Yara is cooler than Python

author: Julien Voisin 2015-03-05 15:36:22 +0100
committer: Julien Voisin 2015-03-05 15:36:22 +0100
commit: 6beeeebe3c43f0643e521139d3f8b1ff4a7f3059 (patch)
tree: 72de2c9e6f8eb30b847da44213b8482f98691589 /malwares.yara
parent: 1c917ed43a58e1c1c77ccd0815b6e95fbcca54ff (diff)
1 files changed, 161 insertions, 0 deletions
diff --git a/malwares.yara b/malwares.yara
new file mode 100644
index 0000000..3d857c1
--- /dev/null
+++ b/malwares.yara
@@ -0,0 +1,161 @@
+private rule IsPhp
+{
+    strings:
+        $php = "<?"
+    condition:
+        $php
+}
+private rule IRC
+{
+    strings:
+        $a = "USER" fullword
+        $b = "PASS" fullword
+        $c = "PRIVMSG" fullword
+        $d = "MODE" fullword
+        $e = "PING" fullword
+        $f = "PONG" fullword
+        $g = "JOIN" fullword
+        $h = "PART" fullword
+    condition:
+        5 of them
+}
+rule ObfuscatedPhp
+{
+    strings:
+        $vars = /\$_{2,}/ fullword  // $__ is rarely used in legitimate scripts
+        $hexvars = /\${['"][\w\\]+['"]}/ fullword  // ${blablabla}
+        $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/  // <?php eval(
+        $eval = /;@?eval\(/  // ;eval( <- this is dodgy
+        $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+    condition:
+        IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5)
+}
+rule CloudFlareBypass
+{
+    strings:
+        $chk_jschl = "chk_jschl"
+        $jschl_vc = "jschl_vc"
+        $jschl_answer = "jschl_answer"
+    condition:
+        2 of them // Better be safe than sorry
+}
+rule DodgyPhp
+{
+    strings:
+        $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gzinflate|getenv|\\?\$_(GET|REQUEST|POST))/
+        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
+        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
+        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
+        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
+        $various = "<!--#exec cmd="
+        $pr = /preg_replace\(['"]\/[^\/]+e['"],/
+        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
+        $htaccess = "SetHandler application/x-httpd-php"
+    condition:
+        IsPhp and any of them
+}
+rule DangerousPhp
+{
+    strings:
+        $system = "system" fullword  // localroot bruteforcers have a lot of this
+        $a = "exec" fullword
+        $b = "eval" fullword
+        $c = "shell_exec" fullword
+        $v = "passthru" fullword
+        $e = "posix_getuid" fullword
+        $f = "posix_geteuid" fullword
+        $g = "posix_getgid" fullword
+        $h = "phpinfo" fullword
+        $i = "backticks" fullword
+        $j = "proc_open" fullword
+        $k = "win_shell_execute" fullword
+        $l = "win32_create_service" fullword
+        $m = "posix_getpwuid" fullword
+        $n = "shmop_open" fullword
+        $o = "assert" fullword
+        $p = "fsockopen" fullword
+        $q = "function_exists" fullword
+        $r = "getmygid" fullword
+        $s = "php_uname" fullword
+        $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $u = "fpassthru" fullword
+        $whitelist = /escapeshellcmd|escapeshellarg/
+    condition:
+        not $whitelist and (5 of them or #system > 250)
+}
+rule Weevely3
+{
+    strings:
+        $launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
+        $replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/
+    condition:
+        IsPhp and any of them
+}
+rule DodgyStrings
+{
+    strings:
+        $a = "/etc/passwd"
+        $b = "/etc/shadow"
+        $c = "/etc/resolv.conf"
+        $d = "/etc/syslog.conf"
+        $e = "/etc/proftpd.conf"
+        $e = "WinExec"
+        $f = "uname -a" fullword
+        $g = "nc -l" fullword
+        $h = "ls -la" fullword
+        $i = "cmd.exe" fullword nocase
+        $j = "ipconfig" fullword nocase
+        $k = "find . -type f" fullword
+        $l = "defaced" fullword nocase
+        $m = "slowloris" fullword nocase
+        $o = "id_rsa" fullword
+        $p = "backdoor" fullword nocase
+        $q = "webshell" fullword nocase
+        $r = "exploit" fullword nocase
+        $s = "hacking" fullword nocase
+        $t = "/proc/cpuinfo" fullword
+        $u = "/bin/sh" fullword
+        $v = "/bin/bash" fullword
+        $w = "ps -aux" fullword
+    condition:
+        IsPhp and (IRC or 2 of them)
+}
+rule ExploitsWebsites
+{
+    strings:
+        $milw0rm = "milw0rm"
+        $exploitsdb = "exploit-db.com"
+        $injector = "1337day.com"
+        $rapid7 = "rapid7.com"
+    condition:
+        any of them
+}
+rule DodgyFiletypes
+{
+    strings:
+        $elf = { 7f 45 4c 46 }
+        $pe = "MZ"
+    condition:
+        $elf at 0 or (for any i in (1..#pe): (uint32(@pe[i] + uint32(@pe[i] + 0x3C)) == 0x00004550))
+}
author	Julien Voisin	2015-03-05 15:36:22 +0100
committer	Julien Voisin	2015-03-05 15:36:22 +0100
commit	6beeeebe3c43f0643e521139d3f8b1ff4a7f3059 (patch)
tree	72de2c9e6f8eb30b847da44213b8482f98691589 /malwares.yara
parent	1c917ed43a58e1c1c77ccd0815b6e95fbcca54ff (diff)

diff --git a/malwares.yara b/malwares.yara new file mode 100644 index 0000000..3d857c1 --- /dev/null +++ b/malwares.yara
@@ -0,0 +1,161 @@
	1	private rule IsPhp
	2	{
	3	strings:
	4	$php = "<?"
	5
	6	condition:
	7	$php
	8	}
	9
	10	private rule IRC
	11	{
	12	strings:
	13	$a = "USER" fullword
	14	$b = "PASS" fullword
	15	$c = "PRIVMSG" fullword
	16	$d = "MODE" fullword
	17	$e = "PING" fullword
	18	$f = "PONG" fullword
	19	$g = "JOIN" fullword
	20	$h = "PART" fullword
	21
	22	condition:
	23	5 of them
	24	}
	25
	26	rule ObfuscatedPhp
	27	{
	28	strings:
	29	$vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
	30	$hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
	31	$eval_start = /(\s)<\?(php)?(\n)(\s)*eval\(/ // <?php eval(
	32	$eval = /;@?eval\(/ // ;eval( <- this is dodgy
	33	$launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
	34
	35	condition:
	36	IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5)
	37	}
	38
	39	rule CloudFlareBypass
	40	{
	41	strings:
	42	$chk_jschl = "chk_jschl"
	43	$jschl_vc = "jschl_vc"
	44	$jschl_answer = "jschl_answer"
	45
	46	condition:
	47	2 of them // Better be safe than sorry
	48	}
	49
	50	rule DodgyPhp
	51	{
	52	strings:
	53	$execution = /(eval\|passthru\|exec\|system\|win_shell_execute)\((base64_decode\|php:\/\/input\|str_rot13\|gzinflate\|getenv\|\\?\$_(GET\|REQUEST\|POST))/
	54	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
	55	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
	56	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
	57	$restore_bypass = /ini_restore\(['"](safe_mode\|open_basedir)['"]\)/
	58	$various = "<!--#exec cmd="
	59	$pr = /preg_replace\(['"]\/[^\/]+e['"],/
	60	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
	61	$htaccess = "SetHandler application/x-httpd-php"
	62
	63	condition:
	64	IsPhp and any of them
	65	}
	66
	67	rule DangerousPhp
	68	{
	69	strings:
	70	$system = "system" fullword // localroot bruteforcers have a lot of this
	71
	72	$a = "exec" fullword
	73	$b = "eval" fullword
	74	$c = "shell_exec" fullword
	75	$v = "passthru" fullword
	76	$e = "posix_getuid" fullword
	77	$f = "posix_geteuid" fullword
	78	$g = "posix_getgid" fullword
	79	$h = "phpinfo" fullword
	80	$i = "backticks" fullword
	81	$j = "proc_open" fullword
	82	$k = "win_shell_execute" fullword
	83	$l = "win32_create_service" fullword
	84	$m = "posix_getpwuid" fullword
	85	$n = "shmop_open" fullword
	86	$o = "assert" fullword
	87	$p = "fsockopen" fullword
	88	$q = "function_exists" fullword
	89	$r = "getmygid" fullword
	90	$s = "php_uname" fullword
	91	$t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
	92	$u = "fpassthru" fullword
	93
	94	$whitelist = /escapeshellcmd\|escapeshellarg/
	95
	96	condition:
	97	not $whitelist and (5 of them or #system > 250)
	98	}
	99
	100	rule Weevely3
	101	{
	102	strings:
	103	$launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
	104	$replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/
	105
	106	condition:
	107	IsPhp and any of them
	108	}
	109
	110	rule DodgyStrings
	111	{
	112	strings:
	113	$a = "/etc/passwd"
	114	$b = "/etc/shadow"
	115	$c = "/etc/resolv.conf"
	116	$d = "/etc/syslog.conf"
	117	$e = "/etc/proftpd.conf"
	118	$e = "WinExec"
	119	$f = "uname -a" fullword
	120	$g = "nc -l" fullword
	121	$h = "ls -la" fullword
	122	$i = "cmd.exe" fullword nocase
	123	$j = "ipconfig" fullword nocase
	124	$k = "find . -type f" fullword
	125	$l = "defaced" fullword nocase
	126	$m = "slowloris" fullword nocase
	127	$o = "id_rsa" fullword
	128	$p = "backdoor" fullword nocase
	129	$q = "webshell" fullword nocase
	130	$r = "exploit" fullword nocase
	131	$s = "hacking" fullword nocase
	132	$t = "/proc/cpuinfo" fullword
	133	$u = "/bin/sh" fullword
	134	$v = "/bin/bash" fullword
	135	$w = "ps -aux" fullword
	136
	137	condition:
	138	IsPhp and (IRC or 2 of them)
	139	}
	140
	141	rule ExploitsWebsites
	142	{
	143	strings:
	144	$milw0rm = "milw0rm"
	145	$exploitsdb = "exploit-db.com"
	146	$injector = "1337day.com"
	147	$rapid7 = "rapid7.com"
	148
	149	condition:
	150	any of them
	151	}
	152
	153	rule DodgyFiletypes
	154	{
	155	strings:
	156	$elf = { 7f 45 4c 46 }
	157	$pe = "MZ"
	158
	159	condition:
	160	$elf at 0 or (for any i in (1..#pe): (uint32(@pe[i] + uint32(@pe[i] + 0x3C)) == 0x00004550))
	161	}