Because plugin developers do nutty things, I'd probably combine the two into a single signature to reduce possible false positives, but other than that it looks like those. I've seen non-malicious CMS plugins that use similar obfuscation techniques, though I'm certainly willing to use these as is and see how many false positives I get.
--Maarten

On Mon, Sep 8, 2014 at 10:58 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>
> On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
> >
> > What should I do now? Is there a trick to find a signature which fits
> > for all samples, or do I have to create a different signature for every
> > sample?
>
> Hi,
>
> Tricky :(
>
> Copy this into not_tested.ndb
>
> test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
> test.cryptbot:7:*:3D22{12}225E22{40}3B2024
>
> You might have to change :3: to :7: to make it work...
>
> Disclaimer: not had enough coffee, so not fully tested etc.
>
> Cheers,
>
> Steve
> Sanesecurity.com
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

--
Maarten Broekman
Endurance International Group
vDeck Senior Linux Systems Administrator / PCI ISA
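To make the two .ndb bodies above readable and to show what "combine the two into a single signature" would look like, here is an added Python example (not ClamAV code and not anything posted in the thread). It decodes the hex bodies, turns the `??`, `{n}` and `*` wildcards into a regex, and runs the signatures over a few constructed PHP snippets. The PHP samples are made up for the demo, `test.combined` is my own interpretation of Maarten's suggestion (the two bodies joined with ClamAV's `*` "any number of bytes" wildcard, which requires them in that order), and the toy matcher does raw byte matching rather than the text normalisation ClamAV applies to target type 7 before matching.

```python
"""Toy matcher for ClamAV .ndb body signatures (added example, not ClamAV code)."""
import re
from dataclasses import dataclass

HEXDIGITS = set("0123456789abcdefABCDEF")

# Signatures copied from the thread (ndb: Name:TargetType:Offset:HexSignature).
# Target type 7 = ASCII text (normalised by ClamAV); offset * = anywhere in the file.
ROT13_SIG = "test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024"
CRYPTBOT_SIG = "test.cryptbot:7:*:3D22{12}225E22{40}3B2024"
# Assumption: joining both bodies with the '*' wildcard (any number of bytes) gives a
# single signature that only fires when both fragments are present, in that order.
COMBINED_SIG = ("test.combined:7:*:" + ROT13_SIG.split(":", 3)[3]
                + "*" + CRYPTBOT_SIG.split(":", 3)[3])
ALL_SIGS = [ROT13_SIG, CRYPTBOT_SIG, COMBINED_SIG]

# Constructed PHP snippets for the demo; not real samples from the thread.
SAMPLES = {
    "rot13_only.php": b"<?php $f=str_rot13('cert_ercynpr'); $f('/.*/e', $_POST['c'], ''); ?>",
    "xor_only.php": b'<?php $k="' + b"A" * 12 + b'"^"' + b"B" * 39 + b'"; $k(); ?>',
    "both.php": (b"<?php $f=str_rot13('cert_ercynpr'); $k=\"" + b"A" * 12
                 + b'"^"' + b"B" * 39 + b'"; $f($k); ?>'),
    "benign.php": b"<?php echo preg_replace('/a/', 'b', 'cat'); ?>",
}


@dataclass
class Sig:
    name: str
    target: int
    offset: str
    hexsig: str


def parse_ndb(line: str) -> Sig:
    name, target, offset, hexsig = line.strip().split(":", 3)
    return Sig(name, int(target), offset, hexsig)


def tokenize(hexsig: str):
    """Yield (regex_fragment, human_readable) for each element of the hex body."""
    i, n = 0, len(hexsig)
    while i < n:
        if hexsig.startswith("??", i):            # one arbitrary byte
            yield b".", "??"
            i += 2
        elif hexsig[i] == "*":                     # any number of bytes
            yield b".*?", "*"
            i += 1
        elif hexsig[i] == "{":                     # {n} exactly n bytes; {n-m}/{-m}/{n-} ranges
            j = hexsig.index("}", i)
            body = hexsig[i + 1:j]
            if "-" in body:
                lo, hi = body.split("-", 1)
                frag = b".{%s,%s}" % ((lo or "0").encode(), hi.encode())
            else:
                frag = b".{%s}" % body.encode()
            yield frag, "{" + body + "}"
            i = j + 1
        else:                                      # literal byte as two hex digits
            pair = hexsig[i:i + 2]
            if len(pair) != 2 or set(pair) - HEXDIGITS:
                raise ValueError(f"unsupported signature element at {i}: {hexsig[i:]!r}")
            b = bytes.fromhex(pair)
            yield re.escape(b), (b.decode("ascii") if 0x20 <= b[0] < 0x7F else pair)
            i += 2


def describe(hexsig: str) -> str:
    """Render the hex body with literal bytes decoded and wildcards kept."""
    return "".join(text for _, text in tokenize(hexsig))


def to_regex(hexsig: str):
    return re.compile(b"".join(frag for frag, _ in tokenize(hexsig)), re.DOTALL)


def matches(sig: Sig, content: bytes) -> bool:
    rx = to_regex(sig.hexsig)
    if sig.offset == "*":
        return rx.search(content) is not None
    # Only absolute offsets handled here; EP+n / EOF-n style offsets are out of scope.
    return rx.match(content, int(sig.offset)) is not None


def scan(content: bytes, sig_lines) -> list:
    """Return the names of all signatures that hit, in the order they were listed."""
    return [s.name for s in map(parse_ndb, sig_lines) if matches(s, content)]


if __name__ == "__main__":
    for line in ALL_SIGS:
        s = parse_ndb(line)
        print(f"{s.name}: {describe(s.hexsig)}")
    for fname, content in SAMPLES.items():
        print(f"{fname}: {scan(content, ALL_SIGS) or 'clean'}")
```

Decoded, the first body is `=str_rot13(??cert_ercynpr??); $` (the wildcards absorb whatever quote character is used, and `cert_ercynpr` is `preg_replace` passed through rot13) and the second is `="{12}"^"{40}; $`, i.e. a quoted 12-byte string XORed against a second string. Only the constructed `both.php` trips `test.combined`; the single-fragment samples hit one signature each and `benign.php` hits none, which is the false-positive trade-off Maarten describes. Note that joining bodies with `*` imposes an order; if the fragments may appear in either order, a .ldb logical signature with expression `0&1` is the usual way to AND two subsignatures. For a real test, put the lines in a .ndb file and run `clamscan -d not_tested.ndb sample.php`.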