
Improve detection of machO backdoors & stealers #631

Merged (9 commits) on Nov 16, 2024

Conversation

tstromberg (Collaborator)

Based on studying some recent submissions to the Malware Bazaar.

@tstromberg tstromberg marked this pull request as draft November 15, 2024 22:49
@tstromberg tstromberg marked this pull request as ready for review November 16, 2024 01:17
egibs (Member) commented Nov 16, 2024

It's odd that make integration doesn't seem to be completing with the changes in this branch.

Edit, it finished:

$ go test -timeout 0 ./tests/...
ok  	github.com/chainguard-dev/malcontent/tests	1009.494s

That's strange.

Tests are slow locally, too:

--- PASS: TestSimple/javascript/clean/faker.js (138.85s)
--- PASS: TestSimple/javascript/clean/napi_rs_runtime.js (140.04s)
--- PASS: TestSimple/linux/clean/clickhouse (351.76s)
--- PASS: TestSimple/linux/clean/libgcj.so.17 (70.17s)
--- PASS: TestSimple/linux/clean/libgcj.so.17.0.0 (68.54s)
--- PASS: TestSimple/linux/clean/trivy (109.63s)
--- PASS: TestSimple/linux/clean/wolfictl (67.87s)
--- PASS: TestSimple/macOS/2024.AMOS/Cosmical_setup (96.59s)
--- PASS: TestSimple/macOS/2024.AMOS/FlaUI_Driver (145.44s)
--- PASS: TestSimple/macOS/2024.AMOS/Installer (106.86s)
--- PASS: TestSimple/macOS/2024.AMOS/InstallerCrack (106.53s)
--- PASS: TestSimple/macOS/2024.AMOS/WeChat (106.71s)
--- PASS: TestSimple/macOS/2024.FakeZoom/Zoom (235.95s)
...
--- PASS: TestMarkdown/linux/clean/code-oss (33.84s)
--- PASS: TestMarkdown/linux/clean/pandoc (186.62s)
--- PASS: TestMarkdown/linux/clean/slack (42.93s)
--- PASS: TestMarkdown/linux/clean/trufflehog (33.13s)

PASS
ok  	github.com/chainguard-dev/malcontent/tests	548.563s

From main (same samples as above for a direct comparison except for FakeZoom):

--- PASS: TestSimple/javascript/clean/faker.js (0.57s)
--- PASS: TestSimple/javascript/clean/napi_rs_runtime.js (0.18s)
--- PASS: TestSimple/linux/clean/clickhouse (52.61s)
--- PASS: TestSimple/linux/clean/libgcj.so.17 (22.74s)
--- PASS: TestSimple/linux/clean/libgcj.so.17.0.0 (22.37s)
--- PASS: TestSimple/linux/clean/trivy (59.61s)
--- PASS: TestSimple/linux/clean/wolfictl (25.42s)
--- PASS: TestSimple/macOS/2024.AMOS/Cosmical_setup (0.02s)
--- PASS: TestSimple/macOS/2024.AMOS/FlaUI_Driver (0.02s)
--- PASS: TestSimple/macOS/2024.AMOS/Installer (0.02s)
--- PASS: TestSimple/macOS/2024.AMOS/InstallerCrack (0.02s)
--- PASS: TestSimple/macOS/2024.AMOS/WeChat (0.02s)
...
--- PASS: TestMarkdown/linux/clean/code-oss (14.45s)
--- PASS: TestMarkdown/linux/clean/pandoc (29.06s)
--- PASS: TestMarkdown/linux/clean/slack (18.45s)
--- PASS: TestMarkdown/linux/clean/trufflehog (15.71s)

PASS
ok  	github.com/chainguard-dev/malcontent/tests	352.669s

Running make integration takes ~145 seconds for me; the verbose logging slowed things down a bit.

Seems like a new rule is slowing down scans?

@tstromberg tstromberg requested a review from egibs November 16, 2024 02:19
tstromberg (Collaborator, Author)

Yeah, it looks like there may be no fast way to match a long string of alphanumeric text. It turns out that compiled regexps are run across all files - not just the ones matching conditions:

https://github.com/Neo23x0/YARA-Performance-Guidelines

tstromberg (Collaborator, Author)

commit incoming to improve performance ...

tstromberg (Collaborator, Author)

Updated rules are still slower than I like, but they are faster than they were.

There doesn't seem to be a fast way to detect a very large string with YARA :(

tstromberg (Collaborator, Author)

finished in 6 minutes - not bad! I had to remove a query, but the best improvement was adding a nul character up front to find the start character.
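The performance point made in the comments above, as an added illustration rather than the rules changed in this PR: YARA seeds its scan with fixed byte sequences (atoms) taken from each string, and a pattern built only from a variable-length character class gives it none, so the regex engine runs over every scanned file regardless of the rule's condition; a literal leading byte such as a nul gives the scanner something concrete to look for first. Rule names, the character class and the length threshold are assumptions made for this example.

```yara
// Hypothetical rules illustrating the thread above; not malcontent's own rules.

rule slow_long_alnum_blob
{
    meta:
        description = "Unanchored long alphanumeric run: no fixed bytes for YARA to seed its search"
    strings:
        // Only a variable-length class: any byte may start a match, so the regex
        // is evaluated at every offset of every file that is scanned.
        $blob = /[A-Za-z0-9+\/=]{512,}/
    condition:
        $blob
}

rule faster_long_alnum_blob
{
    meta:
        description = "Same payload shape, anchored on a literal nul byte that precedes the run"
    strings:
        // The literal \x00 is a fixed starting byte: the scanner first looks for it
        // and only expands the expensive variable-length part after a hit.
        $blob = /\x00[A-Za-z0-9+\/=]{512,}/
    condition:
        // Header checks narrow which files match, not which files the strings are
        // scanned over, so they do not replace the anchored string above.
        uint32(0) == 0xfeedfacf and $blob
}
```

The `uint32(0) == 0xfeedfacf` check matches the 64-bit Mach-O magic in little-endian byte order; fat (universal) binaries carry a different header and are not covered by this example.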

@tstromberg tstromberg merged commit 6cd4c4b into chainguard-dev:main Nov 16, 2024
8 checks passed
tstromberg added a commit to tstromberg/malcontent that referenced this pull request Nov 17, 2024
* improve malicious dmg detection

* Improve detection of machO backdoors & stealers

* improve rules

* update testdata

* update testdata

* tune rules

* tune rules

---------

Co-authored-by: Evan Gibler <[email protected]>
egibs added a commit that referenced this pull request Nov 17, 2024
* Improve Python detection for EvilDojo666 attack

* Improve detection of machO backdoors & stealers (#631)

* improve malicious dmg detection

* Improve detection of machO backdoors & stealers

* improve rules

* update testdata

* update testdata

* tune rules

* tune rules

---------

Co-authored-by: Evan Gibler <[email protected]>

* Add files, update test data

* Add models.py sample

* improve rule match accuracy

* fmt yara

* fix false-positive for versioneer/versioneer.py

---------

Co-authored-by: Evan Gibler <[email protected]>