| author | Julien Voisin | 2016-02-12 13:28:27 +0100 |
|---|---|---|
| committer | Julien Voisin | 2016-02-12 15:05:05 +0100 |
| commit | 7cd4c1b85b0d24b220b045a269d52b06421449a8 (patch) | |
| tree | 023fe0b8dc35f40242b6018729ddb82c5dd79a6b | |
| parent | ced28d12fecc276475ec5b98b117c4bd866c99fc (diff) | |
Strings are nocase
| -rw-r--r-- | php-malware-finder/malwares.yara | 26 |
1 files changed, 14 insertions, 12 deletions
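--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -184,6 +184,7 @@ rule DodgyStrings
 $ = "/etc/syslog.conf"
 $ = "/proc/cpuinfo" fullword
 $ = "/windows/system32/"
+$ = "/var/log/lastlog"
 $ = "WScript.Shell"
 $ = "WinExec"
 $ = "b374k" fullword nocase
@@ -222,23 +223,24 @@ rule DodgyStrings
 rule Websites
 {
 strings:
-$ = "1337day.com"
-$ = "antichat.ru"
-$ = "ccteam.ru"
+$ = "1337day.com" nocase
+$ = "antichat.ru" nocase
+$ = "ccteam.ru" nocase
 $ = "crackfor" nocase
 $ = "darkc0de" nocase
-$ = "egyspider.eu"
-$ = "exploit-db.com"
-$ = "fopo.com.ar" /* Free Online Php Obfuscator */
-$ = "hashchecker.com"
+$ = "egyspider.eu" nocase
+$ = "exploit-db.com" nocase
+$ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */
+$ = "hashchecker.com" nocase
 $ = "hashkiller.com" nocase
-$ = "md5crack.com"
-$ = "md5decrypter.com"
-$ = "milw0rm.com"
+$ = "md5crack.com" nocase
+$ = "md5decrypter.com" nocase
+$ = "milw0rm.com" nocase
+$ = "milw00rm.com" nocase
 $ = "packetstormsecurity" nocase
-$ = "rapid7.com"
+$ = "rapid7.com" nocase
 $ = "securityfocus" nocase
-$ = "shodan.io"
+$ = "shodan.io" nocase
 
 condition:
 any of them and not IsWhitelisted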
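Review bot: The Websites rule now applies `nocase` to every string, but nothing in the rule records why, and the previous selective use (only `crackfor`, `darkc0de`, `hashkiller.com`, `packetstormsecurity`, `securityfocus`) reads as a deliberate choice that a later maintainer may be tempted to undo. A one-line comment above `strings:` such as `// hostnames are case-insensitive and kits often mix case, so every string is nocase` would pin the intent. In the first hunk the added `$ = "/var/log/lastlog"` carries no modifier while the nearby `/proc/cpuinfo` string is `fullword`; if the omission is intentional, a short trailing comment on that line would say so. Note that the closing brace of `rule Websites` lies outside the hunk, so the rule's remaining lines could not be checked here.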
