Improve the accuracy of the Python dropper rules

chainguard-dev · Apr 14, 2024 · efd17b3 · efd17b3
1 parent 603823c
commit efd17b3
Showing 1 changed file with 15 additions and 15 deletions.
diff --git a/rules/combo/dropper/python.yara b/rules/combo/dropper/python.yara
@@ -3,17 +3,17 @@ rule http_open_write_system : suspicious {
   	description = "may fetch and execute programs from the internet"
   strings:
 	$http = "http"
-	$http_requests = "requests.get"
-	$http_urrlib = "urllib.request"
-	$http_urlopen = "urlopen"
+	$http_requests = "requests.get" fullword
+	$http_urrlib = "urllib.request" fullword
+	$http_urlopen = "urlopen" fullword
 
-	$open = "open("
+	$open = "open(" fullword
 
-	$write = "write("
+	$write = "write(" fullword
 
-	$system = "os.system("
-	$sys_popen = "os.popen"
-	$sys_sub = "subprocess."
+	$system = "os.system" fullword
+	$sys_popen = "os.popen" fullword
+	$sys_sub = "subprocess" fullword
   condition:
     filesize < 16384 and any of ($h*) and $open and $write and any of ($sys*)
 }
@@ -23,15 +23,15 @@ rule setuptools_dropper : critical {
 		description = "setuptools script that downloads and executes content"
 	strings:
 		$setup = "setup("
-		$setuptools = "setuptools"
+		$setuptools = "setuptools" fullword
 
-		$http_requests = "requests.get"
-		$http_urrlib = "urllib.request"
-		$http_urlopen = "urlopen"
+		$http_requests = "requests.get" fullword
+		$http_urrlib = "urllib.request" fullword
+		$http_urlopen = "urlopen" fullword
 
-		$system = "os.system("
-		$sys_popen = "os.popen"
-		$sys_sub = "subprocess."
+		$system = "os.system" fullword
+		$sys_popen = "os.popen" fullword
+		$sys_sub = "subprocess" fullword
 
 	condition:
 		all of ($setup*) and any of ($http*) and any of ($sys*)