From 4fd675eb14c33c77dc29598bf22b4da59e07be5d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 2 May 2018 21:12:58 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 3 +++
 malwaresh.pl | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index b8a1ac0..7fc9e55 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -379,6 +379,9 @@ my @regexen = (
 qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
 qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
 qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
+ qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is,
+ qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is,
+ qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 5a5eefe..84c96c0 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -862,7 +862,10 @@ my @regexen = (
 qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
 qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
 qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
-
+ qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is,
+ qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is,
+ qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is,
+
 );
 my @base64_decodes = (
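Review bot: The second and third signatures added in the malware5.pl hunk (and the identical pair in the malwaresh.pl hunk) chain several unbounded `.+?` gaps under `/s`, so a match can start at any `<?php` in a file and run across unrelated code until `'str'.'rev'`, `array(`, `eval(` and a `?>` all turn up somewhere later. If `@regexen` is used to cut matches out of files, which this diff does not show, such a match would take legitimate code with it; on large files that never match, the stacked lazy gaps also cost a lot of backtracking. Bound the gaps to what the samples need, for example `<\?php\s+\$\w+\s*=\s*\'str\'\.\'rev\'\;` in place of `<\?php\s+\$.+?\'str\'\.\'rev\'\;` if the samples fit that shape. A one-line comment above each signature naming the sample it was derived from would let the next maintainer re-test it; the `@regexen` list starts outside the hunk.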
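Review bot: The first signature added in the malwaresh.pl hunk (also added in malware5.pl) hard-codes the header name `HTTP\_25F0C` twice, so it only catches this one sample; the existing signature two lines above it keys on a different token (`B2D2C\_PTTH`, the reversed `HTTP_C2D2B`), which suggests the token changes per infection. Consider matching the token's shape rather than its value, e.g. `\$\_SERVER\[HTTP\_[0-9A-F]{5}\]`, assuming five hex characters holds across the samples seen. The hunk also adds a whitespace-only line before `);` in place of the blank line it removes; dropping it keeps the change to the three signatures. Since the same three patterns are pasted into both scripts, loading them from one shared signature file would stop the two lists drifting apart.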