Bump yara-x to 1.3.0; refactor slow rules to account for MAX_ATOMS_PER_REGEXP increase (#1030)

* Bump yara-x to 1.3.0

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Consolidate and refactor slow rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

.github/workflows/codeql.yaml

@@ -36,7 +36,7 @@ jobs:
           fetch-tags: true
           repository: virusTotal/yara-x
           path: yara-x
-          ref: refs/tags/v1.2.1
+          ref: refs/tags/v1.3.0
       - name: Install Rust for yara-x-capi
         uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
         with:

Makefile

@@ -5,7 +5,7 @@
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
 SAMPLES_COMMIT ?= f948cfd0f9d2a35a2452fe43ea4d094979652103
 YARA_X_REPO ?= virusTotal/yara-x
-YARA_X_COMMIT ?= 02d649bd1ff35789757a515d0fd3bbdfaf411ef3
+YARA_X_COMMIT ?= ad1a45957ca12397b1ebe9052ce4b50b3b55f518
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install
@@ -52,17 +52,17 @@ $(GOLANGCI_LINT_BIN):
 	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(LINT_ROOT)/out/linters $(GOLANGCI_LINT_VERSION)
 	mv $(LINT_ROOT)/out/linters/golangci-lint $@
 
-YARA_X_VERSION ?= v1.2.1
+YARA_X_VERSION ?= v1.3.0
 YARA_X_SHA :=
 ifeq ($(LINT_OS),Darwin)
 	ifeq ($(shell uname -m),arm64)
 		LINT_ARCH = aarch64
-		YARA_X_SHA = b85ae01e5d16f99f84613e688a05986a56b5c849148895a74ee80115cb6acdad
+		YARA_X_SHA = 4486718b3ef6e63192a8a18a171e49bdd48e9870053c5cab5cc799c7c48579b4
 	else
-		YARA_X_SHA = f4fb8a75af3a82a7377758d6dc09c2d46c230d26d83991a4c27e93c17dae78e9
+		YARA_X_SHA = d7617bd8a7b5e1f1ed6d3d82474958bd429a0f4dcebc5d05cf3be8e95d48098c
 	endif
 else
-	YARA_X_SHA = 8f018934fe80a5428bca0fcb4778e188210e77f03b1507bbbfb4b1e30af3051f
+	YARA_X_SHA = 26b11fc4390e49752e069c6d2703a46b5c68aac8f5b2a2a81117a5d7705e6813
 endif
 YARA_X_BIN := $(LINT_ROOT)/out/linters/yr-$(YARA_X_VERSION)-$(LINT_ARCH)
 $(YARA_X_BIN):

README.md

@@ -123,7 +123,7 @@ Requirements:
 * [pkgconf](http://pkgconf.org/) - required by Go to find C dependencies, included in many UNIX distributions
 * [libssl-dev](https://packages.debian.org/buster/libssl-dev) package
 
-To install yara-x, first install Rust and then run `make install-yara-x` which will clone the yara-x repository and install yara-x's dependenicies and its C API.
+To install yara-x, first install Rust and then run `make install-yara-x` which will clone the yara-x repository and install yara-x's dependencies and its C API.
 
 ### Building locally in Debian/Ubuntu
 
@@ -132,11 +132,11 @@ To install yara-x, first install Rust and then run `make install-yara-x` which w
    ```bash
    sudo apt-get install -y pkgconf libssl-dev
    ```
-   
+
    Make sure [Go](https://go.dev/doc/install) and [Rust](https://www.rust-lang.org/tools/install) are installed
 
 2. Run `make install-yara-x` to build the yara-x C API. (The
-   `yara_xcapi.pc` file will be generated under `./out/lib/pkgconfig`. 
+   `yara_xcapi.pc` file will be generated under `./out/lib/pkgconfig`.
    For more information about the yara-x C API, reference the documentation here: https://virustotal.github.io/yara-x/docs/api/c/c-/#building-the-c-library.).
 
 3. Build the malcontent binary with:

go.mod

@@ -5,7 +5,7 @@ go 1.24.0
 toolchain go1.24.1
 
 require (
-	github.com/VirusTotal/yara-x/go v1.2.1
+	github.com/VirusTotal/yara-x/go v1.3.0
 	github.com/agext/levenshtein v1.2.3
 	github.com/cavaliergopher/cpio v1.0.1
 	github.com/cavaliergopher/rpm v1.3.0

go.sum

@@ -1,5 +1,5 @@
-github.com/VirusTotal/yara-x/go v1.2.1 h1:eOFTHXW7GKEQ7JfvJ6XzMMYcAMDg9FqcpJBSV1EIioQ=
-github.com/VirusTotal/yara-x/go v1.2.1/go.mod h1:lgXP/nkYX349MVowrtTtU5hzMdCOWQLv3+wKll9+0F8=
+github.com/VirusTotal/yara-x/go v1.3.0 h1:A2KXaJDC4ktRc6FHn45onmFE++n9hwz4iW/5cRae3UA=
+github.com/VirusTotal/yara-x/go v1.3.0/go.mod h1:lgXP/nkYX349MVowrtTtU5hzMdCOWQLv3+wKll9+0F8=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=

rules/anti-static/obfuscation/js.yara

@@ -340,40 +340,43 @@ rule high_entropy_charAt: medium {
 
 rule charAt_long_string: medium {
   meta:
-    description = "uses charAt/substr/join loops with a long variable"
+    description = "charAt/substr operations with long strings"
     filetypes   = "js,ts"
 
   strings:
-    $s_charAt   = "charAt("
-    $s_substr   = "substr("
-    $s_join     = "join("
-    $s_function = /function\s{0,2}\(/
-    $s_for      = /for\s{0,2}\(/
+    $charAt = "charAt("
+    $substr = "substr("
+    $join   = "join("
+    $func   = "function"
+    $for    = "for"
 
-    $long_string  = /\([\'\"]\w{32,1024}[\"\']\)/
-    $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/
+    $long1 = /["'][a-zA-Z0-9]{32,}["']/
+    $long2 = /["']\w{50,}["']/
 
   condition:
-    all of ($s*) and any of ($long*)
+    2 of ($charAt, $substr, $join) and
+    $func and $for and
+    any of ($long*)
 }
 
-rule charAt_long_vars: medium {
+rule charAt_multiple_suspicious: medium {
   meta:
-    description = "uses charAt/substr/join loops with long variables"
+    description = "Multiple suspicious string patterns with charAt operations"
     filetypes   = "js,ts"
 
   strings:
-    $s_charAt   = "charAt("
-    $s_substr   = "substr("
-    $s_join     = "join("
-    $s_function = /function\s{0,2}\(/
-    $s_for      = /for\s{0,2}\(/
+    $charAt = "charAt("
+    $substr = "substr("
+    $join   = "join("
 
-    $long_string  = /\([\'\"]\w{32,1024}[\"\']\)/
-    $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/
+    $susp1 = /["'][a-zA-Z0-9]{32,}["']/
+    $susp2 = /["'][!@#$%^&*(){}\[\]]{8,}["']/
+    $susp3 = /["'][0-9a-fA-F]{32,}["']/
+    $susp4 = /["'][a-zA-Z0-9+\/=]{50,}["']/
 
   condition:
-    all of ($s*) and (#long_string + #long_garbage) > 3
+    2 of ($charAt, $substr, $join) and
+    #susp1 + #susp2 + #susp3 + #susp4 > 3
 }
 
 rule obfuscated_require: high {

rules/anti-static/obfuscation/math.yara

@@ -24,34 +24,46 @@ rule js_long_dumb_math: critical {
 
 rule js_junk_math: medium {
   meta:
-    description = "suspicious junk math"
-    filetypes   = "js,ts"
+    description   = "suspicious junk math operations with charAt"
+    filetypes     = "js,ts"
+    severity_note = "1-2 patterns = medium, 3+ patterns = high"
 
   strings:
-    $charAt                     = "charAt"
-    $m_subtract_var             = /\s\w{1,16}\s{0,2}=\s{0,2}\d{0,8}\s{0,2}-\s{0,2}\d{1,8};/
-    $m_var_int                  = /var\s{1,16}\w{0,16}\s{0,2}=\s{0,2}\d{3,16};/
-    $m_paren_add                = /\(\w{0,8}\s{0,2}\+\s{0,2}\d{1,16}\)/
-    $m_paren_long_remainder     = /\(\w{0,8}\s{0,2}%\s{0,2}\d{4,16}\)/
-    $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/
+    $charAt = "charAt"
+
+    $m_subtract  = /\s\w{1,16}\s?=\s?\d{0,8}\s?-\s?\d{2,8};/
+    $m_var_int   = /var\s+\w{1,16}\s?=\s?\d{3,16};/
+    $m_paren_add = /\(\w{1,8}\s?\+\s?\d{2,16}\)/
+    $m_paren_rem = /\(\w{1,8}\s?%\s?\d{4,16}\)/
+    $m_tiny_rem  = /\w{1,2}\s?=\s?\(\w\s?\+\s?\w\)\s?%\s?\d{4,16};/
 
   condition:
-    $charAt and 2 of ($m*)
+    $charAt and any of ($m*)
 }
 
-rule js_junk_math_high: high {
+rule sketchy_math_conversions: medium {
   meta:
-    description = "multiple examples of suspicious junk math"
+    description = "complex math with parseInt or fromCharCode conversions"
     filetypes   = "js,ts"
 
   strings:
-    $charAt                     = "charAt"
-    $m_subtract_var             = /\s\w{1,16}\s{0,2}=\s{0,2}\d{0,8}\s{0,2}-\s{0,2}\d{2,8};/
-    $m_var_int                  = /var\s{1,16}\w{0,16}\s{0,2}=\s{0,2}\d{3,16};/
-    $m_paren_add                = /\(\w{0,8}\s{0,2}\+\s{0,2}\d{2,16}\)/
-    $m_paren_long_remainder     = /\(\w{0,8}\s{0,2}%\s{0,2}\d{4,16}\)/
-    $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/
+    $f_parseInt     = "parseInt"
+    $f_fromCharCode = "fromCharCode"
+
+    $math1 = /\d{2,16}[\+\-\*\/]\w{1,8}/
+    $math2 = /\w{1,8}[\+\-\*\/]\d{2,16}/
+
+    $xor1 = /\d{2,16}\^\w{1,8}/
+    $xor2 = /\w{1,8}\^\d{2,16}/
+
+    $complex_math = /[\(\[][\w\d\s\+\-\*\/\^]{10,50}[\)\]]/
 
   condition:
-    $charAt and 3 of ($m*)
+    filesize < 1MB and
+    ($f_parseInt or $f_fromCharCode) and
+    (
+      (#math1 + #math2 > 5) or
+      (#xor1 + #xor2 > 2) or
+      #complex_math > 3
+    )
 }

rules/anti-static/obfuscation/reverse.yara

@@ -10,27 +10,22 @@ rule string_reversal: medium {
     any of them
 }
 
-rule function_reversal: high {
+rule js_function_reversal: high {
   meta:
-    description = "reversed function definition"
+    description = "reversed javascript function calls"
     filetypes   = "js,ts"
 
   strings:
-    $ref = /n.{0,3}o.{0,3}i.{0,3}t.{0,3}c.{0,3}n.{0,3}u.{0,3}f/
+    $function_rev1 = "noitcnuf"
+    $function_rev2 = { 6E 6F 69 74 63 6E 75 66 }
 
-  condition:
-    filesize < 1MB and any of them
-}
-
-rule js_reversal: high {
-  meta:
-    description = "multiple reversed javascript calls"
-    filetypes   = "js,ts"
-
-  strings:
-    $ref  = /n.{0,3}o.{0,3}i.{0,3}t.{0,3}c.{0,3}n.{0,3}u.{0,3}f/
-    $ref2 = /n.{0,3}r.{0,3}u.{0,3}t.{0,3}e.{0,3}r/
+    $function_dots = /no\.?i\.?t\.?c\.?n\.?u\.?f/
+    $return_rev    = "nruter"
+    $return_dots   = /nr\.?u\.?t\.?e\.?r/
 
   condition:
-    filesize < 1MB and all of them
+    filesize < 1MB and (
+      ($function_rev1 or $function_rev2) and ($return_rev or $return_dots) or
+      ($function_dots and $return_dots)
+    )
 }

rules/anti-static/obfuscation/strtoi.yara

@@ -1,17 +1,3 @@
-rule sketchy_fromCharCode_math: medium {
-  meta:
-    description = "complex math and utf16 code unit conversion"
-    filetypes   = "js,ts"
-
-  strings:
-    $m1             = /\d{2,16}[\-\+\*\^]\w{1,8}/
-    $m2             = /\w{1,8}[\-\+\*\^]\d{2,16}/
-    $f_fromCharCode = "fromCharCode"
-
-  condition:
-    filesize < 1MB and any of ($f*) and ((#m1 > 5) or (#m2 > 5))
-}
-
 rule static_charcode_math: high {
   meta:
     description = "assembles strings from character codes and static integers"