Sneed-Reactivity/yara-Neo23x0/apt_venom_linux_rootkit.yar


/*
Yara Rule Set
Author: Florian Roth
Date: 2017-01-10
Identifier: Venom Rootkit
*/
/* Rule Set ----------------------------------------------------------------- */
rule Venom_Rootkit {
    // Detects the Venom Linux rootkit binary by the literal strings it carries.
    // Every pattern is matched as ASCII text and only as a whole word (the
    // `fullword` modifier), so substrings inside longer tokens do not count.
    meta:
        description = "Venom Linux Rootkit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://security.web.cern.ch/security/venom.shtml"
        date = "2017-01-12"
        id = "fedc6fa9-7dfb-5e54-a7bf-9a16f96d6886"
    strings:
        // %%VENOM...%% bracketed tokens; presumably protocol markers exchanged
        // with the operator side (see the reference URL), not verified here.
        $s1  = "%%VENOM%CTRL%MODE%%" ascii fullword
        $s2  = "%%VENOM%OK%OK%%" ascii fullword
        $s3  = "%%VENOM%WIN%WN%%" ascii fullword
        $s4  = "%%VENOM%AUTHENTICATE%%" ascii fullword
        // Status/log lines emitted by the implant.
        $s5  = ". entering interactive shell" ascii fullword
        $s6  = ". processing ltun request" ascii fullword
        $s7  = ". processing rtun request" ascii fullword
        $s8  = ". processing get request" ascii fullword
        $s9  = ". processing put request" ascii fullword
        // Author/banner strings.
        $s10 = "venom by mouzone" ascii fullword
        $s11 = "justCANTbeSTOPPED" ascii fullword
    condition:
        // Bound the scanned size first (cheap check), then require any two of
        // the eleven strings so that one incidental hit alone does not fire.
        filesize < 4000KB and 2 of ($s*)
}