From 0fdae3a7ac0d99624626ae42ae7966689b1b989a Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 9 Jul 2015 11:53:51 +0200
Subject: Add a whitelist system
---
 malwares.yara | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/malwares.yara b/malwares.yara
index 0df037b..b3f5e78 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -1,3 +1,4 @@
+import "hash"
 /*
 Detect:
 - phpencode.org
@@ -14,6 +15,15 @@
 - https://code.google.com/p/carbylamine/
 */
+private rule IsWhitelisted
+{
+condition:
+/* Prestashop 1.6.1.0 */
+hash.sha1(0, filesize) == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
+hash.sha1(0, filesize) == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
+hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" // classes/Tools.php
+}
 private rule IsPhp
 {
 strings:
@@ -62,7 +72,7 @@ rule ObfuscatedPhp
 $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
 $strange_arg = /\${\$[0-9a-zA-z]+}/
 condition:
-IsPhp and any of them
+IsPhp and any of them and not IsWhitelisted
 }
 private rule base64
@@ -111,7 +121,7 @@ rule DodgyPhp
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
 condition:
-IsPhp and (any of them or CloudFlareBypass)
+IsPhp and (any of them or CloudFlareBypass) and not IsWhitelisted
 }
 rule DangerousPhp
@@ -148,7 +158,7 @@ rule DangerousPhp
 $whitelist = /escapeshellcmd|escapeshellarg/
 condition:
-IsPhp and not $whitelist and (5 of them or #system > 250)
+IsPhp and not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
 }
 rule DodgyStrings
-- 
cgit v1.3
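Review bot: IsWhitelisted keys on the full-file SHA-1 of three specific Prestashop 1.6.1.0 files, so any other release, a locally patched copy or a file with bytes appended drops out of the whitelist again; that is the safe direction (a tampered Tools.php is still scanned), but it means the list must be regenerated on every Prestashop upgrade and the rule does not say so. I would extend the existing comment to `/* Prestashop 1.6.1.0 - exact-content matches only; regenerate on upgrade; record which rule each file tripped so entries can be retired once that rule is tightened */`. The `import "hash"` added in the first hunk also makes the whole file refuse to load on a YARA built without the hash module (it depends on OpenSSL at build time, as far as I recall), which deserves a one-line comment next to the import. `hash.sha256(0, filesize)` is available from the same module at no extra cost; a second preimage against SHA-1 is not practical today, but switching now avoids revisiting the list later.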
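Review bot: `and not IsWhitelisted` is appended to ObfuscatedPhp here and to DodgyPhp and DangerousPhp in the next two hunks, but DodgyStrings, whose header is the last context line of the patch, gets no such clause in this commit, so whether the whitelist covers it depends on code outside the patch; if every public rule is meant to honour it, DodgyStrings needs the same suffix. Keeping the clause last in each condition is the right shape, since `hash.sha1(0, filesize)` reads the whole file and, with YARA's left-to-right short-circuit evaluation of `and` (worth confirming for the version in use), the hash is then only computed for files that already matched the string conditions. Three hand-copied suffixes will drift; a comment on IsWhitelisted such as `// must be referenced from every public rule: ObfuscatedPhp, DodgyPhp, DangerousPhp, ...` makes an omission visible in future reviews.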