PHP Malware Finder

In September 2015, we introduced PHP Malware Finder (PMF), an open-source tool created by NBS System to spot potential backdoors left by hackers in PHP applications. Since then, the tool has evolved: here are its new features!

ASP Malware Finder

PHP Malware Finder may need a new name, since it can now spot malicious code in applications written in ASP, the language used in Microsoft web applications. These applications are scanned with a separate set of rules targeting the specifics of that language.

Optimization of the rules files

Previously, on each run, PMF checked the scanned files against all of its rules. Since the tool only supported PHP applications, using a single rules file was not a problem. Adding a new language to that same file, however, would mean that on every run PMF reads rules that do not apply to the targeted application, which wastes both time and resources.

That is why PMF now contains three rules files:

  • The « common » file gathers the universal rules that recognize malicious code regardless of the technology the application uses. It contains, for instance, a rule to spot URLs used to send hashes to online brute-force (hash-cracking) services.
  • The PHP file contains only rules that are specific to PHP.
  • The ASP file contains only rules that are specific to ASP.

PMF users can choose which file to use according to their application, and so optimize the tool's run time by checking only the rules that apply to them.

Update simplification

For PHP Malware Finder to be effective, it has to adapt to new kinds of malicious code and spot as many malware samples as possible. That is why the rules files are updated regularly, thanks to active monitoring and to your contributions!

Until now, however, every addition to or update of the filtering rules required a new release of PHP Malware Finder. It is now possible to update the rules files without updating the whole tool! This avoids redeploying every machine running PMF for each new rule, and makes the tool more flexible to use.

It is the script's “--update” option that provides this flexibility. By default it points to the rules files on the PMF GitHub page, but users only have to change the script to point it to their own internal files.

Keep contributing…

These changes aim to make PHP Malware Finder easier to use, and the Web safer! So do not hesitate to contribute on the project’s GitHub page, whether directly to the script, to the rules (new examples of malicious files), or to the whitelist of legitimate files by running the script on your clean applications!

Source: Julien Voisin

Lucie Saunois
IT aficionado, specifically when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable by anyone.