new patterns

malware6.pl

@@ -175,6 +175,10 @@ my @regexen = (
     qr/<\?php\s+if \(\$_GET \[\'([A-z0-9_]{1,20})\'\]\) \{\s+echo \"OK\";\s+exit \(\);\s+\}\s+if\(\$_POST\[\'to\'\]\)\s+\{\s+\$to = \$_POST \[\'to\'\];.+?header \( \"Location: http:\/\/\{\$link\}\" \);\s+\}/is,
     qr/<script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x.+?\\x65\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);<\/script>/is,
     qr/var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);/is,
+    qr/<\?php\s+if \(!defined\(\'stream_context_create \'\)\)\s+\{\s+define\(\'stream_context_create \', 1\);.+?\$([A-z0-9_]{1,20})=\"rawurl\" \. \"decode\";return \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\);\}.+?eval\/\*([A-z0-9_]{1,20})\*\/\(([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20})\)\);\s+\}/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
+    qr/<\?php \$([A-z0-9_]{10,})=.+?eval\(gzinflate\(base64_decode\(\$([A-z0-9_]{10,})\)\)\); \?>/is,
 
     
 

malwaresh.pl

@@ -1161,9 +1161,10 @@ my @regexen = (
     qr/<\?php\s+if \(\$_GET \[\'([A-z0-9_]{1,20})\'\]\) \{\s+echo \"OK\";\s+exit \(\);\s+\}\s+if\(\$_POST\[\'to\'\]\)\s+\{\s+\$to = \$_POST \[\'to\'\];.+?header \( \"Location: http:\/\/\{\$link\}\" \);\s+\}/is,
     qr/<script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x.+?\\x65\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);<\/script>/is,
     qr/var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);/is,
-
-
-
+    qr/<\?php\s+if \(!defined\(\'stream_context_create \'\)\)\s+\{\s+define\(\'stream_context_create \', 1\);.+?\$([A-z0-9_]{1,20})=\"rawurl\" \. \"decode\";return \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\);\}.+?eval\/\*([A-z0-9_]{1,20})\*\/\(([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20})\)\);\s+\}/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
+    qr/<\?php \$([A-z0-9_]{10,})=.+?eval\(gzinflate\(base64_decode\(\$([A-z0-9_]{10,})\)\)\); \?>/is,
 
 
 )