From 6b46436de856e51c68eb68999185a6d41a9ef07a Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 17:34:48 +0100
Subject: Add some rules
---
 malwares.yara | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/malwares.yara b/malwares.yara
index de735a7..7167708 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -117,6 +117,7 @@ rule DodgyPhp
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
 $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
 $iis_com = /IIS:\/\/localhost\/w3svc/
+ $user_function = /(call_user_func|create_function)/
 condition:
 (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -174,6 +175,8 @@ rule DodgyStrings
 $ = "/etc/resolv.conf"
 $ = "/etc/syslog.conf"
 $ = "/etc/proftpd.conf"
+ $ = "/windows/system32/"
+ $ = "WScript.Shell"
 $ = "WinExec"
 $ = "uname -a" fullword
 $ = "nc -l" fullword
--
cgit v1.3
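Review bot: The new `$user_function` regex in the DodgyPhp hunk is case-sensitive, but PHP resolves function names case-insensitively, so a differently cased spelling of the same call runs identically and is not matched; append the modifier, `$user_function = /(call_user_func|create_function)/ nocase`. The same gap exists for both additions in the DodgyStrings hunk: `WScript.Shell` is a COM ProgID and `/windows/system32/` a Windows path, both resolved case-insensitively by the platform, so `$ = "WScript.Shell" nocase` and `$ = "/windows/system32/" nocase` are the matching forms, and the path literal as written never matches the far more common backslash spelling, which `$ = "\\windows\\system32\\" nocase` would cover. `call_user_func` is also common in legitimate PHP code, so under `any of them` the rule leans entirely on `IsWhitelisted` to keep false positives down; a one-line comment beside the new string recording that trade-off would help the next maintainer. Both rule bodies begin outside the hunks.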