From 44dd7450c5f957f37f9d55a69cd24c9a24332a30 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 5 Jan 2016 10:44:38 +0100
Subject: Cleanup the wordlist
---
 malwares.yara | 69 +++++++++++++++++++++++++++++------------------------------
 1 file changed, 34 insertions(+), 35 deletions(-)
diff --git a/malwares.yara b/malwares.yara
index c3679b2..5bf6dd3 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -171,35 +171,39 @@ rule DangerousPhp
 rule DodgyStrings
 {
 strings:
+ $ = "/../../../"
+ $ = /\/bin\/(ba)?sh/ fullword
 $ = "/etc/passwd"
- $ = "/etc/shadow"
+ $ = "/etc/proftpd.conf"
 $ = "/etc/resolv.conf"
+ $ = "/etc/shadow"
 $ = "/etc/syslog.conf"
- $ = "/etc/proftpd.conf"
+ $ = "/proc/cpuinfo" fullword
 $ = "/windows/system32/"
 $ = "WScript.Shell"
 $ = "WinExec"
- $ = "uname -a" fullword
- $ = "nc -l" fullword
- $ = "ls -la" fullword
+ $ = "b374k" fullword nocase
+ $ = "backdoor" fullword nocase
+ $ = "c99shell" fullword nocase
 $ = "cmd.exe" fullword nocase
- $ = "ipconfig" fullword nocase
- $ = "find . -type f" fullword
 $ = "defaced" fullword nocase
- $ = "slowloris" fullword nocase
- $ = "id_rsa" fullword
- $ = "backdoor" fullword nocase
- $ = "webshell" fullword nocase
 $ = "exploit" fullword nocase
- $ = "hacking" fullword nocase
- $ = "hacker" fullword nocase
- $ = "/proc/cpuinfo" fullword
- $ = "/bin/sh" fullword
- $ = "/bin/bash" fullword
+ $ = "find . -type f" fullword
+ $ = /hack(ing|er)/ nocase
+ $ = "hashcrack" nocase
+ $ = "id_rsa" fullword
+ $ = "ipconfig" fullword nocase
+ $ = "kingdefacer" nocase
+ $ = "locus7s" nocase
+ $ = "ls -la" fullword
+ $ = "nc -l" fullword
 $ = "ps -aux" fullword
- $ = "b374k" fullword
+ $ = "rootkit" fullword nocase
+ $ = "slowloris" fullword nocase
+ $ = "uname -a" fullword
+ $ = "warez" fullword nocase
 $ = /(reverse|web)\s*shell/ nocase
- $ = /\t{16,}?/
+ $ = /\t{16,}?/ /* a lot of spaces */
 $vbs = /language\s*=\s*vbscript/ nocase
 $asp = "scripting.filesystemobject" nocase
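Review bot: The regex `/hack(ing|er)/ nocase` that replaces the two removed `"hacking"`/`"hacker"` strings drops their `fullword` modifier, so the rule now also fires on substrings inside ordinary words such as `lifehacker` or `hackerrank` that the old fullword strings did not match; keeping the previous semantics is `$ = /hack(ing|er)/ fullword nocase`, the same form the hunk already uses for `/\/bin\/(ba)?sh/ fullword`. The same widening applies to `"hashcrack" nocase`, `"kingdefacer" nocase` and `"locus7s" nocase`, although for those the substring match looks intentional since `hashcracking`, `KingDefacer` and `locus7s.com` are removed from `Websites` in the next hunk. Separately, the comment added to `/\t{16,}?/` reads `/* a lot of spaces */`, but `\t` matches tab characters only; `/* a run of 16 or more tabs */` describes the pattern accurately, and the non-greedy `?` on the quantifier does not change whether the string matches, only how much it consumes. The `DodgyStrings` rule continues past the hunk; its `condition:` is not shown.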
@@ -211,28 +215,23 @@ rule DodgyStrings
 rule Websites
 {
 strings:
- $ = "milw0rm.com"
- $ = "exploit-db.com"
 $ = "1337day.com"
- $ = "rapid7.com"
- $ = "shodan.io"
- $ = "packetstormsecurity"
+ $ = "antichat.ru"
+ $ = "ccteam.ru"
 $ = "crackfor" nocase
- $ = "md5.rednoize"
- $ = "hashcracking" nocase
 $ = "darkc0de" nocase
- $ = "securityfocus" nocase
- $ = "antichat.ru"
- $ = "KingDefacer" nocase
+ $ = "egyspider.eu"
+ $ = "exploit-db.com"
+ $ = "fopo.com.ar" /* Free Online Php Obfuscator */
+ $ = "hashchecker.com"
+ $ = "hashkiller.com" nocase
 $ = "md5crack.com"
 $ = "md5decrypter.com"
- $ = "hashkiller.com"
- $ = "hashchecker.com"
- $ = "www.fopo.com.ar" /* Free Online Php Obfuscator */
- $ = "ccteam.ru"
- $ = "locus7s.com"
- $ = "b374k"
- $ = "www.egyspider.eu"
+ $ = "milw0rm.com"
+ $ = "packetstormsecurity" nocase
+ $ = "rapid7.com"
+ $ = "securityfocus" nocase
+ $ = "shodan.io"
 condition:
 any of them and not IsWhitelisted
--
cgit v1.3
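Review bot: `nocase` is applied to only some of the hostnames in the rewritten `Websites` list (`packetstormsecurity`, `hashkiller.com`, `securityfocus`), while `exploit-db.com`, `milw0rm.com`, `rapid7.com`, `shodan.io`, `egyspider.eu`, `fopo.com.ar`, `hashchecker.com` and the remaining entries stay case-sensitive; hostnames are case-insensitive, so a reference written as `Exploit-DB.com` is missed while `HashKiller.com` is caught. Most of these lines are already rewritten by the commit, so appending `nocase` uniformly (e.g. `$ = "exploit-db.com" nocase`) would make the list consistent and close that gap; if the mixed treatment is deliberate, a short comment above `strings:` saying which entries are meant to be matched case-sensitively and why would save the next reader from the same question. The closing brace of the `Websites` rule is outside the hunk.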