new patterns

2018-05-05 11:46:59 +02:00 · 2018-05-05 11:46:59 +02:00 · 34c2077d0b
commit 34c2077d0b
parent e723035717
2 changed files with 14 additions and 3 deletions
--- a/malware5.pl
+++ b/malware5.pl
@ -438,7 +438,13 @@ my @regexen = (
    qr/<\?php.+?preg\_replace\(\"\\x2F.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is,
    qr/<\?php\s+\@ob\_start\(\)\;.+?if\s+\(\!isset\(\$\_COOKIE\[\'key\'\]\)\)\s+\{.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;.+?\$remove\_tags\(\$content\)\;.+?return\s+\$content\;\s+\}/is,
    qr/<\?php\s+eval\s+\(\$\_POST\[\w\]\)\;\s+\?>/is,
-    
+    qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+    qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
+    qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
+    qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
+    qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
+    qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,    

    );

--- a/malwaresh.pl
+++ b/malwaresh.pl
@ -921,8 +921,13 @@ my @regexen = (
    qr/<\?php.+?preg\_replace\(\"\\x2F.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is,
    qr/<\?php\s+\@ob\_start\(\)\;.+?if\s+\(\!isset\(\$\_COOKIE\[\'key\'\]\)\)\s+\{.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;.+?\$remove\_tags\(\$content\)\;.+?return\s+\$content\;\s+\}/is,
    qr/<\?php\s+eval\s+\(\$\_POST\[\w\]\)\;\s+\?>/is,
-    
-
+    qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+    qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
+    qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
+    qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
+    qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
+    qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,    

 );