forked from chainguard-dev/malcontent
Commit
ELF malware detection improvements based on Wolfsbane analysis (chainguard-dev#680)

* libselinux.so tuning
* Finish libselinux.so analysis
* Finish libselinux.so analysis
* add missing files
* Finish dbus analysis
* Finish dbus analysis
* Finish dbus analysis
* add rules
* fix yara compile errors (duplicated rule names)
* Update testdata

---------

Signed-off-by: Evan Gibler <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
1 parent: 3903332
commit: c234760

Showing 111 changed files with 758 additions and 163 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
import "elf" | ||
|
||
rule multiple_elf: medium { | ||
meta: | ||
description = "multiple ELF binaries within an ELF binary" | ||
|
||
strings: | ||
$elf_head = "\x7fELF" | ||
condition: | ||
uint32(0) == 1179403647 and #elf_head > 1 | ||
} |
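Review bot: the `import "elf"` at the top of this hunk is unused; the condition only uses `uint32(0) == 1179403647` (the little-endian reading of `\x7fELF`) and the `#elf_head` occurrence count, never an `elf.` field. Either drop the import or make the module earn its keep by replacing the raw magic comparison with a module field such as `elf.type`. Worth noting for the reader of the rule: `#elf_head` includes the file's own header at offset 0, so `> 1` fires on any second `\x7fELF` anywhere in the file, including legitimate carriers of embedded ELF images (installers, self-extracting archives), which is why `medium` rather than `high` seems the right severity here.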
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
rule hidden_literals: medium { | ||
meta: | ||
description = "references hidden literals" | ||
|
||
strings: | ||
$ref = "hidden_literals" | ||
condition: | ||
filesize < 10MB and $ref | ||
} |
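Review bot: the only pattern in this rule is the rule's own name, `"hidden_literals"`, and the meta block says nothing about where that token comes from, so the rule reads as a tautology and will also match this `.yara` file itself if the rules directory is ever scanned. Suggest a meta line recording the origin of the literal (for example the symbol or string observed in the analysed sample) so the next maintainer knows it is an indicator and not a placeholder left over from scaffolding.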
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
rule xor_paths: high { | ||
meta: | ||
description = "paths obfuscated using xor" | ||
|
||
strings: | ||
$dev_shm = "/dev/shm" xor(1-31) | ||
$dev_shm2 = "/dev/shm" xor(33-255) | ||
$dev_null = "/dev/null" xor(1-31) | ||
$dev_null2 = "/dev/null" xor(33-255) | ||
$dev_stdin = "/dev/stdin" xor(1-31) | ||
$dev_stdin2 = "/dev/stdin" xor(33-255) | ||
$dev_stderr = "/dev/stderr" xor(1-31) | ||
$dev_stderr2 = "/dev/stderr" xor(33-255) | ||
$proc_net_tcp = "/proc/net/tcp" xor(1-31) | ||
$proc_net_tcp2 = "/proc/net/tcp" xor(33-255) | ||
$var_log_wtmp = "/var/log/wtmp" xor(1-31) | ||
$var_log_wtmp2 = "/var/log/wtmp" xor(33-255) | ||
$var_run_utmp = "/var/run/utmp" xor(1-31) | ||
$var_run_utmp2 = "/var/run/utmp" xor(33-255) | ||
$usr_bin = "/usr/bin" xor(1-31) | ||
$usr_sbin = "/usr/sbin" xor(1-31) | ||
$var_tmp = "/var/tmp" xor(1-31) | ||
$var_run = "/var/run" xor(1-31) | ||
$usr_bin2 = "/usr/bin" xor(33-255) | ||
$usr_sbin2 = "/usr/sbin" xor(33-255) | ||
$var_tmp2 = "/var/tmp" xor(33-255) | ||
$var_run2 = "/var/run" xor(33-255) | ||
condition: | ||
filesize < 10MB and any of them | ||
} | ||
|
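Review bot: the key ranges `xor(1-31)` and `xor(33-255)` deliberately leave out keys 0 and 32, but nothing in the hunk says why. Key 0 would match the unobfuscated path, which is present in almost every benign binary; key 32 (0x20) flips ASCII letter case and is the most likely source of accidental hits on case-swapped plaintext. A one-line comment above `strings:` explaining the gap would stop a future reader from "fixing" it back to `xor(1-255)`. Minor: the file ends with an extra blank line after the closing `}` that the other new rule files do not have.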
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
rule xor_terms: high { | ||
meta: | ||
description = "terms obfuscated using xor" | ||
|
||
strings: | ||
$LIBRARY = "LIBRARY" xor(1-31) | ||
$LIBRARY2 = "LIBRARY" xor(33-255) | ||
$INFECT = "INFECT" xor(1-31) | ||
$INFECT2 = "INFECT" xor(33-255) | ||
$MAGIC = "MAGIC" xor(1-31) | ||
$MAGIC2 = "MAGIC" xor(33-255) | ||
$plugin = "plugin" xor(1-31) | ||
$plugin2 = "plugin2" xor(33-255) | ||
$debug = "debug" xor(1-31) | ||
$debug2 = "debug2" xor(33-255) | ||
$evil = " evil " xor(1-31) | ||
$evil2 = " evil " xor(33-255) | ||
$environ = "environ" xor(1-31) | ||
$environ2 = "environ" xor(33-255) | ||
$xterm = "xterm" xor(1-31) | ||
$xterm2 = "xterm" xor(33-255) | ||
condition: | ||
filesize < 5MB and any of them | ||
} |
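Review bot: `$plugin2` and `$debug2` carry the digit suffix inside the string literal (`"plugin2"`, `"debug2"`), unlike every other pair in this hunk where only the identifier is suffixed and the literal is repeated unchanged. As written these two patterns search for XOR-encoded `plugin2`/`debug2` rather than providing the second key range for `plugin`/`debug`, which looks like a copy-paste slip. Suggest `$plugin2 = "plugin" xor(33-255)` and `$debug2 = "debug" xor(33-255)`. Separately, the `filesize < 5MB` bound differs from the `10MB` used by the sibling `xor_paths` rule in the same commit; if the difference is intentional, a meta note would help.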