Small performances improvement

author: Julien Voisin 2015-04-08 11:06:40 +0200
committer: Julien Voisin 2015-04-08 11:06:40 +0200
commit: b875d86be9caaf5d7f5f624f80419f1671c3e167 (patch)
tree: b6e781b7ec6bb82a6bda4c470ff9e142f7f8da0b
parent: 05cb27e5b8c2966813d8407430018ed34c0444b5 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/malwares.yara b/malwares.yara
index 30d8e1c..cd8a789 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -17,10 +17,11 @@
 private rule IsPhp
 {
    strings:
-        $php = /<\?[^x]/ //php but not xml
+        $php = "<?"
+        $xml = "<?xml"
    condition:
-        $php
+        $php and not $xml
 }
 private rule IRC
@@ -54,14 +55,13 @@ rule ObfuscatedPhp
 {
    strings:
        $vars = /\$_{2,}/ fullword  // $__ is rarely used in legitimate scripts
-        $hexvars = /\${['"][\w\\]+['"]}/ fullword  // ${blablabla}
        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
        $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
    condition:
-        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
+        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3)
 }
 private rule base64
author	Julien Voisin	2015-04-08 11:06:40 +0200
committer	Julien Voisin	2015-04-08 11:06:40 +0200
commit	b875d86be9caaf5d7f5f624f80419f1671c3e167 (patch)
tree	b6e781b7ec6bb82a6bda4c470ff9e142f7f8da0b
parent	05cb27e5b8c2966813d8407430018ed34c0444b5 (diff)