Add a rule to match multiplescomments

author: jvoisin 2016-01-04 17:34:54 +0100
committer: jvoisin 2016-01-04 17:35:07 +0100
commit: e6c04caba89f6915c84b247990382461851e08f3 (patch)
tree: 4f567dd846cabfdd6cf0150b709d344c399de27f
parent: 6b46436de856e51c68eb68999185a6d41a9ef07a (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/malwares.yara b/malwares.yara
index 7167708..ee6ea07 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $strange_arg = /\${\$[0-9a-zA-z]+}/
        $too_many_chr = /(chr\([\d]+\)\.){2,}/
+        $many_comments = /\/\*.{,28}\*\/[^\/]*\/\*/  // Something like as/* */ser/* */t
    condition:
        any of them and not IsWhitelisted
 }
author	jvoisin	2016-01-04 17:34:54 +0100
committer	jvoisin	2016-01-04 17:35:07 +0100
commit	e6c04caba89f6915c84b247990382461851e08f3 (patch)
tree	4f567dd846cabfdd6cf0150b709d344c399de27f
parent	6b46436de856e51c68eb68999185a6d41a9ef07a (diff)

diff --git a/malwares.yara b/malwares.yara index 7167708..ee6ea07 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
65	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html	65	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
66	$strange_arg = /\${\$[0-9a-zA-z]+}/	66	$strange_arg = /\${\$[0-9a-zA-z]+}/
67	$too_many_chr = /(chr\([\d]+\)\.){2,}/	67	$too_many_chr = /(chr\([\d]+\)\.){2,}/
		68	$many_comments = /\/\.{,28}\\/[^\/]\/\/ // Something like as/* /ser/ */t
68	condition:	69	condition:
69	any of them and not IsWhitelisted	70	any of them and not IsWhitelisted
70	}	71	}