Sneed-Reactivity/yara-mikesxrs/Airbus/derusbi_linux.yar

18 lines
537 B
Text
Raw Normal View History

rule derusbi_linux
{
meta:
description = "Derusbi Server Linux version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
Reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
strings:
$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
$cmd = "unset LS_OPTIONS;uname -a"
$pname = "[diskio]"
$rkfile = "/tmp/.secure"
$ELF = "\x7fELF"
condition:
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}