mustangV / yara-project

Automatically exported from code.google.com/p/yara-project
Apache License 2.0
0 stars 0 forks source link

Infinite loop on certain samples with one particular rule. Regex related. #82

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run the following rule on FLOC-meeting.doc

rule APT1_WEBC2_TABLE
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        $gif1 = /\w+\.gif/
        $gif2 = "GIF89" wide ascii
    condition:
        3 of them
}

FLOC-meeting.doc is discussed here: 
http://www.securelist.com/en/analysis/204792265/Red_October_Detailed_Malware_Des
cription_1_First_Stage_of_Attack

If you would like a copy of it I can pass it along. For obvious reasons I'm not 
going to post malware here. It's worth noting that FLOC-meeting is one of a 
handful of samples commonly available in open source reporting which triggers 
this.

2. Running the above rule against the sample results in yara entering an 
infinite loop somewhere deep in PCRE. I can trigger this with PCRE or RE2.

What is the expected output? What do you see instead?

No output. Yara goes into an infinite loop. Commenting out the rule and running 
others works fine. This only triggers on certain samples.

What version of the product are you using? On what operating system?

yara-python on 1.7 on Ubuntu 12.04 and OS X 10.8.3.

Original issue reported on code.google.com by wshie...@gmail.com on 20 Apr 2013 at 1:26

GoogleCodeExporter commented 8 years ago
The problem here is that /\w+\.gif/ makes the rule an order of magnitude 
slower, is not really an infinite loop, but it takes waaaay more time to scan.

Original comment by plus...@gmail.com on 23 May 2013 at 2:06