rule GIF_exploit
{
meta:
	author = "@patrickrolsen"
	maltype = "GIF Exploits"
	version = "0.1"
	reference = "code.google.com/p/caffsec-malware-analysis"
	date = "2013-12-14"
strings:
	$magic = {47 49 46 38 ?? 61} // GIF8<version>a
	$s1 = "; // md5 Login" nocase
	$s2 = "; // md5 Password" nocase
	$s3 = "shell_exec"
	$s4 = "(base64_decode"
	$s5 = "<?php"
	$s6 = "(str_rot13"
	$s7 = ".exe"
	$s8 = ".dll"
	$s9 = "eval($_"
condition:
	($magic at 0) and any of ($s*)
}