php-malware-finder – Detect Potentially Malicious PHP
PHP-malware-finder is a tool you can use to detect obfuscated or dodgy code, as well as files using PHP functions often found in malware and webshells. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

The following encoders, obfuscators and webshells are also detected:
- Best PHP Obfuscator
- Carbylamine
- Cipher Design
- Cyklodev
- Joes Web Tools Obfuscator
- P.A.S
- PHP Jiami
- Php Obfuscator Encode
- SpinObf
- Weevely3
- atomiku
- cobra obfuscator
- phpencode
- tennc
- web-malware-collection
- webtoolsvn
- novahot
- nano
Instead of using a hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like "a $_GET variable is decoded two times, unzipped, and then passed to some dangerous function like system".
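To illustrate what such a semantic pattern looks like in practice, here is a small added example (written for this post, not code from php-malware-finder, which uses YARA rules rather than Python): a crude token-level check that flags a dangerous sink fed by a request parameter through one or more decode/unpack calls, generalised to several sinks and decoders. The sample files, function lists and names are assumptions.

```python
import re

# Constructed sample inputs, not from the project's test suite.
SAMPLES = {
    "contact.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "status.php": "<?php passthru('uptime'); ?>",
    "thumb.php": "<?php echo base64_decode($_GET['img']); ?>",
    "upload.php": "<?php system(gzinflate(base64_decode(base64_decode($_GET['c'])))); ?>",
}

# Assumed lists: dangerous sinks, decoders/unpackers, and request sources.
SINKS = {"system", "exec", "shell_exec", "passthru", "eval", "assert", "popen", "proc_open"}
DECODERS = {"base64_decode", "str_rot13", "gzinflate", "gzuncompress", "gzdecode",
            "hex2bin", "convert_uudecode", "urldecode", "rawurldecode"}
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def _argument_span(src, open_paren):
    """Text between the '(' at open_paren and its matching ')'.
    Parentheses inside string literals are not special-cased: this is a
    token-level check, not a PHP parser."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced input: take the rest

def find_decode_chains(src, min_decoders=1):
    """Flag sink calls whose argument is a request value run through decoders."""
    findings = []
    for m in CALL.finditer(src):
        name = m.group(1).lower()
        if name not in SINKS:
            continue
        arg = _argument_span(src, m.end() - 1)  # m.end() - 1 is the '(' itself
        if not SOURCE.search(arg):
            continue  # sink fed from a constant or local value: not this pattern
        decoders = [c.lower() for c in CALL.findall(arg) if c.lower() in DECODERS]
        if len(decoders) >= min_decoders:
            findings.append({"sink": name, "decoders": decoders})
    return findings

def scan(files):
    """Map each file containing at least one suspicious chain to its findings."""
    return {path: hits for path, src in files.items() if (hits := find_decode_chains(src))}
```

Only `upload.php` is reported: a sink on a constant, or a decoder without a sink, does not match, which is the point of matching the whole chain rather than any single function name.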
Some of the advantages of using this tool are:
- It doesn't need one rule per sample, since it only cares about finding malicious patterns, not specific webshells
- It has a complete test suite, to avoid regressions
- Its whitelist system doesn’t rely on filenames
- It doesn’t rely on (slow) entropy computation
- It uses a ghetto-style static analysis, instead of relying on file hashes
- Thanks to the aforementioned pseudo-static analysis, it works (especially) well on obfuscated files
You can read more and download this tool here: https://github.com/jvoisin/php-malware-finder