From d3e3e2e8cd0e79ad388c55650d6ffb459c4f1182 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Tue, 24 Mar 2015 11:05:36 +0100
Subject: Add some encoding rules, and remove some false-positives
---
 malwares.yara | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/malwares.yara b/malwares.yara
index 88f6e94..3adc5f8 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -17,7 +17,7 @@ private rule IsPhp
 {
 strings:
- $php = " 5 or #hexvars > 5 or $weevely3)
+ IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
+}
+
+private rule base64
+{
+ strings:
+ $eval = "ZXZhbCg"
+ $system = "c3lzdGVt"
+ $preg_replace = "cHJlZ19yZXBsYWNl"
+ $exec = "ZXhlYyg"
+ condition:
+ any of them
+}
+
+private rule hex
+{
+ strings:
+ $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
+ $exec = "\\x65\\x78\\x65\\x63" nocase
+ $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
+ $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+
+ condition:
+ any of them
+}
+
+rule SuspiciousEncoding
+{
+ condition:
+ IsPhp and (base64 or hex)
 }
 rule DodgyPhp
 {
 strings:
- $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gzinflate|getenv|\\?\$_(GET|REQUEST|POST))/
+ $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
@@ -107,6 +136,8 @@ rule DangerousPhp
 $s = "php_uname" fullword
 $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
 $u = "fpassthru" fullword
+ $v = "posix_setuid" fullword
+ $w = "xmlrpc_decode" fullword
 $whitelist = /escapeshellcmd|escapeshellarg/
-- 
cgit v1.3
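Review bot: Each string in the new private rule `base64` matches only one of the three byte alignments of its keyword, so `$eval = "ZXZhbCg"` is silent whenever `eval(` does not start at a 3-byte boundary of the encoded text; the other two alignments need to be added as further strings (on YARA 4.0 and later a single plain `"eval("` string with the `base64` modifier covers all three, but that modifier did not exist when this was written). The private rule `hex` is also inconsistent about anchoring: `$eval` ends in the opening parenthesis (`\\x28`) while `$exec` and `$system` do not, so `\x65\x78\x65\x63` also fires on hex-escaped `execute`, `executable` and the like, which cuts against the subject line's aim; `$exec = "\\x65\\x78\\x65\\x63\\x28" nocase` would give it the same tightness as `$eval`. The removed line `- $php = "` and the rewritten condition line appear fused in this copy of the patch (the text between them is lost), so that part of the hunk cannot be reviewed. As an aside, `base64` later became a reserved keyword in YARA 4.0, so a private rule with that name is likely to stop compiling there; a descriptive name such as `Base64EncodedCalls` sidesteps this.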
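Review bot: The two strings added to `DangerousPhp` keep the single-letter `$s`…`$w` naming with no note on why each function earns a place in the list, which makes later false-positive pruning (the stated goal of this commit) guesswork; a trailing comment per string would help, e.g. `$v = "posix_setuid" fullword // changes the real uid of the PHP process` and `$w = "xmlrpc_decode" fullword // decodes XML-RPC payloads, typically attacker-supplied`. Unlike `posix_setuid`, `xmlrpc_decode` also appears in ordinary XML-RPC service code, so it is a weaker indicator on its own; the rule's condition and how `$whitelist` offsets the count are outside this hunk, so whether one hit on it suffices to fire the rule cannot be judged from here.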