From b897cc91fbef1258607c61f6287e195bd1f1b0ac Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Wed, 13 May 2015 14:18:14 +0200
Subject: Add onemore rule

---
 malwares.yara | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malwares.yara b/malwares.yara
index c5a11e6..07c72d9 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
- $vars = /\$_{2,}/ fullword // $__ is rarely used in legitimate scripts
+ $vars = /\$_{2,}/ // $__ is rarely used in legitimate scripts
 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
@@ -110,6 +110,7 @@ rule DodgyPhp
 $htaccess = "SetHandler application/x-httpd-php"
 $obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
+ $stored_func = /\$[A-Za-z0-9_-]+\[([0-9]+|['"][^'"]+['"])\]\s*\(/ // things like $myArray['varname'](parameters, ...)
 condition:
 IsPhp and (any of them or CloudFlareBypass)
--
cgit v1.3
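Review bot: Dropping `fullword` turns `$vars` into a bare substring test for `$__`, and since the regex is unanchored on the right the `{2,}` quantifier no longer adds anything over `{2}` for detection purposes: any identifier beginning with two underscores now matches wherever it appears, so the comment's "rarely used in legitimate scripts" is a stronger claim than the pattern supports. Compiled template caches from PHP frameworks are, as far as I recall, a common legitimate source of `$__`-prefixed variables (Laravel Blade's `$__env`, Twig's `$__internal_` helpers), and ObfuscatedPhp's condition lies outside this hunk, so I cannot tell whether this string alone is enough to fire the rule. I would record the trade-off in the comment, e.g. `$vars = /\$_{2,}/ // any $__-prefixed identifier; fullword dropped so $__x matches too -- expect hits on framework-generated template code, weight accordingly in the condition`, and if the condition is `any of them` consider requiring a second string alongside `$vars`.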
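Review bot: The new `$stored_func` pattern misses the variable-index form of the same idiom, `$arr[$key](...)`, because the index alternative accepts only an integer or a quoted literal, and it also rejects whitespace inside the brackets, so a shell that does `$f = $_GET['k']; $a[$f](...)` slips past while the literal-key form is caught. The identifier class `[A-Za-z0-9_-]` is wider than a PHP variable name (hyphens are not valid in identifiers), which is harmless but suggests `\w+` was intended. I would write `$stored_func = /\$\w+\[\s*([0-9]+|\$\w+|['"][^'"]+['"])\s*\]\s*\(/ // $arr['name'](...), $arr[0](...), $arr[$k](...); nested indexes still not covered`. Note that the visible condition `IsPhp and (any of them or CloudFlareBypass)` means this string alone tags a file, and legitimate dispatch tables such as `$handlers['event']($payload)` match it, so some false positives from framework code should be expected.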