// IMuler OS X backdoor signatures (Seth Hardy, 2014-06-16).
//
// Two private helper rules feed the public `IMuler` rule at the bottom:
//   * IMulerCode    - matches the way the binary assembles its own
//                     path / file-name strings in code, so it survives
//                     trivial string obfuscation of the data section.
//   * IMulerStrings - matches plain identifying strings (C2 CGI names,
//                     dropped file names, build-machine paths).
//
// NOTE(review): neither helper constrains file type (no Mach-O magic
// check), so the rules also fire on memory dumps, logs, or any file that
// merely quotes these strings -- including a copy of this rule file.
// Triage a hit accordingly before treating it as an infected binary.

private rule IMulerCode : IMuler Family
{
    meta:
        description = "IMuler code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-16"

    strings:
        // The sample writes its strings into memory four characters at a
        // time using x86 `mov dword ptr [mem], imm32` (opcode C7). Each
        // pattern pins only the FIRST TWO 4-byte stores of one string and
        // wildcards the ModRM / displacement bytes in between, so the
        // destination register or stack slot does not matter.
        //
        // `C7 ?? <imm32>`            : single ModRM byte, no displacement
        // `C7 ?? 04 <imm32>`         : ModRM + disp8 of 4 (second dword)
        // `C7 ?? ?? ?? ?? ?? <imm32>`: ModRM plus what is presumably a
        //                              disp32 (5 wildcard bytes)

        // "/tmp" then "/Spo"  -> "/tmp/Spotlight"
        $mov_tmp_spotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }

        // "/tmp" then "/.md"  -> "/tmp/.mdworker"
        $mov_tmp_mdworker  = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }

        // "FILE" then "AGEN"  -> "FILEAGENT..."
        $mov_fileagent     = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }

        // "TMPA" then "AABB"  -> "TMPAAABB..."
        $mov_tmpaaabbb     = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }

        // "TMP0" then "M34J"  -> "TMP0M34J..."
        $mov_tmp0m34jdf8   = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }

    condition:
        // A single matching store sequence is enough.
        any of them
}

private rule IMulerStrings : IMuler Family
{
    meta:
        description = "IMuler Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-16"

    strings:
        // C2 server-side script names and the directory they live in.
        $c2_cgi_dir        = "/cgi-mac/"
        $c2_setstatus      = "2wmsetstatus.cgi"
        $c2_upload         = "2wmupload.cgi"
        $c2_recvdata       = "2wmrecvdata.cgi"
        $c2_delfile        = "2wmdelfile.cgi"

        // Short internal / dropped-file names.
        $name_xnocz1       = "xnocz1"
        $name_xnorz6       = "xnorz6"
        $name_xntmpz       = "xntmpz"
        $name_xntaskz_gz   = "xntaskz.gz"
        $name_launch_0rp   = "launch-0rp.dat"
        $name_checkvir     = "checkvir.plist"
        $name_imuler2      = "iMuler2"

        // Persistence and temp paths. "/LanchAgents/" is spelled exactly as
        // it appears here on purpose -- presumably the malware's own typo;
        // do NOT "correct" it to LaunchAgents without checking a sample.
        $path_lanchagents  = "/LanchAgents/checkvir"
        $path_tmp_spotlight = "/tmp/Spotlight"
        $path_tmp_launch   = "/tmp/launch-ICS000"

        // Paths left over from the author's build machine.
        $build_mac_back    = "/Users/apple/Documents/mac back"
        $build_macback_dir = "/Users/imac/Desktop/macback/"

        // Format string with a zero in place of the letter O.
        $fmt_0pera         = "0PERA:%s"

    condition:
        // Any single string is treated as sufficient -- some of the short
        // names above are the weakest indicators, so review single-string
        // hits with that in mind.
        any of them
}

rule IMuler : Family
{
    meta:
        description = "IMuler"
        author = "Seth Hardy"
        last_modified = "2014-06-16"

    condition:
        // Either the code-construction pattern or the plain strings.
        IMulerCode or IMulerStrings
}