From 3114ac27af22899d30a5a6e8f3a127589b0041e3 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Mon, 9 Mar 2015 10:56:44 +0100
Subject: More obfuscator detection

---
 malwares.yara | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 96c5134..f75342e 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -7,10 +7,11 @@
 - http://obfuscator.uk/example/
 - http://w3webtools.com/encode-php-online/
 - http://www.joeswebtools.com/security/php-obfuscator/
- - Weevely3
+ - https://github.com/epinna/weevely3
 - http://cipherdesign.co.uk/service/php-obfuscator
 - http://sysadmin.cyklodev.com/online-php-obfuscator/
 - http://mohssen.org/SpinObf.php
+ - https://code.google.com/p/carbylamine/
 */

 private rule IsPhp
@@ -38,26 +39,17 @@ private rule IRC
 5 of them
 }
-private rule Weevely3 { strings: $launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ $replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/ condition: any of them } rule ObfuscatedPhp { strings: $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla} $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/ // 5 or #hexvars > 5 or Weevely3)
+ IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
 }
 rule CloudFlareBypass
@@ -79,8 +71,8 @@ rule DodgyPhp
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
- $various = "
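Review bot: The new condition on the `+ IsPhp and (...)` line of the ObfuscatedPhp hunk references `$eval`, `$launcher` and `$weevely3`, but the only string definitions legible in this hunk's strings section are `$vars`, `$hexvars` and `$eval_start` (the rest of the section appears to have been lost in extraction); yara rejects a condition that names an undefined string identifier at compile time, so confirm all three are declared inside ObfuscatedPhp before this is merged. The removed private rule also matched a second weevely3 launcher form, `$replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/`, which the new condition does not name, so either the new `$weevely3` pattern should cover it or the dropped coverage should be noted in the rule. Since these patterns now sit in a generic obfuscation rule rather than a rule named after the tool, a short comment on the launcher string would help the next maintainer, e.g. `// weevely3 agent launcher: $x=$y('',$z);$x();`, matching the existing `// ${blablabla}` comment style.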