rule html_exploit_GIF { meta: author = "@patrickrolsen" maltype = "Web Shells" version = "0.1" reference = "code.google.com/p/caffsec-malware-analysis" date = "2013-12-14" strings: $magic = {47 49 46 38 ?? 61} // GIF8a $s1 = {3c 68 74 6d 6c 3e} // $s2 = {3c 48 54 4d 4c 3e} // condition: ($magic at 0) and (any of ($s*)) }