added signature for base64 concatenation

author: Julien "shaddai" Reveret 2015-11-06 19:33:18 +0100
committer: Julien "shaddai" Reveret 2015-11-06 19:33:18 +0100
commit: aa1f56a912194957918c37eef8c30e490267ee59 (patch)
tree: b6b9bdf72ba7c5734fd56056f8776328fb9ff0dc
parent: 2a9aaacc5a6b5246c199f5b43eead30428bd2911 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 7610d18..8fd5eb5 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $strange_arg = /\${\$[0-9a-zA-z]+}/
        $too_many_chr = /(chr\([\d]+\)\.){2,}?/
+        $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
    condition:
        any of them and not IsWhitelisted
 }
author	Julien "shaddai" Reveret	2015-11-06 19:33:18 +0100
committer	Julien "shaddai" Reveret	2015-11-06 19:33:18 +0100
commit	aa1f56a912194957918c37eef8c30e490267ee59 (patch)
tree	b6b9bdf72ba7c5734fd56056f8776328fb9ff0dc
parent	2a9aaacc5a6b5246c199f5b43eead30428bd2911 (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 7610d18..8fd5eb5 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
65	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html	65	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
66	$strange_arg = /\${\$[0-9a-zA-z]+}/	66	$strange_arg = /\${\$[0-9a-zA-z]+}/
67	$too_many_chr = /(chr\([\d]+\)\.){2,}?/	67	$too_many_chr = /(chr\([\d]+\)\.){2,}?/
		68	$b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
68	condition:	69	condition:
69	any of them and not IsWhitelisted	70	any of them and not IsWhitelisted
70	}	71	}