From 9d4b89be1fa740e183bf9ec69abca477796b4f3f Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Mon, 9 Mar 2015 14:40:15 +0100
Subject: Delete binary detection
---
 malwares.yara | 46 +++++++++++++++++++++-------------------------
 1 file changed, 21 insertions(+), 25 deletions(-)
diff --git a/malwares.yara b/malwares.yara
index f75342e..88f6e94 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -39,6 +39,17 @@ private rule IRC
 5 of them
 }
+private rule CloudFlareBypass
+{
+ strings:
+ $chk_jschl = "chk_jschl"
+ $jschl_vc = "jschl_vc"
+ $jschl_answer = "jschl_answer"
+
+ condition:
+ 2 of them // Better be safe than sorry
+
 rule ObfuscatedPhp
 {
 strings:
@@ -46,21 +57,11 @@ rule ObfuscatedPhp
 $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
 $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/ // 5 or #hexvars > 5 or $weevely3)
-}
-
-rule CloudFlareBypass
-{
- strings:
- $chk_jschl = "chk_jschl"
- $jschl_vc = "jschl_vc"
- $jschl_answer = "jschl_answer"
-
- condition:
- 2 of them // Better be safe than sorry
+ IsPhp and ($align or $eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
 }
 rule DodgyPhp
@@ -77,7 +78,7 @@ rule DodgyPhp
 $htaccess = "SetHandler application/x-httpd-php"
 condition:
- IsPhp and any of them
+ IsPhp and (any of them or CloudFlareBypass)
 }
 rule DangerousPhp
@@ -110,7 +111,7 @@ rule DangerousPhp
 $whitelist = /escapeshellcmd|escapeshellarg/
 condition:
- not $whitelist and (5 of them or #system > 250)
+ IsPhp and not $whitelist and (5 of them or #system > 250)
 }
 rule DodgyStrings
@@ -139,6 +140,11 @@ rule DodgyStrings
 $u = "/bin/sh" fullword
 $v = "/bin/bash" fullword
 $w = "ps -aux" fullword
+ $x = "b374k" fullword
+ $y = /(reverse|web)\s*shell/ nocase
+
+ $vbs = /language\s*=\s*vbscript/ nocase
+ $asp = "scripting.filesystemobject" nocase
 condition:
 IsPhp and (IRC or 2 of them)
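Review bot: The three strings in the new private rule CloudFlareBypass are, presumably, CloudFlare's own JavaScript-challenge form field names rather than anything specific to a bypass script, so a cached challenge page or the source of a benign scraping client satisfies `2 of them` just as readily, and DodgyPhp now reports such files through the change in the DodgyPhp hunk. The comment `// Better be safe than sorry` does not tell the reader which direction "safe" means; I would replace it with `// 2 of 3: these field names also occur in CloudFlare's challenge HTML itself, so expect hits on cached pages`. The strings are case-sensitive and not `fullword`, which is fine for fixed form names but worth stating on the strings block.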
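Review bot: `IsPhp and (any of them or CloudFlareBypass)` is now the only path to the CloudFlareBypass match, and since the ObfuscatedPhp hunk deletes the public `rule CloudFlareBypass`, a bypass client that is not PHP (the same field names in a Python or JavaScript file) no longer matches anything in this file; the subject only mentions binary detection, so this narrowing looks unintended, or at least undocumented. If it is intended, a comment on the condition such as `// CloudFlareBypass is only reported inside PHP files; non-PHP bypass clients are out of scope` keeps the next reader from re-adding the public rule. If it is not, a one-line public wrapper rule whose condition is just `CloudFlareBypass`, with no IsPhp gate, restores the previous coverage.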
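Review bot: The rewritten condition keeps `not $whitelist` as a global veto, so one `escapeshellarg(` anywhere in the file, reachable or not, switches DangerousPhp off even for a file that passes the `#system > 250` branch, which is a cheap evasion. `them` also includes `$whitelist` itself, so the count and the veto interact in a way the line does not make obvious. I would stop the whitelist from overriding the high-count branch, `IsPhp and ((not $whitelist and 5 of them) or #system > 250)`, and note above it that the whitelist reduces false positives rather than proving the file safe. The `$system` string and the rest of DangerousPhp are outside the hunk.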
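Review bot: `$vbs` and `$asp` are ASP/VBScript markers, but the condition `IsPhp and (IRC or 2 of them)` only counts them inside files IsPhp already accepts, so a stand-alone ASP shell with no PHP tag still matches nothing here; if the target is PHP files carrying an ASP payload, a comment next to them (`// ASP/VBScript markers: only counted inside PHP files, see condition`) should say so, otherwise they belong in a rule without the IsPhp gate. `$y = /(reverse|web)\s*shell/ nocase` has no word boundary, so "webshell" in a comment, a URL or a scanner's own source is one of the two required hits; `/\b(reverse|web)\s*shell\b/ nocase` tightens it. `$x = "b374k" fullword` is case-sensitive while its neighbours are `nocase`; if upper-case spellings of that banner are expected, add `nocase` there too.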
@@ -155,15 +161,5 @@ rule ExploitsWebsites
 $packetstorm = "packetstormsecurity.com"
 condition:
- any of them
-}
-
-rule DodgyFiletypes
-{
- strings:
- $elf = { 7f 45 4c 46 }
- $pe = "MZ"
-
- condition:
- $elf at 0 or (for any i in (1..#pe): (uint32(@pe[i] + uint32(@pe[i] + 0x3C)) == 0x00004550))
+ IsPhp and any of them
 }
-- cgit v1.3
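Review bot: With DodgyFiletypes deleted and ExploitsWebsites now gated by `IsPhp and any of them`, every rule visible in this diff depends on IsPhp, so an uploaded ELF or PE is no longer reported by this file; the subject says that is deliberate, but nothing in the file records the new scope. A comment above ExploitsWebsites or near the IsPhp definition (which is outside this hunk), e.g. `// This ruleset only classifies PHP sources; ELF/PE detection was removed on purpose`, would stop users from assuming executables are still covered.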