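rule rovnix_downloader
{
    // Detects a Rovnix downloader build by the keyword list it carries for
    // its sinkhole checks (see reference) plus the embedded bootkit DLL name.
    //
    // Caveats for anyone tuning this rule:
    //  - Every $sink* string is a short, generic, ASCII-only word (no `wide`,
    //    no `nocase`); on their own they are near-meaningless. They are only
    //    useful because the condition demands ALL of them plus $boot, which
    //    carries the actual signal. Loosening `all of` will cause FPs; a
    //    UTF-16 build of the keyword table would be missed as written.
    meta:
        author = "McAfee"
        description = "Rovnix downloader with sinkhole checks"
        reference = "https://securingtomorrow.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/"

    strings:
        // Substrings the sample matches against to recognise a sinkholed C2
        $sink1  = "control"
        $sink2  = "sink"
        $sink3  = "hole"
        $sink4  = "dynadot"
        $sink5  = "block"
        $sink6  = "malw"
        $sink7  = "anti"
        $sink8  = "googl"
        $sink9  = "hack"
        $sink10 = "trojan"
        $sink11 = "abuse"
        $sink12 = "virus"
        $sink13 = "black"
        $sink14 = "spam"

        // Name of the bootkit payload DLL referenced by the downloader
        $boot = "BOOTKIT_DLL.dll"

    condition:
        // Require a PE "MZ" header at offset 0. The original used
        // `$mz in (0..2)`, which also accepted the magic at offsets 1 and 2;
        // `uint16(0) == 0x5A4D` is the standard YARA idiom and anchors it.
        uint16(0) == 0x5A4D
        and all of ($sink*)
        and $boot
}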