// Rooter: code-level signature.
// Matches the sample's in-place XOR 0x30 decode loop. The 15 bytes decode
// (x86, 32-bit) as:
//   80 B0 ?? ?? ?? ?? 30   xor byte ptr [eax+disp32], 0x30   (disp32 wildcarded)
//   40                     inc eax
//   3D 00 50 00 00         cmp eax, 0x5000
//   7C F1                  jl  -15  (back to the xor)
// i.e. a 0x5000-byte buffer is XOR-decoded one byte at a time. The buffer
// address is wildcarded so relocation does not break the match; a change to
// the key (0x30) or the loop bound (0x5000) would.
private rule RooterCode : Rooter Family
{
    meta:
        description = "Rooter code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        // xor-0x30 decode loop (see header comment for the disassembly)
        $xor_loop = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }

    condition:
        $xor_loop
}
// Rooter: string-level signature.
// Each token carries its trailing NUL so the match is anchored on the end of
// a C string rather than on a substring of a longer word. The tokens are
// short (4-5 characters), so any one of them alone would be noisy; the
// condition therefore requires three of the five to co-occur. Matching is
// the YARA default: ASCII, case-sensitive, not fullword.
private rule RooterStrings : Rooter Family
{
    meta:
        description = "Rooter Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        $tok1 = "seed\x00"
        $tok2 = "prot\x00"
        $tok3 = "ownin\x00"
        $tok4 = "feed0\x00"
        $tok5 = "nown\x00"

    condition:
        // three of five keeps the short tokens from firing on their own
        3 of ($tok*)
}
// Rooter: public family rule.
// Fires when either of the two private component rules above matches: the
// XOR-0x30 decode loop (RooterCode) or the string cluster (RooterStrings).
// Only this rule is reported by the scanner; the private rules are internal.
rule Rooter : Family
{
    meta:
        description = "Rooter"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    condition:
        RooterStrings or RooterCode
}