From 7b4a39bb2d44b0cc1119aa8ba10caed7ebedb5e3 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 9 Jul 2015 13:36:16 +0200
Subject: Use anonymous strings where it makes sense to do so.

---
 malwares.yara | 164 +++++++++++++++++++++++++++++-----------------------------
 1 file changed, 82 insertions(+), 82 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index d438854..0ec4eee 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -37,14 +37,14 @@ global private rule IsPhp
 private rule IRC
 {
     strings:
-        $a = "USER" fullword
-        $b = "PASS" fullword
-        $c = "PRIVMSG" fullword
-        $d = "MODE" fullword
-        $e = "PING" fullword
-        $f = "PONG" fullword
-        $g = "JOIN" fullword
-        $h = "PART" fullword
+        $ = "USER" fullword
+        $ = "PASS" fullword
+        $ = "PRIVMSG" fullword
+        $ = "MODE" fullword
+        $ = "PING" fullword
+        $ = "PONG" fullword
+        $ = "JOIN" fullword
+        $ = "PART" fullword
     condition:
         5 of them
@@ -53,9 +53,9 @@ private rule IRC
 private rule CloudFlareBypass
 {
     strings:
-        $chk_jschl = "chk_jschl"
-        $jschl_vc = "jschl_vc"
-        $jschl_answer = "jschl_answer"
+        $ = "chk_jschl"
+        $ = "jschl_vc"
+        $ = "jschl_answer"
     condition:
         2 of them // Better be safe than sorry
@@ -68,7 +68,7 @@ rule ObfuscatedPhp
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
         $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
-        $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
         $strange_arg = /\${\$[0-9a-zA-z]+}/
     condition:
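Review bot: Turning the named identifiers into anonymous `$` strings removes the per-string label from match output, so a matched-string listing reports each IRC hit only as `$` at an offset rather than, say, `$c` for PRIVMSG; the same applies to the CloudFlareBypass, DangerousPhp, DodgyStrings and Websites hunks. That is a fair trade for rules whose condition only counts (`5 of them`), but the reason is not stated anywhere in the file, so a one-line comment above the block such as `// anonymous on purpose: only the match count matters, see the condition` would stop a later contributor from reintroducing names (and, as the old `$v`, `$e` and `$md5crack` entries show, accidental duplicates) by hand.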
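Review bot: The rename `$launcher` → `$c99_launcher` only compiles if ObfuscatedPhp's condition, which lies outside this hunk, does not refer to `$launcher` by name; please confirm it uses `any of them` (or was updated in the same commit). On the context line two below it, the character class in `$strange_arg = /\${\$[0-9a-zA-z]+}/` spans `A-z`, which also admits `[`, `\`, `]`, `^` and the backtick, so it reads like a typo for `A-Z`; since `_` is a legal PHP identifier character anyway, `$strange_arg = /\${\$\w+}/` expresses the apparent intent and matches the style of the sibling patterns.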
@@ -129,31 +129,31 @@ rule DangerousPhp
     strings:
         $system = "system" fullword // localroot bruteforcers have a lot of this
-        $a = "exec" fullword
-        $b = "eval" fullword
-        $c = "shell_exec" fullword
-        $v = "passthru" fullword
-        $e = "posix_getuid" fullword
-        $f = "posix_geteuid" fullword
-        $g = "posix_getgid" fullword
-        $h = "phpinfo" fullword
-        $i = "backticks" fullword
-        $j = "proc_open" fullword
-        $k = "win_shell_execute" fullword
-        $l = "win32_create_service" fullword
-        $m = "posix_getpwuid" fullword
-        $n = "shm_open" fullword
-        $o = "assert" fullword
-        $p = "fsockopen" fullword
-        $q = "function_exists" fullword
-        $r = "getmygid" fullword
-        $s = "php_uname" fullword
-        $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
-        $u = "fpassthru" fullword
-        $v = "posix_setuid" fullword
-        $w = "xmlrpc_decode" fullword
-        $x = "show_source" fullword
-        $y = "pcntl_exec" fullword
+        $ = "exec" fullword
+        $ = "eval" fullword
+        $ = "shell_exec" fullword
+        $ = "passthru" fullword
+        $ = "posix_getuid" fullword
+        $ = "posix_geteuid" fullword
+        $ = "posix_getgid" fullword
+        $ = "phpinfo" fullword
+        $ = "backticks" fullword
+        $ = "proc_open" fullword
+        $ = "win_shell_execute" fullword
+        $ = "win32_create_service" fullword
+        $ = "posix_getpwuid" fullword
+        $ = "shm_open" fullword
+        $ = "assert" fullword
+        $ = "fsockopen" fullword
+        $ = "function_exists" fullword
+        $ = "getmygid" fullword
+        $ = "php_uname" fullword
+        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $ = "fpassthru" fullword
+        $ = "posix_setuid" fullword
+        $ = "xmlrpc_decode" fullword
+        $ = "show_source" fullword
+        $ = "pcntl_exec" fullword
         $whitelist = /escapeshellcmd|escapeshellarg/
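Review bot: `$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"` is the one entry in this list that is not `fullword`, and as a literal it depends on exactly one space after each comma, so `socket_create(AF_INET,SOCK_STREAM,SOL_TCP)` or a call wrapped across lines is missed; a regex such as `$ = /socket_create\(\s*AF_INET\s*,\s*SOCK_STREAM\s*,\s*SOL_TCP\s*\)/` keeps the intent and tolerates spacing. `$ = "backticks" fullword` also deserves a second look: it matches the English word, not PHP's backtick operator, so if the operator is what the rule is after, the string does not do it, and a short comment saying what it is meant to catch would settle the question. The condition that weighs `$system` and `$whitelist` against the anonymous set is outside this hunk.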
@@ -164,31 +164,31 @@ rule DangerousPhp
 rule DodgyStrings
 {
     strings:
-        $a = "/etc/passwd"
-        $b = "/etc/shadow"
-        $c = "/etc/resolv.conf"
-        $d = "/etc/syslog.conf"
-        $e = "/etc/proftpd.conf"
-        $e = "WinExec"
-        $f = "uname -a" fullword
-        $g = "nc -l" fullword
-        $h = "ls -la" fullword
-        $i = "cmd.exe" fullword nocase
-        $j = "ipconfig" fullword nocase
-        $k = "find . -type f" fullword
-        $l = "defaced" fullword nocase
-        $m = "slowloris" fullword nocase
-        $o = "id_rsa" fullword
-        $p = "backdoor" fullword nocase
-        $q = "webshell" fullword nocase
-        $r = "exploit" fullword nocase
-        $s = "hacking" fullword nocase
-        $t = "/proc/cpuinfo" fullword
-        $u = "/bin/sh" fullword
-        $v = "/bin/bash" fullword
-        $w = "ps -aux" fullword
-        $x = "b374k" fullword
-        $y = /(reverse|web)\s*shell/ nocase
+        $ = "/etc/passwd"
+        $ = "/etc/shadow"
+        $ = "/etc/resolv.conf"
+        $ = "/etc/syslog.conf"
+        $ = "/etc/proftpd.conf"
+        $ = "WinExec"
+        $ = "uname -a" fullword
+        $ = "nc -l" fullword
+        $ = "ls -la" fullword
+        $ = "cmd.exe" fullword nocase
+        $ = "ipconfig" fullword nocase
+        $ = "find . -type f" fullword
+        $ = "defaced" fullword nocase
+        $ = "slowloris" fullword nocase
+        $ = "id_rsa" fullword
+        $ = "backdoor" fullword nocase
+        $ = "webshell" fullword nocase
+        $ = "exploit" fullword nocase
+        $ = "hacking" fullword nocase
+        $ = "/proc/cpuinfo" fullword
+        $ = "/bin/sh" fullword
+        $ = "/bin/bash" fullword
+        $ = "ps -aux" fullword
+        $ = "b374k" fullword
+        $ = /(reverse|web)\s*shell/ nocase
         $vbs = /language\s*=\s*vbscript/ nocase
         $asp = "scripting.filesystemobject" nocase
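Review bot: `$ = "WinExec"` is the only Windows indicator in this list left case-sensitive and without `fullword`, while its neighbours `cmd.exe` and `ipconfig` are `fullword nocase`; unless the difference is deliberate, `$ = "WinExec" fullword nocase` would be consistent and would not fire from inside a longer identifier. Several of the now-anonymous words (`exploit`, `hacking`, `backdoor`, `webshell`) appear in security tooling and documentation as readily as in web shells, so a one-line comment above the block noting that these are weak, count-only indicators would explain to the next reader why they are grouped as `fullword nocase` rather than weighted individually. The rule's condition is outside this hunk, so how these count against the named `$vbs` and `$asp` cannot be checked here.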
@@ -200,26 +200,26 @@ rule DodgyStrings
 rule Websites
 {
     strings:
-        $milw0rm = "milw0rm.com"
-        $exploitsdb = "exploit-db.com"
-        $injector = "1337day.com"
-        $rapid7 = "rapid7.com"
-        $shodan = "shodan.io"
-        $packetstorm = "packetstormsecurity"
-        $crackfor = "crackfor" nocase
-        $rednoize = "md5.rednoize"
-        $hashcracking = "hashcracking" nocase
-        $darkc0de = "darkc0de" nocase
-        $securityfocus = "securityfocus" nocase
-        $antichat = "antichat.ru"
-        $kingdefacer = "KingDefacer" nocase
-        $md5crack = "md5crack.com"
-        $md5crack = "md5decrypter.com"
-        $hashkiller = "hashkiller.com"
-        $hashchecker = "hashchecker.com"
-        $fopo = "www.fopo.com.ar" /* Free Online Php Obfuscator */
-        $ccteam = "ccteam.ru"
-        $locus = "locus7s.com"
+        $ = "milw0rm.com"
+        $ = "exploit-db.com"
+        $ = "1337day.com"
+        $ = "rapid7.com"
+        $ = "shodan.io"
+        $ = "packetstormsecurity"
+        $ = "crackfor" nocase
+        $ = "md5.rednoize"
+        $ = "hashcracking" nocase
+        $ = "darkc0de" nocase
+        $ = "securityfocus" nocase
+        $ = "antichat.ru"
+        $ = "KingDefacer" nocase
+        $ = "md5crack.com"
+        $ = "md5decrypter.com"
+        $ = "hashkiller.com"
+        $ = "hashchecker.com"
+        $ = "www.fopo.com.ar" /* Free Online Php Obfuscator */
+        $ = "ccteam.ru"
+        $ = "locus7s.com"
     condition:
         any of them
-- 
cgit v1.3
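Review bot: With `any of them` at the bottom of this hunk, a single occurrence of `rapid7.com`, `shodan.io` or `securityfocus` is enough to flag a file, and those names turn up in legitimate code comments and advisory references at least as often as in web shells; consider `2 of them`, or keeping the vendor/advisory domains in a separate, weaker group, so that one citation does not trip the rule on its own. The inline `/* Free Online Php Obfuscator */` is the only explanation in the list; a short comment on the less self-describing entries (`crackfor`, `md5.rednoize`, `locus7s.com`) would help a maintainer judge later which ones are still worth keeping, which matters more now that the entries carry no names of their own.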