From 1b5fe36501938838249e0b14f971409b0389e6ca Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Wed, 2 May 2018 20:16:32 +0200
Subject: [PATCH] new patterns

---
 malware5.pl  | 5 ++++-
 malwaresh.pl | 4 +++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/malware5.pl b/malware5.pl
index 9c88c9a..b8a1ac0 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -376,7 +376,10 @@ my @regexen = (
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
     qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
-   
+    qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
+    qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
+    qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
+
     );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 26a65bd..5a5eefe 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -859,7 +859,9 @@ my @regexen = (
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
     qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
-    
+    qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
+    qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
+    qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
 
 );