From d6d411e5143adcc2e7ef9d18903fa6429982b719 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Fri, 26 Feb 2016 11:53:12 +0100
Subject: Detect pseudo-gifs

---
 php-malware-finder/malwares.yara | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index fc78c31..a326ef3 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -63,8 +63,9 @@ rule ObfuscatedPhp
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $variable_variable = /\${\$[0-9a-zA-z]+}/
-        $too_many_chr = /(chr\([\d]+\)\.){2,}?/
-        $concat = /(\$[^\n\r]+\.){5,}?/
+        $too_many_chr = /(chr\([\d]+\)\.){2,}?/  // concatenation of more than two `chr()`
+        $concat = /(\$[^\n\r]+\.){5,}?/  // concatenation of more than 5 words
+        $gif = /^GIF89/
 condition:
         any of them and not IsWhitelisted
 }
-- 
cgit v1.3