summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--malwares.yara3
1 files changed, 2 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index c5a11e6..07c72d9 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
54rule ObfuscatedPhp 54rule ObfuscatedPhp
55{ 55{
56 strings: 56 strings:
57 $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts 57 $vars = /\$_{2,}/ // $__ is rarely used in legitimate scripts
58 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy 58 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
59 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k 59 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
60 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/ 60 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
@@ -110,6 +110,7 @@ rule DodgyPhp
110 $htaccess = "SetHandler application/x-httpd-php" 110 $htaccess = "SetHandler application/x-httpd-php"
111 $obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious 111 $obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
112 $udp_dos = /sockopen\s*\(['"]udp:\/\// 112 $udp_dos = /sockopen\s*\(['"]udp:\/\//
113 $stored_func = /\$[A-Za-z0-9_-]+\[([0-9]+|['"][^'"]+['"])\]\s*\(/ // things like $myArray['varname'](parameters, ...)
113 114
114 condition: 115 condition:
115 IsPhp and (any of them or CloudFlareBypass) 116 IsPhp and (any of them or CloudFlareBypass)