// Linux/Moose yara rules
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2015, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
// Private helper: true when the scanned data begins with the ELF magic
// (0x7F 'E' 'L' 'F'). Written as a little-endian 32-bit read at offset 0,
// which is equivalent to matching the hex string { 7F 45 4C 46 } at offset 0;
// data shorter than four bytes gives an undefined read and therefore no match.
private rule is_elf
{
    condition:
        uint32(0) == 0x464C457F
}
// Linux/Moose detection: matches ELF files (via the private rule is_elf
// declared earlier in this file) that contain every string listed below.
// All strings are plain literals without modifiers, so matching is
// ASCII-only and case-sensitive (YARA's default).
rule moose
{
    meta:
        Author = "Thomas Dupuy"
        Date = "2015/04/21"
        Description = "Linux/Moose malware"
        Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "github@eset.com"
        License = "BSD 2-Clause"

    strings:
        // Identifiers are not contiguous ($s5, $s6, $s8, $s10-$s20 are absent);
        // presumably strings were pruned from an earlier, longer list.
        $s0 = "Status: OK"
        // NOTE(review): the literals look mining-related (stratum URL scheme,
        // scrypt option); assumed from the text only, not verified against a sample.
        $s1 = "--scrypt"
        $s2 = "stratum+tcp://"
        $s3 = "cmd.so"
        $s4 = "/Challenge"
        // Text consistent with reading CPU information (compare $s31 below).
        $s7 = "processor"
        $s9 = "cpu model"
        // Login-prompt / authentication-failure text. $s23 omits the first
        // letter, presumably so that it matches both "Authentication failed"
        // and "authentication failed" — confirm against the sample.
        $s21 = "password is wrong"
        $s22 = "password:"
        $s23 = "uthentication failed"
        // Shell/command fragments. "sh" and "ps" are only two bytes long:
        // YARA's compiler typically warns that such short strings slow scanning,
        // and on their own they carry almost no selectivity. Because the
        // condition requires all strings they do not broaden the match, but they
        // are candidates for `fullword` or removal if the rule is ever revised —
        // TODO confirm against samples before changing.
        $s24 = "sh"
        $s25 = "ps"
        $s26 = "echo -n -e "
        $s27 = "chmod"
        $s28 = "elan2"
        $s29 = "elan3"
        $s30 = "chmod: not found"
        $s31 = "cat /proc/cpuinfo"
        // printf-style templates: the literal "%s" is part of what is matched.
        $s32 = "/proc/%s/cmdline"
        $s33 = "kill %s"

    condition:
        // Strict signature: ELF magic at offset 0 AND all 20 strings present.
        // A sample missing even one string does not match, so the rule favors
        // precision over coverage of variants.
        is_elf and all of them
}