Add a string entry for visbot

author: Julien (jvoisin) Voisin 2016-05-11 13:22:32 +0200
committer: Julien (jvoisin) Voisin 2016-05-11 13:22:32 +0200
commit: 7e280b341566f27b4612db70df6f5ecb825354bf (patch)
tree: dd808190f0d84b66428ab97b21d4146164d8564f
parent: 00d3bd072796336a7b243eb11a74412ef9c15b1f (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index ff0c988..3c4bd64 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -101,6 +101,7 @@ rule DodgyStrings
        $ = "suhosin.executor.func.blacklist"
        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
        $ = "uname -a" fullword
+        $ = "visbot" nocase fullword
        $ = "warez" fullword nocase
        $ = "whoami" fullword
        $ = /(reverse|web|cmd)\s*shell/ nocase
author	Julien (jvoisin) Voisin	2016-05-11 13:22:32 +0200
committer	Julien (jvoisin) Voisin	2016-05-11 13:22:32 +0200
commit	7e280b341566f27b4612db70df6f5ecb825354bf (patch)
tree	dd808190f0d84b66428ab97b21d4146164d8564f
parent	00d3bd072796336a7b243eb11a74412ef9c15b1f (diff)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar index ff0c988..3c4bd64 100644 --- a/php-malware-finder/common.yar +++ b/php-malware-finder/common.yar
@@ -101,6 +101,7 @@ rule DodgyStrings
101	$ = "suhosin.executor.func.blacklist"	101	$ = "suhosin.executor.func.blacklist"
102	$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.	102	$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
103	$ = "uname -a" fullword	103	$ = "uname -a" fullword
		104	$ = "visbot" nocase fullword
104	$ = "warez" fullword nocase	105	$ = "warez" fullword nocase
105	$ = "whoami" fullword	106	$ = "whoami" fullword
106	$ = /(reverse\|web\|cmd)\s*shell/ nocase	107	$ = /(reverse\|web\|cmd)\s*shell/ nocase