From 6beeeebe3c43f0643e521139d3f8b1ff4a7f3059 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Thu, 5 Mar 2015 15:36:22 +0100
Subject: Yara is cooler than Python

---
 malwares.yara | 161 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 161 insertions(+)
 create mode 100644 malwares.yara

(limited to 'malwares.yara')

diff --git a/malwares.yara b/malwares.yara
new file mode 100644
index 0000000..3d857c1
--- /dev/null
+++ b/malwares.yara
@@ -0,0 +1,161 @@
+private rule IsPhp
+{
+    strings:
+        $php = "<?"
+
+    condition:
+        $php
+}
+
+private rule IRC
+{
+    strings:
+        $a = "USER" fullword
+        $b = "PASS" fullword
+        $c = "PRIVMSG" fullword
+        $d = "MODE" fullword
+        $e = "PING" fullword
+        $f = "PONG" fullword
+        $g = "JOIN" fullword
+        $h = "PART" fullword
+
+    condition:
+        5 of them
+}
+
+rule ObfuscatedPhp
+{
+    strings:
+        $vars = /\$_{2,}/ fullword  // $__ is rarely used in legitimate scripts
+        $hexvars = /\${['"][\w\\]+['"]}/ fullword  // ${blablabla}
+        $eval_start = /(\s)*<\?(php)?(\n)*(\s)*eval\(/  // <?php eval(
+        $eval = /;@?eval\(/  // ;eval( <- this is dodgy
+        $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+
+    condition:
+        IsPhp and ($eval_start or $eval or $launcher or #vars > 5 or #hexvars > 5)
+}
+
+rule CloudFlareBypass
+{
+    strings:
+        $chk_jschl = "chk_jschl"
+        $jschl_vc = "jschl_vc"
+        $jschl_answer = "jschl_answer"
+
+    condition:
+        2 of them // Better be safe than sorry
+}
+
+rule DodgyPhp
+{
+    strings:
+        $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gzinflate|getenv|\\?\$_(GET|REQUEST|POST))/
+        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
+        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
+        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
+        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
+        $various = "<!--#exec cmd="
+        $pr = /preg_replace\(['"]\/[^\/]+e['"],/
+        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
+        $htaccess = "SetHandler application/x-httpd-php"
+
+    condition:
+        IsPhp and any of them
+}
+
+rule DangerousPhp
+{
+    strings:
+        $system = "system" fullword  // localroot bruteforcers have a lot of this
+
+        $a = "exec" fullword
+        $b = "eval" fullword
+        $c = "shell_exec" fullword
+        $v = "passthru" fullword
+        $e = "posix_getuid" fullword
+        $f = "posix_geteuid" fullword
+        $g = "posix_getgid" fullword
+        $h = "phpinfo" fullword
+        $i = "backticks" fullword
+        $j = "proc_open" fullword
+        $k = "win_shell_execute" fullword
+        $l = "win32_create_service" fullword
+        $m = "posix_getpwuid" fullword
+        $n = "shmop_open" fullword
+        $o = "assert" fullword
+        $p = "fsockopen" fullword
+        $q = "function_exists" fullword
+        $r = "getmygid" fullword
+        $s = "php_uname" fullword
+        $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $u = "fpassthru" fullword
+
+        $whitelist = /escapeshellcmd|escapeshellarg/
+
+    condition:
+        not $whitelist and (5 of them or #system > 250)
+}
+
+rule Weevely3
+{
+    strings:
+        $launcher = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
+        $replace = /\$\w=str_replace\('.', ''(,\$\w)+\);/
+
+    condition:
+        IsPhp and any of them
+}
+
+rule DodgyStrings
+{
+    strings:
+        $a = "/etc/passwd"
+        $b = "/etc/shadow"
+        $c = "/etc/resolv.conf"
+        $d = "/etc/syslog.conf"
+        $e = "/etc/proftpd.conf"
+        $e = "WinExec"
+        $f = "uname -a" fullword
+        $g = "nc -l" fullword
+        $h = "ls -la" fullword
+        $i = "cmd.exe" fullword nocase
+        $j = "ipconfig" fullword nocase
+        $k = "find . -type f" fullword
+        $l = "defaced" fullword nocase
+        $m = "slowloris" fullword nocase
+        $o = "id_rsa" fullword
+        $p = "backdoor" fullword nocase
+        $q = "webshell" fullword nocase
+        $r = "exploit" fullword nocase
+        $s = "hacking" fullword nocase
+        $t = "/proc/cpuinfo" fullword
+        $u = "/bin/sh" fullword
+        $v = "/bin/bash" fullword
+        $w = "ps -aux" fullword
+
+    condition:
+        IsPhp and (IRC or 2 of them)
+}
+
+rule ExploitsWebsites
+{
+    strings:
+        $milw0rm = "milw0rm"
+        $exploitsdb = "exploit-db.com"
+        $injector = "1337day.com"
+        $rapid7 = "rapid7.com"
+
+    condition:
+        any of them
+}
+
+rule DodgyFiletypes
+{
+    strings:
+        $elf = { 7f 45 4c 46 }
+        $pe = "MZ"
+
+    condition:
+        $elf at 0 or (for any i in (1..#pe): (uint32(@pe[i] + uint32(@pe[i] + 0x3C)) == 0x00004550))
+}
-- 
cgit v1.3