PHP-malware-finder is a tool that you can use to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares / webshells. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

The following list of encoders /obfuscators/ webshells are also detected:

• Best PHP Obfuscator
• Carbylamine
• Cipher Design
• Cyklodev
• Joes Web Tools Obfuscator
• P.A.S
• PHP Jiami
• Php Obfuscator Encode
• SpinObf
• Weevely3
• atomiku
• cobra obfuscator
• phpencode
• tennc
• web-malware-collection
• webtoolsvn
• novahot
• nano

Instead of using an hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like “a $_GET variable is decoded two times, unzipped, and then passed to some dangerous function like system“.

Some of the advantages with using this tool are:

• It doesn’t use a single rule per sample, since it only cares about finding malicious patterns, not specific webshells
• It has a complete testsuite, to avoid regressions
• Its whitelist system doesn’t rely on filenames
• It doesn’t rely on (slow) entropy computation
• It uses a ghetto-style static analysis, instead of relying on file hashes
• Thanks to the aforementioned pseudo-static analysis, it works (especially) well on obfuscated files

You can read more and download this tool over here: https://github.com/jvoisin/php-malware-finder