authorJulien (jvoisin) Voisin2016-07-07 17:12:59 +0200
committerJulien (jvoisin) Voisin2016-07-07 17:12:59 +0200
commite3b54db29f29aeb5e37ab7b8a4a140260eeab98f (patch)
tree745d2e3f244e7620d060a77f4bf92852c3578662
parent3bb034544be27cc36ad99aef01327833b7429c24 (diff)
Factorize a bit the code, and add GIF-based backdoor detection
-rw-r--r--php-malware-finder/common.yar12
-rw-r--r--php-malware-finder/php.yar8
2 files changed, 15 insertions, 5 deletions
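--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -1,3 +1,14 @@
+rule CloudFlareBypass
+{
+    strings:
+        $ = "chk_jschl"
+        $ = "jschl_vc"
+        $ = "jschl_answer"
+
+    condition:
+        2 of them // Better be safe than sorry
+}
+
 private rule IRC
 {
     strings:
@@ -125,6 +136,7 @@ rule Websites
     strings:
         $ = "1337day.com" nocase
         $ = "antichat.ru" nocase
+        $ = "b374k" nocase
         $ = "ccteam.ru" nocase
         $ = "crackfor" nocase
         $ = "darkc0de" nocase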
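Review bot: Moving `CloudFlareBypass` into common.yar takes it out of reach of the `global private rule IsPhp` gate that php.yar applies (visible at the top of the php.yar hunk), unless common.yar is only ever compiled together with php.yar; loaded on its own or from a rule set without that global, any two of `chk_jschl`/`jschl_vc`/`jschl_answer` will also flag cached copies of Cloudflare's own challenge HTML and JavaScript, which legitimately contain all three. A one-line comment stating that assumption would stop the rule from being reused standalone by mistake, e.g. `// Relies on the including rule set's global gate (IsPhp in php.yar) to restrict matches to PHP files`. The new `b374k` entry in `Websites` names a webshell family rather than a site, so a trailing `// b374k webshell, not a domain` would tell the reader it is not a typo in a domain list. The `Websites` rule's condition lies outside the hunk.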
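--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -33,15 +33,13 @@ global private rule IsPhp
     $php and filesize < 5MB
 }
 
-rule CloudFlareBypass
+rule HiddenInAFile
 {
     strings:
-        $ = "chk_jschl"
-        $ = "jschl_vc"
-        $ = "jschl_answer"
+        $gif = {47 49 46 38 ?? 61} // GIF8[version]a
 
     condition:
-        2 of them // Better be safe than sorry
+        $gif at 0
 }
 
 rule PasswordProtection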
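Review bot: `HiddenInAFile` documents the bytes it matches but not why the match matters, which is what a maintainer tuning this rule later needs; a one-line comment such as `// PHP source prefixed with a GIF header so upload filters that only check the magic bytes accept it as an image` above the `$gif` string would capture the intent the commit title gives. The `??` byte accepts any GIF version character, so the pattern is deliberately looser than the real `GIF87a`/`GIF89a` signatures; if that is intended, say so in the comment, otherwise `$gif = {47 49 46 38 (37|39) 61}` pins the two versions that image libraries actually recognise. The match is only meaningful together with the `global private rule IsPhp` gate whose `$php` string is defined above this hunk (a genuine GIF with no PHP tag inside never reaches this rule), and that coupling is worth stating next to the rule name. `PasswordProtection` begins on the hunk's last line and continues outside it.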