From 89f8db40defcc6d03ec235dc42cdea5e696a397a Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Mon, 13 Apr 2015 13:15:09 +0200
Subject: Improve detection of Danone malwares

---
 malwares.yara | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malwares.yara b/malwares.yara
index cd8a789..352d084 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -60,8 +60,9 @@ rule ObfuscatedPhp
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+ $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
 condition:
- IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3)
+ IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3 or $danone)
 }
 
 private rule base64
-- 
cgit v1.3
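Review bot: The new `$danone` string is the only one in this rule without a comment saying what it matches; its neighbours `$weevely3` and `$launcher` each carry one, so add something like `// Danone webshell launcher: $s20=strtoupper($x[n].$y[n]...);if` after the pattern, plus a reference to the sample or write-up it was derived from if one exists. The literal `strtoupper` is matched case-sensitively, but PHP function names are case-insensitive, so a sample spelled `StrToUpper` would not hit this string; declaring it `$danone = /.../ nocase` closes that gap (YARA accepts `nocase` on regular expressions, and the extra `$S20` match it allows is harmless here). The bounds `{1,4}` and `{2,9}` are magic numbers a future maintainer cannot verify without the original samples, so the comment should say where they come from. The enclosing `rule ObfuscatedPhp`, including the `$align`, `$eval` and `$vars` strings the condition references, starts above the hunk.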