authorshaddai2015-11-26 15:13:25 +0100
committershaddai2015-11-26 15:13:25 +0100
commit8277b307068b9ad4dddb0632ae5d412eea2924a0 (patch)
tree04a13ed65234e7036a094996d243a0e743738d36
parentce0439f3181e3014451c7bb04afa7ecc4a31a3dd (diff)
new rules
Some samples from this repo weren't detected: https://github.com/tennc/webshell. Fixes #3
-rw-r--r--malwares.yara28
1 files changed, 21 insertions, 7 deletions
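--- a/malwares.yara
+++ b/malwares.yara
@@ -15,6 +15,7 @@ include "whitelist.yara"
 - http://sysadmin.cyklodev.com/online-php-obfuscator/
 - http://mohssen.org/SpinObf.php
 - https://code.google.com/p/carbylamine/
+- https://github.com/tennc/webshell
 */
 
 global private rule IsPhp
@@ -56,13 +57,15 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
+        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
+        $b374k = /'ev'\.'al'/
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
         $strange_arg = /\${\$[0-9a-zA-z]+}/
+        $too_many_chr = /(chr\([\d]+\)\.){2,}?/
+        $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
     condition:
         any of them and not IsWhitelisted
 }
@@ -74,6 +77,7 @@ private rule base64
         $system = "c3lzdGVt"
         $preg_replace = "cHJlZ19yZXBsYWNl"
         $exec = "ZXhlYyg"
+        $base64_decode = "YmFzZTY0X2RlY29kZ"
     condition:
         any of them
 }
@@ -100,18 +104,20 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
     strings:
-        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
         $double_encoding = /(base64_decode\s*\(\s*){2}/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
+        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
         $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\s*\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
         $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
         $htaccess = "SetHandler application/x-httpd-php"
         $udp_dos = /sockopen\s*\(['"]udp:\/\//
+        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
+        $iis_com = /IIS:\/\/localhost\/w3svc/
 
     condition:
         (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -148,6 +154,12 @@ rule DangerousPhp
         $ = "show_source" fullword
         $ = "pcntl_exec" fullword
         $ = "array_filter" fullword
+        $ = "call_user_func" fullword
+        $ = "register_shutdown_function" fullword
+        $ = "register_tick_function" fullword
+        $ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+        $ = "mb_ereg_replace_callback" fullword
+        $ = "preg_replace_callback" fullword
 
         $whitelist = /escapeshellcmd|escapeshellarg/
 
@@ -214,6 +226,8 @@ rule Websites
         $ = "www.fopo.com.ar" /* Free Online Php Obfuscator */
         $ = "ccteam.ru"
         $ = "locus7s.com"
+        $ = "b374k"
+        $ = "www.egyspider.eu"
 
     condition:
         any of them and not IsWhitelisted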
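Review bot: The new `$iniset_urlinclude` string in DodgyPhp (new line 119) puts the closing quote after the value, so it only matches the literal `ini_set('allow_url_include, 1')` and never the real call form `ini_set('allow_url_include', 1)` or `ini_set("allow_url_include", "1")`; a working version is `$iniset_urlinclude = /ini_set\s*\(\s*['"]allow_url_include['"]\s*,\s*['"]?1['"]?\s*\)/`. In the same hunk, `$restore_bypass` (new line 113) adds `disable_function`, but the PHP directive is `disable_functions`, and because the pattern requires the quote right after the name, `ini_restore('disable_functions')` will not match; it should read `disable_functions`. Widening `$vars` to `/\$__+/` (new line 107) under an `any of them` condition means one double-underscore variable now flags a whole file, which is likely to hit generated framework code that uses such names; worth confirming against the whitelist before relying on it. The `DangerousPhp` and `Websites` conditions are outside the hunks shown, so the impact of the added `ob_start` and `b374k` strings on their thresholds cannot be judged here.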