Address CRITICAL ELF false-positives in trino, rust, and eza (#718)

* Linux ELF rule adjustments

* rule tuning

* Add Linux tests

* sbcl tuning

rules/evasion/rootkit/userspace.yara

@@ -48,18 +48,20 @@ rule readdir_intercept: high {
 
 rule readdir_dlsym_interceptor: high {
   meta:
-    description = "userland rootkit designed to hide files (readdir)"
+    description = "userland rootkit designed to hide files (readdir64+readlink)"
 
     filetypes = "so,c"
 
   strings:
-    $dlsym                     = "dlsym" fullword
-    $readdir64                 = "readdir64" fullword
-    $readlink_maybe_not_needed = "readlink"
-    $proc                      = "/proc"
+    $f_dlsym                     = "dlsym" fullword
+    $f_readdir64                 = "readdir64" fullword
+    $f_readlink_maybe_not_needed = "readlink"
+    $f_proc                      = "/proc"
+
+    $not_sbcl = "SBCL_HOME" fullword
 
   condition:
-    filesize < 1MB and uint32(0) == 1179403647 and all of them
+    filesize < 1MB and uint32(0) == 1179403647 and all of ($f*) and none of ($not*)
 }
 
 rule readdir_tcp_wrapper_intercept: high {

rules/false_positives/trino_upx.yara

@@ -0,0 +1,21 @@
+rule trino_upx_override: override {
+  meta:
+    description                 = "https://trino.io/ - UPX encrypted and crazy"
+    upx                         = "medium"
+    high_entropy_header         = "medium"
+    normal_elf_high_entropy_7_4 = "medium"
+    obfuscated_elf              = "medium"
+
+  strings:
+    $ = "Go buildinf"
+    $ = "p\tgiNub.com/fdih/"
+    $ = "kTixuOsFBOtGYSTLRLWK6G"
+    $ = "wnwmwkwbqc"
+    $ = "zYna%i%qj%"
+    $ = "kUNKNOWN:$"
+    $ = "q\tcCuXMaxlebo"
+    $ = "lmRnTEOIt"
+
+  condition:
+    filesize > 1MB and filesize < 3MB and 85 % of them
+}

rules/malware/family/beurk.yara

@@ -23,12 +23,14 @@ rule beurk_xor: critical linux {
     ref       = "https://github.com/unix-thrust/beurk"
 
   strings:
-    $ = "BEURK" xor(1-31) fullword
-    $ = "BEURK" xor(33-255) fullword
-    $ = "b3urkR0cks" xor(1-31)
-    $ = "b3urkR0cks" xor(33-255)
+    $x_BEURK       = "BEURK" xor(1-31) fullword
+    $x_BEURK2      = "BEURK" xor(33-255) fullword
+    $x_b3urkR0cks  = "b3urkR0cks" xor(1-31)
+    $x_b3urkR0cks2 = "b3urkR0cks" xor(33-255)
+
+    $dlsym = "dlsym" fullword
 
   condition:
-    filesize < 2MB and any of them
+    filesize < 2MB and $dlsym and any of ($x*)
 }
 

rules/persist/shell/bash.yara

@@ -26,9 +26,10 @@ rule bash_persist_persistent: high {
     $ref3 = ".profile"
     $ref4 = ".bashrc"
 
-    $not_bash = "POSIXLY_CORRECT"
-    $not_csh  = ".cshrc" fullword
-    $not_tcsh = "tcsh" fullword
+    $not_bash   = "POSIXLY_CORRECT"
+    $not_csh    = ".cshrc"
+    $not_tcsh   = "tcsh" fullword
+    $not_tcshrc = ".tcshrc"
 
   condition:
     3 of them and none of ($not*)
@@ -56,7 +57,8 @@ rule bash_logout_persist: high {
     $not_bash    = "POSIXLY_CORRECT"
     $not_comment = "# ~/.bash_logout"
     $not_clear   = "/usr/bin/clear_console"
-    $not_csh     = ".cshrc" fullword
+    $not_csh     = ".cshrc"
+    $not_tcshrc  = ".tcshrc"
 
   condition:
     filesize < 2097152 and any of ($ref*) and none of ($not*)

tests/linux/2024.sbcl.market/sbcl.clean.simple

@@ -0,0 +1,24 @@
+# linux/2024.sbcl.market/sbcl.clean: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+crypto/rc4: low
+data/compression/zstd: low
+discover/user/HOME: low
+discover/user/USER: low
+evasion/file/location/var_tmp: medium
+exec/dylib/address_check: low
+exec/dylib/symbol_address: medium
+exec/program: medium
+exec/program/background: low
+exec/shell/echo: medium
+fs/file/delete: low
+fs/file/truncate: low
+fs/link_read: low
+fs/path/dev: medium
+fs/path/tmp: medium
+fs/path/var: low
+fs/permission/modify: low
+fs/proc/self_exe: medium
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+net/url/embedded: low

tests/linux/2024.sbcl.market/sbcl.sdiff

@@ -8,7 +8,6 @@ data/compression/zstd
 discover/user/HOME
 discover/user/USER
 evasion/file/location/var_tmp
--evasion/rootkit/userspace
 exec/dylib/address_check
 exec/dylib/symbol_address
 exec/program

tests/linux/clean/eza.simple

@@ -0,0 +1,28 @@
+# linux/clean/eza: medium
+anti-static/elf/multiple: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+credential/server/htpasswd: medium
+credential/shell/bash_history: medium
+credential/ssh/authorized_hosts: medium
+crypto/ed25519: low
+crypto/rc4: low
+data/encoding/base64: low
+discover/user/HOME: low
+evasion/file/prefix: medium
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+fs/link_read: low
+fs/mount: low
+fs/path/etc: low
+fs/path/home_config: low
+fs/proc/self_cgroup: medium
+fs/proc/self_exe: medium
+fs/proc/self_mountinfo: medium
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+net/url/embedded: low
+persist/shell/bash: medium
+persist/shell/zsh: medium
+process/multithreaded: low

tests/linux/clean/kolide/launcher.simple

@@ -0,0 +1,126 @@
+# linux/clean/kolide/launcher: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+collect/archives/zip: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/keychain: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/public_key: low
+crypto/tls: low
+data/compression/gzip: low
+data/compression/zlib: low
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/hash/blake2b: low
+data/hash/md5: low
+discover/network/netstat: medium
+discover/processes/list: medium
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/user/USER: low
+evasion/file/prefix: medium
+evasion/logging/acct: low
+exec/cmd: medium
+exec/plugin: low
+exec/program: medium
+exec/shell/TERM: low
+exec/shell/command: medium
+exec/system_controls/systemd: medium
+exfil/upload: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/create: medium
+fs/file/delete: low
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/stat: low
+fs/file/truncate: low
+fs/file/write: low
+fs/link_read: low
+fs/lock_update: low
+fs/mount: low
+fs/path/boot: medium
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/tmp: medium
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
+fs/path/var: low
+fs/path/var_log: medium
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/self_mountinfo: medium
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempdir/create: low
+fs/tempfile: low
+hw/dev/block_ice: medium
+impact/remote_access/net_term: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/parse: medium
+net/ip/tcp_state_tracker: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/tcp/sftp: medium
+net/tcp/ssh: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/key_management: low
+os/kernel/netlink: low
+persist/pid_file: medium
+privesc/setuid: low
+privesc/sudo: medium
+process/groupid_set: low
+process/groups_set: low
+process/multithreaded: low