From 2d6ac58e2f2ebb75a7ddd00da42e0b69ea12eb11 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 17 May 2018 19:18:39 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 3 +++
 malwaresh.pl | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/malware6.pl b/malware6.pl
index d625976..3abcffd 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -36,6 +36,9 @@ my @regexen = (
 qr/eval\(\"\?\>\" \. base64_decode\(.+?\)\); \?>/is,
 qr/<\?php.+?\$alphabet =.+?exit\(\);.+?\$([A-z0-9]{1,20}) =.+?\"\"\.chr\(.+?\)\.\"\"\.chr\(.+?\)\.\"\\x.+?\]\.\$([A-z0-9]{1,20})\[\d\d\], \$([A-z0-9]{1,20}) ,\"([A-z0-9]{1,20})\"\);/is,
 qr/<\? echo\(base64_decode\(.+?\)\); \?>/is,
+ qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
+ qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
+ qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index c61798b..6d0f935 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1020,7 +1020,9 @@ my @regexen = (
 qr/eval\(\"\?\>\" \. base64_decode\(.+?\)\); \?>/is,
 qr/<\?php.+?\$alphabet =.+?exit\(\);.+?\$([A-z0-9]{1,20}) =.+?\"\"\.chr\(.+?\)\.\"\"\.chr\(.+?\)\.\"\\x.+?\]\.\$([A-z0-9]{1,20})\[\d\d\], \$([A-z0-9]{1,20}) ,\"([A-z0-9]{1,20})\"\);/is,
 qr/<\? echo\(base64_decode\(.+?\)\); \?>/is,
-
+ qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
+ qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
+ qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
 );
 my @base64_decodes = (
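Review bot: The `[A-z0-9]` class in the third added pattern (used ten times there) spans ASCII 0x41–0x7A, so besides letters and digits it also matches `[`, `\`, `]`, `^`, `_` and the backtick character; if a PHP identifier is meant, `[A-Za-z0-9_]{1,20}` says so and drops the stray punctuation (the pre-existing `$alphabet` context line uses the same class, so a file-wide pass is worth a follow-up). None of that pattern's ten captures are read anywhere visible, so dropping the parentheses, `\$[A-Za-z0-9_]{1,20}`, makes the pattern cheaper and easier to read. The first and third new patterns also chain several `.+?` under `/s`; on a large scanned file that contains `<?php` but not the later literals the engine re-scans the whole remainder at each `.+?`, though I can't tell from the hunk how large the inputs are. The same three lines are added to both malware6.pl and the malwaresh.pl hunk, so the two copies will drift unless the list is moved to one shared place. The `my @regexen = (` list these lines extend starts before both hunks.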