diff options
| author | jvoisin | 2016-01-04 16:27:56 +0100 |
|---|---|---|
| committer | jvoisin | 2016-01-04 16:27:56 +0100 |
| commit | de3e79edacea28320170bec145dbaf28cc31064c (patch) | |
| tree | 06eed9116c59e8aadfd968bc58ebbb8d6eb37ae6 | |
| parent | 8f2560344f84b6cac651d7dc73ff327af23ac65d (diff) | |
Fix a stupid typo
`eval(` patterns are now much better detected.
| -rw-r--r-- | malwares.yara | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara index 98e11cb..de735a7 100644 --- a/malwares.yara +++ b/malwares.yara | |||
| @@ -57,7 +57,7 @@ private rule CloudFlareBypass | |||
| 57 | rule ObfuscatedPhp | 57 | rule ObfuscatedPhp |
| 58 | { | 58 | { |
| 59 | strings: | 59 | strings: |
| 60 | $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ // ;eval( <- this is dodgy | 60 | $eval = /[;{}]*[\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ // ;eval( <- this is dodgy |
| 61 | $b374k = "'ev'.'al'" | 61 | $b374k = "'ev'.'al'" |
| 62 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k | 62 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k |
| 63 | $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ | 63 | $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ |
| @@ -188,6 +188,7 @@ rule DodgyStrings | |||
| 188 | $ = "webshell" fullword nocase | 188 | $ = "webshell" fullword nocase |
| 189 | $ = "exploit" fullword nocase | 189 | $ = "exploit" fullword nocase |
| 190 | $ = "hacking" fullword nocase | 190 | $ = "hacking" fullword nocase |
| 191 | $ = "hacker" fullword nocase | ||
| 191 | $ = "/proc/cpuinfo" fullword | 192 | $ = "/proc/cpuinfo" fullword |
| 192 | $ = "/bin/sh" fullword | 193 | $ = "/bin/sh" fullword |
| 193 | $ = "/bin/bash" fullword | 194 | $ = "/bin/bash" fullword |