From de3e79edacea28320170bec145dbaf28cc31064c Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 16:27:56 +0100
Subject: Fix a stupid typo

`eval(` patterns are now much better detected.
---
 malwares.yara | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malwares.yara b/malwares.yara
index 98e11cb..de735a7 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
- $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ // ;eval( <- this is dodgy
+ $eval = /[;{}]*[\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ // ;eval( <- this is dodgy
 $b374k = "'ev'.'al'"
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
@@ -188,6 +188,7 @@ rule DodgyStrings
 $ = "webshell" fullword nocase
 $ = "exploit" fullword nocase
 $ = "hacking" fullword nocase
+ $ = "hacker" fullword nocase
 $ = "/proc/cpuinfo" fullword
 $ = "/bin/sh" fullword
 $ = "/bin/bash" fullword
-- 
cgit v1.3
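Review bot: The `*` added to `[;{}]*` makes the statement-boundary class optional, so the new `$eval` pattern reduces to `[\t ]*@?(eval|…)\(` and matches any bare `eval(`, `exec(` or `assert(` substring, including inside longer identifiers such as `retrieval(` or `shell_exec(` and any ordinary PHP `assert(` call, which contradicts the trailing `// ;eval( <- this is dodgy` comment that documents the intent of requiring a preceding `;`, `{` or `}`. This is a broadening of the match rather than a typo fix, and it also makes `$eval` fire on everything `$oneliner` already catches. If the goal was to also catch a call at the start of a line, keep the class required and add the line terminator to it instead, `$eval = /[;{}\n][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/`. The condition section of ObfuscatedPhp is outside the hunk, so the effect on the rule's overall verdict cannot be judged here.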
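Review bot: `"hacker" fullword nocase` is a much more common benign token than the neighbouring `"webshell"` or `"hacking"` entries (author credits, "Hacker News" links, project names in comments), so this addition is likely to raise DodgyStrings' false-positive rate on ordinary source files. The rule's condition is outside the hunk, so whether it is a count threshold or an any-of test cannot be checked here; if it is a threshold, adding a frequent word lowers the bar for every file. Consider a brief comment next to the entry noting the trade-off, or pairing it with a more specific phrase, e.g. `// noisy on benign text; keep only if the condition requires several hits`.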