chore: reduce FPs in decode-and-execute by removing file write and network connection sinks (#1237)

Remove network connection and file write sinks from the obfuscation decode-and-execute Semgrep rules to reduce false positives.

Signed-off-by: Carl Flottmann <[email protected]>

Author: art1f1c3R

src/macaron/resources/pypi_malware_rules/obfuscation.yaml

@@ -111,135 +111,6 @@ rules:
 
   pattern-sinks:
   - pattern-either:
-        # remote connection
-        # using socket module
-    - patterns:
-      - pattern-either:
-        - patterns:
-          - pattern-either:
-            - pattern-inside: |
-                $SOC = socket.socket(...)
-                ...
-            - pattern-inside: |
-                with socket.socket(...) as $SOC:
-                    ...
-          - pattern-either:
-            - pattern-inside: |
-                $SOC.connect(...)
-                ...
-            - pattern-inside: |
-                $SOC.connect_ex(...)
-                ...
-            - pattern-inside: |
-                $SOC.bind(...)
-                ...
-            # socket.socket and socket.connect in one call
-        - pattern-inside: |
-            $SOC = socket.create_connection(...)
-            ...
-        - pattern-inside: |
-            with socket.create_connection(...) as $SOC:
-                ...
-           # socket.socket and socket.bind in one call
-        - pattern-inside: |
-            $SOC = socket.create_server(...)
-            ...
-        - pattern-inside: |
-            with socket.create_server(...) as $SOC:
-                ...
-      - pattern-either:
-            # Assume that .accept, .listen was called somewhere if needed
-        - pattern: $SOC.send(...)
-        - pattern: $SOC.recv(...)
-        - pattern: $SOC.recvfrom(...)
-        - pattern: $SOC.recvmsg(...)
-        - pattern: $SOC.recvmsg_into(...)
-        - pattern: $SOC.recvfrom_into(...)
-        - pattern: $SOC.recv_into(...)
-        - pattern: $SOC.sendall(...)
-        - pattern: $SOC.sendto(...)
-        - pattern: $SOC.sendmsg(...)
-        - pattern: $SOC.sendmsg_afalg(...)
-        - pattern: $SOC.sendfile(...)
-        # using requests module
-    - pattern: requests.get(...)
-    - pattern: requests.post(...)
-    - pattern: requests.put(...)
-    - pattern: requests.delete(...)
-    - pattern: requests.head(...)
-    - pattern: requests.options(...)
-    - pattern: requests.patch(...)
-    - pattern: requests.Session(...).get(...)
-    - pattern: requests.Session(...).delete(...)
-    - pattern: requests.Session(...).head(...)
-    - pattern: requests.Session(...).options(...)
-    - pattern: requests.Session(...).patch(...)
-    - pattern: requests.Session(...).post(...)
-    - pattern: requests.Session(...).put(...)
-    - pattern: requests.Session(...).request(...)
-    - pattern: requests.Session(...).send(...)
-    - pattern: requests.Request(...)
-        # using urllib3 module
-    - pattern: urllib3.request(...)
-    # object creation here is included as decoded values may be passed as parameters
-    - pattern: urllib3.PoolManager(...)
-    - pattern: urllib3.PoolManager(...).request(...)
-    - pattern: urllib3.PoolManager(...).request_encode_body(...)
-    - pattern: urllib3.PoolManager(...).request_encode_url(...)
-    - pattern: urllib3.PoolManager(...).urlopen(...)
-    - pattern: urllib3.HTTPConnectionPool(...)
-    - pattern: urllib3.HTTPConnectionPool(...).urlopen(...)
-    - pattern: urllib3.HTTPConnectionPool(...).request(...)
-    - pattern: urllib3.HTTPConnectionPool(...).request_encode_body(...)
-    - pattern: urllib3.HTTPConnectionPool(...).request_encode_url(...)
-    - pattern: urllib3.HTTPSConnectionPool(...)
-    - pattern: urllib3.HTTPSConnectionPool(...).urlopen(...)
-    - pattern: urllib3.HTTPSConnectionPool(...).request(...)
-    - pattern: urllib3.HTTPSConnectionPool(...).request_encode_body(...)
-    - pattern: urllib3.HTTPSConnectionPool(...).request_encode_url(...)
-    - pattern: urllib3.HTTPConnection(...)
-    - pattern: urllib3.HTTPConnection(...).request(...)
-    - pattern: urllib3.HTTPConnection(...).request_chunked(...)
-    - pattern: urllib3.HTTPSConnection(...)
-    - pattern: urllib3.HTTPSConnection(...).request(...)
-    - pattern: urllib3.HTTPSConnection(...).request_chunked(...)
-    - pattern: urllib3.ProxyManager(...).urlopen(...)
-        # using urllib
-    - pattern: urllib.request(...)
-    - pattern: urllib.request.urlopen(...)
-        # using httpx
-    - pattern: httpx.request(...)
-    - pattern: httpx.get(...)
-    - pattern: httpx.post(...)
-    - pattern: httpx.put(...)
-    - pattern: httpx.delete(...)
-    - pattern: httpx.head(...)
-    - pattern: httpx.options(...)
-    - pattern: httpx.stream(...)
-    - pattern: httpx.patch(...)
-    - pattern: httpx.AsyncClient(...)
-    - pattern: httpx.AsyncClient(...).request(...)
-    - pattern: httpx.AsyncClient(...).get(...)
-    - pattern: httpx.AsyncClient(...).post(...)
-    - pattern: httpx.AsyncClient(...).put(...)
-    - pattern: httpx.AsyncClient(...).delete(...)
-    - pattern: httpx.AsyncClient(...).head(...)
-    - pattern: httpx.AsyncClient(...).options(...)
-    - pattern: httpx.AsyncClient(...).stream(...)
-    - pattern: httpx.AsyncClient(...).patch(...)
-    - pattern: httpx.AsyncClient(...).send(...)
-    - pattern: httpx.Client(...)
-    - pattern: httpx.Client(...).request(...)
-    - pattern: httpx.Client(...).get(...)
-    - pattern: httpx.Client(...).post(...)
-    - pattern: httpx.Client(...).put(...)
-    - pattern: httpx.Client(...).delete(...)
-    - pattern: httpx.Client(...).head(...)
-    - pattern: httpx.Client(...).options(...)
-    - pattern: httpx.Client(...).stream(...)
-    - pattern: httpx.Client(...).patch(...)
-    - pattern: httpx.Client(...).send(...)
-
         # process spawning
         # using subprocess module
     - pattern: subprocess.check_output(...)
@@ -285,33 +156,6 @@ rules:
     - pattern: __import__('builtins').exec(...)
     - pattern: __import__('builtins').eval(...)
 
-        # file write
-    - patterns:
-      - pattern-either:
-        - pattern-inside: |
-            with open(...) as $FILE:
-                ...
-        - pattern-inside: |
-            with builtins.open(...) as $FILE:
-                ...
-        - pattern-inside: |
-            with __import__('builtins').open(...) as $FILE:
-                ...
-        - pattern-inside: |
-            $FILE = open(...)
-            ...
-        - pattern-inside: |
-            $FILE = builtins.open(...)
-            ...
-        - pattern-inside: |
-            $FILE = __import__('builtins').open(...)
-            ...
-      - pattern: $FILE.write(...)
-    - pattern: os.write(...)
-    - pattern: os.writev(...)
-    - pattern: os.pwrite(...)
-    - pattern: os.pwritev(...)
-
 - id: obfuscation_excessive-spacing
   metadata:
     description: Detects the use of excessive spacing in code, which may indicate obfuscation or hidden code.

tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/decode_and_execute.py

@@ -32,11 +32,6 @@ def marshal_flow():
     def marshal_inline_flow():
         exec(__import__('marshal').loads(b'\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00@\x00\x00\x00s\x0c\x00\x00\x00e\x00d\x00\x83\x01\x01\x00d\x01S\x00)\x02z\x0cHello world!N)\x01\xda\x05print\xa9\x00r\x02\x00\x00\x00r\x02\x00\x00\x00\xfa\x08<string>\xda\x08<module>\x01\x00\x00\x00\xf3\x00\x00\x00\x00'))
 
-    def bytes_eval_to_soc_bind():
-        import socket
-        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as soc:
-            soc.bind(__import__('builtins').eval(b'("127.0.0.1", 0)'.decode()))
-
     def map_b64_to_request():
         import requests as req
 
@@ -54,14 +49,5 @@ def zlib_ast_subprocess():
         # just decodes to ["echo", "Hello world!"]
         subprocess.Popen(literal_eval(zeeee.decompress(b'x\x9c\x8bVOM\xce\xc8W\xd7QP\xf7H\xcd\xc9\xc9W(\xcf/\xcaIQT\x8f\x05\x00]\xa0\x07\x9d').decode()))
 
-    def propagation_to_write():
-        import os as e
-
-        # symbol propagations should detect assign of os as e to o and bytes to b and still trigger
-        o = e
-        b = bytes
-        # just decodes to "Hello world!"
-        contents = b.fromhex("48656C6C6F20776F726C6421")
-        # just decodes to "some_path"
-        file = o.open(''.join(chr(c) for c in [115, 111, 109, 101, 95, 112, 97, 116, 104]), o.O_RDWR)
-        o.pwritev(file, contents, 0)
+    def b64_reversed_decompressed_ioc():
+        _ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)(b'something_malicious_here'))