So there have been a rash of next generation Malware scripts that are using some tools that make them much more difficult to be detected. This post is intended to be a reference to several of the important REGEX patterns that I was albe to use to find the Malware packages to be removed.

<?php $GLOBALS['q489'] = "\x64\x69\x5c\x2b\x6c\x40\x59\x79\x30\x44\x6f\x3a\x27\x2e\x72\x57\x38\x49\x2a\x45

Can be detected with the following string

\<\?php.*(\\x[a-zA-Z0-9]*?)+

Here is another string to detect base64_decode strings with long packages that could indicate that something malicious is hiding

base64_decode(.{200,})

eval\(.*?base64_decode\(.{200,}

Also be sure to be on the look out for these other functions I've seen in conjunction with Malware

str_rot13(), assert()