From 985dc14691f886663b134d072c73cfde4bff777e Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Fri, 11 May 2018 07:47:02 +0200 Subject: [PATCH] new patterns added --- malware5.pl | 2 ++ malwaresh.pl | 9 +++++--- scan.py | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+), 3 deletions(-) diff --git a/malware5.pl b/malware5.pl index a226c60..edbfb01 100644 --- a/malware5.pl +++ b/malware5.pl @@ -502,6 +502,8 @@ my @regexen = ( qr/var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i/is, qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is, qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is, + qr/\/\/istart.+?\/\/iend/is, + qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is, ); diff --git a/malwaresh.pl b/malwaresh.pl index b68bc33..e1c491e 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -26,6 +26,7 @@ print "Content-type: text/html\n\n"; my $user = $ARGV[0]; my @regexen = ( + qr/\/\/\s+([A-z0-9]{31})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{31})/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is, qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, 
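Review bot: The two new `qr//` entries are added verbatim to both `malware5.pl` and `malwaresh.pl`, yet the two lists already disagree on neighbouring entries — here the `GLOBALS` pattern captures `([A-z0-9]{20,})` while the `malwaresh.pl` copy uses `{1,20}`, and only `malwaresh.pl` receives the extended `var\s+a` pattern — so the duplicated tables appear to be drifting; if that divergence is not deliberate, the shared patterns belong in one file both scripts load, or at least a comment should say which copy is authoritative. The new patterns carry no note of what they are meant to catch, so a one-line `#` comment above each (e.g. `# "//istart ... //iend" injected-block markers`) would help whoever has to tune them later. The leaning-toothpick escaping can also be avoided with another delimiter, `qr{//istart.+?//iend}is`, which matches identically.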
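Review bot: The added pattern's `[A-z0-9]` character class is wider than it looks: in ASCII the range `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the two `{31}` captures accept punctuation that an alphanumeric marker should not, and under `/i` the upper-case half of the range is redundant anyway. Writing the class as intended, `qr/\/\/\s+([A-Za-z0-9]{31})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-Za-z0-9]{31})/is`, narrows the match to the marker's actual alphabet (`\w` would re-admit `_`). The same `[A-z0-9]` class is used in the `GLOBAL\s+\$wehaveitagain` and `var\s+a\=` lines added in this file's second hunk and should be corrected there as well. It is pervasive in the surrounding context lines too, so fixing only the new lines is a partial step worth a `# TODO` note in the list header.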
@@ -979,12 +980,14 @@ my @regexen = ( qr/\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\#\#\#\#\#\#\#\#\#\#\#e\#\#va\#\#\#\#\#\#\#\#l\#\(\#\#b\#\#\#\#\#a\#\#\#\#\#\#\#\#\#\#\#s\#\#\#\#\#e\#\#6\#\#\#\#4\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\_\#\#d\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#e\#\#c\#o\#\#de\#\#\#\#\#\#\#\(\#\#\\\'.+?\$([A-z0-9]{1,20})\=str\_replace\(\'\#\'\,\s+\'\'\,\s+\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=create\_function\(\'\'\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{20,}).+?eval\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+\?>/is, - qr/\/\/\s+([A-z0-9]{20,})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{20,})/is, - qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is, + qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{5,})\s+\?>/is, qr/.+?print\s+\"

\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is, - qr/var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i/is, + qr/var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen.+?clen.+?String\.fromCharCode\(a\.charCodeAt\(.+?unescape.+?document\.write\(\w\)\;<\/script>/is, qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is, qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is, + qr/\/\/istart.+?\/\/iend/is, + qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is, + ); my @base64_decodes = ( diff --git a/scan.py b/scan.py index 13f96e8..58e4ed3 100644 --- a/scan.py +++ b/scan.py @@ -223,6 +223,10 @@ scoring = { 'SHELL_COMPACT': (5, u'2eme ligne louche (shell?)'), 'CURL_HTTP': (5, u'téléchargement HTTP'), 'XXTEA_ENCRYPT': (20, u'Code source encode avec XXTEA (possible ransomware)'), + 'ADDED_LATER': (50, u'Strings added from the rest of the scanners'), + 'PHISHING': (10, u'Phishing patterns'), + 'MD5': (20, u'md5 strings used in malware'), + 'SOCIALS': (50, u'Email addresses, links and social networking'), } 
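Review bot: The last added line of this hunk is an empty line placed inside the `@regexen` list directly before `);`, which looks like stray whitespace rather than part of the change and should be dropped. The extended `var\s+a\=` pattern now ends in `document\.write\(\w\)\;`, which matches only a single-character variable name, whereas the same pattern's opening capture allows `([A-z0-9]{1,20})`; if the samples that motivated it are known to use one-letter names this is fine, otherwise `document\.write\(\w+\)\;` would be the consistent bound. The new `class\_exists` pattern leaves `;` and `=` unescaped while the neighbouring entries escape them, which is harmless but makes the list harder to scan; follow the local convention (or drop the needless escapes everywhere) so the table stays uniform.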
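Review bot: The four new `scoring` keys are `(weight, description)` pairs like their neighbours, but only `'MD5'` and `'SOCIALS'` are emitted by the detection code added later in this commit, and there they are appended as bare strings — `score.append(('MD5'))` is a parenthesised string, not a one-tuple — whereas the existing `score.append(('XXTEA_ENCRYPT', ''))` pushes a `(key, detail)` pair, so a consumer that unpacks the pair or indexes `[0]` will presumably fail or read `'M'` instead of `'MD5'`; those appends should read `score.append(('MD5', ''))` and `score.append(('SOCIALS', ''))`. Nothing visible in the diff appends `'ADDED_LATER'` or `'PHISHING'` (the `wp_sysoptions` check appends the presumably pre-existing `'CONCAT_STRING'`), so either they are dead entries or their emitters live outside this patch — a short comment on each naming the intended emitter would settle it. The new descriptions are in English while the existing ones are French (`u'téléchargement HTTP'`), which will show up mixed in whatever report prints them. The twenty-odd literal-string checks in the later hunk would also be easier to maintain as a tuple of `(indicator, key)` pairs iterated in one loop than as repeated `if` blocks.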
@@ -487,6 +491,60 @@ def is_hacked(filename):
 cleanup_available = True
 if 'eval(xxtea_decrypt(base64_decode(' in l:
 score.append(('XXTEA_ENCRYPT', ''))
+ if 'wp_sysoptions' in l:
+ score.append(('CONCAT_STRING', ''))
+ if '6006014887a2c09ec470f5b676c8f68a' in l:
+ score.append(('MD5'))
+ if 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l:
+ score.append(('MD5'))
+ if '5088db39ad7cc4d4fa9f462f74faccb6' in l:
+ score.append(('MD5'))
+ if 'eb2d3273ac60f499d82d97da0fa44689' in l:
+ score.append(('MD5'))
+ if 'b071e67503e9dcefecafd62e81704ef0' in l:
+ score.append(('MD5'))
+ if 'c7a628cba22e28eb17b5f5c6ae2a266a' in l:
+ score.append(('MD5'))
+ if 'a13756bf1e2bd46921c135232774fc5f' in l:
+ score.append(('MD5'))
+ if '78b45bf662bafae9ac6b66097762c7d5' in l:
+ score.append(('MD5'))
+ if 'b0x@hotmail.com' in l:
+ score.append(('SOCIALS'))
+ if 'botv3@mrspybotv3.com' in l:
+ score.append(('SOCIALS'))
+ if 'sellerolux@gmail.com' in l:
+ score.append(('SOCIALS'))
+ if 'nerf.sarcasm007@gmail.com' in l:
+ score.append(('SOCIALS'))
+ if 'submit[at]1337day.com' in l:
+ score.append(('SOCIALS'))
+ if 'luan.hackingpro123@hotmail.com' in l:
+ score.append(('SOCIALS'))
+ if 'Black-ID@W.Cn' in l:
+ score.append(('SOCIALS'))
+ if 'facebook.com/007mrspy' in l:
+ score.append(('SOCIALS'))
+ if 'Skype: live:zepek_al' in l:
+ score.append(('SOCIALS'))
+ if 'facebook.com/luan.santo.5437' in l:
+ score.append(('SOCIALS'))
+ if 'Mister Spy' in l:
+ score.append(('SOCIALS'))
+ if 'darkshadow-tn' in l:
+ score.append(('SOCIALS'))
+ if 'IndoXploit' in l:
+ score.append(('SOCIALS'))
+ if 'Black-ID' in l:
+ score.append(('SOCIALS'))
+ if 'https://hastebin.com/raw/ifucenaquz' in l:
+ score.append(('SOCIALS'))
+ if 'https://hastebin.com/raw/iracirucad' in l:
+ score.append(('SOCIALS'))
+ if 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l:
+ score.append(('SOCIALS'))
+ if 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
+ score.append(('SOCIALS'))
 previous_line = l
 if 
line_num < 20: