1 files changed, 8 insertions, 2 deletions

diff --git a/malwares.yara b/malwares.yara
index 352d084..0cf4948 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -98,12 +98,13 @@ rule DodgyPhp
 {
     strings:
         $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $double_encoding = /(base64_decode\s*\(\s*){2}/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
         $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\(['"]\/[^\/]\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /preg_replace\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
         $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $htaccess = "SetHandler application/x-httpd-php"
 
@@ -190,7 +191,12 @@ rule ExploitsWebsites
         $injector = "1337day.com"
         $rapid7 = "rapid7.com"
         $shodan = "shodan.io"
-        $packetstorm = "packetstormsecurity.com"
+        $packetstorm = "packetstormsecurity"
+        $crackfor = "crackfor"
+        $rednoize = "md5.rednoize"
+        $hashcracking = "hashcracking"
+        $darkc0de = "darkc0de"
+        $securityfocus = "securityfocus"
 
     condition:
         IsPhp and any of them