From 7c845c3352aea9a66d4da2b23c341e06b0e52599 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 25 Feb 2016 18:31:06 +0100
Subject: Misc additions

---
 php-malware-finder/malwares.yara | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 64c327b..fc78c31 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -84,11 +84,12 @@ private rule base64
 private rule hex
 {
 strings:
- $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
- $exec = "\\x65\\x78\\x65\\x63" nocase
- $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
- $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
- $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+ $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
+ $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
+ $exec = "\\x65\\x78\\x65\\x63" nocase
+ $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
+ $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+ $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
 
 condition:
 any of them
@@ -201,7 +202,7 @@ rule DodgyStrings
 $ = "WinExec"
 $ = "b374k" fullword nocase
 $ = "backdoor" fullword nocase
- $ = "c99shell" fullword nocase
+ $ = /(c99|r57|fx29)shell/
 $ = "cmd.exe" fullword nocase
 $ = "defaced" fullword nocase
 $ = "evilc0ders" fullword nocase
-- 
cgit v1.3
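Review bot: The new `$globals` string, like every other entry in `private rule hex`, is an opaque escape sequence with no comment saying what it decodes to, so a maintainer cannot tell at a glance that `\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53` is `GLOBALS` or that `$http_user_agent` deliberately alternates hex and octal escapes. Add a trailing decode comment on each string, e.g. `$globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase // "GLOBALS"`, and a header comment on the rule stating that it only matches the `\x`-hex spelling of these identifiers, since the all-octal (`\107\114\117...`) and mixed spellings are presumably not covered by these literals. The closing brace of `private rule hex` lies outside the hunk.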
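Review bot: The `/(c99|r57|fx29)shell/` regex that replaces `"c99shell" fullword nocase` drops both modifiers, so the new pattern is case-sensitive and no longer matches `C99Shell`, `R57shell` or similar capitalizations that the old string caught, and it now also fires inside longer tokens. YARA accepts the same modifiers on regular expressions, so `$ = /(c99|r57|fx29)shell/ nocase fullword` keeps the widened family list without the regression. A short comment naming the shell families the alternation is meant to cover would also help, since the anonymous `$` gives no hint. `rule DodgyStrings` starts and ends outside the hunk.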