
A question about malware signatures contribution #23

Closed
milosdjakonovic opened this issue Jun 12, 2021 · 4 comments
Labels
question Further information is requested

Comments

@milosdjakonovic
Contributor

Hi.
Do you accept malware signatures contribution?
If yes, how is that done: are the src/Signatures.php Signatures::$raw and Signatures::$regex what we could update?

Do you enforce limits regarding regex / raw rule length or complexity?

Last but not least, how do I as a contributor prove that the code is malware? Example, a few lines of readable and nicely formatted code (no eval|gunzip|base64_decode crap):

# pseudo-code
if ([...] $_GET['username'] === md5([...])) {
    move_uploaded_file($_FILES['file']['tmp_name'], $_GET['filename']);
}

Most certainly this does not have to be malware per se, but if I add the info that this file suddenly occurred as a dodgy WP plugin ("WP plugin"), then it's a different call.

@marcocesarato
Owner

marcocesarato commented Jun 12, 2021

Hi @milosdjakonovic, sure, we accept contributions of malware signatures. In this case it should be an Exploit (here: https://github.com/marcocesarato/PHP-Antimalware-Scanner/blob/master/src/Exploits.php) with level => Match::WARNING, because yes, it's malware, but it may also not be malware. For Exploits there are no limits regarding the length / complexity of the regular expression; it just has to be a valid regex that finds a valid exploit.

In this case there are some variables, like the filename/username key, and check whether there are other lines of code between the md5 check and move_uploaded_file.
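The detection the maintainer outlines above, written out as an added example (not the project's own code): a PCRE signature for the hash-gated upload pattern from the question that leaves the parameter names free and tolerates other lines between the md5 check and the upload call. The 'name'/'level'/'regex' array layout and the WARNING constant are assumed stand-ins for the real Exploits.php layout and Match::WARNING.

```php
<?php
// Added example (not the project's own code): an Exploits.php-style definition
// for the pattern from the issue. The 'name'/'level'/'regex' layout and the
// WARNING constant are assumed stand-ins for the real file layout and Match::WARNING.
const WARNING = 'warning';

$definition = [
    'name'  => 'md5_gated_upload',
    'level' => WARNING,
    // Three parts: a request parameter compared (== or ===) against an md5() result,
    // a bounded, non-greedy stretch of anything in between (other lines are allowed),
    // then move_uploaded_file() moving $_FILES[...]['tmp_name'] to a request-controlled path.
    // The parameter names ('username', 'filename', 'file') are deliberately not fixed.
    'regex' => '/\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*={2,3}\s*md5\s*\([^)]*\)'
             . '[\s\S]{0,400}?'
             . 'move_uploaded_file\s*\(\s*\$_FILES\s*\[[^\]]+\]\s*\[\s*[\'"]tmp_name[\'"]\s*\]\s*,'
             . '\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[/i',
];

// Returns the matched fragment, or null when the signature does not fire.
function scanSource(string $code, array $def): ?string
{
    return preg_match($def['regex'], $code, $m) === 1 ? $m[0] : null;
}

// Constructed sample in the shape the issue describes, with an extra line between
// the check and the upload call.
$suspicious = <<<'SRC'
<?php
if (isset($_GET['u']) && $_GET['u'] === md5('s3cret' . date('Y-m-d'))) {
    error_log('upload');
    move_uploaded_file($_FILES['f']['tmp_name'], $_GET['dest']);
}
SRC;

// Constructed control: an ordinary handler that saves into a fixed directory.
$benign = <<<'SRC'
<?php
if (hash_equals($expected, md5($_POST['token']))) {
    move_uploaded_file($_FILES['f']['tmp_name'], __DIR__ . '/uploads/' . basename($_FILES['f']['name']));
}
SRC;

foreach (['suspicious' => $suspicious, 'benign' => $benign] as $label => $src) {
    $hit = scanSource($src, $definition);
    echo $label, ': ', $hit === null ? 'clean' : $definition['name'] . ' (' . $definition['level'] . ')', PHP_EOL;
}
```

The 400-character bound on the gap is a tuning choice: large enough to skip a few intervening statements, small enough to keep the non-greedy match from spanning unrelated code.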

@milosdjakonovic
Contributor Author

Thanks... Now I see the difference. So, Signatures.php for malware and Exploits.php for code often but not exclusively used by malware.

Consider adding a mini howto for this subject to the README.

@marcocesarato marcocesarato added the question Further information is requested label Jun 13, 2021
@marcocesarato
Owner

Hi @milosdjakonovic, I created a small documentation website for the program (a lot of this information is already in the README).

Here the differences between definitions are explained in short: https://marcocesarato.github.io/PHP-Antimalware-Scanner/
And here, in short, how to contribute: https://marcocesarato.github.io/PHP-Antimalware-Scanner/how-contribute/

@milosdjakonovic
Contributor Author

Awesome. Malware samples are on the way...
