Commit 724ff9f1 by Antonio S

Fix #265 Included filesize condition in all rules

parent 2b474ade
...@@ -7,18 +7,12 @@ ref : https://github.com/gwillem/magento-malware-scanner/ ...@@ -7,18 +7,12 @@ ref : https://github.com/gwillem/magento-malware-scanner/
author : https://github.com/gwillem author : https://github.com/gwillem
*/ */
global private rule malware_size {
meta:
description = "Limit on file size"
condition:
/* uint16(0) == 0x4B50 and filesize < 3MB */
filesize < 500KB
}
rule fromCharCode_in_unicode { rule fromCharCode_in_unicode {
strings: $ = "\\u0066\\u0072\\u006f\\u006d\\u0043\\u0068\\u0061\\u0072\\u0043\\u006f\\u0064\\u0065" strings:
condition: any of them $ = "\\u0066\\u0072\\u006f\\u006d\\u0043\\u0068\\u0061\\u0072\\u0043\\u006f\\u0064\\u0065"
condition:
any of them and filesize < 500KB
} }
rule function_through_object { rule function_through_object {
strings: strings:
...@@ -26,12 +20,14 @@ rule function_through_object { ...@@ -26,12 +20,14 @@ rule function_through_object {
$ = "['unescape']" $ = "['unescape']"
$ = "['charCodeAt']" $ = "['charCodeAt']"
$ = "['fromCharCode']" $ = "['fromCharCode']"
condition: any of them condition:
any of them and filesize < 500KB
} }
rule hex_script { rule hex_script {
strings: strings:
$ = "\\x73\\x63\\x72\\x69\\x70\\x74\\x22" $ = "\\x73\\x63\\x72\\x69\\x70\\x74\\x22"
condition: any of them condition:
any of them and filesize < 500KB
} }
rule php_malfunctions { rule php_malfunctions {
...@@ -40,7 +36,8 @@ rule php_malfunctions { ...@@ -40,7 +36,8 @@ rule php_malfunctions {
$ = "gzinflate(" $ = "gzinflate("
$ = "str_rot13(" $ = "str_rot13("
$ = "base64_decode(" $ = "base64_decode("
condition: 3 of them condition:
3 of them and filesize < 500KB
} }
rule php_obf_malfunctions { rule php_obf_malfunctions {
...@@ -48,29 +45,39 @@ rule php_obf_malfunctions { ...@@ -48,29 +45,39 @@ rule php_obf_malfunctions {
$ = "eval(base64_decode" $ = "eval(base64_decode"
$ = "eval(gzinflate" $ = "eval(gzinflate"
$ = "str_rot13(base64_decode" $ = "str_rot13(base64_decode"
condition: any of them condition:
any of them and filesize < 500KB
} }
rule fopo_obfuscator { rule fopo_obfuscator {
strings: strings:
$ = "www.fopo.com.ar" $ = "www.fopo.com.ar"
condition: any of them condition:
any of them and filesize < 500KB
} }
rule obf_base64_decode { rule obf_base64_decode {
strings: $ = "\\x62\\x61\\x73\\145\\x36\\x34\\x5f\\x64\\x65\\143\\x6f\\144\\145" strings:
condition: any of them $ = "\\x62\\x61\\x73\\145\\x36\\x34\\x5f\\x64\\x65\\143\\x6f\\144\\145"
condition:
any of them and filesize < 500KB
} }
rule html_upload { rule html_upload {
strings: strings:
$ = "<input type='submit' name='upload' value='upload'>" $ = "<input type='submit' name='upload' value='upload'>"
$ = "if($_POST['upload'])" $ = "if($_POST['upload'])"
condition: any of them condition:
any of them and filesize < 500KB
} }
rule php_uname { rule php_uname {
strings: $ = "php_uname()" strings:
condition: any of them $ = "php_uname()"
condition:
any of them and filesize < 500KB
} }
rule scriptkiddies { rule scriptkiddies {
strings: strings:
$ = "lastc0de@Outlook.com" nocase $ = "lastc0de@Outlook.com" nocase
...@@ -78,10 +85,13 @@ rule scriptkiddies { ...@@ -78,10 +85,13 @@ rule scriptkiddies {
$ = "AgencyCaFc" nocase $ = "AgencyCaFc" nocase
$ = "IndoXploit" nocase $ = "IndoXploit" nocase
$ = "Kapaljetz666" nocase $ = "Kapaljetz666" nocase
condition: any of them condition:
any of them and filesize < 500KB
} }
rule eval_with_comments { rule eval_with_comments {
strings: strings:
$ = /(^|\s)eval\s*\/\*.{,128}\*\/\s*\(/ $ = /(^|\s)eval\s*\/\*.{,128}\*\/\s*\(/
condition: any of them condition:
any of them and filesize < 500KB
} }
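Review bot: Removing `global private rule malware_size` in the first hunk means the 500KB bound is now only enforced where each condition spells it out, so a rule added later without the clause silently scans without a size limit, and the same literal is repeated in every visible condition and must be edited in lockstep if the threshold ever changes. A non-global private rule referenced from each condition keeps the single definition without the global-rule side effect: `private rule small_file { condition: filesize < 500KB }` and then `any of them and small_file` in place of `any of them and filesize < 500KB`. The reason for dropping the global rule isn't stated beyond "Fix #265"; if it was that a global rule also gates rules compiled from other files in the same scan, a one-line comment where malware_size used to be, such as `/* no global size rule: it would also gate rules from other files */`, would stop the refactor from being reverted. Either way, `filesize` is only defined when scanning a file, so these conditions will not match on process-memory scans.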