[Community-sigs] php

Рома Слєпчик roma at slepchik.com.ua
Fri Aug 4 06:05:17 EDT 2017


Thanks for spending your time and explaining how it works.

2017-08-03 19:29 GMT+03:00 Matthew Molyett <mmolyett at sourcefire.com>:

> For my own use, I would start from
>
> Html.Packed.PhpInjection;Engine:81-255,Target:0;1;0:3c3f70687020{4000-}3f3e0a;0/<\?php[^\x0A]{4000,}\?>/
>
> Where:
>
> VIRUS NAME: Html.Packed.PhpInjection
> TDB: Engine:81-255,Target:0
> LOGICAL EXPRESSION: 1
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> <?php {WILDCARD_ANY_STRING(LENGTH>=4000)}?>
>
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>      +-> TRIGGER: 0
>      +-> REGEX: <\?php[^\x0A]{4000,}\?>
>      +-> CFLAGS: (null)
>
> Engine 81 is required for the PCRE-style ldb signature.
> Target type 0 is required for the detection of newline characters. ClamAV
> normalizes HTML (type 3) and ASCII text (type 7) files such that sequences
> of white space are replaced with single spaces.
> LOGICAL EXPRESSION: 1 is used to set the PCRE rule as the final
> determination for alerting.
> SUBSIG ID 1 TRIGGER: 0 is used to make your 3c3f70687020{4000-}3f3e0a be a
> precondition on the further scanning.
> SUBSIG ID 1 REGEX is used to make sure that none of those 4000 characters
> are newline 0x0A.
>
> I added SUBSIG ID 0 OFFSET: 0 to require the <?php to occur at byte 0
> within the file, to have it only check the first line.
>
> As proposed, the detection signature is likely too broad for inclusion as
> an official signature, but hopefully this helps you with your local Clam AV
> usage and future signature creation.
>
> On Thu, Aug 3, 2017 at 7:46 AM, Рома Слєпчик <roma at slepchik.com.ua> wrote:
>
> > Hi.
> > I am trying to write a signature for a PHP inject with base64 encoding and need
> > some help.
> > All injections are always inserted into the first line of the file and have a size
> > of more than 4000 symbols, beginning with <?php and closing with ?>. I tried using
> > the sig 3c3f70687020{4000-}3f3e0a but it does not work, because 4000- includes 0a.
> > How can I stop checking the file after the first match of 0a? Or how can I check
> > only the first line of the file?
> > Added an example file: https://www.dropbox.com/s/ppzgf6aa1hqk60y/object.php?dl=0
> >
> > I can write a sig for this injection but new injections always change. What is
> > stable is always more than 4000 symbols and <?php  ?>
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
> >
>
>
>
> --
>
> Matthew Molyett
> Malware Researcher
>
> mmolyett at cisco.com
> Phone:  (410) 309-4834
> Mobile: (410) 674-2049
>
> Cisco.com - http://www.cisco.com
>
>



-- 
With love and patience, Roman
jabber: roma at slepchik.com.ua
skype: zysylcheg
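As an added illustration (not code from the thread or from ClamAV), the Python below emulates the two subsignatures of Matthew's logical signature on constructed samples: it shows why the hex subsig alone fires on an ordinary multi-line PHP file, because {4000-} swallows 0x0A, while the PCRE with TRIGGER 0 and logical expression "1" does not, and why the "0:" offset rejects a block that is not on the first line. The offset-0 anchor is emulated with \A and the samples are constructed, not the Dropbox file from the thread.

```python
import re

# Subsig 0 as written in the thread: 3c3f70687020{4000-}3f3e0a with the "0:" offset,
# i.e. b"<?php " at byte 0, then 4000 or more bytes of ANYTHING (newlines included,
# hence the original problem), then b"?>\n". The offset is emulated with \A.
HEX_SUBSIG = re.compile(rb"\A<\?php .{4000,}\?>\n", re.DOTALL)

# Subsig 1, the PCRE from the thread: [^\x0A] forbids newlines inside the block,
# so the whole <?php ... ?> has to sit on a single line.
PCRE_SUBSIG = re.compile(rb"<\?php[^\x0A]{4000,}\?>")


def subsig0_matches(data: bytes) -> bool:
    return HEX_SUBSIG.search(data) is not None


def subsig1_matches(data: bytes) -> bool:
    return PCRE_SUBSIG.search(data) is not None


def alerts(data: bytes) -> bool:
    """Logical expression "1" with TRIGGER 0 on the PCRE subsig: the PCRE is only
    evaluated once the hex subsig has matched, and the alert decision is the PCRE
    result alone."""
    if not subsig0_matches(data):
        return False  # trigger not satisfied, the PCRE never runs
    return subsig1_matches(data)


# Constructed samples (not the file from the thread).
# 1) One-line base64-style injection on the first line: the case the signature targets.
INJECTED = b"<?php eval(base64_decode('" + b"QUJD" * 1100 + b"')); ?>\n<html>\n"

# 2) Ordinary multi-line PHP file over 4000 bytes: the hex subsig alone fires because
#    {4000-} swallows newlines, but the PCRE does not, so the logical sig stays quiet.
LEGIT = b"<?php \n" + b"// comment line\n" * 300 + b"echo 'hi';\n?>\n"

# 3) Same injection but not at byte 0: the "0:" offset on subsig 0 rejects it.
NOT_FIRST_LINE = b"<html>\n" + INJECTED


if __name__ == "__main__":
    for name, sample in (("INJECTED", INJECTED), ("LEGIT", LEGIT), ("NOT_FIRST_LINE", NOT_FIRST_LINE)):
        print(f"{name:15s} subsig0={subsig0_matches(sample)} "
              f"subsig1={subsig1_matches(sample)} alert={alerts(sample)}")
```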


