| author | Julien (jvoisin) Voisin | 2016-08-30 15:34:20 +0200 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-08-30 15:35:34 +0200 |
| commit | 12c72b5cd4d94bbb26caa7687f1f708e17cca68d (patch) | |
| tree | 5525b9845c4b6338e30ad6a667d5053c5a08bdf4 | |
| parent | c58fff51d33f2067ec23a4b8bb4426f0f18150ee (diff) | |
Add a rule to detect some obfuscated samples
Thanks to @Doeurf for the sample
| -rw-r--r-- | php-malware-finder/php.yar | 1 |
1 files changed, 1 insertions, 0 deletions
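diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index ba1130e..cdb91c2 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -54,6 +54,7 @@ rule ObfuscatedPhp
 $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
 $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
+$comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/ // eval /* comment */ (php_code)
 condition:
 any of them and not IsWhitelisted
 }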
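Review bot: The added `$comment` string cannot match a block comment whose body ends in a second asterisk, e.g. `eval/* x **/(`, because `\*[^\/]` consumes both asterisks and `\*\/` is then left with only the slash, so a sample can dodge the rule with one extra character; the usual form is `$comment = /\/\*([^*]|\*+[^*\/])*\*+\/\s*\(/`. The string is also not tied to `eval` or any call name, contrary to its trailing comment: any `/* ... */` directly followed by `(`, such as `$x = /* note */ (int) $y;`, matches, so expect false positives on ordinary commented PHP unless the condition narrows it (the rule header and the rest of ObfuscatedPhp are outside this hunk, and `condition: any of them` fires on this string alone). The comment should state what is actually matched, e.g. `// any /* block comment */ immediately followed by an opening parenthesis, as in eval /* comment */ (code)`.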
