-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
YARA #84
Comments
pyllyukko
referenced
this issue
Jan 11, 2024
* POSCardStealer_SpyBot.yar: duplicated string identifier "$x1" * DarkCometDownloader.yar: Illegal bytestring character : 1, at line: 9 * invalid hex string "$s1": uneven number of digits in hex string * crime_win32_exe_rat_netwire.yar: duplicated string identifier "$sa" * BADPATCH_PDB.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 486: ordinal not in range(128) * Crime_eyepyramid.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\xad' in position 1301: ordinal not in range(128) * Final1stspy_PDB.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 132: ordinal not in range(128) * MALW_MiniAsp3_mem.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2026' in position 192: ordinal not in range(128) * OSX_Proton_B_systemd.1.yar: UnicodeEncodeError: 'ascii' codec can't encode characters in position 202-203: ordinal not in range(128) * RANSOM_GPGQwerty.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 90: ordinal not in range(128)
pyllyukko
referenced
this issue
Jan 11, 2024
* `embedded_win_api` FPs on header files and is too generic * There was a typo in 8e6456f
pyllyukko
referenced
this issue
Jan 11, 2024
* `ft_*` are quite useless * `mbedded_win_api` triggers on a whole bunch of header files in /usr/include * `shell_functions` triggers on mysql.h, phpcomplete.vim & others * `shell_names` trigger on chkrootkit :) * "r57shell.php" * Also youtube-dl * `DarkComet_Keylogs_Memory` triggers on bunch of header files * `PM_Dyre_Delivery1` trigger on header files * `web_log_review` trigger on header files * `Mozi_Obfuscation_Technique` FPs on /usr/bin/php and other parts of legit PHP * Cerberus FPs on a whole bunch of stuff * `CrowdStrike_CVE_2014_4113` FPs on bunch of `LC_COLLATE` files * `dbgdetect_files` FPs on a whole bunch of legit files * N3utrino FPs on libmariadbd.so.19, mariadbd, libclamav.so.12.0.1 & a whole bunch of others :D * `LinuxDDOS_Agent` FPs against youtube-dl * Actually it looks like youtube-dl is quite good candidate for goodware corpus :) * `shellshock_generic` FPs on /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/std/algorithm/iteration.d (gcc-gdc package) * `memory_shylock` is too generic. E.g. "$b = /id=[A-F0-9]{32}/" * etc. etc.
pyllyukko
referenced
this issue
Jan 11, 2024
It was removed in upstream: elastic/protections-artifacts@2d6189b
pyllyukko
referenced
this issue
Jan 11, 2024
* xanda's rules made a major impact on the scan. 17m39s vs. ~90m :O * Blacklisted all the rules that contained .*, .+ or .{x,}
pyllyukko
referenced
this issue
Jan 11, 2024
Starting to think whether efb8d9c was a good idea or not. These rules have been tested to trigger against the benignware dataset of chapter 8 of the Malware Data Science book[1]. [1] https://www.malwaredatascience.com/code-and-data
pyllyukko
referenced
this issue
Jan 11, 2024
LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV LibClamAV Error: load_oneyara: error in parsing yara hex string LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.Windows_Trojan_BloodAlchemy_de591c5a LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar, yara rule Windows_Trojan_BloodAlchemy_de591c5a LibClamAV Error: Can't load /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar: Malformed database LibClamAV Error: cli_loaddbdir: error loading database /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar
pyllyukko
referenced
this issue
Jan 11, 2024
False positive: malware_PlugX_config /usr/lib64/libmariadbd.so.19 0x61ba36:$v2b: 68 A0 02 00 00 0x626276:$v2f: 68 24 0D 00 00 0x61ba36:$v2g: 68 A0 02 00 00 0x623e76:$v2h: 68 E4 0A 00 00 0xd2bcc9:$enc3: B8 33 33 33 33 0xd51037:$enc3: BA 33 33 33 33 0xd512af:$enc3: BA 33 33 33 33 0xd6d909:$enc3: B8 33 33 33 33 0xd92cf9:$enc3: BF 33 33 33 33 0xd92e63:$enc3: BF 33 33 33 33 0xcd6f0b:$enc4: BE 44 44 44 44 621c2d446f06b654ee0a2e8c6057a3913ddfbc7d64a747b355106b21dad778115417ad86ac193a39beb604fb19e14e1782536c3ec3985cc70777552a2ce9d221 /usr/lib64/libmariadbd.so.19
pyllyukko
referenced
this issue
Jan 11, 2024
pyllyukko
referenced
this issue
Jan 11, 2024
LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV LibClamAV Error: load_oneyara: error in parsing yara hex string LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.mimikatz LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/kiwi_passwords.yar, yara rule mimikatz
pyllyukko
referenced
this issue
Jan 11, 2024
isExecutable and android_meterpreter rules have a high false positive rate.
pyllyukko
referenced
this issue
Jan 11, 2024
pyllyukko
referenced
this issue
Jan 11, 2024
pyllyukko
referenced
this issue
Jan 11, 2024
pyllyukko
referenced
this issue
Jan 11, 2024
pyllyukko
referenced
this issue
Jan 11, 2024
Of course it might be useful to detect UPX packed files (even though it doesn't necessarily mean they're malicious), but the problem is that this rule might hide a better detection underneath. I ran a test with 592 UPX packed malware samples and the rule hit on 338 of them, which hid plenty of ClamAV's own signatures.
pyllyukko
referenced
this issue
Jan 11, 2024
* https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATPython.yar FPs on a whole bunch of C & C++ sources and headers amongst other benign files. Try scanning /usr/include/ and find out :) * https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Sqlite.yar alerts on anything with "SQLite format 3" * php_uname & php_malfunctions in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Magento_suspicious.yar are too generic * blackhole_basic in https://github.com/Yara-Rules/rules/blob/master/exploit_kits/EK_Blackhole.yar seems too generic and FPs on files like swig-4.0.2/CHANGES & bison.info.gz * PM_Email_Sent_By_PHP_Script in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Mailers.yar is too generic (e.g. only having "/usr/bin/php") * https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar is too generic and FPs on files like /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/core/sys/windows/winuser.d
pyllyukko
added a commit
that referenced
this issue
Jan 13, 2024
* Relates to #84 * .issue=="The regex string has a measurable performance impact" . .level==3 (only the "manitsme" rule)
pyllyukko
referenced
this issue
Jan 14, 2024
It was removed from upstream: elastic/protections-artifacts@8b6b3b3
pyllyukko
added a commit
that referenced
this issue
Jan 31, 2024
It would be nice to have some YARA rule to detect malware like this:
gen_webshells.yar (from Arnims YARA rules) has a detection ( |
pyllyukko
added a commit
that referenced
this issue
Nov 21, 2024
* Removed browser_pass.yar (it is still blacklisted in ignore_list.ign2) * Added apt_cobaltstrike.yar & apt_cobaltstrike_evasive.yar from signature-base * Relates to #84 * Now we should have every CS rule covered from https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
clamav-unofficial-sigs downloads Linux Malware Detect YARA rules ( |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
jq '.[] | select(.issue=="The regex string has a measurable performance impact")' yaraQA-issues.json
jq '.[] | select(.level>=2)'
/usr
The text was updated successfully, but these errors were encountered: