Sneed-Reactivity/yara-mikesxrs/patrickrolsen/GIF_exploit.yar

22 lines
464 B
Text
Raw Normal View History

rule GIF_exploit
{
meta:
author = "@patrickrolsen"
maltype = "GIF Exploits"
version = "0.1"
reference = "code.google.com/p/caffsec-malware-analysis"
date = "2013-12-14"
strings:
$magic = {47 49 46 38 ?? 61} // GIF8<version>a
$s1 = "; // md5 Login" nocase
$s2 = "; // md5 Password" nocase
$s3 = "shell_exec"
$s4 = "(base64_decode"
$s5 = "<?php"
$s6 = "(str_rot13"
$s7 = ".exe"
$s8 = ".dll"
$s9 = "eval($_"
condition:
($magic at 0) and any of ($s*)
}