Add some embedded perl-script detection

author: Julien (jvoisin) Voisin 2016-02-26 11:54:03 +0100
committer: Julien (jvoisin) Voisin 2016-02-26 11:54:03 +0100
commit: c5a2b0115a6a63a4ea16726e2470967271310109 (patch)
tree: 7ad1f9abfee66e748739fd64afcc07cf2d13c933
parent: 1c7deb02ca805a28d6485f76e44ee0b7fe6f31d4 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 81de9e5..5c3cc1e 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -78,6 +78,7 @@ private rule base64
        $preg_replace = "cHJlZ19yZXBsYWNl"
        $exec = "ZXhlYyg"
        $base64_decode = "YmFzZTY0X2RlY29kZ"
+        $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
    condition:
        any of them
 }
author	Julien (jvoisin) Voisin	2016-02-26 11:54:03 +0100
committer	Julien (jvoisin) Voisin	2016-02-26 11:54:03 +0100
commit	c5a2b0115a6a63a4ea16726e2470967271310109 (patch)
tree	7ad1f9abfee66e748739fd64afcc07cf2d13c933
parent	1c7deb02ca805a28d6485f76e44ee0b7fe6f31d4 (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 81de9e5..5c3cc1e 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -78,6 +78,7 @@ private rule base64
78	$preg_replace = "cHJlZ19yZXBsYWNl"	78	$preg_replace = "cHJlZ19yZXBsYWNl"
79	$exec = "ZXhlYyg"	79	$exec = "ZXhlYyg"
80	$base64_decode = "YmFzZTY0X2RlY29kZ"	80	$base64_decode = "YmFzZTY0X2RlY29kZ"
		81	$perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
81	condition:	82	condition:
82	any of them	83	any of them
83	}	84	}