Fix a mistake

author: jvoisin 2015-05-22 09:43:31 +0200
committer: jvoisin 2015-05-22 09:43:31 +0200
commit: d8ad70a5c5bc621289d6d38c64525bb2b8dca9c0 (patch)
tree: d229a1f44009b1d6ad1bf4ad1a9ab16d4853391f
parent: f9e7357cdc5e006f528235a12f9cd72973aa0dbe (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index deb5f5f..25ba196 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $vars = /\$__*/ // $__ is rarely used in legitimate scripts
+        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
author	jvoisin	2015-05-22 09:43:31 +0200
committer	jvoisin	2015-05-22 09:43:31 +0200
commit	d8ad70a5c5bc621289d6d38c64525bb2b8dca9c0 (patch)
tree	d229a1f44009b1d6ad1bf4ad1a9ab16d4853391f
parent	f9e7357cdc5e006f528235a12f9cd72973aa0dbe (diff)

diff --git a/malwares.yara b/malwares.yara index deb5f5f..25ba196 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
54	rule ObfuscatedPhp	54	rule ObfuscatedPhp
55	{	55	{
56	strings:	56	strings:
57	$vars = /\$__*/ // $__ is rarely used in legitimate scripts	57	$vars = /\$__+/ // $__ is rarely used in legitimate scripts
58	$eval = /[;}][\t ]*@?(eval\|preg_replace\|system\|exec)\(/ // ;eval( <- this is dodgy	58	$eval = /[;}][\t ]*@?(eval\|preg_replace\|system\|exec)\(/ // ;eval( <- this is dodgy
59	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	59	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
60	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec)\(/	60	$oneliner = /<\?php\s\n\r\s(eval\|preg_replace\|system\|exec)\(/