12 lines
382 B
Text
12 lines
382 B
Text
|
rule Careto_OSX_SBD {
|
||
|
|
meta:
|
||
|
|
author = "AlienVault (Alberto Ortega)"
|
||
|
|
description = "TheMask / Careto OSX component signature"
|
||
|
|
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
|
||
|
|
strings:
|
||
|
|
/* XORed "/dev/null strdup() setuid(geteuid())" */
|
||
|
|
$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
|
||
|
|
condition:
|
||
|
|
all of them
|
||
|
|
}
|