From 7cd4c1b85b0d24b220b045a269d52b06421449a8 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Fri, 12 Feb 2016 13:28:27 +0100
Subject: Strings are nocase
---
 php-malware-finder/malwares.yara | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 4bff547..b348a81 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -184,6 +184,7 @@ rule DodgyStrings
 $ = "/etc/syslog.conf"
 $ = "/proc/cpuinfo" fullword
 $ = "/windows/system32/"
+ $ = "/var/log/lastlog"
 $ = "WScript.Shell"
 $ = "WinExec"
 $ = "b374k" fullword nocase
@@ -222,23 +223,24 @@ rule DodgyStrings
 rule Websites
 {
 strings:
- $ = "1337day.com"
- $ = "antichat.ru"
- $ = "ccteam.ru"
+ $ = "1337day.com" nocase
+ $ = "antichat.ru" nocase
+ $ = "ccteam.ru" nocase
 $ = "crackfor" nocase
 $ = "darkc0de" nocase
- $ = "egyspider.eu"
- $ = "exploit-db.com"
- $ = "fopo.com.ar" /* Free Online Php Obfuscator */
- $ = "hashchecker.com"
+ $ = "egyspider.eu" nocase
+ $ = "exploit-db.com" nocase
+ $ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */
+ $ = "hashchecker.com" nocase
 $ = "hashkiller.com" nocase
- $ = "md5crack.com"
- $ = "md5decrypter.com"
- $ = "milw0rm.com"
+ $ = "md5crack.com" nocase
+ $ = "md5decrypter.com" nocase
+ $ = "milw0rm.com" nocase
+ $ = "milw00rm.com" nocase
 $ = "packetstormsecurity" nocase
- $ = "rapid7.com"
+ $ = "rapid7.com" nocase
 $ = "securityfocus" nocase
- $ = "shodan.io"
+ $ = "shodan.io" nocase
 condition:
 any of them and not IsWhitelisted
-- 
cgit v1.3
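Review bot: The new `$ = "/var/log/lastlog"` entry in DodgyStrings is a bare filesystem path with no inline comment, while the file elsewhere annotates non-obvious entries (e.g. the `/* Free Online Php Obfuscator */` remark on `fopo.com.ar`); why this path is a dodgy indicator is not obvious to a reader of the rule. I would add `$ = "/var/log/lastlog" /* login-history file, read or truncated by log-cleaning scripts */` so that a maintainer tuning false positives knows what the string is meant to catch. Note that the neighbouring `/proc/cpuinfo` carries `fullword` and this one does not, so it will also match longer path names containing it; state in the comment whether that is intended. The DodgyStrings rule begins and its condition ends outside this hunk.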
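Review bot: Making every Websites string `nocase` widens a rule whose condition is `any of them and not IsWhitelisted`, so a single case-variant mention of a public domain such as `exploit-db.com` or `rapid7.com` in a comment, README or URL of otherwise benign code is now enough to fire the rule; the hunk does not document that these are low-confidence, context-free indicators. I would add a `meta:` section to `rule Websites` with a `description` stating that the strings are domains associated with exploit, cracking and hash-lookup services and that a hit is a weak signal expected to be reviewed against the whitelist rather than treated as a verdict, matching the inline-comment convention the file already uses for `fopo.com.ar`. The `IsWhitelisted` rule referenced in the condition is defined outside this hunk, so its coverage of legitimate security libraries cannot be confirmed from here.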