From 4d0a0dcfc783a58acdeb49b40c8a8621e1577e25 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Wed, 3 Feb 2016 14:31:22 +0100
Subject: Finalize merge

---
 php-malware-finder/malwares.yara | 77 +++++++++++++++++++---------------------
 1 file changed, 37 insertions(+), 40 deletions(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index d0b5c35..285ee77 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,15 +57,13 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /(<\?php\s*\n*\r*|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)/  // ;eval( <- this is dodgy
+        $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[\t ]*\(/  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $strange_arg = /\${\$[0-9a-zA-z]+}/
         $too_many_chr = /(chr\([\d]+\)\.){2,}?/
-        $many_comments = /\/\*.{,28}\*\/[^\/]*\/\*/  // Something like as/* */ser/* */t
         $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/    
 condition:
         any of them and not IsWhitelisted
@@ -105,24 +103,23 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
     strings:
-        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
+        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
+        $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
         $double_encoding = /(base64_decode\s*\(\s*){2}/
         $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
-        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
-        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
-        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+        $htaccess = "SetHandler application/x-httpd-php"
+        $iis_com = /IIS:\/\/localhost\/w3svc/
+        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $ini_get = /ini_get\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
-     
-        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
+        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
         $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
-        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $htaccess = "SetHandler application/x-httpd-php"
+        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
+        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
         $udp_dos = /sockopen\s*\(['"]udp:\/\//
-        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
-        $iis_com = /IIS:\/\/localhost\/w3svc/
         $user_function = /(call_user_func|create_function)/
-        $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
+        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
+        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
 
     condition:
         (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -133,38 +130,38 @@ rule DangerousPhp
     strings:
         $system = "system" fullword  // localroot bruteforcers have a lot of this
 
-        $ = "exec" fullword
-        $ = "eval" fullword
-        $ = "shell_exec" fullword
-        $ = "passthru" fullword
-        $ = "posix_getuid" fullword
-        $ = "posix_geteuid" fullword
-        $ = "posix_getgid" fullword
-        $ = "phpinfo" fullword
-        $ = "backticks" fullword
-        $ = "proc_open" fullword
-        $ = "win_shell_execute" fullword
-        $ = "win32_create_service" fullword
-        $ = "posix_getpwuid" fullword
-        $ = "shm_open" fullword
+        $ = "array_filter" fullword
         $ = "assert" fullword
+        $ = "backticks" fullword
+        $ = "call_user_func" fullword
+        $ = "eval" fullword
+        $ = "exec" fullword
+        $ = "fpassthru" fullword
         $ = "fsockopen" fullword
         $ = "function_exists" fullword
         $ = "getmygid" fullword
+        $ = "mb_ereg_replace_callback" fullword
+        $ = "passthru" fullword
+        $ = "pcntl_exec" fullword
         $ = "php_uname" fullword
-        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
-        $ = "fpassthru" fullword
+        $ = "phpinfo" fullword
+        $ = "posix_geteuid" fullword
+        $ = "posix_getgid" fullword
+        $ = "posix_getpwuid" fullword
+        $ = "posix_getuid" fullword
         $ = "posix_setuid" fullword
-        $ = "xmlrpc_decode" fullword
-        $ = "show_source" fullword
-        $ = "pcntl_exec" fullword
-        $ = "array_filter" fullword
-        $ = "call_user_func" fullword
+        $ = "preg_replace_callback" fullword
+        $ = "proc_open" fullword
         $ = "register_shutdown_function" fullword
         $ = "register_tick_function" fullword
+        $ = "shell_exec" fullword
+        $ = "shm_open" fullword
+        $ = "show_source" fullword
+        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $ = "win32_create_service" fullword
+        $ = "win_shell_execute" fullword
+        $ = "xmlrpc_decode" fullword
         $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
-        $ = "mb_ereg_replace_callback" fullword
-        $ = "preg_replace_callback" fullword
 
         $whitelist = /escapeshellcmd|escapeshellarg/
 
@@ -176,7 +173,6 @@ rule DodgyStrings
 {
     strings:
         $ = "/../../../"
-        $ = /\/bin\/(ba)?sh/ fullword
         $ = "/etc/passwd"
         $ = "/etc/proftpd.conf"
         $ = "/etc/resolv.conf"
@@ -193,7 +189,6 @@ rule DodgyStrings
         $ = "defaced" fullword nocase
         $ = "exploit" fullword nocase
         $ = "find . -type f" fullword
-        $ = /hack(ing|er)/ nocase
         $ = "hashcrack" nocase
         $ = "id_rsa" fullword
         $ = "ipconfig" fullword nocase
@@ -207,6 +202,8 @@ rule DodgyStrings
         $ = "uname -a" fullword
         $ = "warez" fullword nocase
         $ = /(reverse|web)\s*shell/ nocase
+        $ = /\/bin\/(ba)?sh/ fullword
+        $ = /hack(ing|er)/ nocase
 
         $vbs = /language\s*=\s*vbscript/ nocase
         $asp = "scripting.filesystemobject" nocase
-- 
cgit v1.3