From 946c70b200f76aec8fed0a9e0bd475a9dcc6a3ca Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Fri, 17 Apr 2015 11:13:00 +0200
Subject: Better detection of obvious preg_replace-powered execution
---
 malwares.yara | 1 +
 1 file changed, 1 insertion(+)
diff --git a/malwares.yara b/malwares.yara
index 0cf4948..63e9376 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -107,6 +107,7 @@ rule DodgyPhp
 $pr = /preg_replace\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
 $htaccess = "SetHandler application/x-httpd-php"
+$obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
 condition:
 IsPhp and (any of them or CloudFlareBypass)
-- 
cgit v1.3
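Review bot: The added `$obvious_preg` string does not tie its opening and closing quote characters together (`['"]` then `["']`), so a mismatched `'/.*/e"` also matches; harmless for a detection string, but worth a comment if it is deliberate rather than an oversight. The string is also deliberately narrow — it matches only the literal `/.*/e` form, so the same pattern with a different delimiter or extra modifiers after `e` is not caught and still relies on `$pr`, which only fires when the pattern appears directly inside a `preg_replace(` call. The trailing comment should say why the string matters rather than just "suspicious"; suggested: `// "/.*/e" <- catch-all pattern with the /e (eval) modifier; deprecated in PHP 5.5, removed in PHP 7`. Since the match is already delimited by quote characters on both sides, `fullword` adds little here and could be dropped for clarity. The enclosing `rule DodgyPhp` starts before the hunk.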