Merge pull request #77 from tstromberg/main

Rule tuning from PyPI & Homebrew analysis
chainguard-dev · Mar 29, 2024 · 9a80795 · 9a80795
2 parents eb2a142 + 9857537
commit 9a80795
Show file tree

Hide file tree

Showing 49 changed files with 326 additions and 72 deletions.
diff --git a/pkg/action/scan.go b/pkg/action/scan.go
@@ -86,6 +86,9 @@ func Scan(c Config) (*bincapz.Report, error) {
 				klog.Errorf("scan path: %v", err)
 				continue
 			}
+			if fr == nil {
+				continue
+			}
 			if c.Renderer != nil {
 				if err := c.Renderer.File(*fr); err != nil {
 					return r, fmt.Errorf("render: %w", err)

diff --git a/rules/admin/package-install.yara b/rules/admin/package-install.yara
@@ -39,8 +39,10 @@ rule apt_get_installer : suspicious {
 	description = "Installs software using apt-get"
   strings:
     $val = /apt-get install[ \w\-\_%]{0,32}/
+
+	$foo = "install foo"
   condition:
-	$val
+	$val and not $foo
 }
 
 rule apk_installer : suspicious {

diff --git a/rules/admin/sudoers-edit.yara b/rules/admin/sudoers-edit.yara
@@ -1,12 +1,14 @@
 
 rule sudo_editor : suspicious {
   meta:
+	description = "references /etc/sudoers"
     hash_2020_FinSpy_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0"
     hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
   strings:
     $etc_sudoers = "/etc/sudoers"
     $nopasswd = "NOPASSWD:"
 	$not_sample = "sudoers man page"
+	$not_vim = "VIMRUNTIME"
   condition:
-    filesize < 5242880 and ($etc_sudoers or $nopasswd) and not $not_sample
+    filesize < 5242880 and ($etc_sudoers or $nopasswd) and none of ($not*)
 }
diff --git a/rules/combo/backdoor/net_exec.yara b/rules/combo/backdoor/net_exec.yara
@@ -88,7 +88,7 @@ rule exec_getprog_socket_waitpid_combo {
 }
 
 
-rule exec_chdir_and_socket : suspicious {
+rule exec_chdir_and_socket : notable {
   strings:
     $socket = "socket" fullword
     $chdir = "chdir" fullword

diff --git a/rules/combo/backdoor/net_term.yara b/rules/combo/backdoor/net_term.yara
@@ -10,7 +10,7 @@ rule readdir_openpty_socket : suspicious {
 		all of them in (1200..3000)
 }
 
-rule pseudoterminal_tunnel : critical {
+rule pseudoterminal_tunnel : suspicious {
 	meta:
 		description = "accesses pseudoterminals and sets up a tunnel"
 	strings:
@@ -19,8 +19,10 @@ rule pseudoterminal_tunnel : critical {
 
 		$t = "tunnel" fullword
 		$t2 = "TUNNEL" fullword
+
+		$not_qemu = "QEMU_IS_ALIGNED"
 	condition:
-		any of ($p*) and any of ($t*)
+		any of ($p*) and any of ($t*) and none of ($not_qemu*)
 }
 
 

diff --git a/rules/combo/backdoor/php.yara b/rules/combo/backdoor/php.yara
@@ -69,8 +69,10 @@ rule php_bin_hashbang : critical {
   strings:
     $x_php = "<?php"
     $script = "#!/bin/"
+
+	$not_php = "PHP_VERSION_ID"
   condition:
-    $script and any of ($x*)
+    $script and any of ($x*) and none of ($not*)
 }
 
 rule php_urlvar_recon_exec : critical {
@@ -91,8 +93,10 @@ rule php_urlvar_recon_exec : critical {
     $f_phpinfo = "phpinfo("
     $x_GET = "_GET"
     $x_POST = "_POST"
+
+	$not_php = "PHP_VERSION_ID"
   condition:
-    any of ($e*) and any of ($f*) and any of ($x*)
+    any of ($e*) and any of ($f*) and any of ($x*) and none of ($not*)
 }
 
 rule php_system_to_perl {
@@ -111,13 +115,15 @@ rule php_eval_gzinflate_base64_backdoor : critical {
     hash_2023_0xShell_lndex = "9b073472cac7f3f8274165a575e96cfb4f4eb38471f6a8e57bb9789f3f307495"
     hash_2023_0xShell_lndex = "9b073472cac7f3f8274165a575e96cfb4f4eb38471f6a8e57bb9789f3f307495"
   strings:
-    $eval = "eval("
-    $html_special = "htmlspecialchars_decode"
-    $gzinflate = "gzinflate("
-    $base64_decode = "base64_decode"
+    $f_eval = "eval("
+    $f_html_special = "htmlspecialchars_decode"
+    $f_gzinflate = "gzinflate("
+    $f_base64_decode = "base64_decode"
+
+	$not_php = "PHP_FLOAT_DIG" fullword
   condition:
-    all of them
-}
+    all of ($f*) and none of ($not*)
+ }
 
 
 rule php_obfuscated_with_hex_characters : critical {
@@ -214,11 +220,15 @@ rule php_insecure_curl_uploader : critical {
     hash_2023_0xShell_f = "9ce3da0322ee42e9119abb140b829efc3c94ea802df7a6f3968829645e1a5330"
   strings:
     $CURLOPT_SSL_VERIFYPEER = "CURLOPT_SSL_VERIFYPEER"
+	$php = "<?php"
+
     $f_file_get_contents = "file_get_contents"
     $f_eval = "eval"
     $f_stream_get_contents = "stream_get_contents"
+
+	$not_php = "PHP_VERSION_ID"
   condition:
-    $CURLOPT_SSL_VERIFYPEER and any of ($f*)
+    $CURLOPT_SSL_VERIFYPEER and $php and any of ($f*) and none of ($not*)
 }
 
 rule php_eval_get_contents : critical {

diff --git a/rules/combo/backdoor/py_setuptools.yara b/rules/combo/backdoor/py_setuptools.yara
@@ -0,0 +1,79 @@
+import "math"
+
+rule setuptools_cmd_exec : suspicious {
+	meta:
+		description = "Python library installer that executes external commands"
+	strings:
+		$setup = "setup(" fullword
+
+		$setuptools = "setuptools"
+		$distutils = "distutils"
+
+		$s_sys_val = /os.system\([\"\'\w\ \-\)\/]{0,64}/
+		$s_subprocess_val = /subprocess.\w{0,32}\([\"\'\/\w\ \-\)]{0,64}/
+		$s_import = "import subprocess"
+	condition:
+		$setup and ($setuptools or $distutils) and any of ($s_*)
+}
+
+rule setuptools_eval : critical {
+	meta:
+		description = "Python library installer that evaluates arbitrary code"
+	strings:
+		$setup = "setup(" fullword
+
+		$setuptools = "setuptools"
+		$distutils = "distutils"
+
+		$s_sys_val = /eval\([\"\'\w\ \-\)\/]{0,64}/ fullword
+		$s_subprocess_val = /exec\([\"\'\/\w\ \-\)]{0,64}/ fullword
+	condition:
+		$setup and ($setuptools or $distutils) and any of ($s_*)
+}
+
+rule setuptools_url_access : suspicious {
+	meta:
+		description = "Python library installer that accesses external URLs"
+	strings:
+		$setup = "setup(" fullword
+
+		$setuptools = "setuptools"
+		$distutils = "distutils"
+
+		$s_requests = /requests.get\([\"\'\w\ \-\)\/]{0,64}/
+		$s_urlopen = /urlopen\([\"\'\w\ \-\)\/]{0,64}/
+	condition:
+		$setup and ($setuptools or $distutils) and any of ($s_*)
+}
+
+
+
+rule setuptools_random : critical {
+	meta:
+		description = "Python library installer that exhibits random behavior"
+	strings:
+		$setup = "setup(" fullword
+
+		$setuptools = "setuptools"
+		$distutils = "distutils"
+
+		$s_sys_val = "import random" fullword
+	condition:
+		$setup and ($setuptools or $distutils) and any of ($s_*)
+}
+
+
+
+rule setuptools_builtins : notable {
+	meta:
+		description = "Python library installer that directly references builtins"
+	strings:
+		$setup = "setup(" fullword
+
+		$setuptools = "setuptools"
+		$distutils = "distutils"
+
+		$s_sys_val = "__builtins__" fullword
+	condition:
+		$setup and ($setuptools or $distutils) and any of ($s_*)
+}
diff --git a/rules/combo/dropper/bash.yara b/rules/combo/dropper/bash.yara
@@ -7,9 +7,9 @@ rule fetch_chmod_run_oneliner_value : critical {
 		any of them
 }
 
-rule curl_chmod_relative_run : suspicious {
+rule curl_chmod_relative_run : notable {
   meta:
-	description = "fetches file, makes it executable, runs it"
+	description = "may fetch file, make it executable, and run it"
   strings:
 	$chmcurlod = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
 	$chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/
@@ -18,9 +18,9 @@ rule curl_chmod_relative_run : suspicious {
 	all of them
 }
 
-rule wget_chmod_relative_run : suspicious {
+rule wget_chmod_relative_run : notable {
   meta:
-	description = "fetches file, makes it executable, runs it"
+	description = "may fetch file, make it executable, and run it"
   strings:
 	$chmcurlod = /wget [\-\w \$\@\{\w\/\.\:]{0,96}/
 	$chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/

diff --git a/rules/combo/dropper/python.yara b/rules/combo/dropper/python.yara
@@ -12,3 +12,15 @@ rule http_open_write_system : suspicious {
   condition:
     filesize < 16384 and any of ($h*) and $open and $write and any of ($sys*)
 }
+
+rule setuptools_dropper : critical {
+	meta:
+		description = "setuptools script that downloads and executes content"
+	strings:
+		$setup = "setup("
+		$setuptools = "setuptools"
+		$requests = "requests.get"
+		$os_sys = "os.system"
+	condition:
+		all of them
+}
diff --git a/rules/combo/net/tunnel_proxy.yara b/rules/combo/net/tunnel_proxy.yara
@@ -1,4 +1,4 @@
-rule tunnel_proxy : suspicious {
+rule tunnel_proxy : notable {
   meta:
 	description = "network tunnel proxy"
   strings:

diff --git a/rules/combo/recon/system_network.yara b/rules/combo/recon/system_network.yara
@@ -1,4 +1,4 @@
-rule recon_commands : suspicious {
+rule basic_recon : notable {
   meta:
     hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05"
     hash_2017_Perl_FruitFly_afpscan = "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55"
@@ -12,8 +12,30 @@ rule recon_commands : suspicious {
     $c_whoami = "whoami" fullword
     $c_id = "id" fullword
     $c_hostname = "hostname" fullword
-    $c_ifconfig = "ifconfig" fullword
     $c_uname = "uname -a"
+	$c_ip_addr = "ip addr" fullword
+    $not_usage = "Usage: inet"
+    $not_apple_smb = "com.apple.smbd"
+    $not_bashopts = "BASHOPTS"
+    $not_private = "/System/Library/PrivateFrameworks/"
+	$not_license = "For license information please see"
+  condition:
+    filesize < 26214400 and 3 of ($c*) and none of ($not*)
+}
+
+
+rule invasive_recon : notable {
+  meta:
+    hash_2020_trojan_webshell_quwmldl_rfxn = "f1375cf097b3f28247762147f8ee3755e0ce26e24fbf8a785fe4e5b42c1fed05"
+    hash_2017_Perl_FruitFly_afpscan = "bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55"
+    hash_2021_ANDR_miner_eomap = "329255e33f43e6e9ae5d5efd6f5c5745c35a30d42fb5099beb51a6e40fe9bd76"
+    hash_2021_ADR_CoinMiner_nutar = "fb6b327104eb37d42f83b552430ef9b1e45ee49c737d562876650d75e3a88e57"
+    hash_2023_Sodinokibi = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"
+    hash_2023_Linux_Malware_Samples_2c98 = "2c98b196a51f737f29689d16abeea620b0acfa6380bdc8e94a7a927477d81e3a"
+    hash_2023_Linux_Malware_Samples_3ffc = "3ffc2327a5dd17978f62c44807e5bf9904bcdef222012a11e48801faf6861a67"
+    hash_2023_Linux_Malware_Samples_564a = "564a666d0a7efc39c9d53f5c6c4d95d5f7f6b7bff2dc9aa3c871f8c49650a99b"
+  strings:
+    $c_ifconfig = "ifconfig" fullword
     $c_lspi = "lspci"
 	$c_ufw = "ufw status"
 	$c_sudo = "sudo -l"
@@ -26,5 +48,5 @@ rule recon_commands : suspicious {
     $not_private = "/System/Library/PrivateFrameworks/"
 	$not_license = "For license information please see"
   condition:
-    filesize < 26214400 and 3 of ($c*) and none of ($not*)
+    filesize < 26214400 and any of ($c*) and none of ($not*)
 }
diff --git a/rules/combo/recon/upload_sysinfo.yara b/rules/combo/recon/upload_sysinfo.yara
@@ -1,9 +1,10 @@
-rule sw_vers_and_libcurl : suspicious macos {
+rule sw_vers_and_libcurl : notable {
   meta:
+	description = "fetches macOS system version and uses libcurl"
     hash_2023_KandyKorn_kandykorn = "927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6"
     hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea"
   strings:
-    $sw_vers = "sw_vers"
+    $sw_vers = "sw_vers" fullword
     $bin_zsh = "libcurl"
   condition:
     all of them

diff --git a/rules/combo/stealer/browser.yara b/rules/combo/stealer/browser.yara
@@ -73,4 +73,4 @@ rule multiple_browser_refs : suspicious {
 	$b_Chrome = "Chrome"
   condition:
     any of ($h*) and any of ($z*) and 2 of ($b*)
-}
+}
diff --git a/rules/combo/stealer/discord.yara b/rules/combo/stealer/discord.yara
@@ -3,7 +3,7 @@ rule discord_password_post_chat : suspicious {
 	description = "gets passwords, makes HTTP requests, and uses Discord"
   strings:
 	$c1 = "discordapp.com"
-	$c2 = "Discord"
+//	$c2 = "Discord"
 
 	$h1 = "get("
 	$h2 = "post("

diff --git a/rules/combo/stealer/ssh.yara b/rules/combo/stealer/ssh.yara
@@ -1,5 +1,7 @@
 
-rule tar_ssh_net : suspicious {
+rule tar_ssh_net : notable {
+  meta:
+	description = "possible SSH stealer"
   strings:
 	$s_curl = "curl" fullword
 	$s_wget = "wget" fullword

diff --git a/rules/combo/stealer/wallet.yara b/rules/combo/stealer/wallet.yara
@@ -14,6 +14,7 @@ rule crypto_stealer : critical {
 	$w_ms = "MonstraWallet"
 	$w_oa = "OasisWallet"
 	$w_bn = "BinanceChain"
+	$w_ir = "Iridium"
 	$w_tl = "TronLink" 
 	$w_hycon = "Hycon L"
 	$w_coin = "Coinbas"

diff --git a/rules/evasion/base64-python.yara b/rules/evasion/base64-python.yara
@@ -0,0 +1,17 @@
+rule base64_http_val : critical {
+    meta:
+        description = "contains base64 Python code"
+    strings:
+		$exec = "exec(" base64
+		$eval = "eval(" base64
+		$import = "__import__" base64
+		$importlib = "importlib" base64
+		$import_module = "import_module" base64
+		$urllib = "urllib.request" base64
+		$requests_get = "requests.get" base64
+		$urlopen = "urlopen" base64
+		$read = "read()" base64
+		$decode = "decode()" base64
+    condition:
+        2 of them
+}
diff --git a/rules/evasion/binary-opaque.yara b/rules/evasion/binary-opaque.yara
@@ -1,4 +1,4 @@
-rule opaque_binary : suspicious {
+rule opaque_binary : notable {
   meta:
     hash_2023_MacOS_applet = "54db4cc34db4975a60c919cd79bb01f9e0c3e8cf89571fee09c75dfff77a0bcd"
     hash_2021_CDDS_arch = "a63466d09c3a6a2596a98de36083b6d268f393a27f7b781e52eeb98ae055af97"
@@ -12,6 +12,8 @@ rule opaque_binary : suspicious {
     $word_with_spaces = /[a-z]{2,} [a-z]{2,}/
 	$not_gmon_start = "__gmon_start__"
 	$not_usage = "usage:" fullword
+	$not_usage2 = "Usage:" fullword
+	$not_USAGE = "USAGE:" fullword
 	$not_java = "java/lang"
   condition:
 	// matches elf or macho

diff --git a/rules/evasion/bitwise_math.yara b/rules/evasion/bitwise_math.yara
@@ -0,0 +1,9 @@
+
+rule excessive_bitwise_math : notable {
+  meta:
+	description = "excessive use of bitwise math"
+  strings:
+	$x = /\-{0,1}\d{1,8} \<\< \-{0,1}\d{1,8}/
+condition:
+   filesize < 128000 and #x > 10
+}
diff --git a/rules/evasion/content-length-0.yara b/rules/evasion/content-length-0.yara
@@ -1,4 +1,4 @@
-rule content_length_0 : suspicious {
+rule content_length_0 : notable {
   meta:
 	description = "Sets HTTP content length to zero"
   strings: