diff options
| author | jvoisin | 2015-06-25 10:27:58 +0200 |
|---|---|---|
| committer | jvoisin | 2015-06-25 10:27:58 +0200 |
| commit | d459125edca99f84b8eda87e6e064c81ec6d53f7 (patch) | |
| tree | 2ffe82109f27a29300ef811165a762450174407d | |
| parent | 0f19dae455efce37c28e7a5aac8d96bcbb86e7ca (diff) | |
What about moar spaces?
| -rw-r--r-- | malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara index d56ce7d..c421956 100644 --- a/malwares.yara +++ b/malwares.yara | |||
| @@ -98,7 +98,7 @@ rule SuspiciousEncoding | |||
| 98 | rule DodgyPhp | 98 | rule DodgyPhp |
| 99 | { | 99 | { |
| 100 | strings: | 100 | strings: |
| 101 | $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/ | 101 | $execution = /(eval|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/ |
| 102 | $double_encoding = /(base64_decode\s*\(\s*){2}/ | 102 | $double_encoding = /(base64_decode\s*\(\s*){2}/ |
| 103 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ | 103 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ |
| 104 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ | 104 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ |