From b875d86be9caaf5d7f5f624f80419f1671c3e167 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Wed, 8 Apr 2015 11:06:40 +0200
Subject: Small performances improvement

---
 malwares.yara | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 30d8e1c..cd8a789 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -17,10 +17,11 @@
 private rule IsPhp
 {
     strings:
-        $php = /<\?[^x]/ //php but not xml
+        $php = "<?"
+        $xml = "<?xml"
 
     condition:
-        $php
+        $php and not $xml
 }
 
 private rule IRC
@@ -54,14 +55,13 @@ rule ObfuscatedPhp
 {
     strings:
         $vars = /\$_{2,}/ fullword  // $__ is rarely used in legitimate scripts
-        $hexvars = /\${['"][\w\\]+['"]}/ fullword  // ${blablabla}
         $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
     condition:
-        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or #hexvars > 5 or $weevely3)
+        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3)
 }
 
 private rule base64
-- 
cgit v1.3