| author | Julien (jvoisin) Voisin | 2016-02-26 11:53:12 +0100 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-02-26 11:53:12 +0100 |
| commit | d6d411e5143adcc2e7ef9d18903fa6429982b719 (patch) | |
| tree | ffe5962b526026196fe1a68555383fdd0d00596c | |
| parent | 7c845c3352aea9a66d4da2b23c341e06b0e52599 (diff) | |
Detect pseudo-gifs
| -rw-r--r-- | php-malware-finder/malwares.yara | 5 |
1 files changed, 3 insertions, 2 deletions
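--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -63,8 +63,9 @@ rule ObfuscatedPhp
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $variable_variable = /\${\$[0-9a-zA-z]+}/
-$too_many_chr = /(chr\([\d]+\)\.){2,}?/
-$concat = /(\$[^\n\r]+\.){5,}?/
+$too_many_chr = /(chr\([\d]+\)\.){2,}?/ // concatenation of more than two `chr()`
+$concat = /(\$[^\n\r]+\.){5,}?/ // concatenation of more than 5 words
+$gif = /^GIF89/
 condition:
 any of them and not IsWhitelisted
 }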
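Review bot: The new `$gif = /^GIF89/` string at new line 68 makes the rule fire on every genuine GIF89a image the scanner reads, not only on PHP disguised as one, because the unchanged condition `any of them and not IsWhitelisted` treats the magic bytes alone as an obfuscation indicator; unless IsWhitelisted covers image hashes, each legitimate image in a scanned tree becomes a false positive for ObfuscatedPhp. The leading `^` does, as I read YARA's regex semantics, restrict the match to the start of the scanned data, so a GIF header quoted inside a PHP string should not trigger it. Gating the magic on evidence of PHP code would keep the commit's intent: add a constructed string such as `$php_tag = "<?php" nocase` and restructure the condition so that `$gif` only counts together with `$php_tag`, while the other strings keep their current any-of semantics, e.g. `(($gif and $php_tag) or any of ($weevely3, $c99_launcher, $variable_variable, $too_many_chr, $concat)) and not IsWhitelisted`. The rule header and any strings declared before line 63 are outside the hunk, so that list may need to be completed from the part of the rule not shown here. As a documentation nit, the new comments say "more than two" and "more than 5" while `{2,}` and `{5,}` match two or more and five or more, so `// two or more chained chr() calls` and `// five or more concatenated terms` would describe the patterns accurately.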
