Refactor the `;eval(` rule

1 files changed, 2 insertions, 3 deletions

diff --git a/malwares.yara b/malwares.yara
index 5bf6dd3..dd656ef 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,10 +57,10 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;{}]*[\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/  // ;eval( <- this is dodgy
+        $eval = /(<\?php\s*\n*\r*|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)/  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $strange_arg = /\${\$[0-9a-zA-z]+}/
@@ -203,7 +203,6 @@ rule DodgyStrings
         $ = "uname -a" fullword
         $ = "warez" fullword nocase
         $ = /(reverse|web)\s*shell/ nocase
-        $ = /\t{16,}?/  /* a lot of spaces */
 
         $vbs = /language\s*=\s*vbscript/ nocase
         $asp = "scripting.filesystemobject" nocase