Teach malcontent about more Python maliciousness (#639)

* Teach malcontent about more Python maliciousness * refresh testdata * rule tuning * Update third-party rules as of 2024-11-18 (#641) Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com> * Don't consider .mdiff or .sdiff files in discoverTestData (#637) Signed-off-by: egibs <[email protected]> * update sample commit * update testdata * rule tuning --------- Signed-off-by: egibs <[email protected]> Co-authored-by: octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com> Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Evan Gibler <[email protected]>
chainguard-dev · Nov 18, 2024 · 24e39d3 · 24e39d3
1 parent 16cfd8b
commit 24e39d3
Show file tree

Hide file tree

Showing 175 changed files with 1,207 additions and 118 deletions.
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 8c02e6ef4d3a67e4e45f58e1b1b05a586e8bc24f
+SAMPLES_COMMIT ?= 35fa24a7f08b2363b0f4df9b86d6ecee7a0f6ead
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install

diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -196,15 +196,15 @@
                     "RuleName": "crypto_aes"
                 },
                 {
-                    "Description": "Uses crypto/cipher",
+                    "Description": "mentions 'ciphertext'",
                     "MatchStrings": [
-                        "XORKeyStream"
+                        "ciphertext"
                     ],
-                    "RiskScore": 0,
-                    "RiskLevel": "NONE",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#go_cipher",
+                    "RiskScore": 2,
+                    "RiskLevel": "MEDIUM",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext",
                     "ID": "crypto/cipher",
-                    "RuleName": "go_cipher"
+                    "RuleName": "ciphertext"
                 },
                 {
                     "Description": "Uses the Go crypto/ecdsa library",
@@ -1740,6 +1740,18 @@
                     "ID": "fs/symlink_resolve",
                     "RuleName": "realpath"
                 },
+                {
+                    "Description": "temp",
+                    "MatchStrings": [
+                        "getenv",
+                        "temp"
+                    ],
+                    "RiskScore": 1,
+                    "RiskLevel": "LOW",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp",
+                    "ID": "fs/tempdir/TEMP",
+                    "RuleName": "temp"
+                },
                 {
                     "Description": "Uses mktemp to create temporary files",
                     "MatchStrings": [
@@ -1904,7 +1916,7 @@
                     "RuleName": "content_type"
                 },
                 {
-                    "Description": "makes HTTP requests with basic authentication",
+                    "Description": "makes HTTP requests with Bearer authentication",
                     "MatchStrings": [
                         "WWW-Authenticate",
                         "Www-Authenticate",
@@ -1945,7 +1957,8 @@
                     "MatchStrings": [
                         "POST",
                         "application/json",
-                        "application/x-www-form-urlencoded"
+                        "application/x-www-form-urlencoded",
+                        "post"
                     ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
@@ -2003,6 +2016,17 @@
                     "ID": "net/ip",
                     "RuleName": "packets"
                 },
+                {
+                    "Description": "connects to an arbitrary hostname:port",
+                    "MatchStrings": [
+                        "host to transport"
+                    ],
+                    "RiskScore": 2,
+                    "RiskLevel": "MEDIUM",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port",
+                    "ID": "net/ip/host_port",
+                    "RuleName": "host_port"
+                },
                 {
                     "Description": "parses IP address (IPv4 or IPv6)",
                     "MatchStrings": [

diff --git a/rules/anti-static/base64/import.yara b/rules/anti-static/base64/import.yara
@@ -0,0 +1,19 @@
+rule b64_as_int: critical {
+  meta:
+    description = "hides term 'base64' within an integer array"
+
+  strings:
+    $f_decode = "decode"
+    $f_ord    = "ord"
+
+    $ib = "98,"
+    $ia = "97,"
+    $is = "115,"
+    $ie = "101,"
+    $i6 = "54,"
+    $i4 = "52"
+
+  condition:
+    any of ($f*) and all of ($i*) and @ia > @ib and @is > @ia and @ie > @is and @i6 > @ie and @i4 > @i6 and @i6 - @ib <= 48
+
+}
diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara
@@ -55,3 +55,18 @@ rule hex_parse_base64_high: high {
     filesize < 32KB and any of ($lang*) and any of ($b*) and none of ($not*)
 }
 
+rule mega_string: high {
+  meta:
+    description = "python script decodes large hexadecimal string"
+
+  strings:
+    $unhexlify            = "unhexlify"
+    $hex_multiline_single = /= {0,2}'''[\/\da-fA-F]{1024}/
+    $hex_multiline_double = /= {0,2}"""[\/\da-fA-F]{1024}/
+    $hex_line_single      = /= '[\/\da-fA-F]{1024}/
+    $hex_line_double      = /= "[\/\da-fA-F]{1024}/
+
+  condition:
+    filesize < 5MB and $unhexlify and any of ($hex*)
+
+}