summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulien Voisin2015-03-24 11:05:36 +0100
committerJulien Voisin2015-03-24 11:05:36 +0100
commitd3e3e2e8cd0e79ad388c55650d6ffb459c4f1182 (patch)
tree7a0e31cdf2798b84d35e826e121ebad162a7a1d8
parent155add4d398ae8a4a610d78b8284a0ccd3eb86cf (diff)
Add some encoding rules, and remove some false-positives
Diffstat
-rw-r--r--malwares.yara41
1 files changed, 36 insertions, 5 deletions
diff --git a/malwares.yara b/malwares.yara
index 88f6e94..3adc5f8 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -17,7 +17,7 @@
17private rule IsPhp 17private rule IsPhp
18{ 18{
19 strings: 19 strings:
20 $php = "<?" 20 $php = /<\?[^x]/ //php but not xml
21 21
22 condition: 22 condition:
23 $php 23 $php
@@ -55,19 +55,48 @@ rule ObfuscatedPhp
55 strings: 55 strings:
56 $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts 56 $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
57 $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla} 57 $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
58 $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/ // <?php eval( 58 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
59 $eval = /[;}] *@?eval\(/ // ;eval( <- this is dodgy
60 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k 59 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
60 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
61 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher 61 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
62 $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html 62 $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
63 condition: 63 condition:
64 IsPhp and ($align or $eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3) 64 IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
65}
66
67private rule base64
68{
69 strings:
70 $eval = "ZXZhbCg"
71 $system = "c3lzdGVt"
72 $preg_replace = "cHJlZ19yZXBsYWNl"
73 $exec = "ZXhlYyg"
74 condition:
75 any of them
76}
77
78private rule hex
79{
80 strings:
81 $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
82 $exec = "\\x65\\x78\\x65\\x63" nocase
83 $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
84 $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
85
86 condition:
87 any of them
88}
89
90rule SuspiciousEncoding
91{
92 condition:
93 IsPhp and (base64 or hex)
65} 94}
66 95
67rule DodgyPhp 96rule DodgyPhp
68{ 97{
69 strings: 98 strings:
70 $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gzinflate|getenv|\\?\$_(GET|REQUEST|POST))/ 99 $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
71 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ 100 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
72 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ 101 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
73 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/ 102 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
@@ -107,6 +136,8 @@ rule DangerousPhp
107 $s = "php_uname" fullword 136 $s = "php_uname" fullword
108 $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" 137 $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
109 $u = "fpassthru" fullword 138 $u = "fpassthru" fullword
139 $v = "posix_setuid" fullword
140 $w = "xmlrpc_decode" fullword
110 141
111 $whitelist = /escapeshellcmd|escapeshellarg/ 142 $whitelist = /escapeshellcmd|escapeshellarg/
112 143