Closed plusvic closed 10 years ago
From plus...@gmail.com on May 23, 2013 07:06:01
The problem here is that /\w+.gif/ makes the rule an order of magnitude slower; it is not really an infinite loop, but it takes waaaay more time to scan.
Status: Invalid
From wshie...@gmail.com on April 20, 2013 03:26:29
What steps will reproduce the problem?
1. Run the following rule on FLOC-meeting.doc

rule APT1_WEBC2_TABLE {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
}

FLOC-meeting.doc is discussed here: http://www.securelist.com/en/analysis/204792265/Red_October_Detailed_Malware_Description_1_First_Stage_of_Attack

If you would like a copy of it I can pass it along. For obvious reasons I'm not going to post malware here. It's worth noting that FLOC-meeting is one of a handful of samples commonly available in open source reporting which triggers this.

Original issue: http://code.google.com/p/yara-project/issues/detail?id=82