From 002f75633c6968ec824e7da8fa6682a248e719ad Mon Sep 17 00:00:00 2001 From: shaddai Date: Tue, 12 Jan 2016 11:34:09 +0100 Subject: new rules : ini_get, disable_magic_quotes and restore_bypass updated these rules were added in order to detect new malware samples from https://github.com/nikicat/web-malware-collection--- malwares.yara | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/malwares.yara b/malwares.yara
index dd656ef..3f7ee83 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -110,7 +110,9 @@ rule DodgyPhp
 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
- $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
+ $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+ $ini_get = /ini_get\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+ $various = "