From 294182b8d5703c2aacd7e2cd5bcd5bf63296007f Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 3 Jul 2015 17:08:34 +0200
Subject: `assert` can be dodgy too

---
 malwares.yara | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 8e10e05..0df037b 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -98,7 +98,7 @@ rule DodgyPhp
 {
     strings:
         $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
         $double_encoding = /(base64_decode\s*\(\s*){2}/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
@@ -207,7 +207,7 @@ rule Websites
         $md5crack = "md5decrypter.com"
         $hashkiller = "hashkiller.com"
         $hashchecker = "hashchecker.com"
-        $fopo = "http://www.fopo.com.ar/"
+        $fopo = "www.fopo.com.ar" /* Free Online Php Obfuscator */
         $ccteam = "ccteam.ru"
         $locus = "locus7s.com"
--
cgit v1.3
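Review bot: The newly added `assert` alternative, like every other name in `$execution`, is only allowed a run of plain spaces before the opening paren (` *\(`), so `assert\t(base64_decode(` or a call broken across a newline is missed, while `$double_encoding` three lines below already uses `\s*` for exactly this purpose; `(eval|assert|passthru|exec|system|win_shell_execute)\s*\(` would be consistent within the rule and harder to dodge. The alternation is also unanchored on the left, so any identifier merely ending in `assert` or `exec` satisfies it — a leading `\b` is cheap and makes the intent explicit. It is worth a short comment on the line that `assert` is listed because, in the PHP versions this rule targets, a string argument to `assert()` is evaluated like `eval`, since that is not obvious to a reader. Indirect forms such as `call_user_func('assert', ...)` remain outside this pattern, and the rule's `condition:` is not in the hunk, so the weight of a single `$execution` hit cannot be judged here.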
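Review bot: The new trailing comment uses `/* ... */` whereas the only other inline annotation visible in this file (`$vars = /\$___+/ // $__ is rarely used in legitimate scripts`) uses `//`; `$fopo = "www.fopo.com.ar" // Free Online Php Obfuscator` keeps a single comment style in the rules. Dropping the scheme and trailing slash widens the indicator to any mention of the host, which is reasonable, but the literal stays case-sensitive — if mixed-case host strings are a concern (none are shown here), a `nocase` modifier would cover them. The rule's `condition:` lies outside the hunk, so whether one matched host is enough to fire cannot be judged from this diff.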