1 files changed, 14 insertions, 1 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index ae2b784..2b0cd7d 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -56,10 +56,23 @@ private rule hex
        any of them
 }
+private rule strrev
+{
+    strings:
+        $globals = "slabolg" nocase fullword
+        $preg_replace = "ecalper_gerp" nocase fullword
+        $base64_decode = "edoced_46esab" nocase fullword
+        $gzinflate = "etalfnizg" nocase fullword
+    
+    condition:
+        any of them
+}
 rule SuspiciousEncoding
 {
    condition:
-        base64 or hex
+        base64 or hex or strrev
 }
 rule DodgyStrings

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar index ae2b784..2b0cd7d 100644 --- a/php-malware-finder/common.yar +++ b/php-malware-finder/common.yar
@@ -56,10 +56,23 @@ private rule hex
56	any of them	56	any of them
57	}	57	}
58		58
		59	private rule strrev
		60	{
		61	strings:
		62	$globals = "slabolg" nocase fullword
		63	$preg_replace = "ecalper_gerp" nocase fullword
		64	$base64_decode = "edoced_46esab" nocase fullword
		65	$gzinflate = "etalfnizg" nocase fullword
		66
		67	condition:
		68	any of them
		69	}
		70
		71
59	rule SuspiciousEncoding	72	rule SuspiciousEncoding
60	{	73	{
61	condition:	74	condition:
62	base64 or hex	75	base64 or hex or strrev
63	}	76	}
64		77
65	rule DodgyStrings	78	rule DodgyStrings