Rule tuning based on initial Melofee analysis (#622)

Makefile

@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= f9198d7c1952b589a1de56515193c79c1b25b4bc
+SAMPLES_COMMIT ?= e5bfacbe59bd9b7889609bf24bd96ed2fb08c784
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install

pkg/action/testdata/scan_archive

@@ -2429,7 +2429,7 @@
                     "RuleName": "linux_adjtimex"
                 },
                 {
-                    "Description": "supports crontab manipulation",
+                    "Description": "lists crontab entries, may also persist",
                     "MatchStrings": [
                         "crontab"
                     ],
@@ -2473,20 +2473,6 @@
                     "ID": "process/create",
                     "RuleName": "syscall_clone"
                 },
-                {
-                    "Description": "sets a custom PATH",
-                    "MatchStrings": [
-                        "/bin:/usr/",
-                        "/sbin:/bin",
-                        "/usr/bin:/sbin",
-                        "PATH"
-                    ],
-                    "RiskScore": 1,
-                    "RiskLevel": "LOW",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/executable_path.yara#custom_path",
-                    "ID": "process/executable_path",
-                    "RuleName": "custom_path"
-                },
                 {
                     "Description": "creates a session and sets the process group ID",
                     "MatchStrings": [

rules/anti-behavior/LD_DEBUG.yara

@@ -1,6 +1,6 @@
 rule env_LD_DEBUG: medium {
   meta:
-    description              = "Checks if dynamic linker debugging is enabled"
+    description              = "may check if dynamic linker debugging is enabled"
     hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
     hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b"
     hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"

rules/anti-behavior/LD_PROFILE.yara

@@ -1,6 +1,6 @@
 rule env_LD_PROFILE: medium {
   meta:
-    description              = "Checks if dynamic linker profiling is enabled"
+    description              = "may check if dynamic linker profiling is enabled"
     hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
     hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b"
     hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"

rules/anti-behavior/anti-debugger.yara

@@ -23,3 +23,26 @@ rule win_debugger_or_vm: medium windows {
   condition:
     filesize < 25MB and 2 of ($debug*) and any of ($cpu*)
 }
+
+rule multiple_linux_methods: high linux {
+  meta:
+    description = "possible debugger detection across multiple methods"
+
+  strings:
+    $ld_profile    = "LD_PROFILE" fullword
+    $ld_debug      = "LD_DEBUG" fullword
+    $proc_exe      = /\/proc\/.{0,5}\/exe/
+    $proc_status   = /\/proc\/.{0,5}\/status/
+    $sys_kern      = "/proc/sys/kernel/osrelease"
+    $sys_device    = "/sys/devices/system/cpu"
+    $sys_cpuinfo   = "/proc/cpuinfo"
+    $not_busybox   = "BusyBox"
+    $not_rtld      = "RTLD_NEXT"
+    $not_rtld2     = "HRTIMER_SOFTIRQ"
+    $not_snapd     = "SNAPD" fullword
+    $not_ld_origin = "LD_ORIGIN_PATH"
+    $not_ld_mask   = "LD_HWCAP_MASK"
+
+  condition:
+    filesize < 8MB and all of ($ld*) and any of ($proc*) and any of ($sys*) and none of ($not*)
+}

rules/anti-static/elf/entropy.yara

@@ -28,3 +28,23 @@ rule normal_elf_high_entropy_7_4: high {
   condition:
     normal_elf and math.entropy(1, filesize) >= 7.4 and none of ($not*)
 }
+
+rule normal_elf_high_entropy_footer_7_4: high {
+  meta:
+    description = "high entropy footer in ELF binary (>7.4)"
+
+  condition:
+    normal_elf and math.entropy(filesize - 8192, filesize) >= 7.4
+}
+
+rule normal_elf_high_entropy_footer_7_4_rc4: critical {
+  meta:
+    description = "high entropy footer in ELF binary (>7.4), likely RC4 encrypted"
+
+  strings:
+    $cmp_e_x_256 = { 81 f? 00 01 00 00 }  // cmp {ebx, ecx, edx}, 256
+    $cmp_r_x_256 = { 48 81 f? 00 01 00 00 }  // cmp {rbx, rcx, …}, 256
+
+  condition:
+    filesize < 25MB and normal_elf and math.entropy(filesize - 8192, filesize) >= 7.4 and any of them
+}

rules/data/builtin/glibc.yara

@@ -0,0 +1,14 @@
+import "elf"
+
+rule elf_with_bundled_glibc: medium {
+  meta:
+    description = "includes bundled copy of glibc"
+
+  strings:
+    $glibc_private  = "GLIBC_PRIVATE"
+    $glibc_tunables = "GLIBC_TUNABLES"
+    $setup_vdso     = "setup_vdso"
+
+  condition:
+    filesize > 1024 and filesize < 25MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and all of them
+}

rules/data/builtin/multiple.yara

@@ -0,0 +1,36 @@
+import "elf"
+
+private rule _bundled_openssl: medium {
+  meta:
+    description = "includes bundled copy of OpenSSL"
+
+  strings:
+    $ref        = "OpenSSL/"
+    $aes_part   = "AES part of OpenSSL"
+    $montgomery = "Montgomery Multiplication for x86_64, CRYPTOGAMS"
+    $rc4        = "RC4 for x86_64, CRYPTOGAMS"
+
+  condition:
+    filesize > 1024 and filesize < 150MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and any of them
+}
+
+private rule _bundled_glibc: medium {
+  meta:
+    description = "includes bundled copy of glibc"
+
+  strings:
+    $glibc_private  = "GLIBC_PRIVATE"
+    $glibc_tunables = "GLIBC_TUNABLES"
+    $setup_vdso     = "setup_vdso"
+
+  condition:
+    filesize > 1024 and filesize < 25MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and all of them
+}
+
+rule elf_with_bundled_glibc_and_openssl: high {
+  meta:
+    description = "includes bundled copy of glibc and OpenSSL"
+
+  condition:
+    _bundled_openssl and _bundled_glibc
+}

rules/data/builtin/openssl.yara

@@ -1,26 +1,15 @@
-rule openssl: medium {
-  meta:
-    description                          = "This binary includes OpenSSL source code"
-    hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
-    hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2"
-    hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
-
-  strings:
-    $ref = "OpenSSL/"
+import "elf"
 
-  condition:
-    any of them
-}
-
-rule elf_with_bundled_openssl: high {
+rule openssl: medium {
   meta:
-    hash_2023_Unix_Malware_Bruteforce_4020 = "4020b018fcebf76672af2824636e7948131b313f723adef6cf41ad06bd2c6a6f"
-    hash_2023_Linux_Malware_Samples_24ee   = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819"
-    hash_2023_Linux_Malware_Samples_2f85   = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965"
+    description = "includes bundled copy of OpenSSL"
 
   strings:
-    $aes_part = "AES part of OpenSSL"
+    $ref        = "OpenSSL/"
+    $aes_part   = "AES part of OpenSSL"
+    $montgomery = "Montgomery Multiplication for x86_64, CRYPTOGAMS"
+    $rc4        = "RC4 for x86_64, CRYPTOGAMS"
 
   condition:
-    uint32(0) == 1179403647 and $aes_part
+    filesize > 1024 and filesize < 150MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and any of them
 }

rules/discover/network/interface-list.yara

@@ -15,3 +15,20 @@ rule bsd_ifaddrs: medium {
   condition:
     any of them
 }
+
+rule getifaddrs_avoid_debug: high {
+  meta:
+    description = "list network interfaces, avoids debugging"
+
+  strings:
+    $getifaddrs    = "getifaddrs" fullword
+    $gethostbyname = "gethostbyname"
+    $LD_DEBUG      = "LD_DEBUG"
+    $LD_PROFILE    = "LD_PROFILE"
+    $not_busybox   = "BusyBox" fullword
+    $not_snapd     = "SNAPD" fullword
+    $not_rtld      = "RTLD_NEXT"
+
+  condition:
+    filesize < 10MB and all of ($get*) and all of ($LD*) and none of ($not*)
+}

rules/discover/processes/list.yara

@@ -11,16 +11,28 @@ rule proc_listallpids: medium {
     any of them
 }
 
+rule ps_exec_pipe: critical {
+  meta:
+    description = "gets list of processes, isolating username, pid, ppid, cmdline"
+
+  strings:
+    $ps_ef = /ps -ef {0,2}\| {0,2}awk.{1,16}\$1.{1,5}\$2.{1,4}\$3.{1,4}\$8/
+
+  condition:
+    filesize < 25MB and any of them
+}
+
 rule ps_exec: medium {
   meta:
     pledge                           = "exec"
     syscall                          = "vfork"
     hash_2018_org_logind_ctp_archive = "02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9"
     hash_2022_Gimmick_CorelDRAW      = "2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f"
     hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
+    description                      = "executes ps(1) for a list of processes"
 
   strings:
-    $ps_ef     = "ps -ef |"
+    $ps_ef     = "ps -ef"
     $ps__ax    = "ps -ax"
     $ps_ax     = "ps ax"
     $hash_bang = "#!"

rules/discover/system/dev_full.yara

@@ -1,4 +1,4 @@
-rule dev_full: low linux {
+rule dev_full: harmless linux {
   meta:
     description = "tests full disk behavior"
 

rules/evasion/file/location/x11-unix.yara

@@ -4,7 +4,7 @@ rule hidden_x11: high {
     ref         = "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/"
 
   strings:
-    $x11 = /\/tmp\/\.X11-unix.{1,16}/
+    $x11 = /\/tmp\/\.X11-unix\/[\.\w\%\$\{\}\/\-]{1,16}/
 
   condition:
     filesize < 10MB and all of them

rules/evasion/mimicry/fake-process.yara

@@ -64,7 +64,7 @@ rule known_fake_process_names: high {
 
   strings:
     $e_kdevchecker = "kdevchecker" fullword
-    $e_kworkerr    = "kworkerr" fullword
+    $e_kworkerr    = /kworker[a-z]/ fullword
     $e_ksoftriqd   = "ksoftriqd" fullword
     $e_kdevtmpfsi  = "kdevtmpfsi" fullword
     $e_kthreaddk   = "kthreaddk" fullword
@@ -79,7 +79,7 @@ rule multiple_known_fake_process_names: critical {
 
   strings:
     $kdevchecker = "kdevchecker" fullword
-    $kworkerr    = "kworkerr" fullword
+    $e_kworkerr  = /kworker[a-z]/ fullword
     $ksoftriqd   = "ksoftriqd" fullword
     $kdevtmpfsi  = "kdevtmpfsi" fullword
     $kthreaddk   = "kthreaddk" fullword

rules/fs/path/var-profile.yara

@@ -1,6 +1,6 @@
 rule var_profile: medium {
   meta:
-    description = "references '/var/profile', found on routers or embedded systems"
+    description = "references '/var/profile', the default target of LD_PROFILE_OUTPUT"
 
   strings:
     $ref = "/var/profile" fullword

rules/impact/remote_access/backdoor.yara

@@ -85,3 +85,16 @@ rule backdoor_leet: critical {
   condition:
     filesize < 100MB and any of them and not wordlist
 }
+
+rule commands: high {
+  meta:
+    description = "may accept backdoor commands"
+
+  strings:
+    $hide = "hide ok" fullword
+    $show = "show ok" fullword
+    $kill = "kill ok" fullword
+
+  condition:
+    all of them
+}

rules/impact/rootkit/rootkit.yara

@@ -8,11 +8,45 @@ rule linux_kernel_module_getdents64: critical linux {
     filetypes                        = "elf,so"
 
   strings:
-    $getdents64      = "getdents64"
     $register_kprobe = "register_kprobe"
+    $f_getdents64    = "getdents64"
+    $f_filldir64     = "filldir64"
 
   condition:
-    filesize < 1MB and all of them
+    filesize < 1MB and $register_kprobe and any of ($f*)
+}
+
+rule linux_kernel_module_hider: critical linux {
+  meta:
+    description                      = "kernel module that hides files and open ports"
+    ref                              = "https://github.com/m0nad/Diamorphine"
+    hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede"
+    hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+    hash_2023_LQvKibDTq4_diamorphine = "d83f43f47c1438d900143891e7a542d1d24f9adcbd649b7698d8ee7585068039"
+    filetypes                        = "elf,so"
+
+  strings:
+    $register_kprobe = "register_kprobe"
+    $f_getdents64    = "getdents64"
+    $f_filldir64     = "filldir64"
+    $n_tcp4_seq_show = "tcp4_seq_show"
+
+  condition:
+    filesize < 1MB and $register_kprobe and any of ($f*) and any of ($n*)
+}
+
+rule linux_kernel_module_hide_self: critical linux {
+  meta:
+    description = "kernel module that hides itself"
+    filetypes   = "elf,so"
+
+  strings:
+    $register_kprobe = "register_kprobe"
+    $hide_self       = "hide_self"
+    $hide_module     = "hide_module"
+
+  condition:
+    filesize < 1MB and $register_kprobe and any of ($hide*)
 }
 
 rule funky_high_signal_killer: high {

rules/malware/family/melofee.yara

@@ -0,0 +1,28 @@
+rule melofee_2023: critical linux {
+  meta:
+    description = "Melofee rootkit (2023)"
+    ref         = "https://blog.exatrack.com/melofee/"
+
+  strings:
+    $loader = "/etc/intel_audio/audio | xargs kill"
+    $failed = "create rootkit file failed"
+    $insmod = "/sbin/insmod /etc/intel_audio/intel_audio.ko"
+    $lock   = "/var/lock/%s.lock"
+
+  condition:
+    filesize < 5MB and uint32(0) == 1179403647 and 2 of them
+}
+
+rule melofee_2024: critical linux {
+  meta:
+    description = "Melofee rootkit (2024)"
+    ref         = "https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/"
+
+  strings:
+    $sodl    = "/var/run/nscd/sodl-close.c"
+    $hide_ok = "hide ok"
+    $show_ok = "show ok"
+
+  condition:
+    filesize < 7MB and uint32(0) == 1179403647 and all of them
+}

rules/net/tcp/ssh.yara

@@ -1,13 +1,14 @@
 rule ssh: medium {
   meta:
-    description                      = "Uses SSH (secure shell) service"
+    description                      = "Supports SSH (secure shell)"
     hash_2024_2022_Conti_8b57e96_elf = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
     hash_2024_2022_Conti_bb64b27     = "bb64b27bff106d30a7b74b3589cc081c345a2b485a831d7e8c8837af3f238e1e"
     hash_1985_deploy                 = "8729e61daf18a196f7571fa097be32dd7b4dbcc3e3794be1102aa2ad91f4cbe0"
 
   strings:
     $ = "SSH" fullword
     $ = "ssh_packet" fullword
+    $ = "secureShellClient"
 
   condition:
     any of them