From aa1f56a912194957918c37eef8c30e490267ee59 Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Fri, 6 Nov 2015 19:33:18 +0100
Subject: added signature for base64 concatenation

---
 php-malware-finder/malwares.yara | 1 +
 1 file changed, 1 insertion(+)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 7610d18..8fd5eb5 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $strange_arg = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){2,}?/
+ $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
 condition:
 any of them and not IsWhitelisted
 }
-- 
cgit v1.3
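Review bot: The character class in the new `$b64_concat` string omits `/`, which is one of the 64 characters of the standard base64 alphabet, so any chunk containing a slash breaks the run and a payload split that way is not detected; `[A-Za-z0-9+\/=]` closes that gap. The pattern also accepts empty and very short literals, and because the rule's condition is `any of them`, four consecutive `'x'.` fragments in otherwise legitimate PHP trip `ObfuscatedPhp` on their own — a minimum chunk length such as `$b64_concat = /('[A-Za-z0-9+\/=]{8,}'\.){4,}/` narrows that without losing the chunked-payload case. The lazy `{4,8}?` with nothing following it most likely matches exactly four repetitions, so the upper bound and the `?` add nothing and are worth dropping for clarity, as in the suggested line.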