Closed martiGIT closed 5 years ago
Nice to hear cheers!
I will think about IonCube, but that's a hard nut. I recently used it on some project, but from time to time I found a decoder, so maybe I could find a decode solution (I have an IonCube license to test encoded code somehow). Could you send the encrypted part in a gist?
And for the .ico issue, #36 may be the answer for you; go there and place a 👍 :)
Scanning everything is not a good answer, because this will lead to many false positives and also bad performance. An include of an ico file encoded in such a way (with path masking) is rather a scheme that can be taken and used as a pattern.
Please find the gist link below to the IonCube code.
Ohh, I misunderstood the .ico pattern; I will make a pattern update for this kind of trick. Could you send me the file in a gist as well?
This is the only common part that I mentioned before:
@include "\x2fhome\x2fsite\x2f01_2\x3002/f\x61vico\x6e_e03\x3628.i\x63o";
Pattern added for this include string.
Oh damn, this file is not ionCube encoded; there is an eval: $__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0xb39-0x689)));
So we are okay because we detect it.
And anyway this file seems to be a corrupted payload: "pack(): Type H: illegal hex digit", and I found an analysis here https://www.sitelock.com/blog/2018/02/fake-ioncube-malware/
Hi, first, thanks for a great piece of software that saved many man-days :)
Second, I would like to share some examples that also should be considered as malware.
IonCube_loader
- frequently malware is encrypted with this kind of popular encoder; also this is a code example:
Second, popular malware includes .ico files with PHP code inside, as part of the PHP. I see that in the rules there are some include(_GET examples, but for this particular example I find the malware with this kind of Linux find command:
find /var/www -name '*.ico' -exec grep -l "php" {} \;
Include example (the following example is a semi-encoded path):
@include "\x2fhome\x2fsite\x2f01_2\x3002/f\x61vico\x6e_e03\x3628.i\x63o";
The script could check if the included file (ico) contains PHP and then report the problem.
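The masked-include trick and the "does the .ico contain PHP" check described in this issue, as an added example that is not part of the issue or of the project's own rules: a small Python checker that decodes PHP double-quoted escapes, flags include/require of non-PHP files, and tests whether a supposed .ico payload carries a PHP open tag. The function names and the extension list are my assumptions.

```python
import re

# PHP double-quoted escapes: \xHH (1-2 hex digits), \OOO (1-3 octal digits) and the
# simple ones; single-quoted PHP strings do not decode \x, so only "..." is handled.
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([nrtv\\"$])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "\\": "\\", '"': '"', "$": "$"}

def decode_php_string(s):
    """Return the string PHP would see for the body of a double-quoted literal."""
    def sub(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8))
        return _SIMPLE[m.group(3)]
    return _ESC.sub(sub, s)

# include/require with a double-quoted literal argument, optional leading @ and parentheses.
_INCLUDE = re.compile(
    r'@?\b(include_once|include|require_once|require)\b\s*\(?\s*"((?:[^"\\]|\\.)*)"')

# Assumed list of extensions that legitimate code does not include as PHP.
NON_PHP_EXT = (".ico", ".jpg", ".jpeg", ".png", ".gif", ".txt", ".log")

def find_masked_includes(php_source):
    """Flag includes whose target is escape-masked or points at a non-PHP file."""
    hits = []
    for m in _INCLUDE.finditer(php_source):
        raw = m.group(2)
        path = decode_php_string(raw)
        masked = "\\" in raw                       # hex/octal escapes hide the real path
        non_php = path.lower().endswith(NON_PHP_EXT)
        if masked or non_php:
            hits.append({"keyword": m.group(1), "raw": raw, "path": path,
                         "masked": masked, "non_php_target": non_php})
    return hits

def ico_contains_php(data):
    """True if a supposed .ico payload carries a PHP open tag anywhere in its bytes."""
    return b"<?php" in data.lower() or b"<?=" in data

# Constructed sample: the include string from the issue, embedded in a PHP file.
SAMPLE = r'<?php @include "\x2fhome\x2fsite\x2f01_2\x3002/f\x61vico\x6e_e03\x3628.i\x63o";'

if __name__ == "__main__":
    for hit in find_masked_includes(SAMPLE):
        print("%s -> %s (masked=%s, non-php=%s)"
              % (hit["keyword"], hit["path"], hit["masked"], hit["non_php_target"]))
```

Run over a web root, the first check replaces the grep for "php" inside .ico files and the second catches the include even when the .ico itself is not readable by the scanner.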