Simplify a bit the rules

author: jvoisin 2015-06-30 15:50:01 +0200
committer: jvoisin 2015-06-30 15:50:01 +0200
commit: 77e5a33cfac0b750543297cd9c8756b81d969614 (patch)
tree: 6a5dc0928fbc840a33b4ebbba38a18aa32291254
parent: 96d3ab78766aef646879f05175227cc59d19aac7 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/malwares.yara b/malwares.yara
index 3081e15..6e28d40 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -54,7 +54,6 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
@@ -63,7 +62,7 @@ rule ObfuscatedPhp
        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
        $strange_arg = /\${\$[0-9a-zA-z]+}/
    condition:
-        IsPhp and ($align or $oneliner or $eval or $launcher or $strange_arg or #vars > 5 or $weevely3 or $danone)
+        IsPhp and any of them
 }
 private rule base64
@@ -98,6 +97,7 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
    strings:
+        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
        $execution = /(eval|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
author	jvoisin	2015-06-30 15:50:01 +0200
committer	jvoisin	2015-06-30 15:50:01 +0200
commit	77e5a33cfac0b750543297cd9c8756b81d969614 (patch)
tree	6a5dc0928fbc840a33b4ebbba38a18aa32291254
parent	96d3ab78766aef646879f05175227cc59d19aac7 (diff)