-rw-r--r--malwares.yara5
1 files changed, 3 insertions, 2 deletions
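--- a/malwares.yara
+++ b/malwares.yara
@@ -61,8 +61,9 @@ rule ObfuscatedPhp
  $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
  $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
  $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
+ $strange_arg = /\${\$[0-9a-zA-z]+}/
  condition:
- IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3 or $danone)
+ IsPhp and ($align or $oneliner or $eval or $launcher or $strange_arg or #vars > 5 or $weevely3 or $danone)
 }
 
 private rule base64
@@ -132,7 +133,7 @@ rule DangerousPhp
  $k = "win_shell_execute" fullword
  $l = "win32_create_service" fullword
  $m = "posix_getpwuid" fullword
- $n = "shmop_open" fullword
+ $n = "shm_open" fullword
  $o = "assert" fullword
  $p = "fsockopen" fullword
  $q = "function_exists" fullword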
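Review bot: The second hunk's rename of `$n` from "shmop_open" to "shm_open" looks like it silently removes a detection rather than correcting one: as far as I know PHP exposes `shmop_open` (and `shm_attach`), while `shm_open` is the POSIX C call, so the new `fullword` string should never match PHP source and the DangerousPhp rule loses coverage of the shmop extension; if that was not the intent, restore `$n = "shmop_open" fullword`. In the first hunk, the new `$strange_arg` regex uses the character class `[0-9a-zA-z]`, where `A-z` spans the ASCII range between 'Z' and 'a' (`[`, `\`, `]`, `^`, `_`, backtick) and is almost certainly a typo for `A-Z`, widening the match beyond PHP identifier characters; suggest `$strange_arg = /\${\$[0-9a-zA-Z]+}/`. The `{` and `}` in that regex are also unescaped, which YARA may or may not read as literals depending on version, so escaping them as `\{` and `\}` would make the intent explicit. A short comment on the new string naming what it detects (a variable-variable `${$name}` construct) would match the style of the `$weevely3` and `$launcher` lines above it.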