From 1c7deb02ca805a28d6485f76e44ee0b7fe6f31d4 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Fri, 26 Feb 2016 11:53:40 +0100
Subject: Did you know that php functions aren't case-sensitive ?

---
 php-malware-finder/malwares.yara | 108 ++++++++++++++++++++-------------------
 1 file changed, 55 insertions(+), 53 deletions(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index a326ef3..81de9e5 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/  // ;eval( <- this is dodgy
+        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/ nocase  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
@@ -108,16 +108,16 @@ rule DodgyPhp
         $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
         $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
         $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
+        $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
         $htaccess = "SetHandler application/x-httpd-php"
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(\s*['"]\/[^\/]*\/e/  // http://php.net/manual/en/function.preg-replace.php
+        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(\s*['"]\/[^\/]*\/e/  nocase // http://php.net/manual/en/function.preg-replace.php
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
         $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\//
-        $user_function = /(call_user_func|create_function)/
+        $user_function = /(call_user_func|create_function)/ nocase
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
 
     condition:
@@ -127,56 +127,56 @@ rule DodgyPhp
 rule DangerousPhp
 {
     strings:
-        $system = "system" fullword  // localroot bruteforcers have a lot of this
+        $system = "system" fullword nocase  // localroot bruteforcers have a lot of this
 
-        $ = "array_filter" fullword
-        $ = "assert" fullword
-        $ = "backticks" fullword
-        $ = "call_user_func" fullword
-        $ = "eval" fullword
-        $ = "exec" fullword
-        $ = "fpassthru" fullword
-        $ = "fsockopen" fullword
-        $ = "function_exists" fullword
-        $ = "getmygid" fullword
-        $ = "shmop_open" fullword
-        $ = "mb_ereg_replace_callback" fullword
-        $ = "passthru" fullword
-        $ = "pcntl_exec" fullword
-        $ = "pcntl_fork" fullword
-        $ = "php_uname" fullword
-        $ = "phpinfo" fullword
-        $ = "posix_geteuid" fullword
-        $ = "posix_getgid" fullword
-        $ = "posix_getpgid" fullword
-        $ = "posix_getppid" fullword
-        $ = "posix_getpwnam" fullword
-        $ = "posix_getpwuid" fullword
-        $ = "posix_getsid" fullword
-        $ = "posix_getuid" fullword
-        $ = "posix_kill" fullword
-        $ = "posix_setegid" fullword
-        $ = "posix_seteuid" fullword
-        $ = "posix_setgid" fullword
-        $ = "posix_setpgid" fullword
-        $ = "posix_setsid" fullword
-        $ = "posix_setsid" fullword
-        $ = "posix_setuid" fullword
+        $ = "array_filter" fullword nocase
+        $ = "assert" fullword nocase
+        $ = "backticks" fullword nocase
+        $ = "call_user_func" fullword nocase
+        $ = "eval" fullword nocase
+        $ = "exec" fullword nocase
+        $ = "fpassthru" fullword nocase
+        $ = "fsockopen" fullword nocase
+        $ = "function_exists" fullword nocase
+        $ = "getmygid" fullword nocase
+        $ = "shmop_open" fullword nocase
+        $ = "mb_ereg_replace_callback" fullword nocase
+        $ = "passthru" fullword nocase
+        $ = "pcntl_exec" fullword nocase
+        $ = "pcntl_fork" fullword nocase
+        $ = "php_uname" fullword nocase
+        $ = "phpinfo" fullword nocase
+        $ = "posix_geteuid" fullword nocase
+        $ = "posix_getgid" fullword nocase
+        $ = "posix_getpgid" fullword nocase
+        $ = "posix_getppid" fullword nocase
+        $ = "posix_getpwnam" fullword nocase
+        $ = "posix_getpwuid" fullword nocase
+        $ = "posix_getsid" fullword nocase
+        $ = "posix_getuid" fullword nocase
+        $ = "posix_kill" fullword nocase
+        $ = "posix_setegid" fullword nocase
+        $ = "posix_seteuid" fullword nocase
+        $ = "posix_setgid" fullword nocase
+        $ = "posix_setpgid" fullword nocase
+        $ = "posix_setsid" fullword nocase
+        $ = "posix_setsid" fullword nocase
+        $ = "posix_setuid" fullword nocase
         $ = "preg_replace_callback" fullword
-        $ = "proc_open" fullword
-        $ = "register_shutdown_function" fullword
-        $ = "register_tick_function" fullword
-        $ = "shell_exec" fullword
-        $ = "shm_open" fullword
-        $ = "show_source" fullword
-        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
-        $ = "stream_socket_pair"
-        $ = "win32_create_service" fullword
-        $ = "win_shell_execute" fullword
-        $ = "xmlrpc_decode" fullword
+        $ = "proc_open" fullword nocase
+        $ = "register_shutdown_function" fullword nocase
+        $ = "register_tick_function" fullword nocase
+        $ = "shell_exec" fullword nocase
+        $ = "shm_open" fullword nocase
+        $ = "show_source" fullword nocase
+        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
+        $ = "stream_socket_pair" nocase
+        $ = "win32_create_service" fullword nocase
+        $ = "win_shell_execute" fullword nocase
+        $ = "xmlrpc_decode" fullword nocase nocase
         $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
 
-        $whitelist = /escapeshellcmd|escapeshellarg/
+        $whitelist = /escapeshellcmd|escapeshellarg/ nocase
 
     condition:
         not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
@@ -205,7 +205,7 @@ rule DodgyStrings
         $ = "backdoor" fullword nocase
         $ = /(c99|r57|fx29)shell/
         $ = "cmd.exe" fullword nocase
-        $ = "defaced" fullword nocase
+        $ = /defac(ed|er|ement|ing)/ fullword nocase
         $ = "evilc0ders" fullword nocase
         $ = "exploit" fullword nocase
         $ = "find . -type f" fullword
@@ -224,12 +224,14 @@ rule DodgyStrings
         $ = "rootkit" fullword nocase
         $ = "slowloris" fullword nocase
         $ = "suhosin.executor.func.blacklist"
+        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
         $ = "uname -a" fullword
         $ = "warez" fullword nocase
+        $ = "whoami" fullword
         $ = /(reverse|web)\s*shell/ nocase
         $ = /-perm -0[24]000/ // find setuid files
         $ = /\/bin\/(ba)?sh/ fullword
-        $ = /hack(ing|er)/ nocase
+        $ = /hack(ing|er|ed)/ nocase
         $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
 
         $vbs = /language\s*=\s*vbscript/ nocase
-- 
cgit v1.3