diff options
| author | jvoisin | 2015-07-28 17:42:17 +0200 |
|---|---|---|
| committer | jvoisin | 2015-07-28 17:42:17 +0200 |
| commit | 4b5c3a018259afa8f1700e29a08119367385e15b (patch) | |
| tree | 1bcc27bcd594531f77151c471c7f1af03eed5cf2 | |
| parent | 5890bb1d8384c82152ea222c1d8ce36b9c2bb6d8 (diff) | |
Add `pack` to the list
| -rw-r--r-- | malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara index 1263b39..b376307 100644 --- a/malwares.yara +++ b/malwares.yara | |||
| @@ -100,7 +100,7 @@ rule DodgyPhp | |||
| 100 | { | 100 | { |
| 101 | strings: | 101 | strings: |
| 102 | $vars = /\$___+/ // $__ is rarely used in legitimate scripts | 102 | $vars = /\$___+/ // $__ is rarely used in legitimate scripts |
| 103 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/ | 103 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\( *(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/ |
| 104 | $double_encoding = /(base64_decode\s*\(\s*){2}/ | 104 | $double_encoding = /(base64_decode\s*\(\s*){2}/ |
| 105 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ | 105 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ |
| 106 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ | 106 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ |