Replace the $__ rule with the $___ one.

author: jvoisin 2015-06-30 15:25:10 +0200
committer: jvoisin 2015-06-30 15:25:10 +0200
commit: c2797613ef8a31d23381229cb0cdecc1f0a17f4d (patch)
tree: 9fe5689bc3331a547157a80361c3c098a2243411
parent: c066a4fd993ace9c279ce95d7f60645f5c4a505a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index c421956..3081e15 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
+        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
author	jvoisin	2015-06-30 15:25:10 +0200
committer	jvoisin	2015-06-30 15:25:10 +0200
commit	c2797613ef8a31d23381229cb0cdecc1f0a17f4d (patch)
tree	9fe5689bc3331a547157a80361c3c098a2243411
parent	c066a4fd993ace9c279ce95d7f60645f5c4a505a (diff)

diff --git a/malwares.yara b/malwares.yara index c421956..3081e15 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
54	rule ObfuscatedPhp	54	rule ObfuscatedPhp
55	{	55	{
56	strings:	56	strings:
57	$vars = /\$__+/ // $__ is rarely used in legitimate scripts	57	$vars = /\$___+/ // $__ is rarely used in legitimate scripts
58	$eval = /[;}][\t ]*@?(eval\|preg_replace\|system\|exec)\(/ // ;eval( <- this is dodgy	58	$eval = /[;}][\t ]*@?(eval\|preg_replace\|system\|exec)\(/ // ;eval( <- this is dodgy
59	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	59	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
60	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec)\(/	60	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec)\(/