60 lines
2.6 KiB
Text
60 lines
2.6 KiB
Text
|
// Operation Windigo yara rules
|
||
|
// For feedback or questions contact us at: windigo@eset.sk
|
||
|
// https://github.com/eset/malware-ioc/
|
||
|
//
|
||
|
// These yara rules are provided to the community under the two-clause BSD
|
||
|
// license as follows:
|
||
|
//
|
||
|
// Copyright (c) 2014, ESET
|
||
|
// All rights reserved.
|
||
|
//
|
||
|
// Redistribution and use in source and binary forms, with or without
|
||
|
// modification, are permitted provided that the following conditions are met:
|
||
|
//
|
||
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
||
|
// list of conditions and the following disclaimer.
|
||
|
//
|
||
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
||
|
// this list of conditions and the following disclaimer in the documentation
|
||
|
// and/or other materials provided with the distribution.
|
||
|
//
|
||
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
||
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||
|
//
|
||
|
rule onimiki
|
||
|
{
|
||
|
meta:
|
||
|
description = "Linux/Onimiki malicious DNS server"
|
||
|
malware = "Linux/Onimiki"
|
||
|
operation = "Windigo"
|
||
|
author = "Olivier Bilodeau <bilodeau@eset.com>"
|
||
|
created = "2014-02-06"
|
||
|
reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
|
||
|
contact = "windigo@eset.sk"
|
||
|
source = "https://github.com/eset/malware-ioc/"
|
||
|
license = "BSD 2-Clause"
|
||
|
|
||
|
strings:
|
||
|
// code from offset: 0x46CBCD
|
||
|
$a1 = {43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D}
|
||
|
$a2 = {74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0}
|
||
|
$a3 = {D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C}
|
||
|
$a4 = {8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89}
|
||
|
$a5 = {C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89}
|
||
|
$a6 = {C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92}
|
||
|
$a7 = {8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01}
|
||
|
$a8 = {00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26}
|
||
|
$a9 = {42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07}
|
||
|
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|