From 1eec91dbcf6959fa3bd92bb21582c75f58f4be8c Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Wed, 15 Apr 2015 18:34:43 +0200
Subject: Ajout de sites DANGEROUS

Et hotfix de la detection des preg_replace
---
 malwares.yara | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 352d084..0cf4948 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -98,12 +98,13 @@ rule DodgyPhp
 {
     strings:
         $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $double_encoding = /(base64_decode\s*\(\s*){2}/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
         $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\(['"]\/[^\/]\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /preg_replace\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
         $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $htaccess = "SetHandler application/x-httpd-php"
 
@@ -190,7 +191,12 @@ rule ExploitsWebsites
         $injector = "1337day.com"
         $rapid7 = "rapid7.com"
         $shodan = "shodan.io"
-        $packetstorm = "packetstormsecurity.com"
+        $packetstorm = "packetstormsecurity"
+        $crackfor = "crackfor"
+        $rednoize = "md5.rednoize"
+        $hashcracking = "hashcracking"
+        $darkc0de = "darkc0de"
+        $securityfocus = "securityfocus"
 
     condition:
         IsPhp and any of them
-- 
cgit v1.3