From f01f3837eaa2aab4fca3cddae83b899eb12456e9 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Fri, 17 Apr 2015 11:46:23 +0200
Subject: Ajout de sites dodgy
---
 malwares.yara | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/malwares.yara b/malwares.yara
index 63e9376..2962102 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -108,6 +108,7 @@ rule DodgyPhp
         $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
         $htaccess = "SetHandler application/x-httpd-php"
         $obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
+        $udp_dos = /sockopen\s*\(['"]udp:\/\//
     condition:
         IsPhp and (any of them or CloudFlareBypass)
@@ -184,7 +185,7 @@ rule DodgyStrings
         IsPhp and (IRC or 2 of them)
 }
-rule ExploitsWebsites
+rule Websites
 {
     strings:
         $milw0rm = "milw0rm"
@@ -193,11 +194,20 @@ rule ExploitsWebsites
         $rapid7 = "rapid7.com"
         $shodan = "shodan.io"
         $packetstorm = "packetstormsecurity"
-        $crackfor = "crackfor"
+        $crackfor = "crackfor" nocase
         $rednoize = "md5.rednoize"
-        $hashcracking = "hashcracking"
-        $darkc0de = "darkc0de"
-        $securityfocus = "securityfocus"
+        $hashcracking = "hashcracking" nocase
+        $darkc0de = "darkc0de" nocase
+        $securityfocus = "securityfocus" nocase
+        $antichat = "antichat.ru"
+        $kingdefacer = "KingDefacer" nocase
+        $md5crack = "md5crack.com"
+        $md5crack = "md5decrypter.com"
+        $hashkiller = "hashkiller.com"
+        $hashchecker = "hashchecker.com"
+        $fopo = "http://www.fopo.com.ar/"
+        $ccteam = "ccteam.ru"
+        $locus = "locus7s.com"
     condition:
         IsPhp and any of them
-- 
cgit v1.3
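Review bot: The added `$udp_dos` regex is an unanchored substring match, so it fires on any `fsockopen("udp://` call rather than on flood-specific code, and because the rule's condition is `any of them` a single such call is enough to flag a file; legitimate UDP clients (syslog or DNS helpers, for example) will therefore match too. The neighbouring strings carry an intent comment and this one should as well, e.g. `$udp_dos = /sockopen\s*\(['"]udp:\/\// // any udp:// socket open; benign UDP clients also hit this`. Rule DodgyPhp's `strings:` header and closing brace lie outside the hunk.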
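Review bot: `$md5crack` is declared twice in the new lines of the third hunk (`"md5crack.com"` and `"md5decrypter.com"`); YARA rejects a duplicated string identifier inside one rule, so the file will not compile as committed. The second declaration should get its own name, `$md5decrypter = "md5decrypter.com"`. Separately, `nocase` is applied to some of the new hostnames (`$crackfor`, `$hashcracking`, `$darkc0de`, `$securityfocus`, `$kingdefacer`) but not to the others, which looks accidental given that hostnames are case-insensitive; either add it across the board or note why these differ. The rule's closing brace appears to lie beyond the end of the hunk.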