[clamav-users] Hint for creating signatures

Hajo Locke Hajo.Locke at gmx.de
Mon Sep 8 14:16:24 UTC 2014


Hello,

Sorry for the links to my translator. I thought Thunderbird was removing 
these when choosing pure text format.
Now it is readable:

On 08.09.2014 at 16:04, Hajo Locke wrote:
> Hello,
>
> From time to time I create some signatures from what I find in the 
> PHP code of my users.
> Now I found some malware that worries me. It's obfuscated PHP code to 
> execute everything which was sent by POST (mostly spam mails). If I 
> unencrypt the code, I always find the same malware code. But the code 
> as it is found in the PHP page is always variable.
>
> Samples can be found here for the next 2 weeks: http://pastebin.com/9VAW8FKK
>
> What should I do now? Is there a trick to find a signature which fits 
> all samples, or do I have to create a different signature for every 
> sample?
> What is your view on this subject?
>
> Thanks,
> Hajo