Add some Magento whitelists

author: jvoisin 2015-07-09 14:22:38 +0200
committer: jvoisin 2015-07-09 14:22:38 +0200
commit: ec29d8800be56d53a6e1e1e12161caf3bd679b9f (patch)
tree: 7c86034940705273b04ac3a4cf95b522996a6e24
parent: 640a4de4dde0b4054830182b920c08083d764fd9 (diff)
2 files changed, 34 insertions, 7 deletions
diff --git a/malwares.yara b/malwares.yara
index 1126efb..9e962f0 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -187,7 +187,7 @@ rule DodgyStrings
        $asp = "scripting.filesystemobject" nocase
    condition:
-        IRC or 2 of them
+        IRC or 2 of them and not IsWhitelisted
 }
 rule Websites
diff --git a/whitelist.yara b/whitelist.yara
index 06cb59b..3b3e361 100644
--- a/whitelist.yara
+++ b/whitelist.yara
@@ -1,11 +1,6 @@
-private rule IsWhitelisted
+private rule Wordpress
 {
    condition:
-        /* Prestashop 1.6.1.0 */
-        hash.sha1(0, filesize)  == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
-        hash.sha1(0, filesize)  == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
-        hash.sha1(0, filesize)  == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" or // classes/Tools.php
        /* Wordpress 3.5.1 */
        hash.sha1(0, filesize)  == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
        hash.sha1(0, filesize)  == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
@@ -14,5 +9,37 @@ private rule IsWhitelisted
        hash.sha1(0, filesize)  == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php
        hash.sha1(0, filesize)  == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php
        hash.sha1(0, filesize)  == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php
+}
+private rule Prestashop
+{
+    condition:
+        /* Prestashop 1.6.1.0 */
+        hash.sha1(0, filesize)  == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
+        hash.sha1(0, filesize)  == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
+        hash.sha1(0, filesize)  == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" // classes/Tools.php
+}
+private rule Magento
+{
+    condition:
+        /* Magento 1.7.0.2 */
+        hash.sha1(0, filesize)  == "f46cf6fd47e60e77089d94cca5b89d19458987ca" or // lib/Zend/Session.php
+        hash.sha1(0, filesize)  == "ffb3e46c87e173b1960e50f771954ebb1efda66e" or // lib/Zend/Ldap/Converter.php
+        hash.sha1(0, filesize)  == "7faa31f0ee66f32a92b5fd516eb65ff4a3603156" or // lib/PEAR/SOAP/WSDL.php
+        hash.sha1(0, filesize)  == "539de72a2a424d86483f461a9e38ee42df158f26" or // app/code/core/Mage/Adminhtml/Model/Url.php
+        hash.sha1(0, filesize)  == "6b3f32e50343b70138ce4adb73045782b3edd851" or // lib/phpseclib/Net/SSH1.php
+        /* Magento 1.4.1.1 */
+        hash.sha1(0, filesize)  == "0b74f4b259c63c01c74fb5913c3ada87296107c8" or // lib/Zend/Session.php
+        hash.sha1(0, filesize)  == "951a4639e49c6b2ad8adeb38481e2290297c8e70" or // lib/Zend/Ldap/Converter.php
+        hash.sha1(0, filesize)  == "44ba7a5b685f4a52113559f366aaf6e9a22ae21e"  // app/code/core/Mage/Adminhtml/Model/Url.php
+}
+private rule IsWhitelisted
+{
+    condition:
+        Wordpress or
+        Prestashop or
+        Magento
 }
author	jvoisin	2015-07-09 14:22:38 +0200
committer	jvoisin	2015-07-09 14:22:38 +0200
commit	ec29d8800be56d53a6e1e1e12161caf3bd679b9f (patch)
tree	7c86034940705273b04ac3a4cf95b522996a6e24
parent	640a4de4dde0b4054830182b920c08083d764fd9 (diff)

diff --git a/malwares.yara b/malwares.yara index 1126efb..9e962f0 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -187,7 +187,7 @@ rule DodgyStrings
187	$asp = "scripting.filesystemobject" nocase	187	$asp = "scripting.filesystemobject" nocase
188		188
189	condition:	189	condition:
190	IRC or 2 of them	190	IRC or 2 of them and not IsWhitelisted
191	}	191	}
192		192
193	rule Websites	193	rule Websites


diff --git a/whitelist.yara b/whitelist.yara index 06cb59b..3b3e361 100644 --- a/whitelist.yara +++ b/whitelist.yara
@@ -1,11 +1,6 @@
1	private rule IsWhitelisted	1	private rule Wordpress
2	{	2	{
3	condition:	3	condition:
4	/* Prestashop 1.6.1.0 */
5	hash.sha1(0, filesize) == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
6	hash.sha1(0, filesize) == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
7	hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" or // classes/Tools.php
8
9	/* Wordpress 3.5.1 */	4	/* Wordpress 3.5.1 */
10	hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php	5	hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
11	hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php	6	hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
@@ -14,5 +9,37 @@ private rule IsWhitelisted
14	hash.sha1(0, filesize) == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php	9	hash.sha1(0, filesize) == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php
15	hash.sha1(0, filesize) == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php	10	hash.sha1(0, filesize) == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php
16	hash.sha1(0, filesize) == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php	11	hash.sha1(0, filesize) == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php
		12	}
17		13
		14	private rule Prestashop
		15	{
		16	condition:
		17	/* Prestashop 1.6.1.0 */
		18	hash.sha1(0, filesize) == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
		19	hash.sha1(0, filesize) == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
		20	hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" // classes/Tools.php
		21	}
		22
		23	private rule Magento
		24	{
		25	condition:
		26	/* Magento 1.7.0.2 */
		27	hash.sha1(0, filesize) == "f46cf6fd47e60e77089d94cca5b89d19458987ca" or // lib/Zend/Session.php
		28	hash.sha1(0, filesize) == "ffb3e46c87e173b1960e50f771954ebb1efda66e" or // lib/Zend/Ldap/Converter.php
		29	hash.sha1(0, filesize) == "7faa31f0ee66f32a92b5fd516eb65ff4a3603156" or // lib/PEAR/SOAP/WSDL.php
		30	hash.sha1(0, filesize) == "539de72a2a424d86483f461a9e38ee42df158f26" or // app/code/core/Mage/Adminhtml/Model/Url.php
		31	hash.sha1(0, filesize) == "6b3f32e50343b70138ce4adb73045782b3edd851" or // lib/phpseclib/Net/SSH1.php
		32
		33	/* Magento 1.4.1.1 */
		34	hash.sha1(0, filesize) == "0b74f4b259c63c01c74fb5913c3ada87296107c8" or // lib/Zend/Session.php
		35	hash.sha1(0, filesize) == "951a4639e49c6b2ad8adeb38481e2290297c8e70" or // lib/Zend/Ldap/Converter.php
		36	hash.sha1(0, filesize) == "44ba7a5b685f4a52113559f366aaf6e9a22ae21e" // app/code/core/Mage/Adminhtml/Model/Url.php
		37	}
		38
		39	private rule IsWhitelisted
		40	{
		41	condition:
		42	Wordpress or
		43	Prestashop or
		44	Magento
18	}	45	}