From ff9ea831d5a29f1adc3ec48006c470b1a8b59029 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?=
Date: Tue, 17 Dec 2024 17:50:57 -0500
Subject: [PATCH] Address CRITICAL ELF false-positives in trino, rust, and eza (#718)

* Linux ELF rule adjustments
* rule tuning
* Add Linux tests
* sbcl tuning
---
 rules/evasion/rootkit/userspace.yara | 14 +-
 rules/false_positives/trino_upx.yara | 21 ++
 rules/malware/family/beurk.yara | 12 +-
 rules/persist/shell/bash.yara | 10 +-
 .../linux/2024.sbcl.market/sbcl.clean.simple | 24 ++
 tests/linux/2024.sbcl.market/sbcl.sdiff | 1 -
 tests/linux/clean/eza.simple | 28 +++
 tests/linux/clean/kolide/launcher.simple | 126 +++++++++++
 tests/linux/clean/kolide/osqueryd.simple | 212 ++++++++++++++++++
 .../rust_libtest-350a2b8f7a4551b7.so.simple | 7 +
 .../clean/trino.linux-amd64.launcher.simple | 14 ++
 .../clean/trino.linux-arm64.launcher.simple | 12 +
 .../clean/trino.linux-ppc64le.launcher.simple | 10 +
 13 files changed, 475 insertions(+), 16 deletions(-)
 create mode 100644 rules/false_positives/trino_upx.yara
 create mode 100644 tests/linux/2024.sbcl.market/sbcl.clean.simple
 create mode 100644 tests/linux/clean/eza.simple
 create mode 100644 tests/linux/clean/kolide/launcher.simple
 create mode 100644 tests/linux/clean/kolide/osqueryd.simple
 create mode 100644 tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple
 create mode 100644 tests/linux/clean/trino.linux-amd64.launcher.simple
 create mode 100644 tests/linux/clean/trino.linux-arm64.launcher.simple
 create mode 100644 tests/linux/clean/trino.linux-ppc64le.launcher.simple

diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara
index 65e3193ef..eb371f23f 100644
--- a/rules/evasion/rootkit/userspace.yara
+++ b/rules/evasion/rootkit/userspace.yara
@@ -48,18 +48,20 @@ rule readdir_intercept: high {
 rule readdir_dlsym_interceptor: high {
 meta:
- description = "userland rootkit designed to hide files (readdir)"
+ description = "userland rootkit designed to hide files (readdir64+readlink)"
 filetypes = "so,c"
 strings:
- $dlsym = "dlsym" fullword
- $readdir64 = "readdir64" fullword
- $readlink_maybe_not_needed = "readlink"
- $proc = "/proc"
+ $f_dlsym = "dlsym" fullword
+ $f_readdir64 = "readdir64" fullword
+ $f_readlink_maybe_not_needed = "readlink"
+ $f_proc = "/proc"
+
+ $not_sbcl = "SBCL_HOME" fullword
 condition:
- filesize < 1MB and uint32(0) == 1179403647 and all of them
+ filesize < 1MB and uint32(0) == 1179403647 and all of ($f*) and none of ($not*)
 }
 rule readdir_tcp_wrapper_intercept: high {
diff --git a/rules/false_positives/trino_upx.yara b/rules/false_positives/trino_upx.yara
new file mode 100644
index 000000000..382b1f9ab
--- /dev/null
+++ b/rules/false_positives/trino_upx.yara
@@ -0,0 +1,21 @@
+rule trino_upx_override: override {
+ meta:
+ description = "https://trino.io/ - UPX encrypted and crazy"
+ upx = "medium"
+ high_entropy_header = "medium"
+ normal_elf_high_entropy_7_4 = "medium"
+ obfuscated_elf = "medium"
+
+ strings:
+ $ = "Go buildinf"
+ $ = "p\tgiNub.com/fdih/"
+ $ = "kTixuOsFBOtGYSTLRLWK6G"
+ $ = "wnwmwkwbqc"
+ $ = "zYna%i%qj%"
+ $ = "kUNKNOWN:$"
+ $ = "q\tcCuXMaxlebo"
+ $ = "lmRnTEOIt"
+
+ condition:
+ filesize > 1MB and filesize < 3MB and 85 % of them
+}
diff --git a/rules/malware/family/beurk.yara b/rules/malware/family/beurk.yara
index 815a2d848..2b2de8c51 100644
--- a/rules/malware/family/beurk.yara
+++ b/rules/malware/family/beurk.yara
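Review bot: `$f_readlink_maybe_not_needed` is now hard-required by `all of ($f*)`, so its `_maybe_not_needed` suffix contradicts the condition; either rename it `$f_readlink` (the new description already lists readlink as part of the signature) or keep it outside the `$f*` group if it is still meant to be optional. The `$not_sbcl = "SBCL_HOME" fullword` exclusion is a plaintext token baked into a `high` rootkit rule, so any file carrying that token is skipped regardless of what else it contains; the same commit adds `trino_upx_override` under `rules/false_positives/`, and an equivalent override rule for SBCL would keep the exemption out of the detection logic and make the list of exempted products greppable in one place. If it stays here, a comment such as `// SBCL_HOME: exempts the SBCL runtime, see tests/linux/2024.sbcl.market/sbcl.clean.simple` records which sample drove it.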
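Review bot: The anchor strings in `trino_upx_override` (`"p\tgiNub.com/fdih/"`, `"kTixuOsFBOtGYSTLRLWK6G"`, `"wnwmwkwbqc"`, …) look like fragments of the UPX-compressed stream rather than of Trino's own code, so they are likely to change with the next Trino build; when that happens the four rules the override demotes (`upx`, `high_entropy_header`, `normal_elf_high_entropy_7_4`, `obfuscated_elf`) return to full severity on a clean launcher, and the new `tests/linux/clean/trino.*` fixtures are what will catch it. The rule should record its provenance in meta, e.g. `version = "<trino release the launcher was sampled from>"`, and the description `"https://trino.io/ - UPX encrypted and crazy"` would read better as a statement of what the strings are, e.g. `"https://trino.io/ launcher - UPX-packed binary; strings sampled from the packed payload"` (the `Go buildinf` fragment suggests a Go launcher, but that is inferred). That a meta key demotes the rule of the same name is inferred from the fixtures (`anti-static/packer/upx: medium`), so confirm the four key names match the target rule names exactly.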
@@ -23,12 +23,14 @@ rule beurk_xor: critical linux {
 ref = "https://github.com/unix-thrust/beurk"
 strings:
- $ = "BEURK" xor(1-31) fullword
- $ = "BEURK" xor(33-255) fullword
- $ = "b3urkR0cks" xor(1-31)
- $ = "b3urkR0cks" xor(33-255)
+ $x_BEURK = "BEURK" xor(1-31) fullword
+ $x_BEURK2 = "BEURK" xor(33-255) fullword
+ $x_b3urkR0cks = "b3urkR0cks" xor(1-31)
+ $x_b3urkR0cks2 = "b3urkR0cks" xor(33-255)
+
+ $dlsym = "dlsym" fullword
 condition:
- filesize < 2MB and any of them
+ filesize < 2MB and $dlsym and any of ($x*)
 }
diff --git a/rules/persist/shell/bash.yara b/rules/persist/shell/bash.yara
index 83b895b91..374d3d31b 100644
--- a/rules/persist/shell/bash.yara
+++ b/rules/persist/shell/bash.yara
@@ -26,9 +26,10 @@ rule bash_persist_persistent: high {
 $ref3 = ".profile"
 $ref4 = ".bashrc"
- $not_bash = "POSIXLY_CORRECT"
- $not_csh = ".cshrc" fullword
- $not_tcsh = "tcsh" fullword
+ $not_bash = "POSIXLY_CORRECT"
+ $not_csh = ".cshrc"
+ $not_tcsh = "tcsh" fullword
+ $not_tcshrc = ".tcshrc"
 condition:
 3 of them and none of ($not*)
@@ -56,7 +57,8 @@ rule bash_logout_persist: high {
 $not_bash = "POSIXLY_CORRECT"
 $not_comment = "# ~/.bash_logout"
 $not_clear = "/usr/bin/clear_console"
- $not_csh = ".cshrc" fullword
+ $not_csh = ".cshrc"
+ $not_tcshrc = ".tcshrc"
 condition:
 filesize < 2097152 and any of ($ref*) and none of ($not*)
diff --git a/tests/linux/2024.sbcl.market/sbcl.clean.simple b/tests/linux/2024.sbcl.market/sbcl.clean.simple
new file mode 100644
index 000000000..07b00a26f
--- /dev/null
+++ b/tests/linux/2024.sbcl.market/sbcl.clean.simple
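Review bot: The new gate `filesize < 2MB and $dlsym and any of ($x*)` makes a plaintext `dlsym` a hard requirement of a `critical` rule without saying why, so a later tuner cannot tell whether a BEURK build that no longer exposes `dlsym` as a fullword string is an accepted miss or an oversight; a comment above the new string such as `// plaintext dlsym gate: added to clear xor collisions on rust/eza ELFs (#718)` records the motivation that is otherwise only in the commit message. The collisions presumably came from the 5-byte `"BEURK"` variants rather than the 10-byte `"b3urkR0cks"` ones, since a short string xor'd across 254 keys has far more chance matches in a 2 MB file; if so, a narrower fix is to gate only the short strings, e.g. `any of ($x_b3urk*) or ($dlsym and any of ($x_BEURK*))`, leaving the long-string detection independent of `dlsym`. That is an inference from string lengths, not from the samples, so check it against the rust and eza fixtures before changing the condition.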
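Review bot: `$not_csh` loses `fullword` in both hunks (`bash_persist_persistent` and `bash_logout_persist`) with nothing in the rule saying why; YARA's `fullword` already accepts `~/.cshrc` because `/` is not alphanumeric, so the sample that needed the change must carry `.cshrc` glued to an alphanumeric character, and a comment such as `// no fullword: <sample> embeds .cshrc adjacent to alphanumerics` on each line would keep the next tuner from restoring it. `.tcshrc` has to be its own string because `.cshrc` is not a substring of it, so the `$not_tcshrc` additions are right; the shared trade-off that a script which appends to both `.bashrc` and `.cshrc` is excluded from both rules (as it already was with `fullword`) is worth a sentence in the rule meta. In `bash_persist_persistent` the condition `3 of them and none of ($not*)` counts the `$not*` strings too; the result is the same because any `$not*` match already fails the rule, but `3 of ($ref*) and none of ($not*)` says what is meant.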
@@ -0,0 +1,24 @@
+# linux/2024.sbcl.market/sbcl.clean: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+crypto/rc4: low
+data/compression/zstd: low
+discover/user/HOME: low
+discover/user/USER: low
+evasion/file/location/var_tmp: medium
+exec/dylib/address_check: low
+exec/dylib/symbol_address: medium
+exec/program: medium
+exec/program/background: low
+exec/shell/echo: medium
+fs/file/delete: low
+fs/file/truncate: low
+fs/link_read: low
+fs/path/dev: medium
+fs/path/tmp: medium
+fs/path/var: low
+fs/permission/modify: low
+fs/proc/self_exe: medium
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+net/url/embedded: low
diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff
index fb3cc46aa..0d81f2098 100644
--- a/tests/linux/2024.sbcl.market/sbcl.sdiff
+++ b/tests/linux/2024.sbcl.market/sbcl.sdiff
@@ -8,7 +8,6 @@ data/compression/zstd
 discover/user/HOME
 discover/user/USER
 evasion/file/location/var_tmp
--evasion/rootkit/userspace
 exec/dylib/address_check
 exec/dylib/symbol_address
 exec/program
diff --git a/tests/linux/clean/eza.simple b/tests/linux/clean/eza.simple
new file mode 100644
index 000000000..114eb2ec6
--- /dev/null
+++ b/tests/linux/clean/eza.simple
@@ -0,0 +1,28 @@
+# linux/clean/eza: medium
+anti-static/elf/multiple: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+credential/server/htpasswd: medium
+credential/shell/bash_history: medium
+credential/ssh/authorized_hosts: medium
+crypto/ed25519: low
+crypto/rc4: low
+data/encoding/base64: low
+discover/user/HOME: low
+evasion/file/prefix: medium
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+fs/link_read: low
+fs/mount: low
+fs/path/etc: low
+fs/path/home_config: low
+fs/proc/self_cgroup: medium
+fs/proc/self_exe: medium
+fs/proc/self_mountinfo: medium
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+net/url/embedded: low
+persist/shell/bash: medium
+persist/shell/zsh: medium
+process/multithreaded: low
diff --git a/tests/linux/clean/kolide/launcher.simple b/tests/linux/clean/kolide/launcher.simple
new file mode 100644
index 000000000..6ddd68735
--- /dev/null
+++ b/tests/linux/clean/kolide/launcher.simple
@@ -0,0 +1,126 @@
+# linux/clean/kolide/launcher: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+collect/archives/zip: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/keychain: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/public_key: low
+crypto/tls: low
+data/compression/gzip: low
+data/compression/zlib: low
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/hash/blake2b: low
+data/hash/md5: low
+discover/network/netstat: medium
+discover/processes/list: medium
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/user/USER: low
+evasion/file/prefix: medium
+evasion/logging/acct: low
+exec/cmd: medium
+exec/plugin: low
+exec/program: medium
+exec/shell/TERM: low
+exec/shell/command: medium
+exec/system_controls/systemd: medium
+exfil/upload: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/create: medium
+fs/file/delete: low
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/stat: low
+fs/file/truncate: low
+fs/file/write: low
+fs/link_read: low
+fs/lock_update: low
+fs/mount: low
+fs/path/boot: medium
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/tmp: medium
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
+fs/path/var: low
+fs/path/var_log: medium
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/self_mountinfo: medium
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempdir/create: low
+fs/tempfile: low
+hw/dev/block_ice: medium
+impact/remote_access/net_term: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/parse: medium
+net/ip/tcp_state_tracker: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/tcp/sftp: medium
+net/tcp/ssh: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/key_management: low
+os/kernel/netlink: low
+persist/pid_file: medium
+privesc/setuid: low
+privesc/sudo: medium
+process/groupid_set: low
+process/groups_set: low
+process/multithreaded: low
diff --git a/tests/linux/clean/kolide/osqueryd.simple b/tests/linux/clean/kolide/osqueryd.simple
new file mode 100644
index 000000000..a5b4f62f8
--- /dev/null
+++ b/tests/linux/clean/kolide/osqueryd.simple
@@ -0,0 +1,212 @@
+# linux/clean/kolide/osqueryd: medium
+anti-static/elf/multiple: medium
+anti-static/obfuscation/obfuscate: low
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/client: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+collect/databases/leveldb: medium
+collect/databases/sqlite: medium
+credential/cloud/aws: medium
+credential/keychain: medium
+credential/password: low
+credential/shell/bash_history: medium
+credential/shell/zsh_history: medium
+credential/sniffer/bpf: medium
+credential/ssh/authorized_hosts: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ed25519: low
+crypto/gost89: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/tls: low
+data/base64/decode: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/pem_private_key: medium
+data/encoding/base64: low
+data/hash/blake2b: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/hash/whirlpool: medium
+data/random/insecure: low
+discover/cloud/google_metadata: low
+discover/components/docker: medium
+discover/group/lookup: medium
+discover/network/interface: low
+discover/network/interface_list: medium
+discover/network/mac_address: medium
+discover/process/name: medium
+discover/process/parent: low
+discover/process/runtime_deps: medium
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/machine_id: low
+discover/system/platform: low
+discover/system/sysinfo: medium
+discover/user/HOME: low
+discover/user/USER: low
+discover/user/name_get: low
+evasion/bypass_security/linux/iptables: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
+evasion/hide_artifacts/pivot_root: medium
+evasion/logging/acct: low
+evasion/logging/current_logins: medium
+evasion/logging/dev_log: medium
+evasion/process_injection/ptrace: medium
+evasion/process_injection/readelf: medium
+exec/conditional/LANG: low
+exec/dylib/address_check: low
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/program: medium
+exec/program/background: low
+exec/reconfigure/hostname_set: low
+exec/shell/SHELL: low
+exec/shell/TERM: low
+exec/shell/arbitrary_command_dev_null: medium
+exec/shell/echo: medium
+exec/shell/exec: medium
+exec/shell/ignore_output: medium
+exec/system_controls/apparmor: medium
+exec/system_controls/systemd: low
+exec/tty/vhangup: low
+exfil/collection: medium
+fs/attributes/remove: medium
+fs/attributes/set: medium
+fs/blkid: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/event_monitoring: low
+fs/fifo_create: low
+fs/file/capabilities_set: low
+fs/file/delete: medium
+fs/file/delete_forcibly: low
+fs/file/flags_change: low
+fs/file/open: low
+fs/file/open_by_handle: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
+fs/loopback: medium
+fs/mount: low
+fs/mounts_read: medium
+fs/node_create: low
+fs/path/boot: medium
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/from_cookie: low
+fs/path/home: low
+fs/path/home_config: low
+fs/path/root: medium
+fs/path/tmp: medium
+fs/path/users: medium
+fs/path/usr_bin: low
+fs/path/usr_lib_python: medium
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
+fs/path/var: low
+fs/path/var_log: medium
+fs/path/windows_root: low
+fs/permission/chown: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/cpuinfo: medium
+fs/proc/meminfo: medium
+fs/proc/mounts: medium
+fs/proc/self_exe: medium
+fs/proc/self_mountinfo: medium
+fs/proc/self_status: medium
+fs/proc/stat: medium
+fs/quota_manipulate: low
+fs/swap/off: low
+fs/swap/on: low
+fs/symlink_resolve: low
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempfile: low
+fs/unmount: low
+fs/watch: low
+hw/cpu: medium
+hw/dev/block_ice: medium
+hw/dev/diskmapper: medium
+hw/dev/mapper: medium
+impact/degrade/linux_paths: medium
+impact/infection/worm: medium
+impact/reboot: low
+impact/remote_access/heartbeat: medium
+impact/remote_access/iptables: medium
+lateral/scan/tool: medium
+mem/anonymous_file: medium
+net/dns/txt: low
+net/http/2: low
+net/http/accept: low
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/http/websocket: medium
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/resolve: low
+net/ip/send_unicast: low
+net/ip/string: medium
+net/ip/syncookie: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/rpc/ntlm: medium
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/pair: medium
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/reuseport: medium
+net/socket/send: low
+net/tcp/ssh: medium
+net/url/embedded: medium
+net/url/encode: medium
+os/fd/epoll: low
+os/fd/read: low
+os/fd/sendfile: low
+os/kernel/key_management: low
+os/kernel/netlink: low
+os/kernel/opencl: medium
+os/kernel/perfmon: low
+os/kernel/seccomp: low
+os/time/clock_set: low
+persist/cron/tab: medium
+persist/kernel_module/symbol_lookup: medium
+persist/kernel_module/unload: medium
+persist/pid_file: medium
+persist/ssh_authorized_keys: medium
+privesc/setuid: low
+process/chroot: low
+process/create: low
+process/groupid_set: low
+process/groups_set: low
+process/multithreaded: low
+process/name_set: medium
+process/namespace_set: low
+process/unshare: low
+sus/intercept: medium
diff --git a/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple
new file mode 100644
index 000000000..a46fa6fc2
--- /dev/null
+++ b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple
@@ -0,0 +1,7 @@
+# linux/clean/rust_libtest-350a2b8f7a4551b7.so: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+discover/process/runtime_deps: medium
+exec/program: medium
+fs/path/etc: low
+net/url/embedded: low
diff --git a/tests/linux/clean/trino.linux-amd64.launcher.simple b/tests/linux/clean/trino.linux-amd64.launcher.simple
new file mode 100644
index 000000000..24bbc955f
--- /dev/null
+++ b/tests/linux/clean/trino.linux-amd64.launcher.simple
@@ -0,0 +1,14 @@
+# linux/clean/trino.linux-amd64.launcher: medium
+anti-static/elf/content: medium
+anti-static/elf/entropy: medium
+anti-static/elf/header: medium
+anti-static/elf/multiple: medium
+anti-static/packer/upx: medium
+c2/addr/url: low
+c2/tool_transfer/arch: low
+crypto/aes: low
+data/compression/gzip: low
+fs/proc/self_exe: medium
+net/dns/txt: low
+net/http/post: medium
+net/url/embedded: low
diff --git a/tests/linux/clean/trino.linux-arm64.launcher.simple b/tests/linux/clean/trino.linux-arm64.launcher.simple
new file mode 100644
index 000000000..5a2e5bbc4
--- /dev/null
+++ b/tests/linux/clean/trino.linux-arm64.launcher.simple
@@ -0,0 +1,12 @@
+# linux/clean/trino.linux-arm64.launcher: medium
+anti-static/elf/content: medium
+anti-static/elf/entropy: medium
+anti-static/elf/header: medium
+anti-static/elf/multiple: medium
+anti-static/packer/upx: medium
+c2/addr/url: low
+crypto/aes: low
+fs/path/users: medium
+fs/proc/self_exe: medium
+net/dns/txt: low
+net/url/embedded: low
diff --git a/tests/linux/clean/trino.linux-ppc64le.launcher.simple b/tests/linux/clean/trino.linux-ppc64le.launcher.simple
new file mode 100644
index 000000000..7a9e6ab00
--- /dev/null
+++ b/tests/linux/clean/trino.linux-ppc64le.launcher.simple
@@ -0,0 +1,10 @@
+# linux/clean/trino.linux-ppc64le.launcher: medium
+anti-static/elf/content: medium
+anti-static/elf/entropy: medium
+anti-static/elf/header: medium
+anti-static/elf/multiple: medium
+anti-static/packer/upx: medium
+c2/addr/url: low
+net/dns/txt: low
+net/http/post: medium
+net/url/embedded: low