VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Infinite loop on certain samples with one particular rule. Regex related. #82

Closed plusvic closed 10 years ago

plusvic commented 10 years ago

From wshie...@gmail.com on April 20, 2013 03:26:29

What steps will reproduce the problem?

1. Run the following rule on FLOC-meeting.doc

rule APT1_WEBC2_TABLE
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        $gif1 = /\w+\.gif/
        $gif2 = "GIF89" wide ascii

    condition:
        3 of them
}

FLOC-meeting.doc is discussed here: http://www.securelist.com/en/analysis/204792265/Red_October_Detailed_Malware_Description_1_First_Stage_of_Attack If you would like a copy of it I can pass it along. For obvious reasons I'm not going to post malware here. It's worth noting that FLOC-meeting is one of a handful of samples commonly available in open source reporting which triggers this.

2. Running the above rule against the sample results in yara entering an infinite loop somewhere deep in PCRE. I can trigger this with PCRE or RE2.

What is the expected output? What do you see instead?

No output. Yara goes into an infinite loop. Commenting out the rule and running others works fine. This only triggers on certain samples.

What version of the product are you using? On what operating system?

yara-python on 1.7 on Ubuntu 12.04 and OS X 10.8.3.

Original issue: http://code.google.com/p/yara-project/issues/detail?id=82

plusvic commented 10 years ago

From plus...@gmail.com on May 23, 2013 07:06:01

The problem here is that /\w+.gif/ makes the rule an order of magnitude slower; it is not really an infinite loop, but it takes waaaay more time to scan.

Status: Invalid
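A step-count model of why that regex is slow, added here as an illustration (not code from YARA, PCRE or this thread): the counts come from a constructed approximation of a backtracking matcher, and the literal-first alternative is included only for contrast, not as YARA's own strategy.

```python
r"""Step-count model of why /\w+\.gif/ gets slow on large inputs; a
constructed illustration, not YARA or PCRE code."""
import re
import string

WORD = set(string.ascii_letters + string.digits + "_")  # \w in ASCII mode
PATTERN = re.compile(r"\w+\.gif", re.ASCII)

def backtracking_steps(data: str) -> tuple[bool, int]:
    r"""Naive engine: at each offset \w+ greedily eats the whole word run, then
    gives back one char at a time trying ".gif" after every prefix."""
    steps, n = 0, len(data)
    for start in range(n):
        steps += 1
        if data[start] not in WORD:
            continue
        end = start + 1
        while end < n and data[end] in WORD:
            end, steps = end + 1, steps + 1
        for split in range(end, start, -1):  # backtrack over each prefix
            steps += 1
            if data.startswith(".gif", split):
                return True, steps
    return False, steps

def literal_first_steps(data: str) -> tuple[bool, int]:
    """Locate the rare literal ".gif" first, then confirm a word character
    precedes it; cost stays linear in the input size."""
    steps = pos = 0
    while True:
        idx = data.find(".gif", pos)
        if idx == -1:
            return False, steps + (len(data) - pos)
        steps += (idx - pos) + 4
        if idx > 0 and data[idx - 1] in WORD:
            return True, steps + 1
        pos = idx + 1

def compare(data: str) -> dict:
    """Cross-check both models against Python's re and report step counts."""
    matched_bt, bt = backtracking_steps(data)
    matched_lf, lf = literal_first_steps(data)
    assert matched_bt == matched_lf == bool(PATTERN.search(data))
    return {"matched": matched_bt, "backtracking": bt, "literal_first": lf}

if __name__ == "__main__":
    # Constructed input: a long word-character run with no ".gif", as a big
    # document might hold. Doubling its length roughly quadruples the cost.
    for n in (2000, 4000):
        print(n, compare("A" * n))
```

For a run of n word characters the backtracking model spends n*(n+1) comparisons while the literal-first model spends n, which is the scaling behind the "order of magnitude slower" scan on a large sample.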