php-malware-finder – Detect Potentially Malicious PHP

PHP-malware-finder (PMF) is a tool you can use to detect obfuscated or dodgy code, as well as files using PHP functions commonly found in malware and webshells. Detection is performed by crawling the filesystem and testing each file against a set of YARA rules.


The following encoders, obfuscators and webshells are also detected:

  • Best PHP Obfuscator
  • Carbylamine
  • Cipher Design
  • Cyklodev
  • Joes Web Tools Obfuscator
  • P.A.S
  • PHP Jiami
  • Php Obfuscator Encode
  • SpinObf
  • Weevely3
  • atomiku
  • cobra obfuscator
  • phpencode
  • tennc
  • web-malware-collection
  • webtoolsvn
  • novahot
  • nano

Instead of a hash-based approach, PMF relies as much as possible on semantic patterns, detecting things like “a $_GET variable is decoded twice, unzipped, and then passed to a dangerous function such as system”.

Some of the advantages of this tool are:

  • It doesn’t use a single rule per sample, since it only cares about finding malicious patterns, not specific webshells
  • It has a complete testsuite, to avoid regressions
  • Its whitelist system doesn’t rely on filenames
  • It doesn’t rely on (slow) entropy computation
  • It uses a crude (“ghetto-style”) static analysis instead of relying on file hashes
  • Thanks to this pseudo-static analysis, it works especially well on obfuscated files
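To make the “semantic pattern” idea and the content-based whitelist concrete, here is a small scanner written for this article. It is not PMF's code and uses plain regexes rather than YARA, but it implements the same flow PMF describes: a superglobal ($_GET, $_POST, ...) reaching a code or command execution sink, possibly through a chain of decoders, with simple variable assignments followed so that `$p = base64_decode($_POST['c']); eval($p);` is still recognised as one chain. The decoder and sink lists, the SHA-256 whitelist, and the sample PHP files are all constructed for this example.

```python
"""Added illustration, not code from php-malware-finder (PMF): a regex-based
semantic scanner for 'user input -> decoders -> dangerous sink' chains in PHP."""
import hashlib
import os
import re
import tempfile

# Illustrative lists (assumptions for this example, not PMF's rule set).
DECODERS = {"base64_decode", "gzinflate", "gzuncompress", "gzdecode",
            "str_rot13", "urldecode", "hex2bin", "strrev", "convert_uudecode"}
SINKS = {"system", "exec", "shell_exec", "passthru", "eval", "assert",
         "popen", "proc_open", "create_function"}
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
CALL_START = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# `$var = <expr>;` (the (?!=) keeps `==` comparisons out)
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*([^;]+);")


def content_hash(data):
    """Whitelist key: SHA-256 of the file bytes, so the filename plays no role."""
    return hashlib.sha256(data).hexdigest()


def _balanced_arg(text, open_idx):
    """Text between the '(' at open_idx and its matching ')', plus that ')' index."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i
    return None, -1


def peel(expr, assignments, limit=16):
    """Unwrap nested calls outermost-first: (wrapper names, innermost expression).

    A bare variable is replaced by its last assigned expression, so a payload
    decoded into a temporary and then eval'd is still seen as one chain."""
    chain = []
    expr = expr.strip()
    for _ in range(limit):
        m = CALL_START.match(expr)
        if m:
            inner, close = _balanced_arg(expr, m.end() - 1)
            if inner is not None and close == len(expr) - 1:
                chain.append(m.group(1))
                expr = inner.strip()
                continue
        if expr in assignments:
            expr = assignments[expr].strip()
            continue
        break
    return chain, expr


def scan_source(src):
    """One finding per sink whose (unwrapped) argument contains a superglobal."""
    assignments = dict(ASSIGN.findall(src))
    findings = []
    for m in CALL_START.finditer(src):
        if m.group(1) not in SINKS:
            continue
        inner, _ = _balanced_arg(src, m.end() - 1)
        if inner is None:
            continue
        chain, leaf = peel(inner, assignments)
        hit = SUPERGLOBAL.search(leaf)
        if hit:
            findings.append({"sink": m.group(1), "source": hit.group(0),
                             "decoders": [f for f in chain if f in DECODERS]})
    return findings


def scan_bytes(data, whitelist=frozenset()):
    """Findings for one file, or None when its content hash is whitelisted."""
    if content_hash(data) in whitelist:
        return None
    return scan_source(data.decode("utf-8", "replace"))


def scan_tree(root, whitelist=frozenset()):
    """Walk root (every file, any extension) and map flagged paths to findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = scan_bytes(fh.read(), whitelist)
            if findings:
                report[path] = findings
    return report


# Constructed sample files: three webshell-like snippets and one benign one.
SAMPLES = {
    "double_decode.php": "<?php\n@system(gzinflate(base64_decode(base64_decode($_GET['x']))));\n",
    "indirect_eval.php": "<?php\n$p = str_rot13(base64_decode($_POST['c']));\neval($p);\n",
    "plain_shell.php": "<?php\necho shell_exec($_REQUEST['cmd']);\n",
    "benign.php": "<?php\necho htmlspecialchars($_GET['name']);\nsystem('ls -l /var/log');\n",
}


def demo():
    """Write the samples to a temp dir, scan it, and return {basename: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        return {os.path.basename(p): f for p, f in scan_tree(tmp).items()}


if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        for f in findings:
            chain = " -> ".join(f["decoders"]) or "(no decoder)"
            print(f"{name}: {f['source']} -> {chain} -> {f['sink']}()")
```

Running it flags the three shells and reports the decoder chain for each (three decoders for the double-decoded sample, none for the plain one) while the benign file, which also calls system() but with a constant, is not reported. Because the scanner looks for the pattern rather than a hash, trivial edits to a webshell do not evade it; conversely, because it is regex-based it can be fooled by unbalanced parentheses inside strings or by string-built function names, which is the kind of limitation a YARA-driven tool like PMF also accepts in exchange for speed.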

You can read more and download this tool over here: https://github.com/jvoisin/php-malware-finder
