From c8cd3b4fb126be0dd66fd2252226508f8f1b1d0c Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Mon, 31 Oct 2016 14:04:23 +0100
Subject: Improves the detection of concatenation-based obfuscation
---
 php-malware-finder/php.yar | 1 +
 1 file changed, 1 insertion(+)
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index e80dae9..536d880 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -53,6 +53,7 @@ rule ObfuscatedPhp
 $variable_variable = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
 $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
+ $concat_with_spaces = /(\$[^\n\r]+\. ){5}/ // concatenation of more than 5 words, with spaces
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
 $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/ // eval /* comment */ (php_code)
 condition:
-- cgit v1.3
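Review bot: The added `$concat_with_spaces` string accepts exactly one literal space after each dot, so concatenation chains separated by tabs or by several spaces are still not covered by either pattern. A single string with optional horizontal whitespace, `$concat = /(\$[^\n\r]+\.[ \t]*){5}/`, would cover both the existing `$concat` case and this one; check first whether the `condition:` section, which lies outside this hunk, counts these strings individually, since merging them would change that count. The trailing comment says "more than 5 words" while `{5}` already matches at five repetitions, so "five or more" would be accurate. Because `[^\n\r]+` is unbounded, it is worth measuring scan time on long single-line files before relying on the rule.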