From 8039662c4ec5e407d23d19a27df34286e398ad45 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 15:47:28 +0100
Subject: Perf optimization and rules completion

---
 malwares.yara | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 4f08a9b..98e11cb 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,10 +57,10 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/  // ;eval( <- this is dodgy
-        $b374k = /'ev'\.'al'/
+        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/  // ;eval( <- this is dodgy
+        $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $strange_arg = /\${\$[0-9a-zA-z]+}/
@@ -105,7 +105,7 @@ rule DodgyPhp
     strings:
         $vars = /\$__+/ // $__ is rarely used in legitimate scripts
         $double_encoding = /(base64_decode\s*\(\s*){2}/
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-- 
cgit v1.3