LD_PRELOAD isn't cool

author: Julien (jvoisin) Voisin 2016-05-11 12:58:12 +0200
committer: Julien (jvoisin) Voisin 2016-05-11 13:00:53 +0200
commit: ae99e3ebd30b21cf3d6b514a17f069f8b9675726 (patch)
tree: ae51a1ecbec1e4a2d57c85d87cea02e9c83789fb
parent: 4ed8b5611b54829662d52e6cca87e7cab92f5141 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 38b6726..ff0c988 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -88,6 +88,7 @@ rule DodgyStrings
        $ = "kernel32.dll" fullword nocase
        $ = "kingdefacer" nocase
        $ = "Wireghoul" nocase fullword
+        $ = "LD_PRELOAD" fullword
        $ = "libpcprofile"  // CVE-2010-3856 local root
        $ = "locus7s" nocase
        $ = "ls -la" fullword
author	Julien (jvoisin) Voisin	2016-05-11 12:58:12 +0200
committer	Julien (jvoisin) Voisin	2016-05-11 13:00:53 +0200
commit	ae99e3ebd30b21cf3d6b514a17f069f8b9675726 (patch)
tree	ae51a1ecbec1e4a2d57c85d87cea02e9c83789fb
parent	4ed8b5611b54829662d52e6cca87e7cab92f5141 (diff)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar index 38b6726..ff0c988 100644 --- a/php-malware-finder/common.yar +++ b/php-malware-finder/common.yar
@@ -88,6 +88,7 @@ rule DodgyStrings
88	$ = "kernel32.dll" fullword nocase	88	$ = "kernel32.dll" fullword nocase
89	$ = "kingdefacer" nocase	89	$ = "kingdefacer" nocase
90	$ = "Wireghoul" nocase fullword	90	$ = "Wireghoul" nocase fullword
		91	$ = "LD_PRELOAD" fullword
91	$ = "libpcprofile" // CVE-2010-3856 local root	92	$ = "libpcprofile" // CVE-2010-3856 local root
92	$ = "locus7s" nocase	93	$ = "locus7s" nocase
93	$ = "ls -la" fullword	94	$ = "ls -la" fullword