-rw-r--r--malwares.yara5
1 files changed, 2 insertions, 3 deletions
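diff --git a/malwares.yara b/malwares.yara
index 5bf6dd3..dd656ef 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,10 +57,10 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
-$eval = /[;{}]*[\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ // ;eval( <- this is dodgy
+$eval = /(<\?php\s*\n*\r*|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)/ // ;eval( <- this is dodgy
 $b374k = "'ev'.'al'"
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
-$oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
+$oneliner = /<\?php\s*\n*\r*\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $strange_arg = /\${\$[0-9a-zA-z]+}/
@@ -203,7 +203,6 @@ rule DodgyStrings
 $ = "uname -a" fullword
 $ = "warez" fullword nocase
 $ = /(reverse|web)\s*shell/ nocase
-$ = /\t{16,}?/ /* a lot of spaces */
 
 $vbs = /language\s*=\s*vbscript/ nocase
 $asp = "scripting.filesystemobject" nocase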
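Review bot: The new `$eval` pattern at line 60 of the first hunk drops the trailing `\(` that both the old pattern and the neighbouring `$oneliner` keep, so after a `;`, `{`, `}` or `<?php` it now fires on any identifier that merely starts with one of the listed words (a constructed example: `; executeQuery(` or `; system_config =`), which is likely to raise false positives in ObfuscatedPhp. If the intent is still the `;eval(` shape named in the trailing comment, restore the anchor: `$eval = /(<\?php\s*\n*\r*|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/`. With the `<\?php` alternative now folded into `$eval`, `$oneliner` at line 63 differs from it only by that `\(` anchor and the `\s*` before the function name, so a one-line comment on `$oneliner` stating why both strings are kept would help the next maintainer. Note also that `\s*` already matches CR and LF, so the `\n*\r*` in both patterns is redundant. The rule's `condition:` section lies outside this hunk, so whether the widened `$eval` changes the rule's verdict cannot be checked from here.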