From 4b2e125e7c46753839e414f66331d0f85a5fc268 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 10 Jan 2018 13:13:44 +0100
Subject: [PATCH] new pattern

---
 malware4.pl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index 6f1e0e4..76948b2 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -251,7 +251,10 @@ my @regexen = (
 qr/<\?php\s+\$str\s+\=\s+\"([A-z0-9]{1,20})\"\;\$Oo0\=\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\;\$([A-z0-9]{1,20})\s+\=\$\_POST\[\"([A-z0-9]{1,20})\"\]\;\$Oo0\(\$([A-z0-9]{1,20})\)\;\?>/is,
 qr/<\?php\s+\$OO00O0\=1\;\$O0O0O0\=1\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\)\.\$([A-z0-9]{1,20})\[([0-9]{1,10})\]\.chr\(([0-9]{1,10})\)\..+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
-
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
+ qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'gas\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
+
 );
 my @base64_decodes = (
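Review bot: The `[A-z0-9]` classes in the first two added `qr//` patterns (and in the existing ones above them) span ASCII 0x41–0x7A, so they also admit `[`, `\`, `]`, `^`, `_` and `` ` ``; the `{1,20}` identifier slots read as intending `[A-Za-z0-9]` (or `\w` if `_` should be allowed), and that one-token change applies to every occurrence. The second added pattern drops the quoted-literal prefix and keeps two unanchored `.+?` under `/s`, which makes it a strict superset of both the first added pattern and the existing third pattern, so those two now only add scan time over each candidate file without adding detections; whether that is harmless depends on how the `@regexen` loop treats multiple hits, and that loop, like the `my @regexen = (` opener, is outside this hunk. Each new pattern also carries a dozen capture groups that nothing visible reads, so `(?:...)` would state the intent and avoid the capture bookkeeping, and `/x` would let the unneeded `\=`, `\;`, `\,` and `\_` escapes be dropped for readability. The `@base64_decodes` list that begins on the last context line continues past the hunk.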