Sneed-Reactivity/yara-Neo23x0/apt_lnx_linadoor_rootkit.yar


rule MAL_LNX_LinaDoor_Rootkit_May22 {
   meta:
      description = "Detects LinaDoor Linux Rootkit"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2022-05-19"
      modified = "2023-05-16"
      score = 85
      hash1 = "25ff1efe36eb15f8e19411886217d4c9ec30b42dca072b1bf22f041a04049cd9"
      hash2 = "4792e22d4c9996af1cb58ed54fee921a7a9fdd19f7a5e7f268b6793cdd1ab4e7"
      hash3 = "9067230a0be61347c0cf5c676580fc4f7c8580fc87c932078ad0c3f425300fb7"
      hash4 = "940b79dc25d1988dabd643e879d18e5e47e25d0bb61c1f382f9c7a6c545bfcff"
      hash5 = "a1df5b7e4181c8c1c39de976bbf6601a91cde23134deda25703bc6d9cb499044"
      hash6 = "c4eea99658cd82d48aaddaec4781ce0c893de42b33376b6c60a949008a3efb27"
      hash7 = "c5651add0c7db3bbfe0bbffe4eafe9cd5aa254d99be7e3404a2054d6e07d20e7"
      id = "e2f250b4-9a8a-5d70-83d7-5d12ad3763fb"
   strings:
      $s1 = "/dev/net/.../rootkit_/" ascii
      $s2 = "did_exec" ascii fullword
      $s3 = "rh_reserved_tp_target" ascii fullword
      $s4 = "HIDDEN_SERVICES" ascii fullword
      $s5 = "bypass_udp_ports" ascii fullword
      $s6 = "DoBypassIP" ascii fullword

      $op1 = { 74 2a 4c 89 ef e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 4c 39 f2 }
      $op2 = { e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 4c 39 f2 48 0f 46 c3 5b }
      $op3 = { 48 89 c3 74 2a 4c 89 ef e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 }
      $op4 = { 4c 29 e2 48 01 c2 31 c0 4c 39 f2 48 0f 46 c3 5b 41 5c 41 5d }

      $fp1 = "/wgsyncdaemon.pid"
   condition:
      uint16(0) == 0x457f and
      filesize < 2000KB and 2 of them 
      and not 1 of ($fp*)
      or 4 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule MAL_LNX_LinaDoor_Rootkit_May22 {`
			`meta:`
			`description = "Detects LinaDoor Linux Rootkit"`
			`author = "Florian Roth"`
			`reference = "Internal Research"`
			`date = "2022-05-19"`
			`modified = "2023-05-16"`
			`score = 85`
			`hash1 = "25ff1efe36eb15f8e19411886217d4c9ec30b42dca072b1bf22f041a04049cd9"`
			`hash2 = "4792e22d4c9996af1cb58ed54fee921a7a9fdd19f7a5e7f268b6793cdd1ab4e7"`
			`hash3 = "9067230a0be61347c0cf5c676580fc4f7c8580fc87c932078ad0c3f425300fb7"`
			`hash4 = "940b79dc25d1988dabd643e879d18e5e47e25d0bb61c1f382f9c7a6c545bfcff"`
			`hash5 = "a1df5b7e4181c8c1c39de976bbf6601a91cde23134deda25703bc6d9cb499044"`
			`hash6 = "c4eea99658cd82d48aaddaec4781ce0c893de42b33376b6c60a949008a3efb27"`
			`hash7 = "c5651add0c7db3bbfe0bbffe4eafe9cd5aa254d99be7e3404a2054d6e07d20e7"`
			`id = "e2f250b4-9a8a-5d70-83d7-5d12ad3763fb"`
			`strings:`
			`$s1 = "/dev/net/.../rootkit_/" ascii`
			`$s2 = "did_exec" ascii fullword`
			`$s3 = "rh_reserved_tp_target" ascii fullword`
			`$s4 = "HIDDEN_SERVICES" ascii fullword`
			`$s5 = "bypass_udp_ports" ascii fullword`
			`$s6 = "DoBypassIP" ascii fullword`

			`$op1 = { 74 2a 4c 89 ef e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 4c 39 f2 }`
			`$op2 = { e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 4c 39 f2 48 0f 46 c3 5b }`
			`$op3 = { 48 89 c3 74 2a 4c 89 ef e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 }`
			`$op4 = { 4c 29 e2 48 01 c2 31 c0 4c 39 f2 48 0f 46 c3 5b 41 5c 41 5d }`

			`$fp1 = "/wgsyncdaemon.pid"`
			`condition:`
			`uint16(0) == 0x457f and`
			`filesize < 2000KB and 2 of them`
			`and not 1 of ($fp*)`
			`or 4 of them`
			`}`