Hello,
Am 08.09.2014 um 16:58 schrieb Steve Basford:
Hi,
Tricky :(
Copy this into@ not_tested.ndb
test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024
Thanks, this seems to work. I will try it. Hopefully only a few FP.
Hello,
from http://www.dict.cc/englisch-deutsch/from.html time
http://www.dict.cc/englisch-deutsch/time.html to time
http://www.dict.cc/englisch-deutsch/time.html i create some signatures
from what i found in php-code of my users.
Now i found some malware that worries me. Its obfuscated
Hello,
sorry for links to my translator. I thought thunderbird is removing this
when choosing pure-text-format.
now it is readable:
Am 08.09.2014 um 16:04 schrieb Hajo Locke:
Hello,
from time to time i create some signatures from what i found in
php-code of my users.
Now i found some
Hajo,
Would you be interested in sharing the signatures you create with the
ClamAV community? If so, please check out the process here:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
As for signatures for obfuscated PHP, it really does depend on the code you
are
On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
What should i do now? Is there a trick to find a signature which fits
for all samples or i have to create a different signature for every
sample?
Hi,
Tricky :(
Copy this into@ not_tested.ndb
Because plugin developers do nutty things, I'd probably combine the two
into a single signature to reduce possible false positives, but other than
that it looks like those. I've seen non-malicious CMS plugins that use
similar obfuscation techniques, though I'm certainly willing to use these
as is
