| author | Julien (jvoisin) Voisin | 2016-02-23 17:05:36 +0100 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-02-23 17:05:36 +0100 |
| commit | ee2b664e053cc51db9efbbadcdcfd61aeb62e0e7 (patch) | |
| tree | bd2f9e1b52e40760413a50d5dfca91150b3edb32 | |
| parent | d33add4b7c344798458f7dec2295185674cb608f (diff) | |
Rename a rule
| -rw-r--r-- | php-malware-finder/malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
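--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -62,7 +62,7 @@ rule ObfuscatedPhp
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-$strange_arg = /\${\$[0-9a-zA-z]+}/
+$variable_variable = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){2,}?/
 $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
 condition: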
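Review bot: The character class in the renamed string, `[0-9a-zA-z]`, uses the range `A-z`, which also covers the six ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick), so the pattern matches more than a PHP variable name. The neighbouring strings already use `\w`, and `$variable_variable = /\${\$\w+}/` would keep the underscore while dropping the punctuation. The new name describes PHP's variable-variable syntax, which also occurs in legitimate code, so a short trailing comment such as `// ${$name} indirection, common in obfuscated droppers` would tell rule maintainers why it is listed here. The `ObfuscatedPhp` rule starts before this hunk and its condition continues after it, so whether the condition names this string explicitly cannot be confirmed from the visible lines.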
