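rule Curl_email_abuse
{
    meta:
        description = "Detects obfuscated variable names and curl usage"
        date = "2024-11-03"
    strings:
        // cURL API usage. The condition requires three of the four, so a
        // single stray mention of one function does not count.
        $curl_init = "curl_init" nocase
        $curl_exec = "curl_exec" nocase
        $curl_setopt = "curl_setopt" nocase
        $curl_setopt_array = "curl_setopt_array" nocase
        // Generated variable names of the form $R<40-50 alphanumerics>; with
        // nocase the class effectively covers [A-Za-z0-9].
        $obfuscated_var = /\$R[A-Z0-9]{40,50}/ nocase
        // Direct or nested exec checks for potential command execution.
        // Nested form, as written in PHP:
        //   function_exists('exec') && !in_array('exec',
        //     array_map('trim', explode(',', ini_get('disable_functions'))))
        // Fix: the separator argument of explode() is a quoted comma
        // (['"],['"]) followed by the argument comma. The previous pattern
        // expected ini_get right after the opening quote and the comma, so
        // the canonical form above never matched. The pattern now also
        // accepts double quotes around trim and optional whitespace before
        // commas and closing parentheses (a superset of the old matches).
        $exec_check_nested = /function_exists\s*\(\s*['"]exec['"]\s*\)\s*&&\s*!in_array\s*\(\s*['"]exec['"]\s*,\s*array_map\s*\(\s*['"]trim['"]\s*,\s*explode\s*\(\s*['"],['"]\s*,\s*ini_get\s*\(\s*['"]disable_functions['"]\s*\)\s*\)\s*\)\s*\)/
        // Any "exec(" call. There is no word boundary, so shell_exec( and
        // pcntl_exec( match as well; left unchanged because those are
        // command execution too.
        $exec_direct_call = /exec\s*\(.*\)/
        // Obfuscation and encoding functions (temp disabled)
        //$eval_function = "eval("
        //$base64_decode = "base64_decode("
        //$gzuncompress = "gzuncompress("
        //$str_rot13 = "str_rot13("
    condition:
        3 of ($curl_init, $curl_exec, $curl_setopt, $curl_setopt_array) and
        $obfuscated_var and
        ($exec_check_nested or $exec_direct_call)
}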
rule Detect_Obfuscated_PHP_Malware_CURL {
    meta:
        description = "Detects obfuscated PHP malware using CURL functions and hardcoded URLs."
        date = "2024-12-25"
        version = "1.4"
    strings:
        // All three cURL calls are required. Only the array form of setopt
        // is matched here; a sample that uses plain curl_setopt() is not hit.
        $curl_init = "curl_init" nocase
        $curl_setopt_array = "curl_setopt_array" nocase
        $curl_exec = "curl_exec" nocase
        // URL-based strings remain disabled, so despite the description no
        // hardcoded-URL check is active in this revision.
        // $hardcoded_url = /http[s]?:\/\/[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+/ nocase
        // $curly_braces = /CURLOPT_URL\s*=>\s*["']http/ nocase
        // Generated variable name $R<40-50 alphanumerics> (nocase: lower case too)
        $curl_obfuscated_var = /\$R[A-Z0-9]{40,50}/ nocase
    condition:
        $curl_init and
        $curl_setopt_array and
        $curl_exec and
        $curl_obfuscated_var
}
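rule Detect_Obfuscated_PHP_Malware_Vars_Loops {
    meta:
        // Fix: "fasle" -> "false" in the description text.
        description = "Detects obfuscated PHP malware variables and suspicious loops. Rewritten to not trigger false positives"
        date = "2024-12-21"
        version = "1.3"
    strings:
        // $var = $_COOKIE;   (the whole superglobal copied into a variable)
        $cookie_check = /[\$\w]+\s*=\s*\$\_COOKIE\;/
        // $var = array();
        $array_initialization = /\$\w+\s*=\s*array\(\);/
        // $var[0][$key]      (numeric index, then a variable key)
        $access = /\$\w+\[\d+\]\[\$\w+\]/
        // $var[0]()          (an array element invoked as a function)
        $function_call = /\$\w+\[\d+\]\(\)/
        // include($var)      (include of a variable path; require and the
        //                     _once variants are deliberately not covered)
        $include_call = /\binclude\s*\(\s*\$\w+\)/
    condition:
        // Every fragment is required; each one on its own is likely to
        // appear in benign code, which is why the rule was tightened.
        $cookie_check and
        $array_initialization and
        $access and
        $function_call and
        $include_call
}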
// rule Detect_Obfuscated_PHP_Malware_Functions {
// meta:
// description = "Detects specific malicious PHP functions."
// date = "2024-12-02"
// version = "1.2"
// strings:
// $is_crawler = "is_crawler" nocase
// $check_refer = "check_refer" nocase
// $eval_with_assert = /eval\((assert|base64_decode)/ nocase
// condition:
// any of ($is_crawler, $check_refer, $eval_with_assert)
// }
// rule Detect_Obfuscated_PHP_Malware_Base64 {
// meta:
// description = "Detects obfuscated PHP malware with base64 decoding, eval, and dynamic execution patterns."
// author = "Assistant Enhanced"
// date = "2024-12-02"
// version = "1.2"
// strings:
// $base64_decode_eval = /base64_decode\([^)]*\);\s*(eval|assert|create_function)/ nocase
// $dynamic_include = /include\s*\([^)]*\)/ nocase
// $dynamic_execution = /\$\w+\s*\(/ nocase
// condition:
// 1 of ($base64_decode_eval, $dynamic_include, $dynamic_execution)
// }
rule TO_38544_Botnet_Binary_ELF
{
    meta:
        description = "Detects ELF botnet trojan with modified RC4-like encryption and syscall patterns"
        author = "Oleg Chesnokov"
        date = "2025-03-04"
    strings:
        // ELF magic; the condition anchors it at offset 0
        $elf_magic = {7F 45 4C 46}
        // Strings observed in the analysed sample
        $xordt = "xordt" nocase
        // Presumably the printable rendering of push r12..r15 (41 54 41 55 ...)
        // plus a trailing byte -- confirm against the sample
        $atauavawh = "ATAUAVAWH" nocase
        // Public DNS resolver address
        $ip8 = "8.8.8.8"
        $build_id = "52ce76e776ff7c67e51bcb57bc730f61b188600a"
        // x86-64 syscall instruction (0F 05). A two-byte pattern is expected
        // to occur by chance in files of this size, so it adds little
        // selectivity, and such short patterns typically slow scanning.
        $syscall = {0F 05}
    condition:
        $elf_magic at 0 and
        filesize < 100KB and
        1 of ($xordt, $atauavawh, $ip8, $build_id) and
        $syscall
}
rule TO_38544_PHP_Backdoor_Backdoor
{
    meta:
        description = "Detects PHP backdoor using obfuscation techniques"
        author = "Oleg Chesnokov"
        date = "2025-03-08"
    strings:
        // PHP file marker; the condition anchors it at offset 0
        $php_marker = "<?php" nocase
        // Backdoor building blocks -- every one of them is required
        $bd_cookie_set = "isset($_COOKIE[" nocase
        $bd_tempnam = "tempnam(" nocase
        $bd_spl_autoload = "spl_autoload_register" nocase
        $bd_str_rot13 = "str_rot13" nocase
        $bd_base64 = "base64_decode" nocase
        $bd_require_exec = "require_once(" nocase
        $bd_unlink_exec = "@array_map('unlink'" nocase
        $bd_class_parents = "class_parents(" nocase
        $bd_strncmp_check = "strncmp(" nocase
        // Known false-positive sources. NOTE(review): this is an allowlist on
        // bare keywords -- any file that merely contains one of them is never
        // flagged, which weakens the rule; confirm the trade-off against the
        // observed false positives is still intended.
        $fp_frameworks = "Symfony" nocase
        $fp_wp_plugin = "WordPress Plugin" nocase
        $fp_installer = "install.php" nocase
        $fp_token_util = "TokenUtil" nocase
        $fp_validator = "ValidatorCacheWarmer" nocase
        $fp_serializer = "SerializerCacheWarmer" nocase
        $fp_php_doc = "phpDocumentor" nocase
        $fp_geshi_lib = "GeSHi" nocase
    condition:
        filesize < 300KB and
        $php_marker at 0 and
        all of ($bd_*) and
        not any of ($fp_*)
}
rule TO_38544_Botnet_Binary_ELFv2
{
    meta:
        description = "Detects botnet ELF binaries with characteristic short strings and DNS pattern"
        author = "Oleg Chesnokov"
        date = "2025-06-15"
    strings:
        $elf_magic = {7F 45 4C 46}
        // Public DNS resolver address embedded in the sample
        $dns8 = "8.8.8.8"
        // Four-byte fragments seen in the sample. They look like the printable
        // rendering of x86-64 push/pop register sequences (e.g. 51 52 56 57
        // for "QRVW") and short compare/jump snippets -- confirm against the
        // sample before relying on that reading.
        $qr = "QRVW"
        $z = "_^ZY"
        $lt2 = "<2.t"
        $lt1t = "<1.t"
        $lt1u = "<1.u"
    condition:
        // Size must fall within the range of the typical samples
        // (translated from the original Russian comment).
        filesize > 10KB and filesize < 20KB and
        $elf_magic at 0 and
        all of ($dns8, $qr, $z, $lt2, $lt1t, $lt1u)
}
rule TO_38544_Botnet_Binary_ELF_UPX
{
    meta:
        description = "Detects UPX-packed ELF botnet binaries (variant, Oleg)"
        author = "Oleg Chesnokov"
        date = "2025-06-15"
    strings:
        $elf_magic = {7F 45 4C 46}
        // e_type == EXEC, checked at ELF header offset 0x10 in the condition
        $type_exec = {02 00}
        // UPX stub markers. $upx3 is pinned to the "UPX 3." version line, so
        // stubs from other major versions presumably only reach the second
        // alternative of the condition -- confirm if that matters.
        $upx1 = "UPX!"
        $upx2 = "$Info: This file is packed with the UPX executable packer"
        $upx3 = "$Id: UPX 3." nocase
        // Printable push/pop register sequences seen in the sample
        $ata = "ATAUAVAW" nocase
        $susp1 = "A_A^A"
        $susp2 = "]A\\Y[X"
    condition:
        filesize < 100KB and
        $elf_magic at 0 and
        $type_exec at 0x10 and
        (
            all of ($upx1, $upx2, $upx3) or
            2 of ($ata, $susp1, $susp2)
        )
}
rule nc_webshell_hex_eval
{
    meta:
        // The description text is unclear as written; the date is not in the
        // ISO form used by the other rules in this file.
        description = "Webshells separate an or to separate rule"
        date = "07-06-2024"
    strings:
        // Hex loader specific: hex2bin() of a long hex blob, then eval of
        // the decoded result.
        $hex2bin = "hex2bin" nocase ascii
        $eval_bin = "eval('?>'.$bin);" nocase ascii
        // 100 or more consecutive hex digits (the encoded payload)
        $hex_pattern = /[a-fA-F0-9]{100,}/
    condition:
        all of ($hex2bin, $eval_bin, $hex_pattern)
}
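rule PHP_backdoor_index_and_CURL
{
    meta:
        description = "Detects PHP loader/backdoor using curl_exec, User-Agent checks, and cURL"
        date = "2025-07-08"
        filetype = "PHP"
    strings:
        // Core PHP markers
        $php_open = "<?php"
        $curl_exec = "curl_exec" nocase
        // User-Agent checks.
        // Fix: $ua1 and $ua4 previously began with "\\$", i.e. an escaped
        // backslash, so they only matched a literal backslash in front of
        // $_SERVER and never hit real PHP source. "\$" is the literal dollar,
        // as used by the other rules in this file. Until now the "any of"
        // below could only be satisfied by $ua2 or the hyphenated $ua3.
        $ua1 = /\$_SERVER\s*\[\s*['"]HTTP_USER_AGENT['"]\s*\]/ nocase
        $ua2 = /getallheaders\s*\(\s*\)/ nocase
        // Plain text, so a text string is sufficient (was a regex without
        // any metacharacters; same matches).
        $ua3 = "User-Agent" nocase
        $ua4 = /stripos\s*\(\s*\$_SERVER\s*\[\s*['"]HTTP_USER_AGENT['"]\s*\]/ nocase
        // cURL usage
        $curl1 = "curl_init" nocase
        $curl2 = "curl_setopt" nocase
        $curl3 = "curl_close" nocase
        // Common stealth: silence errors, buffer and discard output.
        // All three are required by the condition.
        $str1 = "error_reporting(0);" nocase
        $str2 = "ob_start()" nocase
        $str3 = "ob_end_clean" nocase
    condition:
        $php_open and
        $curl_exec and
        any of ($ua1, $ua2, $ua3, $ua4) and
        any of ($curl1, $curl2, $curl3) and
        all of ($str1, $str2, $str3)
}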
rule nc_php_HeavilyObfuscated_f0f3704a6449dd55fcb01835c0420dc5
{
    meta:
        description = "Heavily obfuscated PHP malware and with high frequency of base64_decode and specific obfuscated call patterns."
        author = "Celestino Camacho"
        date = "22-07-2025"
        md5sum = "f0f3704a6449dd55fcb01835c0420dc5"
    strings:
        // Core of the obfuscation; its occurrence count (#b64_func) drives
        // both branches of the condition.
        $b64_func = "base64_decode("
        // header(base64_decode(...)) -- decoded header name/value
        $obf_header = /\bheader\s*\(\s*base64_decode\s*\(/ nocase
        // 21 or more base64_decode tokens, each within 60 bytes of the next
        $base64_1 = /(\bbase64_decode\b.{1,60}){20,}\bbase64_decode\b/i
        // 61 or more short base64_decode(...) calls in a comma-separated list
        $base64_2 = /(base64_decode\(.{6,20}\)\s{0,5},\s{0,5}){60,}base64_decode\(.{6,20}\)/i
        // $_GET / $_SERVER indexed with a decoded key
        $get_b64_key = /\$_GET\[base64_decode\s*\(/
        $server_b64_key = /\$_SERVER\[base64_decode\s*\(/
        // Suspicious actions
        $fwrite = "fwrite("
        $curl = "curl_init("
        $fsock = "fsockopen("
    condition:
        // Parenthesised to make the precedence explicit: "and" binds tighter
        // than "or", so the 15KB size bound applies to the first branch only.
        // NOTE(review): the second branch has no size bound -- confirm that is
        // intended rather than a missing pair of parentheses.
        (
            filesize < 15KB and
            #b64_func > 20 and
            ($obf_header or 1 of ($base64_*))
        )
        or
        (
            #b64_func > 10 and
            all of ($get_b64_key, $server_b64_key) and
            any of ($fwrite, $curl, $fsock)
        )
}
rule nc_webshell_5d8fbc6f0186052d6f796b32aa01d671
{
    meta:
        description = "Webshells"
        author = "Celestino Camacho"
        email = "celestino.camacho@namecheap.com"
        date = "29-05-2024"
        md5sum = "5d8fbc6f0186052d6f796b32aa01d671"
    strings:
        // eval( ... base64_decode -- decode-and-execute
        $pattern_1 = /\beval\s*\([^)]*base64_decode/ nocase
        // file_get_contents($var) -- fetch from a variable path/URL; the
        // condition accepts curl_init( as the alternative fetch primitive
        $pattern_2 = /\bfile_get_contents\s*\(\s*\$/
        $curl_init = "curl_init("
        // 200 or more bytes without any whitespace (packed payload)
        $obfuscation_no_whitespace = /\S{200,}/
    condition:
        filesize < 5KB and
        $obfuscation_no_whitespace and
        $pattern_1 and
        ($pattern_2 or $curl_init)
}