96 lines
4.4 KiB
Text
96 lines
4.4 KiB
Text
|
/*
|
||
|
Yara Rule Set
|
||
|
Author: Florian Roth
|
||
|
Date: 2018-05-24
|
||
|
Identifier: VPNFilter
|
||
|
Reference: https://blog.talosintelligence.com/2018/05/VPNFilter.html
|
||
|
*/
|
||
|
|
||
|
/* Rule Set ----------------------------------------------------------------- */
|
||
|
|
||
|
rule MAL_ELF_VPNFilter_1 {
|
||
|
meta:
|
||
|
description = "Detects VPNFilter malware"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Internal Research"
|
||
|
date = "2018-05-24"
|
||
|
hash1 = "f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344"
|
||
|
id = "dc50cb37-a6e7-5eb5-9581-31d7fd005e47"
|
||
|
strings:
|
||
|
$s1 = "Login=" fullword ascii
|
||
|
$s2 = "Password=" fullword ascii
|
||
|
$s3 = "%s/rep_%u.bin" fullword ascii
|
||
|
$s4 = "%s:%uh->%s:%hu" fullword ascii
|
||
|
$s5 = "Password required" fullword ascii /* Goodware String - occured 1 times */
|
||
|
$s6 = "password=" fullword ascii /* Goodware String - occured 2 times */
|
||
|
$s7 = "Authorization: Basic" fullword ascii /* Goodware String - occured 2 times */
|
||
|
$s8 = "/tmUnblock.cgi" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x457f and filesize < 100KB and all of them
|
||
|
}
|
||
|
|
||
|
rule MAL_ELF_VPNFilter_2 {
|
||
|
meta:
|
||
|
description = "Detects VPNFilter malware"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Internal Research"
|
||
|
date = "2018-05-24"
|
||
|
hash1 = "50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec"
|
||
|
id = "95356303-e8ba-585d-b2fc-af9e10b0b93f"
|
||
|
strings:
|
||
|
$s1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)" fullword ascii
|
||
|
$s2 = "passwordPASSWORDpassword" fullword ascii
|
||
|
$s3 = "/tmp/client.key" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x457f and filesize < 1000KB and all of them
|
||
|
}
|
||
|
|
||
|
rule MAL_ELF_VPNFilter_3 {
|
||
|
meta:
|
||
|
description = "Detects VPNFilter malware"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Internal Research"
|
||
|
date = "2018-05-24"
|
||
|
hash1 = "0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92"
|
||
|
hash2 = "9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17"
|
||
|
hash3 = "37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4"
|
||
|
hash4 = "0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b"
|
||
|
hash5 = "4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b"
|
||
|
hash6 = "8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1"
|
||
|
hash7 = "776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d"
|
||
|
id = "020603bf-fbce-5de1-82b9-5a2dfacfada3"
|
||
|
strings:
|
||
|
$sx1 = "User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)" fullword ascii
|
||
|
$sx2 = "Execute by shell[%d]:" fullword ascii
|
||
|
$sx3 = "CONFIG.TOR.name:" fullword ascii
|
||
|
|
||
|
$s1 = "Executing command: %s %s..." fullword ascii
|
||
|
$s2 = "/proc/%d/cmdline" fullword ascii
|
||
|
|
||
|
$a1 = "Mozilla/5.0 Firefox/50.0" fullword ascii
|
||
|
$a2 = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii
|
||
|
$a3 = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x457f and filesize < 1000KB and ( 1 of ($sx*) or 2 of ($s*) or 2 of ($a*) )
|
||
|
}
|
||
|
|
||
|
rule SUSP_ELF_Tor_Client {
|
||
|
meta:
|
||
|
description = "Detects VPNFilter malware"
|
||
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "Internal Research"
|
||
|
date = "2018-05-24"
|
||
|
hash1 = "afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719"
|
||
|
id = "1be6528d-1b60-50da-8125-2ef73b8aeb4f"
|
||
|
strings:
|
||
|
$x1 = "We needed to load a secret key from %s, but it was encrypted. Try 'tor --keygen' instead, so you can enter the passphrase." fullword ascii
|
||
|
$x2 = "Received a VERSION cell with odd payload length %d; closing connection." fullword ascii
|
||
|
$x3 = "Please upgrade! This version of Tor (%s) is %s, according to the directory authorities. Recommended versions are: %s" fullword ascii
|
||
|
condition:
|
||
|
uint16(0) == 0x457f and 1 of them
|
||
|
}
|