Merge branch 'main' into add-upx-support

Author: egibs

README.md

@@ -35,6 +35,16 @@ malcontent has 3 modes of operation:
 
 malcontent is at its best analyzing programs that run on Linux. Still, it also performs admirably for programs designed for other UNIX platforms such as macOS and, to a lesser extent, Windows.
 
+## ⚠️ Malware Disclaimer ⚠️
+
+Due to how malcontent operates, other malware scanners can detect malcontent as malicious.
+
+Programs that leverage Yara rules will often see other programs that also use Yara rules as malicious due to the strings looking for problematic behavior(s).
+
+For example, Elastic's agent has historically detected malcontent because of this: https://github.com/chainguard-dev/malcontent/issues/78*.
+
+>  \*Additional scanner findings can be seen in [this](https://www.virustotal.com/gui/file/b6f90aa5b9e7f3a5729a82f3ea35f96439691e150e0558c577a8541d3a187ba4/detection) VirusTotal scan.
+
 ## Features
 
 * 14,500+ [YARA](YARA) detection rules

pkg/render/markdown.go

@@ -73,22 +73,6 @@ func (r Markdown) Full(ctx context.Context, rep *malcontent.Report) error {
 	}
 
 	for modified := rep.Diff.Modified.Oldest(); modified != nil; modified = modified.Next() {
-		var title string
-		if modified.Value.PreviousRelPath != "" && modified.Value.PreviousRelPathScore >= 0.9 {
-			title = fmt.Sprintf("## Moved: %s -> %s (similarity: %0.2f)", modified.Value.PreviousPath, modified.Value.Path, modified.Value.PreviousRelPathScore)
-		} else {
-			title = fmt.Sprintf("## Changed: %s", modified.Value.Path)
-		}
-		if modified.Value.RiskScore != modified.Value.PreviousRiskScore {
-			title = fmt.Sprintf("%s [%s → %s]",
-				title,
-				mdRisk(modified.Value.PreviousRiskScore, modified.Value.PreviousRiskLevel),
-				mdRisk(modified.Value.RiskScore, modified.Value.RiskLevel))
-		}
-
-		if len(modified.Value.Behaviors) > 0 {
-			fmt.Fprint(r.w, title+"\n\n")
-		}
 		added := 0
 		removed := 0
 		noDiff := 0
@@ -104,6 +88,29 @@ func (r Markdown) Full(ctx context.Context, rep *malcontent.Report) error {
 			}
 		}
 
+		if added == 0 && removed == 0 {
+			continue
+		}
+
+		var title string
+		switch {
+		case modified.Value.PreviousRelPath != "" && modified.Value.PreviousRelPathScore >= 0.9:
+			title = fmt.Sprintf("## Moved: %s -> %s (similarity: %0.2f)", modified.Value.PreviousPath, modified.Value.Path, modified.Value.PreviousRelPathScore)
+		default:
+			title = fmt.Sprintf("## Changed (%d added, %d removed): %s", added, removed, modified.Value.Path)
+		}
+
+		if modified.Value.RiskScore != modified.Value.PreviousRiskScore {
+			title = fmt.Sprintf("%s [%s → %s]",
+				title,
+				mdRisk(modified.Value.PreviousRiskScore, modified.Value.PreviousRiskLevel),
+				mdRisk(modified.Value.RiskScore, modified.Value.RiskLevel))
+		}
+
+		if len(modified.Value.Behaviors) > 0 {
+			fmt.Fprint(r.w, title+"\n\n")
+		}
+
 		// We split the added/removed up in Markdown to address readability feedback. Unfortunately,
 		// this means we hide "existing" behaviors, which causes context to suffer. We should evaluate an
 		// improved rendering, similar to the "terminal" refresh, that includes everything.
@@ -140,17 +147,7 @@ func (r Markdown) Full(ctx context.Context, rep *malcontent.Report) error {
 		}
 
 		if noDiff > 0 {
-			count = noDiff
-			noun := "behavior"
-			qual = "consistent"
-			if count > 1 {
-				noun = "behaviors"
-			}
-			markdownTable(ctx, modified.Value, r.w, tableConfig{
-				Title:       fmt.Sprintf("### %d %s %s", count, qual, noun),
-				SkipAdded:   true,
-				SkipRemoved: true,
-			})
+			continue
 		}
 	}
 	return nil

pkg/render/simple.go

@@ -83,11 +83,23 @@ func (r Simple) Full(_ context.Context, rep *malcontent.Report) error {
 		}
 	}
 
+	count := func(bs []*malcontent.Behavior) (int, int) {
+		var added, removed int
+		for _, b := range bs {
+			if b.DiffAdded {
+				added++
+			}
+			if b.DiffRemoved {
+				removed++
+			}
+		}
+
+		return added, removed
+	}
+
 	for modified := rep.Diff.Modified.Oldest(); modified != nil; modified = modified.Next() {
 		if modified.Value.PreviousRelPath != "" && modified.Value.PreviousRelPathScore >= 0.9 {
 			fmt.Fprintf(r.w, ">>> moved: %s -> %s (score: %f)\n", modified.Value.PreviousPath, modified.Value.Path, modified.Value.PreviousRelPathScore)
-		} else {
-			fmt.Fprintf(r.w, "*** changed: %s\n", modified.Value.Path)
 		}
 
 		var bs []*malcontent.Behavior
@@ -97,8 +109,14 @@ func (r Simple) Full(_ context.Context, rep *malcontent.Report) error {
 			return bs[i].ID < bs[j].ID
 		})
 
-		for i := range bs {
-			b := bs[i]
+		added, removed := count(bs)
+		if added == 0 && removed == 0 {
+			continue
+		}
+
+		fmt.Fprintf(r.w, "*** changed (%d added, %d removed): %s\n", added, removed, modified.Value.Path)
+
+		for _, b := range bs {
 			if b.DiffRemoved {
 				fmt.Fprintf(r.w, "-%s\n", b.ID)
 				continue
@@ -107,7 +125,7 @@ func (r Simple) Full(_ context.Context, rep *malcontent.Report) error {
 				fmt.Fprintf(r.w, "+%s\n", b.ID)
 			}
 			if !b.DiffRemoved && !b.DiffAdded {
-				fmt.Fprintf(r.w, "%s\n", b.ID)
+				continue
 			}
 		}
 	}

pkg/render/tea_style.go

@@ -60,9 +60,6 @@ var (
 
 	diffRemovedStyle = lipgloss.NewStyle().
 				Foreground(lipgloss.Color("196"))
-
-	diffUnchangedStyle = lipgloss.NewStyle().
-				Foreground(lipgloss.Color("69"))
 )
 
 // cleanAndWrapEvidence handles evidence strings, including those with escape sequences.
@@ -135,6 +132,7 @@ func renderFileSummaryTea(_ context.Context, fr *malcontent.FileReport, w io.Wri
 	previousNsRiskScore := map[string]int{}
 	diffMode := false
 
+	var added, removed int
 	for _, b := range fr.Behaviors {
 		ns, _ := splitRuleID(b.ID)
 		if b.DiffAdded || b.DiffRemoved {
@@ -147,6 +145,13 @@ func renderFileSummaryTea(_ context.Context, fr *malcontent.FileReport, w io.Wri
 		if !b.DiffRemoved && b.RiskScore > nsRiskScore[ns] {
 			nsRiskScore[ns] = b.RiskScore
 		}
+
+		if b.DiffAdded {
+			added++
+		}
+		if b.DiffRemoved {
+			removed++
+		}
 	}
 
 	// Sort namespaces
@@ -176,7 +181,12 @@ func renderFileSummaryTea(_ context.Context, fr *malcontent.FileReport, w io.Wri
 		riskBadge,
 	)
 
+	if added == 0 && removed == 0 {
+		return
+	}
+
 	if diffMode {
+		rc.Title = fmt.Sprintf("Changed (%d added, %d removed): %s", added, removed, fr.Path)
 		header = lipgloss.JoinHorizontal(
 			lipgloss.Center,
 			pathStyle.Render(rc.Title),
@@ -245,8 +255,7 @@ func renderFileSummaryTea(_ context.Context, fr *malcontent.FileReport, w io.Wri
 					baseStyle = diffRemovedStyle
 					e = ""
 				default:
-					baseStyle = diffUnchangedStyle
-					e = ""
+					continue
 				}
 			}
 

pkg/render/terminal.go

@@ -116,10 +116,7 @@ func (r Terminal) Full(ctx context.Context, rep *malcontent.Report) error {
 		var title string
 		if modified.Value.PreviousRelPath != "" && modified.Value.PreviousRelPathScore >= 0.9 {
 			title = fmt.Sprintf("Moved: %s -> %s (score: %f)", modified.Value.PreviousPath, modified.Value.Path, modified.Value.PreviousRelPathScore)
-		} else {
-			title = fmt.Sprintf("Changed: %s", modified.Value.Path)
 		}
-
 		if modified.Value.RiskScore != modified.Value.PreviousRiskScore {
 			title = fmt.Sprintf("%s %s", title,
 				darkBrackets(fmt.Sprintf("%s %s %s", riskInColor(modified.Value.PreviousRiskLevel), color.HiWhiteString("→"), riskInColor(modified.Value.RiskLevel))))
@@ -220,7 +217,6 @@ func ansiLineLength(s string) int {
 }
 
 func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer, rc tableConfig) {
-	fmt.Fprintf(w, "├─ %s %s\n", riskEmoji(fr.RiskScore), rc.Title)
 	width := suggestedWidth()
 
 	byNamespace := map[string][]*malcontent.Behavior{}
@@ -232,6 +228,7 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 		return
 	}
 
+	var added, removed int
 	for _, b := range fr.Behaviors {
 		ns, _ := splitRuleID(b.ID)
 
@@ -247,15 +244,28 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 
 		byNamespace[ns] = append(byNamespace[ns], b)
 
+		if b.DiffAdded {
+			added++
+		}
 		if b.DiffRemoved {
-			continue
+			removed++
 		}
 
 		if b.RiskScore > nsRiskScore[ns] {
 			nsRiskScore[ns] = b.RiskScore
 		}
+
+		if added == 0 && removed == 0 {
+			continue
+		}
+
+		if diffMode {
+			rc.Title = fmt.Sprintf("Changed (%d added, %d removed): %s", added, removed, fr.Path)
+		}
 	}
 
+	fmt.Fprintf(w, "├─ %s %s\n", riskEmoji(fr.RiskScore), rc.Title)
+
 	nss := []string{}
 	for ns := range byNamespace {
 		nss = append(nss, ns)
@@ -281,10 +291,10 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 				diff = color.HiGreenString("+")
 			}
 
-			if riskLevel < previousRiskLevel {
+			if riskScore > previousNsRiskScore[ns] {
 				nsIcon = color.HiYellowString("▲")
 			}
-			if riskLevel > previousRiskLevel {
+			if riskScore < previousNsRiskScore[ns] {
 				nsIcon = color.HiGreenString("▼")
 			}
 			if riskLevel == "NONE" {
@@ -331,8 +341,7 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 				}
 
 				if !b.DiffAdded && !b.DiffRemoved {
-					pc = color.New(color.FgHiCyan)
-					e = ""
+					continue
 				}
 
 				content = fmt.Sprintf("%s%s%s %s %s", diff, indent, bullet, rest, desc)

tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff

@@ -1,4 +1,4 @@
-## Changed: javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL]
+## Changed (49 added, 2 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL]
 
 ### 49 new behaviors
 
@@ -61,14 +61,3 @@
 | -MEDIUM | [exec/remote_commands/code_eval](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/remote_commands/code_eval.yara#eval) | evaluate code dynamically using eval() | [eval("](https://github.com/search?q=eval%28%22&type=code) |
 | -MEDIUM | [os/time/clock_sleep](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-sleep.yara#setInterval) | uses setInterval to wait | [setInterval(](https://github.com/search?q=setInterval%28&type=code) |
 
-### 6 consistent behaviors
-
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|--|--|--|--|
-| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [Downloads](https://github.com/search?q=Downloads&type=code)<br>[downloads-view](https://github.com/search?q=downloads-view&type=code)<br>[mobile-download-links](https://github.com/search?q=mobile-download-links&type=code) |
-| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) |
-| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) |
-| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [plugin_relativeTime](https://github.com/search?q=plugin_relativeTime&type=code)<br>[plugin_updateLocale](https://github.com/search?q=plugin_updateLocale&type=code)<br>[plugins](https://github.com/search?q=plugins&type=code) |
-| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://abitype.dev](https://abitype.dev)<br>[https://andromeda-explorer.metis.io/api](https://andromeda-explorer.metis.io/api)<br>[https://andromeda.metis.io/?owner=1088](https://andromeda.metis.io/?owner=1088)<br>[https://api-era.zksync.network/api](https://api-era.zksync.network/api)<br>[https://api-moonbeam.moonscan.io/api](https://api-moonbeam.moonscan.io/api)<br>[https://api-moonriver.moonscan.io/api](https://api-moonriver.moonscan.io/api)<br>[https://api-optimistic.etherscan.io/api](https://api-optimistic.etherscan.io/api)<br>[https://api-zkevm.polygonscan.com/api](https://api-zkevm.polygonscan.com/api)<br>[https://api.arbiscan.io/api](https://api.arbiscan.io/api)<br>[https://api.avax.network/ext/bc/C/rpc](https://api.avax.network/ext/bc/C/rpc)<br>[https://api.basescan.org/api](https://api.basescan.org/api)<br>[https://api.blastscan.io/api](https://api.blastscan.io/api)<br>[https://api.bscscan.com/api](https://api.bscscan.com/api)<br>[https://api.celoscan.io/api](https://api.celoscan.io/api)<br>[https://api.etherscan.io/api](https://api.etherscan.io/api)<br>[https://api.ftmscan.com/api](https://api.ftmscan.com/api)<br>[https://api.gnosisscan.io/api](https://api.gnosisscan.io/api)<br>[https://api.lineascan.build/api](https://api.lineascan.build/api)<br>[https://api.mantlescan.xyz/api](https://api.mantlescan.xyz/api)<br>[https://api.polygonscan.com/api](https://api.polygonscan.com/api)<br>[https://api.roninchain.com/rpc](https://api.roninchain.com/rpc)<br>[https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api](https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api)<br>[https://api.scan.pulsechain.com/api](https://api.scan.pulsechain.com/api)<br>[https://api.scrollscan.com/api](https://api.scrollscan.com/api)<br>[https://api.snowtrace.io](https://api.snowtrace.io)<br>[https://api.wallet.coinbase.com/rpc/v2/desktop/chrome](https://api.wallet.coinbase.com/rpc/v2/desktop/chrome)<br>[https://api.web3modal.org](https://api.web3modal.org)<br>[https://app.roninchain.com](https://app.roninchain.com)<br>[https://arb1.arbitrum.io/rpc](https://arb1.arbitrum.io/rpc)<br>[https://arbiscan.io](https://arbiscan.io)<br>[https://arweave.net](https://arweave.net)<br>[https://aurorascan.dev/api](https://aurorascan.dev/api)<br>[https://avatar.vercel.sh/andrew.svg?size=50](https://avatar.vercel.sh/andrew.svg?size=50)<br>[https://basescan.org](https://basescan.org)<br>[https://blastscan.io](https://blastscan.io)<br>[https://block-explorer-api.mainnet.zksync.io/api](https://block-explorer-api.mainnet.zksync.io/api)<br>[https://bobascan.com](https://bobascan.com)<br>[https://bscscan.com](https://bscscan.com)<br>[https://build.onbeam.com/rpc](https://build.onbeam.com/rpc)<br>[https://celoscan.io](https://celoscan.io)<br>[https://cloudflare-eth.com](https://cloudflare-eth.com)<br>[https://docs.cloud.coinbase.com/wallet-sdk/docs/errors](https://docs.cloud.coinbase.com/wallet-sdk/docs/errors)<br>[https://docs.soliditylang.org/en/latest/cheatsheet.html](https://docs.soliditylang.org/en/latest/cheatsheet.html)<br>[https://echo.walletconnect.com/](https://echo.walletconnect.com/)<br>[https://era.zksync.network/](https://era.zksync.network/)<br>[https://ethereum.org/en/developers/docs/networks/](https://ethereum.org/en/developers/docs/networks/)<br>[https://etherscan.io](https://etherscan.io)<br>[https://evm.cronos.org](https://evm.cronos.org)<br>[https://evm.kava.io](https://evm.kava.io)<br>[https://exchainrpc.okex.org](https://exchainrpc.okex.org)<br>[https://explorer-api.cronos.org/mainnet/api](https://explorer-api.cronos.org/mainnet/api)<br>[https://explorer-api.walletconnect.com](https://explorer-api.walletconnect.com)<br>[https://explorer.cronos.org](https://explorer.cronos.org)<br>[https://explorer.dogechain.dog/api](https://explorer.dogechain.dog/api)<br>[https://explorer.fuse.io/api](https://explorer.fuse.io/api)<br>[https://explorer.harmony.one](https://explorer.harmony.one)<br>[https://explorer.kcc.io](https://explorer.kcc.io)<br>[https://explorer.metis.io](https://explorer.metis.io)<br>[https://explorer.walletconnect.com/?type=wallet](https://explorer.walletconnect.com/?type=wallet)<br>[https://explorer.zksync.io/](https://explorer.zksync.io/)<br>[https://fonts.googleapis.com/css2?family=Inter](https://fonts.googleapis.com/css2?family=Inter)<br>[https://forno.celo.org](https://forno.celo.org)<br>[https://ftmscan.com](https://ftmscan.com)<br>[https://gnosisscan.io](https://gnosisscan.io)<br>[https://go.cb-w.com/dapp?cb_url=](https://go.cb-w.com/dapp?cb_url=)<br>[https://go.cb-w.com/walletlink](https://go.cb-w.com/walletlink)<br>[https://kavascan.com/api](https://kavascan.com/api)<br>[https://kcc-rpc.com](https://kcc-rpc.com)<br>[https://keys.coinbase.com/connect](https://keys.coinbase.com/connect)<br>[https://lineascan.build](https://lineascan.build)<br>[https://links.ethers.org/v5-errors-](https://links.ethers.org/v5-errors-)<br>[https://mainnet.aurora.dev](https://mainnet.aurora.dev)<br>[https://mainnet.base.org](https://mainnet.base.org)<br>[https://mainnet.boba.network](https://mainnet.boba.network)<br>[https://mainnet.era.zksync.io](https://mainnet.era.zksync.io)<br>[https://mainnet.optimism.io](https://mainnet.optimism.io)<br>[https://mantlescan.xyz/](https://mantlescan.xyz/)<br>[https://moonbeam.public.blastapi.io](https://moonbeam.public.blastapi.io)<br>[https://moonriver.moonscan.io](https://moonriver.moonscan.io)<br>[https://moonriver.public.blastapi.io](https://moonriver.public.blastapi.io)<br>[https://moonscan.io](https://moonscan.io)<br>[https://npms.io/search?q=ponyfill.](https://npms.io/search?q=ponyfill.)<br>[https://openchain.xyz/signatures?query=](https://openchain.xyz/signatures?query=)<br>[https://optimistic.etherscan.io](https://optimistic.etherscan.io)<br>[https://polygon-rpc.com](https://polygon-rpc.com)<br>[https://polygonscan.com](https://polygonscan.com)<br>[https://pulse.walletconnect.org](https://pulse.walletconnect.org)<br>[https://reactjs.org/docs/error-decoder.html?invariant=](https://reactjs.org/docs/error-decoder.html?invariant=)<br>[https://rpc.ankr.com/bsc](https://rpc.ankr.com/bsc)<br>[https://rpc.ankr.com/fantom](https://rpc.ankr.com/fantom)<br>[https://rpc.ankr.com/harmony](https://rpc.ankr.com/harmony)<br>[https://rpc.blast.io](https://rpc.blast.io)<br>[https://rpc.dogechain.dog](https://rpc.dogechain.dog)<br>[https://rpc.fuse.io](https://rpc.fuse.io)<br>[https://rpc.gnosischain.com](https://rpc.gnosischain.com)<br>[https://rpc.linea.build](https://rpc.linea.build)<br>[https://rpc.mantle.xyz](https://rpc.mantle.xyz)<br>[https://rpc.pulsechain.com](https://rpc.pulsechain.com)<br>[https://rpc.scroll.io](https://rpc.scroll.io)<br>[https://rpc.walletconnect.com/v1/?chainId=eip155](https://rpc.walletconnect.com/v1/?chainId=eip155)<br>[https://rpc.walletconnect.org](https://rpc.walletconnect.org)<br>[https://safe-client.safe.global](https://safe-client.safe.global)<br>[https://scan.pulsechain.com](https://scan.pulsechain.com)<br>[https://scrollscan.com](https://scrollscan.com)<br>[https://secure.walletconnect.org/sdk](https://secure.walletconnect.org/sdk)<br>[https://snowtrace.io](https://snowtrace.io)<br>[https://subnets.avax.network/beam](https://subnets.avax.network/beam)<br>[https://verify.walletconnect.com](https://verify.walletconnect.com)<br>[https://verify.walletconnect.org](https://verify.walletconnect.org)<br>[https://wagmi.sh/core](https://wagmi.sh/core)<br>[https://wagmi.sh/react](https://wagmi.sh/react)<br>[https://walletconnect.com/explorer?type=wallet](https://walletconnect.com/explorer?type=wallet)<br>[https://walletconnect.com/faq](https://walletconnect.com/faq)<br>[https://www.jsdelivr.com/using-sri-with-dynamic-files](https://www.jsdelivr.com/using-sri-with-dynamic-files)<br>[https://www.oklink.com/okc](https://www.oklink.com/okc)<br>[https://www.walletlink.org](https://www.walletlink.org)<br>[https://zkevm-rpc.com](https://zkevm-rpc.com)<br>[https://zkevm.polygonscan.com](https://zkevm.polygonscan.com) |
-| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [new URL](https://github.com/search?q=new+URL&type=code) |
-

tests/linux/2021.XMR-Stak/1b1a56.elf.simple

@@ -1,6 +1,7 @@
 # linux/2021.XMR-Stak/1b1a56.elf: critical
 3P/TTC-CERT/kittipongk_cryptominer_xmr: high
 3P/elastic/cryptominer_stak: critical
+3P/sekoia/miner_lin_xmrig: critical
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low

tests/linux/2022.bpfdoor/bpfdoor_1.simple

@@ -1,5 +1,6 @@
 # linux/2022.bpfdoor/bpfdoor_1: critical
 3P/elastic/bpfdoor: critical
+3P/sekoia/backdoor_lin_bpfdoor: critical
 3P/sig_base/redmenshen_bpfdoor: critical
 data/random/insecure: low
 exec/program: medium