Hajo,

Would you be interested in sharing the signatures you create with the
ClamAV community? If so, please check out the process here:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

As for signatures for obfuscated PHP, it really does depend on the code you
are looking at, on a case-by-case basis.

- Alain


On Mon, Sep 8, 2014 at 10:04 AM, Hajo Locke <hajo.lo...@gmx.de> wrote:

> Hello,
>
> From time to time I create some signatures
> from what I found in the PHP code of my users.
> Now I found some malware that worries me. It's obfuscated PHP code to
> execute everything that was sent by POST (mostly spam mails). If I decrypt
> the code, I always find the same malware code. But the code as it is found
> in the PHP page is always variable.
>
> Samples can be found here for the next 2 weeks: http://pastebin.com/9VAW8FKK
>
> What should I do now? Is there a trick to find a signature which fits
> all samples, or do I have to create a different signature for every sample?
> What is your view on this subject?
>
> Thanks,
> Hajo
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>