authorJulien Voisin2015-03-09 14:40:15 +0100
committerJulien Voisin2015-03-09 14:40:15 +0100
commit9d4b89be1fa740e183bf9ec69abca477796b4f3f (patch)
treee7a443499de9dbbf3e5bdc63f1fe6f496c596572
parent1596c27d5c56a3484796276e3f3b643dc42a7349 (diff)
Delete binary detection
-rw-r--r--malwares.yara46
1 files changed, 21 insertions, 25 deletions
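diff --git a/malwares.yara b/malwares.yara
index f75342e..88f6e94 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -39,6 +39,17 @@ private rule IRC
  5 of them
 }
 
+private rule CloudFlareBypass
+{
+ strings:
+ $chk_jschl = "chk_jschl"
+ $jschl_vc = "jschl_vc"
+ $jschl_answer = "jschl_answer"
+
+ condition:
+ 2 of them // Better be safe than sorry
+}
+
 rule ObfuscatedPhp
 {
  strings:
@@ -46,21 +57,11 @@ rule ObfuscatedPhp
  $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
  $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/ // <?php eval(
  $eval = /[;}] *@?eval\(/ // ;eval( <- this is dodgy
+ $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
  $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
  $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
  condition:
- IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
-}
-
-rule CloudFlareBypass
-{
- strings:
- $chk_jschl = "chk_jschl"
- $jschl_vc = "jschl_vc"
- $jschl_answer = "jschl_answer"
-
- condition:
- 2 of them // Better be safe than sorry
+ IsPhp and ($align or $eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
 }
 
 rule DodgyPhp
@@ -77,7 +78,7 @@ rule DodgyPhp
  $htaccess = "SetHandler application/x-httpd-php"
 
  condition:
- IsPhp and any of them
+ IsPhp and (any of them or CloudFlareBypass)
 }
 
 rule DangerousPhp
@@ -110,7 +111,7 @@ rule DangerousPhp
  $whitelist = /escapeshellcmd|escapeshellarg/
 
  condition:
- not $whitelist and (5 of them or #system > 250)
+ IsPhp and not $whitelist and (5 of them or #system > 250)
 }
 
 rule DodgyStrings
@@ -139,6 +140,11 @@ rule DodgyStrings
  $u = "/bin/sh" fullword
  $v = "/bin/bash" fullword
  $w = "ps -aux" fullword
+ $x = "b374k" fullword
+ $y = /(reverse|web)\s*shell/ nocase
+
+ $vbs = /language\s*=\s*vbscript/ nocase
+ $asp = "scripting.filesystemobject" nocase
 
  condition:
  IsPhp and (IRC or 2 of them)
@@ -155,15 +161,5 @@ rule ExploitsWebsites
  $packetstorm = "packetstormsecurity.com"
 
  condition:
- any of them
-}
-
-rule DodgyFiletypes
-{
- strings:
- $elf = { 7f 45 4c 46 }
- $pe = "MZ"
-
- condition:
- $elf at 0 or (for any i in (1..#pe): (uint32(@pe[i] + uint32(@pe[i] + 0x3C)) == 0x00004550))
+ IsPhp and any of them
 }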
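Review bot: The new `$align` string in ObfuscatedPhp (hunk `@@ -46,21 +57,11 @@`) carries a leading `(\$\w+=[^;]*)*` group that cannot change whether the rule fires: the group is optional, so the pattern matches at exactly the places where its tail `;\$\w+=@?\$\w+\(` matches, and the condition only tests `$align`, never its offset or length. Because `[^;]*` also consumes `$` and `=`, the repeated group overlaps with itself and can be re-tried in many ways across long `$a=...$b=...` runs with no `;`, which seems likely to cost scan time on precisely the obfuscated files this rule targets. I would reduce the line to `$align = /;\$\w+=@?\$\w+\(/ // b374k: ;$x=$y(` and leave the condition as committed. The `strings:` section of ObfuscatedPhp begins above this hunk, so the remaining string definitions are not visible here.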