Sneed-Reactivity/yara-mikesxrs/adamburt/adamburt_index.yara

168 lines
5.5 KiB
Text
Raw Permalink Normal View History

rule shellshock_generic
{
meta:
author="Adam Burt"
strings:
$starter = "() { "
$alt1 = "(a)=>"
$alt2 = ":; } ;"
$att1 = "HOLD Flooding"
$att2 = "JUNK Flooding"
$att4 = "PONG!"
$att5 = "/bin/busybox"
$att6 = "SCANNER"
condition:
( $starter and any of ($alt*) ) or ( all of ($att*) )
}
rule BackOffPOS_1_56_LAST
{
meta:
description = "BackoffPOS 1.56 LAST process injection code detection"
in_the_wild = true
strings:
$a = {E8 00 00 00 00 5D 81 ED 05 00 00 00 31 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 5E 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8D BD E3 05 00 00 89 FE B9 0E 00 00 00 AD E8 15 02 00 00 AB E2 F7 8D 85 D0 03 00 00 50 6A 00 6A 00 FF 95 EB 05 00 00 8D 85 99 03 00 00 50 FF 95 FF 05 00 00 85 C0 0F 84 D5 01 00 00 8D 9D A5 03 00 00 53 50 FF 95 FB 05 00 00 85 C0 0F 84 BF 01 00 00 89 85 DF 05 00 00 8D BD DD 03 00 00 6A 00 6A 1A 57 6A 00 FF 95 DF 05 00 00 89 FE E8 A7 01 00 00 01 C7 B9 09 00 00 00 8D B5 82 03 00 00 F3 A4 8D BD DC 04 00 00 6A 00 6A 1A 57 6A 00 FF 95 DF 05 00 00 89 FE E8 7E 01 00 00 01 C7 B9 0E 00 00 00 8D B5 8B 03 00 00 F3 A4 8D 85 72 03 00 00 50 6A 00 68 01 00 1F 00 FF 95 03 06 00 00 85 C0 74 14 50 FF 95 E3 05 00 00 68 E0 93 04 00 FF 95 0B 06 00 00 EB D4 8D 85 DD 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 50 FF 95 E7 05 00 00 83 F8 FF 0F 84 03 01 00 00 89 C3 6A 00 50 FF 95 F7 05 00 00 83 F8 FF 0F 84 E8 00 00 00 89 C7 6A 04 68 00 30 00 00 50 6A 00 FF 95 0F 06 00 00 85 C0 0F 84 CE 00 00 00 89 C6 8D 85 DB 05 00 00 6A 00 50 57 56 53 FF 95 07 06 00 00 85 C0 0F 84 B2 00 00 00 53 FF 95 E3 05 00 00 8D 85 6A 03 00 00 50 57 56 E8 28 01 00 00 8D 85 DC 04 00 00 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 40 50 FF 95 E7 05 00 00 83 F8 FF 74 29 89 C3 8D 85 DB 05 00 00 6A 00 50 57 56 53 FF 95 17 06 00 00 53 FF 95 E3 05 00 00 68 00 80 00 00 6A 00 56 FF 95 13 06 00 00 8D 85 99 03 00 00 50 FF 95 FF 05 00 00 8D 9D BD 03 00 00 53 50 FF 95 FB 05 00 00 8D 9D CB 03 00 00 8D BD DC 04 00 00 6A 00 6A 00 6A 00 57 53 6A 00 FF D0 68 E0 93 04 00 FF 95 0B 06 00 00 8D BD DC 04 00 00 57 FF 95 F3 05 00 00 E9 B0 FE FF FF 53 FF 95 E3 05 00 00 68 E0 93 04 00 FF 95 0B 06 00 00 E9 99 FE FF FF 6A 00 FF 95 EF 05 00 00 53 31 C0 8A 1C 06 84 DB 74 03 40 EB F6 5B C3 55 89 E5 83 EC 0C 60 89 5D FC 89 45 F8 03 5B 3C 8B 5B 78 03 5D FC 8B 7B 20 03 7D FC 31 F6 8D 14 B7 8B 12 03 55 FC 31 C0 C1 C0 07 32 02 42 80 3A 00 75 F5 3B 45 F8 74 06 46 3B 73 18 72 E0 8B 53 24 03 55 FC 0F B7 14 72 8B 43 1C 03 45 FC 8B 04 90 03 45 FC 89 45 F4 61 8B 45 F4 C9 C3 55 89 E5 57 56 53 81 EC 04 01 00 00 31 C0 88 84 28 F4 FE FF FF 40 3D 00 01 00 00 75 F1 8D 8D F4 FE FF FF 8D 7D F4 31 D2 31 DB 8A 01 88 85 F2 FE FF FF 8B 75 10 02 04 32 01 C3 0F B6 DB 8A 84 2B F4 FE FF FF 88 01 8A 85 F2 FE FF FF 88 84 2B F4 FE FF FF 8D 42 01 BE 08 00 00 00 99 F7 FE 41 39 F9 75 C7 31 C9 31 D2 31 C0 EB 42 42 81 E2 FF 00 00 00 0F B6 BC 2A F4 FE FF FF 01 F9 0F B6 C9 0F B6 B4 29 F4 FE FF FF 89 F3 88 9C 2A F4 FE FF FF 89 FB 88 9C 29 F4 FE FF FF 8D 1C 37 0F B6 DB 8A 9C 2B F4 FE FF FF 8B 75 08 30 1C 30 40 3B 45 0C 7C B9 81 C4 04 01 00 00 5B 5E 5F 5D C2 0C 00 }
$b = {50 61 73 73 77 6F 72 64 }
$c = {6E 73 6B 61 6C }
$d = {77 69 6E 73 65 72 76 73 2E 65 78 65 }
$e = {73 68 65 6C 6C 33 32 2E 64 6C 6C 00 53 48 47 65 74 53 70 65 63 69 61 6C 46 6F 6C 64 65 72 50 61 74 68 41 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 }
condition:
all of them
}
rule BackOffPOS_1_55_DEC
{
meta:
description = "BackoffPOS 1.56 LAST process injection code detection"
in_the_wild = true
strings:
$a = "dec"
$b = "1.55"
$d = "Update"
$e = "Terminate"
$f = "Upload KeyLogs"
$g = "[Enter]"
condition:
all of them
}
rule BackOffPOS_GENERIC
{
meta:
description = "BackoffPOS generic catcher for known strings"
in_the_wild = true
strings:
$a = "Update"
$b = "Terminate"
$d = "Uninstall"
$e = "Download"
$f = "Run"
$g = "Upload"
$h = "KeyLogs"
$i = "Password"
$j = "USERNAME"
$k = "[Enter]"
$l = "Log"
condition:
all of them
}
rule Dexter
{
meta:
description = "Dexter malware memory injection detection"
in_the_wild = true
strings:
$a = "Resilience"
$b = "download-"
$c = "update-"
$d = "checkin:"
$e = "uninstall"
$f = "CurrentVersion\\Run"
$g = "response="
$h = "gateway.php"
$i = "iexplore.exe"
condition:
all of them
}
import "pe"
rule metasploit_payload_msfpayload
{
meta:
description = "This rule detects generic metasploit callback payloads generated with msfpayload"
Author = "Adam Burt (adam_burt@symantec.com)"
strings:
$a1 = "asf"
$a2 = "release"
$a3 = "build"
$a4 = "support"
$a5 = "ab.pdb"
$l1 = "WS2_32.dll"
$l2 = "mswsock"
$l3 = "ntdll.dll"
$l4 = "KERNEL32.dll"
$l5 = "shell32"
$l6 = "malloc"
$l7 = "fopen"
$l8 = "fclose"
$l9 = "fprintf"
$l10 = "strncpy"
condition:
all of ($l*)
and all of ($a*)
}
rule metasploit_service_starter
{
meta:
description = "This rule detects related metasploit service starters"
author = "Adam Burt (adam_burt@symantec.com)"
strings:
$a1 = "StartServiceCtrlDispatcher"
$a2 = "RegisterServiceCtrlHandle"
$a3 = "CloseHandle"
$a4 = "memset"
$a5 = "rundll32.exe"
$a6 = "msvcrt.dll"
condition:
pe.sections[3].name == ".bss"
and pe.sections[3].virtual_size == 0x00000030
and pe.sections[2].virtual_size == 0x0000001c
and pe.sections[4].virtual_size == 0x00000224
and all of them
}
rule trojan_poweliks_dropper
{
meta:
author = "Adam Burt (adam_burt@symantec.com)"
md5hash = "181dbed16bce32a7cfc15ecdd6e31918"
sha1hash = "b00a9e4e12f799a1918358d175f571439fc4b45c"
strings:
$s1 = "NameOfMutexObject"
$c1 = {2F 2E 6D 2C}
$c2 = {76 AB 0B A7}
condition:
$c1 at 0x104a0 or ($s1 and $c2 at 0x104a8)
}