25 lines
905 B
Text
25 lines
905 B
Text
|
rule kaiten: malware linux
|
||
|
{
|
||
|
meta:
|
||
|
author = "@h3x2b <tracker@h3x.eu>"
|
||
|
description = "Detects Kaiten samples - 20161009"
|
||
|
//Check also:
|
||
|
//http://tracker.h3x.eu/corpus/700
|
||
|
//http://tracker.h3x.eu/info/700
|
||
|
//http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2747
|
||
|
//https://www.virustotal.com/en/file/0173924f3b91579c2ab3382333f81b09fa2653588b9595243a0d85bd97f7dd11/analysis/1409864439/
|
||
|
//Samples:
|
||
|
|
||
|
strings:
|
||
|
$kaiten_00 = "NOTICE %s :Kaiten wa goraku"
|
||
|
$kaiten_01 = "NOTICE %s :TSUNAMI <target> <secs>"
|
||
|
$kaiten_02 = "NOTICE %s :PAN <target> <port> <secs>"
|
||
|
|
||
|
condition:
|
||
|
//ELF magic
|
||
|
uint32(0) == 0x464c457f and
|
||
|
|
||
|
//Contains all of the strings
|
||
|
2 of ($kaiten_*)
|
||
|
}
|