| author | jvoisin | 2015-07-09 13:33:07 +0200 |
|---|---|---|
| committer | jvoisin | 2015-07-09 13:33:07 +0200 |
| commit | 82aa5ca8080b3787dfb5d5e3944a8cdfc0c9dc6c (patch) | |
| tree | 992279ec428c9899c44baf09791dbca98cf9ef2f | |
| parent | 0fdae3a7ac0d99624626ae42ae7966689b1b989a (diff) | |
make IsPhp a global rule
| -rw-r--r-- | malwares.yara | 14 |
1 files changed, 7 insertions, 7 deletions
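--- a/malwares.yara
+++ b/malwares.yara
@@ -24,7 +24,7 @@ private rule IsWhitelisted
 hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" // classes/Tools.php
 }
 
-private rule IsPhp
+global private rule IsPhp
 {
 strings:
 $php = "<?"
@@ -72,7 +72,7 @@ rule ObfuscatedPhp
 $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
 $strange_arg = /\${\$[0-9a-zA-z]+}/
 condition:
-IsPhp and any of them and not IsWhitelisted
+any of them and not IsWhitelisted
 }
 
 private rule base64
@@ -101,7 +101,7 @@ private rule hex
 rule SuspiciousEncoding
 {
 condition:
-IsPhp and (base64 or hex)
+base64 or hex
 }
 
 rule DodgyPhp
@@ -121,7 +121,7 @@ rule DodgyPhp
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
 
 condition:
-IsPhp and (any of them or CloudFlareBypass) and not IsWhitelisted
+(any of them or CloudFlareBypass) and not IsWhitelisted
 }
 
 rule DangerousPhp
@@ -158,7 +158,7 @@ rule DangerousPhp
 $whitelist = /escapeshellcmd|escapeshellarg/
 
 condition:
-IsPhp and not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
+not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
 }
 
 rule DodgyStrings
@@ -194,7 +194,7 @@ rule DodgyStrings
 $asp = "scripting.filesystemobject" nocase
 
 condition:
-IsPhp and (IRC or 2 of them)
+IRC or 2 of them
 }
 
 rule Websites
@@ -222,5 +222,5 @@ rule Websites
 $locus = "locus7s.com"
 
 condition:
-IsPhp and any of them
+any of them
 }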
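Review bot: The `global private rule IsPhp` line in the first hunk now gates every rule in this file, including any rule added later, and nothing in the file says so; a maintainer who later adds a rule for a non-PHP artefact (the `$asp = "scripting.filesystemobject"` indicator in DodgyStrings already reaches beyond PHP) would get a rule that can never match, with no compile-time hint. Add a comment above the rule: `// global: every rule in this file implicitly requires IsPhp to match; rules for non-PHP files belong in a separate ruleset`. IsPhp's condition lies outside the hunk, so it cannot be confirmed here whether `$php = "<?"` alone is the gate; if it is, the presence or absence of a two-byte `<?` anywhere in the scanned file now decides the reach of the whole ruleset, which is worth stating in that same comment.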
