From ff0c609ce15299fcd0da5f5b471d3519495977ff Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Thu, 8 Oct 2015 17:44:47 +0200
Subject: reorganized git repo

---
 malwares.yara | 225 ----------------------------------------------------------
 1 file changed, 225 deletions(-)
 delete mode 100644 malwares.yara

(limited to 'malwares.yara')

diff --git a/malwares.yara b/malwares.yara
deleted file mode 100644
index 569f16c..0000000
--- a/malwares.yara
+++ /dev/null
@@ -1,225 +0,0 @@
-import "hash"
-include "whitelist.yara"
-
-/*
-    Detect:
-        - phpencode.org
-        - http://www.pipsomania.com/best_php_obfuscator.do
-        - http://atomiku.com/online-php-code-obfuscator/
-        - http://www.webtoolsvn.com/en-decode/
-        - http://obfuscator.uk/example/
-        - http://w3webtools.com/encode-php-online/
-        - http://www.joeswebtools.com/security/php-obfuscator/
-        - https://github.com/epinna/weevely3
-        - http://cipherdesign.co.uk/service/php-obfuscator
-        - http://sysadmin.cyklodev.com/online-php-obfuscator/
-        - http://mohssen.org/SpinObf.php
-        - https://code.google.com/p/carbylamine/
-*/
-
-global private rule IsPhp
-{
-    strings:
-        $php = /<\?[^x]/
-
-    condition:
-        $php and filesize < 5MB
-}
-
-private rule IRC
-{
-    strings:
-        $ = "USER" fullword
-        $ = "PASS" fullword
-        $ = "PRIVMSG" fullword
-        $ = "MODE" fullword
-        $ = "PING" fullword
-        $ = "PONG" fullword
-        $ = "JOIN" fullword
-        $ = "PART" fullword
-
-    condition:
-        5 of them
-}
-
-private rule CloudFlareBypass
-{
-    strings:
-        $ = "chk_jschl"
-        $ = "jschl_vc"
-        $ = "jschl_answer"
-
-    condition:
-        2 of them // Better be safe than sorry
-}
-
-rule ObfuscatedPhp
-{
-    strings:
-        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/  // ;eval( <- this is dodgy
-        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
-        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
-        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-        $strange_arg = /\${\$[0-9a-zA-z]+}/
-    condition:
-        any of them and not IsWhitelisted
-}
-
-private rule base64
-{
-    strings:
-        $eval = "ZXZhbCg"
-        $system = "c3lzdGVt"
-        $preg_replace = "cHJlZ19yZXBsYWNl"
-        $exec = "ZXhlYyg"
-        $base64_decode = "YmFzZTY0X2RlY29kZ"
-    condition:
-        any of them
-}
-
-private rule hex
-{
-    strings:
-      $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
-      $exec = "\\x65\\x78\\x65\\x63" nocase
-      $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
-      $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
-      $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
-    
-    condition:
-        any of them
-}
-
-rule SuspiciousEncoding
-{
-    condition:
-        base64 or hex
-}
-
-rule DodgyPhp
-{
-    strings:
-        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
-        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
-        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
-        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
-        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
-        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $htaccess = "SetHandler application/x-httpd-php"
-        $udp_dos = /sockopen\s*\(['"]udp:\/\//
-
-    condition:
-        (any of them or CloudFlareBypass) and not IsWhitelisted
-}
-
-rule DangerousPhp
-{
-    strings:
-        $system = "system" fullword  // localroot bruteforcers have a lot of this
-
-        $ = "exec" fullword
-        $ = "eval" fullword
-        $ = "shell_exec" fullword
-        $ = "passthru" fullword
-        $ = "posix_getuid" fullword
-        $ = "posix_geteuid" fullword
-        $ = "posix_getgid" fullword
-        $ = "phpinfo" fullword
-        $ = "backticks" fullword
-        $ = "proc_open" fullword
-        $ = "win_shell_execute" fullword
-        $ = "win32_create_service" fullword
-        $ = "posix_getpwuid" fullword
-        $ = "shm_open" fullword
-        $ = "assert" fullword
-        $ = "fsockopen" fullword
-        $ = "function_exists" fullword
-        $ = "getmygid" fullword
-        $ = "php_uname" fullword
-        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
-        $ = "fpassthru" fullword
-        $ = "posix_setuid" fullword
-        $ = "xmlrpc_decode" fullword
-        $ = "show_source" fullword
-        $ = "pcntl_exec" fullword
-        $ = "array_filter" fullword
-        $ = "call_user_func" fullword
-        $ = "register_shutdown_function" fullword
-        $ = "register_tick_function" fullword
-        $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
-        $ = "mb_ereg_replace_callback" fullword
-        $ = "preg_replace_callback" fullword
-
-        $whitelist = /escapeshellcmd|escapeshellarg/
-
-    condition:
-        not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
-}
-
-rule DodgyStrings
-{
-    strings:
-        $ = "/etc/passwd"
-        $ = "/etc/shadow"
-        $ = "/etc/resolv.conf"
-        $ = "/etc/syslog.conf"
-        $ = "/etc/proftpd.conf"
-        $ = "WinExec"
-        $ = "uname -a" fullword
-        $ = "nc -l" fullword
-        $ = "ls -la" fullword
-        $ = "cmd.exe" fullword nocase
-        $ = "ipconfig" fullword nocase
-        $ = "find . -type f" fullword
-        $ = "defaced" fullword nocase
-        $ = "slowloris" fullword nocase
-        $ = "id_rsa" fullword
-        $ = "backdoor" fullword nocase
-        $ = "webshell" fullword nocase
-        $ = "exploit" fullword nocase
-        $ = "hacking" fullword nocase
-        $ = "/proc/cpuinfo" fullword
-        $ = "/bin/sh" fullword
-        $ = "/bin/bash" fullword
-        $ = "ps -aux" fullword
-        $ = "b374k" fullword
-        $ = /(reverse|web)\s*shell/ nocase
-
-        $vbs = /language\s*=\s*vbscript/ nocase
-        $asp = "scripting.filesystemobject" nocase
-
-    condition:
-        IRC or 2 of them and not IsWhitelisted
-}
-
-rule Websites
-{
-    strings:
-        $ = "milw0rm.com"
-        $ = "exploit-db.com"
-        $ = "1337day.com"
-        $ = "rapid7.com"
-        $ = "shodan.io"
-        $ = "packetstormsecurity"
-        $ = "crackfor" nocase
-        $ = "md5.rednoize"
-        $ = "hashcracking" nocase
-        $ = "darkc0de" nocase
-        $ = "securityfocus" nocase
-        $ = "antichat.ru"
-        $ = "KingDefacer" nocase
-        $ = "md5crack.com"
-        $ = "md5decrypter.com"
-        $ = "hashkiller.com"
-        $ = "hashchecker.com"
-        $ = "www.fopo.com.ar"  /* Free Online Php Obfuscator */
-        $ = "ccteam.ru"
-        $ = "locus7s.com"
-
-    condition:
-        any of them and not IsWhitelisted
-}
-- 
cgit v1.3