Misc additions

author: Julien (jvoisin) Voisin 2016-02-25 18:31:06 +0100
committer: Julien (jvoisin) Voisin 2016-02-25 18:31:06 +0100
commit: 7c845c3352aea9a66d4da2b23c341e06b0e52599 (patch)
tree: 8112db67679cd27b7b12da9391d0214d0826e9a5
parent: 477a1ee9253ca1ad031bcd921207a85861bc651b (diff)
1 files changed, 7 insertions, 6 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 64c327b..fc78c31 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -84,11 +84,12 @@ private rule base64
 private rule hex
 {
    strings:
-      $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
+        $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
-      $exec = "\\x65\\x78\\x65\\x63" nocase
+        $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
-      $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
+        $exec = "\\x65\\x78\\x65\\x63" nocase
-      $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
-      $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
    
    condition:
        any of them
@@ -201,7 +202,7 @@ rule DodgyStrings
        $ = "WinExec"
        $ = "b374k" fullword nocase
        $ = "backdoor" fullword nocase
-        $ = "c99shell" fullword nocase
+        $ = /(c99|r57|fx29)shell/
        $ = "cmd.exe" fullword nocase
        $ = "defaced" fullword nocase
        $ = "evilc0ders" fullword nocase
author	Julien (jvoisin) Voisin	2016-02-25 18:31:06 +0100
committer	Julien (jvoisin) Voisin	2016-02-25 18:31:06 +0100
commit	7c845c3352aea9a66d4da2b23c341e06b0e52599 (patch)
tree	8112db67679cd27b7b12da9391d0214d0826e9a5
parent	477a1ee9253ca1ad031bcd921207a85861bc651b (diff)