From e3b54db29f29aeb5e37ab7b8a4a140260eeab98f Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 7 Jul 2016 17:12:59 +0200
Subject: Factorize a bit the code, and add GIF-based backdoor detection

---
 php-malware-finder/common.yar | 12 ++++++++++++
 php-malware-finder/php.yar | 8 +++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 0dd373f..4c36084 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -1,3 +1,14 @@
+rule CloudFlareBypass
+{
+ strings:
+ $ = "chk_jschl"
+ $ = "jschl_vc"
+ $ = "jschl_answer"
+
+ condition:
+ 2 of them // Better be safe than sorry
+}
+
 private rule IRC
 {
 strings:
@@ -125,6 +136,7 @@ rule Websites
 strings:
 $ = "1337day.com" nocase
 $ = "antichat.ru" nocase
+ $ = "b374k" nocase
 $ = "ccteam.ru" nocase
 $ = "crackfor" nocase
 $ = "darkc0de" nocase
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 1659754..cd31593 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -33,15 +33,13 @@ global private rule IsPhp
 $php and filesize < 5MB
 }
 
-rule CloudFlareBypass
+rule HiddenInAFile
 {
 strings:
- $ = "chk_jschl"
- $ = "jschl_vc"
- $ = "jschl_answer"
+ $gif = {47 49 46 38 ?? 61} // GIF8[version]a
 
 condition:
- 2 of them // Better be safe than sorry
+ $gif at 0
 }
 
 rule PasswordProtection
-- 
cgit v1.3
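Review bot: The CloudFlareBypass rule lands in common.yar with no comment saying what the three `jschl_*` strings are, and the only hint about its intended scope is the `// Better be safe than sorry` on the condition. Those strings are the parameter names used by Cloudflare's JavaScript challenge page, so a saved copy of a legitimate challenge page also satisfies `2 of them`; in php.yar the rule sat behind the `global private rule IsPhp` gate visible in the third hunk, and whether that gate still applies after the move depends on which rule sets include common.yar, which this diff does not show. A comment above the strings section, `// Parameter names of Cloudflare's JS challenge; precise only behind the including set's global gate (e.g. IsPhp), otherwise cached challenge pages match too`, records that dependency for the next file that includes common.yar.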
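Review bot: `$ = "b374k" nocase` is added to the `Websites` rule, but unlike its neighbours it is not a host name — every other string in the visible list is a `.com`/`.ru` domain — and it reads like a web-shell family name, so someone scanning `Websites` for site names will not expect it there. If the rule set has a rule for known shell names it belongs there; otherwise a trailing comment, `$ = "b374k" nocase // shell family name, not a site`, keeps the rule's listing honest. The Websites rule's header and condition are outside this hunk.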
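Review bot: The new `HiddenInAFile` rule documents only the byte pattern (`// GIF8[version]a`), not why a GIF header is a PHP backdoor indicator: on its own `$gif at 0` matches every GIF file, and it is the `global private rule IsPhp` gate above it (`$php and filesize < 5MB`) that turns a hit into "a file that is both a GIF and PHP", i.e. a polyglot of the kind used to slip past image-only upload checks. A comment above the condition, `// Only meaningful behind the global IsPhp gate: a GIF that also parses as PHP is a polyglot`, makes that reliance explicit so the rule is not copied into a file without the gate. The wildcard could also be narrowed to the two GIF versions that exist, `$gif = {47 49 46 38 (37|39) 61} // GIF87a / GIF89a`, since YARA hex strings accept alternatives. The rule name suggests a broader scope than the single GIF signature it carries; the commit message's "GIF-based" wording suggests that is intentional for now, but the name will mislead once other formats are added.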