Hello,
from <http://www.dict.cc/englisch-deutsch/from.html> time
<http://www.dict.cc/englisch-deutsch/time.html> to time
<http://www.dict.cc/englisch-deutsch/time.html> i create some signatures
from what i found in php-code of my users.
Now i found some malware that worries me. Its obfuscated php-code to
execute all which was sent by POST (mostly spammails). If i unencrypt
the code, so i always find the same malwarecode. But code how it can be
found in php-page is always variable.
samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK
What should i do now? Is there a trick to find a signature which fits
for all samples or i have to create a different signature for every sample?
What <http://www.dict.cc/englisch-deutsch/What.html> is
<http://www.dict.cc/englisch-deutsch/is.html> your
<http://www.dict.cc/englisch-deutsch/your.html> view
<http://www.dict.cc/englisch-deutsch/view.html> on
<http://www.dict.cc/englisch-deutsch/on.html> this
<http://www.dict.cc/englisch-deutsch/this.html> subject?
<http://www.dict.cc/englisch-deutsch/subject%3F.html>
Thanks,
Hajo
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml