[Community-sigs] php

Matthew Molyett mmolyett at sourcefire.com
Thu Aug 3 12:29:58 EDT 2017


For my own use, I would start from

Html.Packed.PhpInjection;Engine:81-255,Target:0;1;0:3c3f70687020{4000-}3f3e0a;0/<\?php[^\x0A]{4000,}\?>/

Where:

VIRUS NAME: Html.Packed.PhpInjection
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 1
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
<?php {WILDCARD_ANY_STRING(LENGTH>=4000)}?>

 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
     +-> TRIGGER: 0
     +-> REGEX: <\?php[^\x0A]{4000,}\?>
     +-> CFLAGS: (null)

Engine 81 is required for the PCRE-style ldb signature.
Target type 0 is required for the detection of newline characters. ClamAV
normalizes HTML (type 3) and ASCII text (type 7) files such that sequences
of white space are replaced with single spaces.
LOGICAL EXPRESSION: 1 is used to set the PCRE rule as the final
determination for alerting.
SUBSIG ID 1 TRIGGER: 0 is used to make your 3c3f70687020{4000-}3f3e0a a
precondition for the further scanning.
SUBSIG ID 1 REGEX is used to make sure that none of those 4000 characters
are newline 0x0A.

I added SUBSIG ID 0 OFFSET: 0 to require the <?php to occur at byte 0
within the file, to have it only check the first line.

As proposed, the detection signature is likely too broad for inclusion as
an official signature, but hopefully this helps you with your local ClamAV
usage and future signature creation.

On Thu, Aug 3, 2017 at 7:46 AM, Рома Слєпчик <roma at slepchik.com.ua> wrote:

> Hi.
> I am trying to write a signature for a PHP inject with base64 encoding and need some help.
> All injections are always inserted into the first line of the file and have a size of more
> than 4000 symbols, beginning with <?php and closing with ?>. I tried using the sig
> 3c3f70687020{4000-}3f3e0a but it does not work, because the 4000- includes 0a.
> How can I stop checking the file after the first match of 0a? Or how can I check only the first
> line of the file?
> I added an example file: https://www.dropbox.com/s/ppzgf6aa1hqk60y/object.php?dl=0
>
> I can write a sig for this injection, but new injections always change. What is stable:
> always more than 4000 symbols and <?php  ?>



-- 

Matthew Molyett
Malware Researcher

mmolyett at cisco.com
Phone:  (410) 309-4834
Mobile: (410) 674-2049

Cisco.com - http://www.cisco.com

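The signature logic described in the reply above, as an added Python emulation that is not part of this thread or of ClamAV: it models subsig 0 (hex string with the {4000-} wildcard at offset 0), subsig 1 (the PCRE with TRIGGER 0) and logical expression 1 over raw bytes, and shows why the 0x0A guard only works on an unnormalized target. The functions, the whitespace normalizer and the two sample buffers are constructed here and are assumptions, not libclamav behaviour.

```python
import re

# Subsig 0 of the posted sig, 3c3f70687020{4000-}3f3e0a at OFFSET 0:
# "<?php " + 4000 or more bytes of anything (newlines too) + "?>\n",
# anchored at byte 0. This is the pattern the asker found too loose.
SUBSIG0 = re.compile(rb"\A<\?php .{4000,}\?>\n", re.DOTALL)

# Subsig 1, the PCRE <\?php[^\x0A]{4000,}\?> with TRIGGER 0: evaluated only
# after subsig 0 matched, and it forbids any 0x0A inside the 4000+ bytes.
SUBSIG1 = re.compile(rb"<\?php[^\x0A]{4000,}\?>")


def evaluate_signature(data: bytes) -> dict:
    """Emulate LOGICAL EXPRESSION '1' of Html.Packed.PhpInjection over raw
    (Target:0) bytes. Mirrors the semantics described in the post, not
    libclamav's matcher itself."""
    subsig0 = SUBSIG0.search(data) is not None
    subsig1 = subsig0 and SUBSIG1.search(data) is not None  # TRIGGER: 0
    return {"subsig0": subsig0, "subsig1": subsig1, "alert": subsig1}


def normalize_whitespace(data: bytes) -> bytes:
    """Simplified stand-in for the HTML/text target normalization the post
    describes: every run of white space (newlines included) becomes one
    space. Not the real ClamAV normalizer, only its effect on newlines."""
    return re.sub(rb"\s+", b" ", data)


def newline_guard_rejects(data: bytes, normalized: bool) -> bool:
    """True when the 0x0A guard in the PCRE still refuses the file. With
    normalized=True the newlines are gone before the PCRE runs, which is
    why Target:0 is needed for the guard to mean anything."""
    buf = normalize_whitespace(data) if normalized else data
    return SUBSIG1.search(buf) is None


# Constructed samples, not files from the thread.
# A one-line injection: <?php, 4000+ bytes without a newline, ?>\n, then HTML.
ONE_LINE_INJECTION = (
    b"<?php eval(base64_decode('" + b"QUFB" * 1100 + b"'));?>\n"
    + b"<html><body>site</body></html>\n"
)
# Ordinary multi-line PHP with more than 4000 bytes between <?php and ?>.
MULTI_LINE_PHP = b"<?php \n" + b"// ordinary source line\n" * 300 + b"?>\n"

if __name__ == "__main__":
    for name, sample in (("injection", ONE_LINE_INJECTION), ("multi-line", MULTI_LINE_PHP)):
        print(name, evaluate_signature(sample),
              "guard rejects raw:", newline_guard_rejects(sample, False),
              "guard rejects normalized:", newline_guard_rejects(sample, True))
```

The multi-line sample matches the hex subsig alone (the asker's false positive) but not the PCRE, and once whitespace is normalized the PCRE matches it too.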