com"	216	$ = "md5crack.com"
217	$md5crack = "md5decrypter.com"	217	$ = "md5decrypter.com"
218	$hashkiller = "hashkiller.com"	218	$ = "hashkiller.com"
219	$hashchecker = "hashchecker.com"	219	$ = "hashchecker.com"
220	$fopo = "www.fopo.com.ar" /* Free Online Php Obfuscator */	220	$ = "www.fopo.com.ar" /* Free Online Php Obfuscator */
221	$ccteam = "ccteam.ru"	221	$ = "ccteam.ru"
222	$locus = "locus7s.com"	222	$ = "locus7s.com"
223		223
224	condition:	224	condition:
225	any of them	225	any of them