-rw-r--r--malwares.yara8
1 files changed, 4 insertions, 4 deletions
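--- a/malwares.yara
+++ b/malwares.yara
@@ -17,10 +17,11 @@
 private rule IsPhp
 {
     strings:
-        $php = /<\?[^x]/ //php but not xml
+        $php = "<?"
+        $xml = "<?xml"
 
     condition:
-        $php
+        $php and not $xml
 }
 
 private rule IRC
@@ -54,14 +55,13 @@ rule ObfuscatedPhp
 {
     strings:
         $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
-        $hexvars = /\${['"][\w\\]+['"]}/ fullword // ${blablabla}
         $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
         $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
         $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
     condition:
-        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
+        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3)
 }
 
 private rule base64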
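Review bot: The new IsPhp condition `$php and not $xml` in the first hunk is broader than the regex it replaces: a single `<?xml` anywhere in the file now makes the whole rule false, so a PHP script that also emits an XML prolog (for instance one that prints `<?xml` before its own `<?php` block) is no longer classified as PHP and every rule gated on IsPhp, including ObfuscatedPhp in the second hunk, silently stops matching it. The old regex only required one `<?` not followed by `x`, and the same intent can be kept with plain strings by counting: every `<?xml` hit is also a `<?` hit, so `#php > #xml` is true exactly when at least one `<?` is not part of `<?xml`. I would change the condition to `#php > #xml` and add a comment along the lines of `// at least one "<?" that is not an XML prolog`. Note that `"<?xml"` is case-sensitive, which matches the old regex's behaviour, so that part is unchanged.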