| author | Julien (jvoisin) Voisin | 2015-05-13 14:18:14 +0200 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2015-05-13 14:18:14 +0200 |
| commit | b897cc91fbef1258607c61f6287e195bd1f1b0ac (patch) | |
| tree | 300b9ee2e00ffa5ee5ef91b4c28260cdcb0ee0d7 | |
| parent | ad9327f187de3816f9517d82f671a209578a136b (diff) | |
Add onemore rule
| -rw-r--r-- | malwares.yara | 3 |
1 files changed, 2 insertions, 1 deletions
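diff --git a/malwares.yara b/malwares.yara
index c5a11e6..07c72d9 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
-$vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
+$vars = /\$_{2,}/ // $__ is rarely used in legitimate scripts
 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
@@ -110,6 +110,7 @@ rule DodgyPhp
 $htaccess = "SetHandler application/x-httpd-php"
 $obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
+$stored_func = /\$[A-Za-z0-9_-]+\[([0-9]+|['"][^'"]+['"])\]\s*\(/ // things like $myArray['varname'](parameters, ...)
 
 condition:
 IsPhp and (any of them or CloudFlareBypass)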
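Review bot: The new `$stored_func` string on its own satisfies `any of them` in the visible condition, so any PHP file that dispatches through a callback table (`$handlers['name']($arg)` is routine in frameworks) will now trip DodgyPhp; the rest of DodgyPhp's strings begin above this hunk, so the full string set is not visible here. Consider keeping the indicator but not letting it fire alone, e.g. `IsPhp and (CloudFlareBypass or 2 of them or (1 of them and not $stored_func))`, and tighten the class to a PHP identifier, `/\$[A-Za-z_][A-Za-z0-9_]*\[([0-9]+|['"][^'"]+['"])\]\s*\(/`, since `-` cannot occur in a variable name. A trailing comment recording the false-positive risk, `// weak alone: legitimate callback tables look identical`, would help the next reader. The first hunk's removal of `fullword` from `$vars` likewise widens a match (`$__` now also hits inside longer names such as `$__foo`) and is not mentioned in the commit message.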
