reorganized git repo

author: Julien "shaddai" Reveret 2015-10-08 17:44:47 +0200
committer: Mathieu Deous 2015-10-29 14:55:04 +0100
commit: ff0c609ce15299fcd0da5f5b471d3519495977ff (patch)
tree: b217ff3ed047ad0f63c4e39b8f400eebafa0d1a3 /malwares.yara
parent: 1b88cf3b85d8e3225fb55526f53cbf4df75d9813 (diff)
1 files changed, 0 insertions, 225 deletions
diff --git a/malwares.yara b/malwares.yara
deleted file mode 100644
index 569f16c..0000000
--- a/malwares.yara
+++ /dev/null
@@ -1,225 +0,0 @@
-import "hash"
-include "whitelist.yara"
-/*
-    Detect:
-        - phpencode.org
-        - http://www.pipsomania.com/best_php_obfuscator.do
-        - http://atomiku.com/online-php-code-obfuscator/
-        - http://www.webtoolsvn.com/en-decode/
-        - http://obfuscator.uk/example/
-        - http://w3webtools.com/encode-php-online/
-        - http://www.joeswebtools.com/security/php-obfuscator/
-        - https://github.com/epinna/weevely3
-        - http://cipherdesign.co.uk/service/php-obfuscator
-        - http://sysadmin.cyklodev.com/online-php-obfuscator/
-        - http://mohssen.org/SpinObf.php
-        - https://code.google.com/p/carbylamine/
-*/
-global private rule IsPhp
-{
-    strings:
-        $php = /<\?[^x]/
-    condition:
-        $php and filesize < 5MB
-}
-private rule IRC
-{
-    strings:
-        $ = "USER" fullword
-        $ = "PASS" fullword
-        $ = "PRIVMSG" fullword
-        $ = "MODE" fullword
-        $ = "PING" fullword
-        $ = "PONG" fullword
-        $ = "JOIN" fullword
-        $ = "PART" fullword
-    condition:
-        5 of them
-}
-private rule CloudFlareBypass
-{
-    strings:
-        $ = "chk_jschl"
-        $ = "jschl_vc"
-        $ = "jschl_answer"
-    condition:
-        2 of them // Better be safe than sorry
-}
-rule ObfuscatedPhp
-{
-    strings:
-        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/  // ;eval( <- this is dodgy
-        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
-        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
-        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-        $strange_arg = /\${\$[0-9a-zA-z]+}/
-    condition:
-        any of them and not IsWhitelisted
-}
-private rule base64
-{
-    strings:
-        $eval = "ZXZhbCg"
-        $system = "c3lzdGVt"
-        $preg_replace = "cHJlZ19yZXBsYWNl"
-        $exec = "ZXhlYyg"
-        $base64_decode = "YmFzZTY0X2RlY29kZ"
-    condition:
-        any of them
-}
-private rule hex
-{
-    strings:
-      $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
-      $exec = "\\x65\\x78\\x65\\x63" nocase
-      $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
-      $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
-      $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
-    
-    condition:
-        any of them
-}
-rule SuspiciousEncoding
-{
-    condition:
-        base64 or hex
-}
-rule DodgyPhp
-{
-    strings:
-        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
-        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
-        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
-        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
-        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
-        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $htaccess = "SetHandler application/x-httpd-php"
-        $udp_dos = /sockopen\s*\(['"]udp:\/\//
-    condition:
-        (any of them or CloudFlareBypass) and not IsWhitelisted
-}
-rule DangerousPhp
-{
-    strings:
-        $system = "system" fullword  // localroot bruteforcers have a lot of this
-        $ = "exec" fullword
-        $ = "eval" fullword
-        $ = "shell_exec" fullword
-        $ = "passthru" fullword
-        $ = "posix_getuid" fullword
-        $ = "posix_geteuid" fullword
-        $ = "posix_getgid" fullword
-        $ = "phpinfo" fullword
-        $ = "backticks" fullword
-        $ = "proc_open" fullword
-        $ = "win_shell_execute" fullword
-        $ = "win32_create_service" fullword
-        $ = "posix_getpwuid" fullword
-        $ = "shm_open" fullword
-        $ = "assert" fullword
-        $ = "fsockopen" fullword
-        $ = "function_exists" fullword
-        $ = "getmygid" fullword
-        $ = "php_uname" fullword
-        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
-        $ = "fpassthru" fullword
-        $ = "posix_setuid" fullword
-        $ = "xmlrpc_decode" fullword
-        $ = "show_source" fullword
-        $ = "pcntl_exec" fullword
-        $ = "array_filter" fullword
-        $ = "call_user_func" fullword
-        $ = "register_shutdown_function" fullword
-        $ = "register_tick_function" fullword
-        $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
-        $ = "mb_ereg_replace_callback" fullword
-        $ = "preg_replace_callback" fullword
-        $whitelist = /escapeshellcmd|escapeshellarg/
-    condition:
-        not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
-}
-rule DodgyStrings
-{
-    strings:
-        $ = "/etc/passwd"
-        $ = "/etc/shadow"
-        $ = "/etc/resolv.conf"
-        $ = "/etc/syslog.conf"
-        $ = "/etc/proftpd.conf"
-        $ = "WinExec"
-        $ = "uname -a" fullword
-        $ = "nc -l" fullword
-        $ = "ls -la" fullword
-        $ = "cmd.exe" fullword nocase
-        $ = "ipconfig" fullword nocase
-        $ = "find . -type f" fullword
-        $ = "defaced" fullword nocase
-        $ = "slowloris" fullword nocase
-        $ = "id_rsa" fullword
-        $ = "backdoor" fullword nocase
-        $ = "webshell" fullword nocase
-        $ = "exploit" fullword nocase
-        $ = "hacking" fullword nocase
-        $ = "/proc/cpuinfo" fullword
-        $ = "/bin/sh" fullword
-        $ = "/bin/bash" fullword
-        $ = "ps -aux" fullword
-        $ = "b374k" fullword
-        $ = /(reverse|web)\s*shell/ nocase
-        $vbs = /language\s*=\s*vbscript/ nocase
-        $asp = "scripting.filesystemobject" nocase
-    condition:
-        IRC or 2 of them and not IsWhitelisted
-}
-rule Websites
-{
-    strings:
-        $ = "milw0rm.com"
-        $ = "exploit-db.com"
-        $ = "1337day.com"
-        $ = "rapid7.com"
-        $ = "shodan.io"
-        $ = "packetstormsecurity"
-        $ = "crackfor" nocase
-        $ = "md5.rednoize"
-        $ = "hashcracking" nocase
-        $ = "darkc0de" nocase
-        $ = "securityfocus" nocase
-        $ = "antichat.ru"
-        $ = "KingDefacer" nocase
-        $ = "md5crack.com"
-        $ = "md5decrypter.com"
-        $ = "hashkiller.com"
-        $ = "hashchecker.com"
-        $ = "www.fopo.com.ar"  /* Free Online Php Obfuscator */
-        $ = "ccteam.ru"
-        $ = "locus7s.com"
-    condition:
-        any of them and not IsWhitelisted
-}
author	Julien "shaddai" Reveret	2015-10-08 17:44:47 +0200
committer	Mathieu Deous	2015-10-29 14:55:04 +0100
commit	ff0c609ce15299fcd0da5f5b471d3519495977ff (patch)
tree	b217ff3ed047ad0f63c4e39b8f400eebafa0d1a3 /malwares.yara
parent	1b88cf3b85d8e3225fb55526f53cbf4df75d9813 (diff)

diff --git a/malwares.yara b/malwares.yara deleted file mode 100644 index 569f16c..0000000 --- a/malwares.yara +++ /dev/null
@@ -1,225 +0,0 @@
1	import "hash"
2	include "whitelist.yara"
3
4	/*
5	Detect:
6	- phpencode.org
7	- http://www.pipsomania.com/best_php_obfuscator.do
8	- http://atomiku.com/online-php-code-obfuscator/
9	- http://www.webtoolsvn.com/en-decode/
10	- http://obfuscator.uk/example/
11	- http://w3webtools.com/encode-php-online/
12	- http://www.joeswebtools.com/security/php-obfuscator/
13	- https://github.com/epinna/weevely3
14	- http://cipherdesign.co.uk/service/php-obfuscator
15	- http://sysadmin.cyklodev.com/online-php-obfuscator/
16	- http://mohssen.org/SpinObf.php
17	- https://code.google.com/p/carbylamine/
18	*/
19
20	global private rule IsPhp
21	{
22	strings:
23	$php = /<\?[^x]/
24
25	condition:
26	$php and filesize < 5MB
27	}
28
29	private rule IRC
30	{
31	strings:
32	$ = "USER" fullword
33	$ = "PASS" fullword
34	$ = "PRIVMSG" fullword
35	$ = "MODE" fullword
36	$ = "PING" fullword
37	$ = "PONG" fullword
38	$ = "JOIN" fullword
39	$ = "PART" fullword
40
41	condition:
42	5 of them
43	}
44
45	private rule CloudFlareBypass
46	{
47	strings:
48	$ = "chk_jschl"
49	$ = "jschl_vc"
50	$ = "jschl_answer"
51
52	condition:
53	2 of them // Better be safe than sorry
54	}
55
56	rule ObfuscatedPhp
57	{
58	strings:
59	$eval = /[;}][\t ]*@?(eval\|preg_replace\|system\|exec\|assert\|passthru)\(/ // ;eval( <- this is dodgy
60	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
61	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec\|assert\|passthru)\(/
62	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
63	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
64	$strange_arg = /\${\$[0-9a-zA-z]+}/
65	condition:
66	any of them and not IsWhitelisted
67	}
68
69	private rule base64
70	{
71	strings:
72	$eval = "ZXZhbCg"
73	$system = "c3lzdGVt"
74	$preg_replace = "cHJlZ19yZXBsYWNl"
75	$exec = "ZXhlYyg"
76	$base64_decode = "YmFzZTY0X2RlY29kZ"
77	condition:
78	any of them
79	}
80
81	private rule hex
82	{
83	strings:
84	$eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
85	$exec = "\\x65\\x78\\x65\\x63" nocase
86	$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
87	$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
88	$http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
89
90	condition:
91	any of them
92	}
93
94	rule SuspiciousEncoding
95	{
96	condition:
97	base64 or hex
98	}
99
100	rule DodgyPhp
101	{
102	strings:
103	$vars = /\$___+/ // $__ is rarely used in legitimate scripts
104	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/
105	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
106	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
107	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
108	$restore_bypass = /ini_restore\(['"](safe_mode\|open_basedir)['"]\)/
109	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
110	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\(['"]\/[^\/]\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
111	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
112	$htaccess = "SetHandler application/x-httpd-php"
113	$udp_dos = /sockopen\s*\(['"]udp:\/\//
114
115	condition:
116	(any of them or CloudFlareBypass) and not IsWhitelisted
117	}
118
119	rule DangerousPhp
120	{
121	strings:
122	$system = "system" fullword // localroot bruteforcers have a lot of this
123
124	$ = "exec" fullword
125	$ = "eval" fullword
126	$ = "shell_exec" fullword
127	$ = "passthru" fullword
128	$ = "posix_getuid" fullword
129	$ = "posix_geteuid" fullword
130	$ = "posix_getgid" fullword
131	$ = "phpinfo" fullword
132	$ = "backticks" fullword
133	$ = "proc_open" fullword
134	$ = "win_shell_execute" fullword
135	$ = "win32_create_service" fullword
136	$ = "posix_getpwuid" fullword
137	$ = "shm_open" fullword
138	$ = "assert" fullword
139	$ = "fsockopen" fullword
140	$ = "function_exists" fullword
141	$ = "getmygid" fullword
142	$ = "php_uname" fullword
143	$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
144	$ = "fpassthru" fullword
145	$ = "posix_setuid" fullword
146	$ = "xmlrpc_decode" fullword
147	$ = "show_source" fullword
148	$ = "pcntl_exec" fullword
149	$ = "array_filter" fullword
150	$ = "call_user_func" fullword
151	$ = "register_shutdown_function" fullword
152	$ = "register_tick_function" fullword
153	$ = /ob_start\s\(\s[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
154	$ = "mb_ereg_replace_callback" fullword
155	$ = "preg_replace_callback" fullword
156
157	$whitelist = /escapeshellcmd\|escapeshellarg/
158
159	condition:
160	not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
161	}
162
163	rule DodgyStrings
164	{
165	strings:
166	$ = "/etc/passwd"
167	$ = "/etc/shadow"
168	$ = "/etc/resolv.conf"
169	$ = "/etc/syslog.conf"
170	$ = "/etc/proftpd.conf"
171	$ = "WinExec"
172	$ = "uname -a" fullword
173	$ = "nc -l" fullword
174	$ = "ls -la" fullword
175	$ = "cmd.exe" fullword nocase
176	$ = "ipconfig" fullword nocase
177	$ = "find . -type f" fullword
178	$ = "defaced" fullword nocase
179	$ = "slowloris" fullword nocase
180	$ = "id_rsa" fullword
181	$ = "backdoor" fullword nocase
182	$ = "webshell" fullword nocase
183	$ = "exploit" fullword nocase
184	$ = "hacking" fullword nocase
185	$ = "/proc/cpuinfo" fullword
186	$ = "/bin/sh" fullword
187	$ = "/bin/bash" fullword
188	$ = "ps -aux" fullword
189	$ = "b374k" fullword
190	$ = /(reverse\|web)\s*shell/ nocase
191
192	$vbs = /language\s=\svbscript/ nocase
193	$asp = "scripting.filesystemobject" nocase
194
195	condition:
196	IRC or 2 of them and not IsWhitelisted
197	}
198
199	rule Websites
200	{
201	strings:
202	$ = "milw0rm.com"
203	$ = "exploit-db.com"
204	$ = "1337day.com"
205	$ = "rapid7.com"
206	$ = "shodan.io"
207	$ = "packetstormsecurity"
208	$ = "crackfor" nocase
209	$ = "md5.rednoize"
210	$ = "hashcracking" nocase
211	$ = "darkc0de" nocase
212	$ = "securityfocus" nocase
213	$ = "antichat.ru"
214	$ = "KingDefacer" nocase
215	$ = "md5crack.com"
216	$ = "md5decrypter.com"
217	$ = "hashkiller.com"
218	$ = "hashchecker.com"
219	$ = "www.fopo.com.ar" /* Free Online Php Obfuscator */
220	$ = "ccteam.ru"
221	$ = "locus7s.com"
222
223	condition:
224	any of them and not IsWhitelisted
225	}