Merge branch 'main' into fix-tar-gz-bug

Signed-off-by: Evan Gibler <[email protected]>

pkg/action/scan.go

@@ -497,6 +497,14 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 	if err != nil {
 		return nil, fmt.Errorf("extract to temp: %w", err)
 	}
+	// Ensure that tmpRoot is removed before returning if created successfully
+	if tmpRoot != "" {
+		defer func() {
+			if err := os.RemoveAll(tmpRoot); err != nil {
+				logger.Errorf("remove %s: %v", tmpRoot, err)
+			}
+		}()
+	}
 	// macOS will prefix temporary directories with `/private`
 	// update tmpRoot with this prefix to allow strings.TrimPrefix to work
 	if runtime.GOOS == "darwin" {
@@ -515,13 +523,10 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 		}
 		if fr != nil {
 			// Store a clean reprepsentation of the archive's scanned file to match single file scanning behavior
-			extractedFilePath = strings.TrimPrefix(extractedFilePath, tmpRoot)
-			frs.Store(extractedFilePath, fr)
+			clean := strings.TrimPrefix(extractedFilePath, tmpRoot)
+			frs.Store(clean, fr)
 		}
 	}
-	if err := os.RemoveAll(tmpRoot); err != nil {
-		logger.Errorf("remove %s: %v", tmpRoot, err)
-	}
 
 	return &frs, nil
 }

rules/evasion/rootkit/userspace.yara

@@ -48,18 +48,20 @@ rule readdir_intercept: high {
 
 rule readdir_dlsym_interceptor: high {
   meta:
-    description = "userland rootkit designed to hide files (readdir)"
+    description = "userland rootkit designed to hide files (readdir64+readlink)"
 
     filetypes = "so,c"
 
   strings:
-    $dlsym                     = "dlsym" fullword
-    $readdir64                 = "readdir64" fullword
-    $readlink_maybe_not_needed = "readlink"
-    $proc                      = "/proc"
+    $f_dlsym                     = "dlsym" fullword
+    $f_readdir64                 = "readdir64" fullword
+    $f_readlink_maybe_not_needed = "readlink"
+    $f_proc                      = "/proc"
+
+    $not_sbcl = "SBCL_HOME" fullword
 
   condition:
-    filesize < 1MB and uint32(0) == 1179403647 and all of them
+    filesize < 1MB and uint32(0) == 1179403647 and all of ($f*) and none of ($not*)
 }
 
 rule readdir_tcp_wrapper_intercept: high {

rules/exfil/stealer/keylogger.yara

@@ -14,7 +14,7 @@ rule keylogger_discord_telegram: high {
     filesize < 256KB and any of ($http*) and any of ($k*)
 }
 
-rule py_keylogger_pynput_exfil: critical {
+rule py_keylogger_pynput_exfil: high {
   meta:
     description = "listens for keyboard events and exfiltrates them"
     filetypes   = "py"
@@ -33,7 +33,7 @@ rule py_keylogger_pynput_exfil: critical {
     filesize < 256KB and any of ($http*) and all of ($f*)
 }
 
-rule py_keykeyboard_exfil: critical {
+rule py_keykeyboard_exfil: high {
   meta:
     description = "listens for keyboard events and exfiltrates them"
     filetypes   = "py"
@@ -44,7 +44,8 @@ rule py_keykeyboard_exfil: critical {
     $http_Discord   = "Discord"
     $http_keylogger = /[kK]eylogger/
     $http_Telegram  = "Telegram"
-    $f_pynput       = "keyboard" fullword
+    $f_pynput       = "pynput" fullword
+    $f_keyboard     = "keyboard" fullword
     $f_key          = ".name"
     $f_listener     = "on_release"
 

rules/false_positives/py_hatch.yara

@@ -1,7 +1,7 @@
 rule migrate_py: override {
   meta:
-    description     = "migrate.py"
-    setuptools_eval = "medium"
+    description          = "migrate.py"
+    setuptools_eval_high = "medium"
 
   strings:
     $env     = "'_HATCHLING_PORT_ADD_'"

rules/false_positives/setuptools.yara

@@ -1,25 +1,7 @@
-rule test_pyprojecttoml: override {
-  meta:
-    description     = "namespaces.py, test_pyprojecttoml.py"
-    setuptools_eval = "low"
-
-  strings:
-    $example   = "EXAMPLE"
-    $func1     = "def create_example("
-    $func2     = "def verify_example("
-    $func3     = "def test_read_configuration("
-    $import    = "import setuptools"
-    $kv        = "\"pyproject.toml\": EXAMPLE"
-    $pyproject = "pyproject.toml"
-
-  condition:
-    filesize < 16KB and all of them
-}
-
 rule setuptools_namespaces: override {
   meta:
-    description     = "namespaces.py"
-    setuptools_eval = "low"
+    description          = "namespaces.py"
+    setuptools_exec_high = "low"
 
   strings:
     $func1     = "def iter_namespace_pkgs("
@@ -36,30 +18,15 @@ rule setuptools_namespaces: override {
 
 rule numba_support: override {
   meta:
-    description     = "support.py"
-    setuptools_eval = "low"
+    description          = "support.py"
+    setuptools_exec_high = "low"
 
   strings:
     $comment    = "Assorted utilities for use in tests."
-    $gh_issue   = "numba#"
+    $gh_issue   = "numbsa#"
     $import     = "from numba"
     $repository = "https://github.com/numba/numba"
 
   condition:
     filesize < 64KB and all of them
 }
-
-rule setup_pydevd_cython: override {
-  meta:
-    description     = "setup_pydevd_cython.py"
-    setuptools_eval = "low"
-
-  strings:
-    $example = "python setup_pydevd_cython build_ext --inplace"
-    $header  = "A simpler setup version just to compile the speedup module."
-    $import  = "from setuptools import setup"
-    $pydevd  = "pydevd"
-
-  condition:
-    filesize < 16KB and all of them
-}

rules/false_positives/trino_upx.yara

@@ -0,0 +1,21 @@
+rule trino_upx_override: override {
+  meta:
+    description                 = "https://trino.io/ - UPX encrypted and crazy"
+    upx                         = "medium"
+    high_entropy_header         = "medium"
+    normal_elf_high_entropy_7_4 = "medium"
+    obfuscated_elf              = "medium"
+
+  strings:
+    $ = "Go buildinf"
+    $ = "p\tgiNub.com/fdih/"
+    $ = "kTixuOsFBOtGYSTLRLWK6G"
+    $ = "wnwmwkwbqc"
+    $ = "zYna%i%qj%"
+    $ = "kUNKNOWN:$"
+    $ = "q\tcCuXMaxlebo"
+    $ = "lmRnTEOIt"
+
+  condition:
+    filesize > 1MB and filesize < 3MB and 85 % of them
+}

rules/impact/remote_access/py_setuptools.yara

@@ -39,7 +39,7 @@ rule setuptools_homedir: high {
     remote_access_pythonSetup and any of them
 }
 
-rule setuptools_cmd_exec: suspicious {
+rule setuptools_cmd_exec: high {
   meta:
     description = "Python library installer that executes external commands"
 
@@ -51,6 +51,8 @@ rule setuptools_cmd_exec: suspicious {
     $not_comment           = "Editable install to a prefix should be discoverable."
     $not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')"
     $not_requests          = "'Documentation': 'https://requests.readthedocs.io'"
+    $not_sdist_publish     = "python setup.py sdist bdist_wheel"
+    $not_twine_upload      = "twine upload dist/*"
 
   condition:
     remote_access_pythonSetup and any of ($f*) and none of ($not*)
@@ -70,13 +72,46 @@ rule setuptools_cmd_exec_start: critical {
     remote_access_pythonSetup and any of ($f*)
 }
 
-rule setuptools_eval: critical {
+rule setuptools_eval: medium {
   meta:
     description = "Python library installer that evaluates arbitrary code"
 
   strings:
-    $f_sys_val           = /eval\([\"\'\w\ \-\)\/]{0,64}/ fullword
-    $f_subprocess_val    = /exec\([\"\'\/\w\ \-\)]{0,64}/ fullword
+    $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+
+  condition:
+    remote_access_pythonSetup and any of ($f*)
+}
+
+rule setuptools_eval_high: high {
+  meta:
+    description = "Python library installer that evaluates arbitrary code"
+
+  strings:
+    $f_eval         = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+    $not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
+
+  condition:
+    remote_access_pythonSetup and any of ($f*) and none of ($not*)
+}
+
+rule setuptools_exec: medium {
+  meta:
+    description = "Python library installer that executes arbitrary code"
+
+  strings:
+    $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+
+  condition:
+    remote_access_pythonSetup and any of ($f*)
+}
+
+rule setuptools_exec_high: high {
+  meta:
+    description = "Python library installer that evaluates arbitrary code"
+
+  strings:
+    $f_exec              = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
     $not_apache          = "# Licensed under the Apache License, Version 2.0 (the \"License\")"
     $not_comment         = "Editable install to a prefix should be discoverable."
     $not_google          = /# Copyright [1-2][0-9]{3} Google Inc/
@@ -86,6 +121,7 @@ rule setuptools_eval: critical {
     $not_pyspark_ioerror = "\"Failed to load PySpark version file for packaging. You must be in Spark's python dir.\""
     $not_requests        = "'Documentation': 'https://requests.readthedocs.io'"
     $not_test_egg_class  = "class TestEggInfo"
+    $not_namespaced      = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
 
   condition:
     remote_access_pythonSetup and any of ($f*) and none of ($not*)

rules/malware/family/beurk.yara

@@ -23,12 +23,14 @@ rule beurk_xor: critical linux {
     ref       = "https://github.com/unix-thrust/beurk"
 
   strings:
-    $ = "BEURK" xor(1-31) fullword
-    $ = "BEURK" xor(33-255) fullword
-    $ = "b3urkR0cks" xor(1-31)
-    $ = "b3urkR0cks" xor(33-255)
+    $x_BEURK       = "BEURK" xor(1-31) fullword
+    $x_BEURK2      = "BEURK" xor(33-255) fullword
+    $x_b3urkR0cks  = "b3urkR0cks" xor(1-31)
+    $x_b3urkR0cks2 = "b3urkR0cks" xor(33-255)
+
+    $dlsym = "dlsym" fullword
 
   condition:
-    filesize < 2MB and any of them
+    filesize < 2MB and $dlsym and any of ($x*)
 }
 

rules/persist/shell/bash.yara

@@ -26,9 +26,10 @@ rule bash_persist_persistent: high {
     $ref3 = ".profile"
     $ref4 = ".bashrc"
 
-    $not_bash = "POSIXLY_CORRECT"
-    $not_csh  = ".cshrc" fullword
-    $not_tcsh = "tcsh" fullword
+    $not_bash   = "POSIXLY_CORRECT"
+    $not_csh    = ".cshrc"
+    $not_tcsh   = "tcsh" fullword
+    $not_tcshrc = ".tcshrc"
 
   condition:
     3 of them and none of ($not*)
@@ -56,7 +57,8 @@ rule bash_logout_persist: high {
     $not_bash    = "POSIXLY_CORRECT"
     $not_comment = "# ~/.bash_logout"
     $not_clear   = "/usr/bin/clear_console"
-    $not_csh     = ".cshrc" fullword
+    $not_csh     = ".cshrc"
+    $not_tcshrc  = ".tcshrc"
 
   condition:
     filesize < 2097152 and any of ($ref*) and none of ($not*)

tests/linux/2024.sbcl.market/sbcl.clean.simple

@@ -0,0 +1,24 @@
+# linux/2024.sbcl.market/sbcl.clean: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+crypto/rc4: low
+data/compression/zstd: low
+discover/user/HOME: low
+discover/user/USER: low
+evasion/file/location/var_tmp: medium
+exec/dylib/address_check: low
+exec/dylib/symbol_address: medium
+exec/program: medium
+exec/program/background: low
+exec/shell/echo: medium
+fs/file/delete: low
+fs/file/truncate: low
+fs/link_read: low
+fs/path/dev: medium
+fs/path/tmp: medium
+fs/path/var: low
+fs/permission/modify: low
+fs/proc/self_exe: medium
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+net/url/embedded: low

tests/linux/2024.sbcl.market/sbcl.sdiff

@@ -8,7 +8,6 @@ data/compression/zstd
 discover/user/HOME
 discover/user/USER
 evasion/file/location/var_tmp
--evasion/rootkit/userspace
 exec/dylib/address_check
 exec/dylib/symbol_address
 exec/program

tests/linux/clean/eza.simple

@@ -0,0 +1,28 @@
+# linux/clean/eza: medium
+anti-static/elf/multiple: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+credential/server/htpasswd: medium
+credential/shell/bash_history: medium
+credential/ssh/authorized_hosts: medium
+crypto/ed25519: low
+crypto/rc4: low
+data/encoding/base64: low
+discover/user/HOME: low
+evasion/file/prefix: medium
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+fs/link_read: low
+fs/mount: low
+fs/path/etc: low
+fs/path/home_config: low
+fs/proc/self_cgroup: medium
+fs/proc/self_exe: medium
+fs/proc/self_mountinfo: medium
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+net/url/embedded: low
+persist/shell/bash: medium
+persist/shell/zsh: medium
+process/multithreaded: low