`assert` can be dodgy too

author: jvoisin 2015-07-03 17:08:34 +0200
committer: jvoisin 2015-07-03 17:08:34 +0200
commit: 294182b8d5703c2aacd7e2cd5bcd5bf63296007f (patch)
tree: 02cfb7468e992f936d36c8c12b9bc10f57d19032
parent: 25b2a49fefd6f7f16f6abfc49c2bfdda5647e56d (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/malwares.yara b/malwares.yara
index 8e10e05..0df037b 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -98,7 +98,7 @@ rule DodgyPhp
 {
    strings:
        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
@@ -207,7 +207,7 @@ rule Websites
        $md5crack = "md5decrypter.com"
        $hashkiller = "hashkiller.com"
        $hashchecker = "hashchecker.com"
-        $fopo = "http://www.fopo.com.ar/"
+        $fopo = "www.fopo.com.ar"  /* Free Online Php Obfuscator */
        $ccteam = "ccteam.ru"
        $locus = "locus7s.com"
author	jvoisin	2015-07-03 17:08:34 +0200
committer	jvoisin	2015-07-03 17:08:34 +0200
commit	294182b8d5703c2aacd7e2cd5bcd5bf63296007f (patch)
tree	02cfb7468e992f936d36c8c12b9bc10f57d19032
parent	25b2a49fefd6f7f16f6abfc49c2bfdda5647e56d (diff)

diff --git a/malwares.yara b/malwares.yara index 8e10e05..0df037b 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -98,7 +98,7 @@ rule DodgyPhp
98	{	98	{
99	strings:	99	strings:
100	$vars = /\$___+/ // $__ is rarely used in legitimate scripts	100	$vars = /\$___+/ // $__ is rarely used in legitimate scripts
101	$execution = /(eval\|passthru\|exec\|system\|win_shell_execute) *\((base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|\\?\$_(GET\|REQUEST\|POST))/	101	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute) *\((base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|\\?\$_(GET\|REQUEST\|POST))/
102	$double_encoding = /(base64_decode\s\(\s){2}/	102	$double_encoding = /(base64_decode\s\(\s){2}/
103	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	103	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
104	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	104	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
@@ -207,7 +207,7 @@ rule Websites
207	$md5crack = "md5decrypter.com"	207	$md5crack = "md5decrypter.com"
208	$hashkiller = "hashkiller.com"	208	$hashkiller = "hashkiller.com"
209	$hashchecker = "hashchecker.com"	209	$hashchecker = "hashchecker.com"
210	$fopo = "http://www.fopo.com.ar/"	210	$fopo = "www.fopo.com.ar" /* Free Online Php Obfuscator */
211	$ccteam = "ccteam.ru"	211	$ccteam = "ccteam.ru"
212	$locus = "locus7s.com"	212	$locus = "locus7s.com"
213		213