rule html_exploit_GIF
{
meta:
author = "@patrickrolsen"
maltype = "Web Shells"
version = "0.1"
reference = "code.google.com/p/caffsec-malware-analysis"
date = "2013-12-14"
strings:
$magic = {47 49 46 38 ?? 61} // GIF8a
$s1 = {3c 68 74 6d 6c 3e} //
$s2 = {3c 48 54 4d 4c 3e} //
condition:
($magic at 0) and (any of ($s*))
}