22 lines
464 B
Text
22 lines
464 B
Text
|
rule GIF_exploit
|
||
|
{
|
||
|
meta:
|
||
|
author = "@patrickrolsen"
|
||
|
maltype = "GIF Exploits"
|
||
|
version = "0.1"
|
||
|
reference = "code.google.com/p/caffsec-malware-analysis"
|
||
|
date = "2013-12-14"
|
||
|
strings:
|
||
|
$magic = {47 49 46 38 ?? 61} // GIF8<version>a
|
||
|
$s1 = "; // md5 Login" nocase
|
||
|
$s2 = "; // md5 Password" nocase
|
||
|
$s3 = "shell_exec"
|
||
|
$s4 = "(base64_decode"
|
||
|
$s5 = "<?php"
|
||
|
$s6 = "(str_rot13"
|
||
|
$s7 = ".exe"
|
||
|
$s8 = ".dll"
|
||
|
$s9 = "eval($_"
|
||
|
condition:
|
||
|
($magic at 0) and any of ($s*)
|
||
|
}
|