From 29a7fb9033e0a3a364a89f7a2ef6be8b2dcf0c6b Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Fri, 12 Aug 2016 11:55:56 +0200
Subject: Add a strrev-based detection, because skiddies are, will, skiddies.

---
 php-malware-finder/common.yar | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index ae2b784..2b0cd7d 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -56,10 +56,23 @@ private rule hex
 any of them
 }
 
+private rule strrev
+{
+ strings:
+ $globals = "slabolg" nocase fullword
+ $preg_replace = "ecalper_gerp" nocase fullword
+ $base64_decode = "edoced_46esab" nocase fullword
+ $gzinflate = "etalfnizg" nocase fullword
+
+ condition:
+ any of them
+}
+
+
 rule SuspiciousEncoding
 {
 condition:
- base64 or hex
+ base64 or hex or strrev
 }
 
 rule DodgyStrings
-- 
cgit v1.3
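Review bot: The four reversed literals in the new `private rule strrev` are unreadable on their own, and the hunk adds no comment mapping them back to the names they spell backwards, so a maintainer has to decode `"edoced_46esab"` by hand. I would add, above `strings:`, a comment such as `// reversed spellings of $GLOBALS, preg_replace, base64_decode and gzinflate, as produced by strrev()-obfuscated samples` and note there that the rule name refers to the obfuscation technique, not to a match on a literal `strrev` call. Because the condition is `any of them`, one reversed token anywhere in a file (a string fixture, for instance) now flips `SuspiciousEncoding`; if that proves noisy, requiring a `$strrev = "strrev" nocase fullword` string alongside the reversed ones would tighten it, at the cost of missing samples that reverse by other means. Whether `DodgyStrings`, which starts at the end of this hunk, already keys on the `strrev` call is not visible here.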