Sneed-Reactivity/yara-Neo23x0/threat_lenovo_superfish.yar

24 lines
957 B
Text
Raw Normal View History

/* LENOVO Superfish -------------------------------------------------------- */
rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
meta:
description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
author = "Florian Roth (Nextron Systems) / improved by kbandla"
reference = "https://twitter.com/4nc4p/status/568325493558272000"
date = "2015/02/19"
hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
id = "200c016e-7ad8-5b58-be5f-7866e91d60e9"
strings:
//$s1 = "VisualDiscovery.exe" fullword wide
$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
$s3 = "GetPCProxyHandler" fullword ascii
$s4 = "StartPCProxy" fullword ascii
$s5 = "SetPCProxyHandler" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2MB and all of ($s*)
}