116 lines
3.6 KiB
Text
116 lines
3.6 KiB
Text
|
/*
|
||
|
Yara Rule Set
|
||
|
Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud
|
||
|
Date: 2015-12-09
|
||
|
Reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
|
||
|
Identifier: Derusbi Dez 2015
|
||
|
*/
|
||
|
|
||
|
rule derusbi_kernel
|
||
|
{
|
||
|
meta:
|
||
|
description = "Derusbi Driver version"
|
||
|
date = "2015-12-09"
|
||
|
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
|
||
|
strings:
|
||
|
$token1 = "$$$--Hello"
|
||
|
$token2 = "Wrod--$$$"
|
||
|
$cfg = "XXXXXXXXXXXXXXX"
|
||
|
$class = ".?AVPCC_BASEMOD@@"
|
||
|
$MZ = "MZ"
|
||
|
condition:
|
||
|
$MZ at 0 and $token1 and $token2 and $cfg and $class
|
||
|
}
|
||
|
|
||
|
rule derusbi_linux
|
||
|
{
|
||
|
meta:
|
||
|
description = "Derusbi Server Linux version"
|
||
|
date = "2015-12-09"
|
||
|
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
|
||
|
strings:
|
||
|
$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
|
||
|
$cmd = "unset LS_OPTIONS;uname -a"
|
||
|
$pname = "[diskio]"
|
||
|
$rkfile = "/tmp/.secure"
|
||
|
$ELF = "\x7fELF"
|
||
|
condition:
|
||
|
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
Yara Rule Set
|
||
|
Author: Florian Roth
|
||
|
Date: 2015-12-15
|
||
|
Identifier: Derusbi Dez 2015
|
||
|
*/
|
||
|
|
||
|
rule Derusbi_Kernel_Driver_WD_UDFS {
|
||
|
meta:
|
||
|
description = "Detects Derusbi Kernel Driver"
|
||
|
author = "Florian Roth"
|
||
|
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
|
||
|
date = "2015-12-15"
|
||
|
score = 80
|
||
|
hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
|
||
|
hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
|
||
|
hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
|
||
|
hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
|
||
|
strings:
|
||
|
$x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
|
||
|
$x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
|
||
|
$x3 = "\\??\\pipe\\usbpcex%d" fullword wide
|
||
|
$x4 = "\\??\\pipe\\usbpcg%d" fullword wide
|
||
|
$x5 = "$$$--Hello" fullword ascii
|
||
|
$x6 = "Wrod--$$$" fullword ascii
|
||
|
|
||
|
$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
|
||
|
$s2 = "Update.dll" fullword ascii
|
||
|
$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
|
||
|
$s4 = "\\Driver\\nsiproxy" fullword wide
|
||
|
$s5 = "HOST: %s" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 800KB and
|
||
|
(
|
||
|
2 of ($x*) or all of ($s*)
|
||
|
)
|
||
|
}
|
||
|
|
||
|
rule Derusbi_Code_Signing_Cert {
|
||
|
meta:
|
||
|
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
|
||
|
author = "Florian Roth"
|
||
|
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
|
||
|
date = "2015-12-15"
|
||
|
score = 40
|
||
|
strings:
|
||
|
$s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
|
||
|
$s2 = "XL Games Co.,Ltd.0" fullword ascii
|
||
|
$s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
|
||
|
}
|
||
|
|
||
|
rule XOR_4byte_Key {
|
||
|
meta:
|
||
|
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
|
||
|
author = "Florian Roth"
|
||
|
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
|
||
|
date = "2015-12-15"
|
||
|
score = 60
|
||
|
strings:
|
||
|
/* Op Code */
|
||
|
$s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
|
||
|
/*
|
||
|
test ecx, ecx
|
||
|
jz short loc_590170
|
||
|
xor [esi], eax
|
||
|
add [esi], ebx
|
||
|
add esi, 4
|
||
|
dec ecx
|
||
|
jmp short loc_590162
|
||
|
*/
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and filesize < 900KB and all of them
|
||
|
}
|