From 1b88cf3b85d8e3225fb55526f53cbf4df75d9813 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 29 Jul 2015 16:27:30 +0200
Subject: Add some more rules

---
 malwares.yara | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 02d7127..569f16c 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -56,12 +56,11 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
+        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/  // ;eval( <- this is dodgy
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
         $strange_arg = /\${\$[0-9a-zA-z]+}/
     condition:
         any of them and not IsWhitelisted
@@ -74,6 +73,7 @@ private rule base64
         $system = "c3lzdGVt"
         $preg_replace = "cHJlZ19yZXBsYWNl"
         $exec = "ZXhlYyg"
+        $base64_decode = "YmFzZTY0X2RlY29kZ"
     condition:
         any of them
 }
@@ -101,8 +101,7 @@ rule DodgyPhp
 {
     strings:
         $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\( *(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
-        $double_encoding = /(base64_decode\s*\(\s*){2}/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
@@ -151,7 +150,7 @@ rule DangerousPhp
         $ = "call_user_func" fullword
         $ = "register_shutdown_function" fullword
         $ = "register_tick_function" fullword
-        $ = /ob_start\s*\(\s*['"]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+        $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
         $ = "mb_ereg_replace_callback" fullword
         $ = "preg_replace_callback" fullword
 
-- 
cgit v1.3