15 lines
354 B
Text
15 lines
354 B
Text
|
rule html_exploit_GIF
|
||
|
{
|
||
|
meta:
|
||
|
author = "@patrickrolsen"
|
||
|
maltype = "Web Shells"
|
||
|
version = "0.1"
|
||
|
reference = "code.google.com/p/caffsec-malware-analysis"
|
||
|
date = "2013-12-14"
|
||
|
strings:
|
||
|
$magic = {47 49 46 38 ?? 61} // GIF8<version>a
|
||
|
$s1 = {3c 68 74 6d 6c 3e} // <html>
|
||
|
$s2 = {3c 48 54 4d 4c 3e} // <HTML>
|
||
|
condition:
|
||
|
($magic at 0) and (any of ($s*))
|
||
|
}
|