| author | Julien (jvoisin) Voisin | 2016-08-12 11:55:56 +0200 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-08-12 11:55:56 +0200 |
| commit | 29a7fb9033e0a3a364a89f7a2ef6be8b2dcf0c6b (patch) | |
| tree | 325d8eff0eebeeb3cc6880c2ace464a0bbc09d1c | |
| parent | c22aab535dccf6613f57826eb1bda0c980ce06dd (diff) | |
Add a strrev-based detection, because skiddies are, well, skiddies.
| -rw-r--r-- | php-malware-finder/common.yar | 15 |
1 files changed, 14 insertions, 1 deletions
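--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -56,10 +56,23 @@ private rule hex
 any of them
 }
 
+private rule strrev
+{
+strings:
+$globals = "slabolg" nocase fullword
+$preg_replace = "ecalper_gerp" nocase fullword
+$base64_decode = "edoced_46esab" nocase fullword
+$gzinflate = "etalfnizg" nocase fullword
+
+condition:
+any of them
+}
+
+
 rule SuspiciousEncoding
 {
 condition:
-base64 or hex
+base64 or hex or strrev
 }
 
 rule DodgyStrings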
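Review bot: The new private rule `strrev` (new lines 59-69) carries no comment explaining what it catches, even though each of its four strings is a deliberately reversed PHP identifier that a reader will not recognise at a glance; a header such as `// reversed PHP function names, restored at runtime with strrev()` would make the intent and the `nocase fullword` choice clear. The same obfuscation usually reverses the neighbouring decoders that this list leaves out, and `$gzuncompress = "sserpmocnuzg" nocase fullword`, `$str_rot13 = "31tor_rts" nocase fullword` and `$create_function = "noitcnuf_etaerc" nocase fullword` are as unlikely as the existing four to occur in legitimate text. Note that the rule fires on the reversed name alone, without requiring any call to strrev in the same file, so short names whose reversal is a real word (eval reversed is "lave") should not be added to this list without a co-occurrence check; the four chosen here are presumably long enough for that to be acceptable.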
