From 12c72b5cd4d94bbb26caa7687f1f708e17cca68d Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Tue, 30 Aug 2016 15:34:20 +0200
Subject: Add a rule to detect some obfuscated samples

Thanks to @Doeurf for the sample
---
 php-malware-finder/php.yar | 1 +
 1 file changed, 1 insertion(+)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index ba1130e..cdb91c2 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -54,6 +54,7 @@ rule ObfuscatedPhp
 $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
 $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
+ $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/ // eval /* comment */ (php_code)
 condition:
 any of them and not IsWhitelisted
 }
-- 
cgit v1.3
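Review bot: The new `$comment` string only requires a `/* … */` comment followed by optional whitespace and `(`, while its own trailing comment describes the narrower `eval /* comment */ (php_code)` shape; because the rule's condition is `any of them`, ordinary PHP such as `return /* total */ ($a + $b);` appears sufficient to mark a whole file as ObfuscatedPhp. The comment body `([^*]|\*[^\/])*\*\/` also seems unable to close on comments ending in `**/`, so a sample written as `eval /* x **/(…)` would likely be missed. Requiring a preceding identifier and using the standard comment form addresses both points in one line: `$comment = /\w+\s*\/\*([^*]|\*+[^*\/])*\*+\/\s*\( / // eval /* comment */ (php_code)` (without the space before the closing slash, which is only there for quoting). The enclosing `rule ObfuscatedPhp` and its `strings:` header start before this hunk, so other strings in the rule are not visible here.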