From 5435c0a936edf7f568a563be0d5b00f02d4b1905 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Thu, 5 Mar 2015 19:05:50 +0100
Subject: Update rules to detect packers

---
 malwares.yara | 42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 3d857c1..96c5134 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -1,3 +1,18 @@
+/*
+  Detect:
+    - phpencode.org
+    - http://www.pipsomania.com/best_php_obfuscator.do
+    - http://atomiku.com/online-php-code-obfuscator/
+    - http://www.webtoolsvn.com/en-decode/
+    - http://obfuscator.uk/example/
+    - http://w3webtools.com/encode-php-online/
+    - http://www.joeswebtools.com/security/php-obfuscator/
+    - Weevely3
+    - http://cipherdesign.co.uk/service/php-obfuscator
+    - http://sysadmin.cyklodev.com/online-php-obfuscator/
+    - http://mohssen.org/SpinObf.php
+*/
+
 private rule IsPhp
 {
   strings:
@@ -23,17 +38,26 @@ private rule IRC
     5 of them
 }
 
+private rule Weevely3
+{
+  strings:
+    $launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
+    $replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/
+
+  condition:
+    any of them
+}
+
 rule ObfuscatedPhp
 {
   strings:
     $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
     $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
     $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/ // 5 or #hexvars > 5)
+    IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or Weevely3)
 }
 
 rule CloudFlareBypass
@@ -56,7 +80,7 @@ rule DodgyPhp
     $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
     $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
     $various = "
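Review bot: Both strings of the new `Weevely3` rule use `\$\w`, which matches exactly one word character after the `$`, so the rule is tied to single-letter variable names and a sample with any longer name is not matched; the structure is the same with `\$\w+`, e.g. `$launcher = /\$\w+=\$[a-zA-Z]+\('',\$\w+\);\$\w+\(\);/` and `$replace = /\$\w+=str_replace\('\.', ''(,\$\w+)+\);/`. In `$replace` the `.` inside `'.'` is an unescaped regex metacharacter and matches any single character, so either escape it as shown or add a comment stating that any one-character separator is intended. The new strings also carry no explanatory comment, while `$vars` and `$hexvars` in `ObfuscatedPhp` do; a short note next to each such as `// $a=$b('',$c);$a();` would make the matched shape obvious to the next maintainer. The lines between `$eval_start` and the new `IsPhp and (...)` condition are unreadable in this hunk, so the removed condition and any removed strings are not reviewed here.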