rule backdoor_apt_pcclient { meta: author = "@patrickrolsen" maltype = "APT.PCCLient" filetype = "DLL" version = "0.1" description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)" date = "2012-10" strings: $magic = { 4d 5a } // MZ $string1 = "www.micro1.zyns.com" $string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" $string3 = "msacm32.drv" wide $string4 = "C:\\Windows\\Explorer.exe" wide $string5 = "Elevation:Administrator!" wide $string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb" condition: $magic at 0 and 4 of ($string*) } rule pos_memory_scrapper { meta: author = "@patrickrolsen" maltype = "Point of Sale (POS) Malware Memory Scraper" version = "0.1" description = "POS Memory Scraper" reference = "7f9cdc380eeed16eaab3e48d59f271aa -> http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html" date = "12/30/2013" strings: $string1 = "kartoxa" nocase $string2 = "CC2 region:" $string3 = "CC memregion:" $string4 = "target pid:" $string5 = "scan all processes:" $string6 = " " condition: all of ($string*) } rule FE_PCAPs { meta: author = "@patrickrolsen" maltype = "N/A" version = "0.1" description = "Find FireEye PCAPs uploaded to Virus Total" date = "12/30/2013" strings: $magic = {D4 C3 B2 A1} $ip1 = {0A 00 00 ?? C7 10 C7 ??} // "10.0.0.?? -> 199.16.199.?? $ip2 = {C7 10 C7 ?? 0A 00 00 ??} // "199.16.199.?? -> 10.0.0.??" condition: $magic at 0 and all of ($ip*) } // Point of Sale (POS) Malware rule pos_memory_scrapper2 { meta: author = "@patrickrolsen" maltype = "Point of Sale (POS) Malware Memory Scraper" version = "0.2" description = "POS Memory Scraper" reference = "7f9cdc380eeed16eaab3e48d59f271aa http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html" date = "01/03/2014" strings: $magic = { 4D 5A } // MZ Header $string1 = "kartoxa" nocase $string2 = "CC2 region:" $string3 = "CC memregion:" $string4 = "target pid:" $string5 = "scan all processes:" $string6 = " " $string7 = "KAPTOXA" nocase condition: ($magic at 0) and all of ($string*) } rule pos_malwre_dexter_stardust { meta: author = "@patrickrolsen" maltype = "Dexter Malware - StarDust Variant" version = "0.1" description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf" reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658" date = "12/30/2013" strings: $magic = { 4D 5A } // MZ Header $string1 = "ceh_3\\.\\ceh_4\\..\\ceh_6" $string2 = "Yatoed3fe3rex23030am39497403" $string3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19" $string4 = "CommonFile.exe" condition: ($magic at 0) and all of ($string*) } rule pos_malware_project_hook { meta: author = "@patrickrolsen" maltype = "Project Hook" version = "0.1" description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf" reference = "759154d20849a25315c4970fe37eac59" date = "12/30/2013" strings: $magic = { 4D 5A } // MZ Header $string1 = "CallImage.exe" $string2 = "BurpSwim" $string3 = "Work\\Project\\Load" $string4 = "WortHisnal" condition: ($magic at 0) and all of ($string*) } rule pdb_strings_Rescator { meta: author = "@patrickrolsen" maltype = "N/A Threat Intel..." version = "0.2" description = "Rescator PDB strings within binaries" date = "01/03/2014" strings: $magic = { 4D 5A } // MZ Header $pdb1 = "\\Projects\\Rescator" nocase condition: ($magic at 0) and $pdb1 } rule rtf_Kaba_jDoe { meta: author = "@patrickrolsen" maltype = "APT.Kaba" filetype = "RTF" version = "0.1" description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620" date = "2013-12-10" strings: $magic1 = { 7b 5c 72 74 30 31 } // {\rt01 $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1 $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3 $author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe" $author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone" $string1 = { 44 30 [16] 43 46 [23] 31 31 45 } condition: ($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1 } rule rtf_yahoo_ken { meta: author = "@patrickrolsen" maltype = "Yahoo Ken" filetype = "RTF" version = "0.1" description = "Test rule" date = "2013-12-14" strings: $magic1 = { 7b 5c 72 74 30 31 } // {\rt01 $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1 $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3 $author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken" condition: ($magic1 or $magic2 or $magic3 at 0) and $author1 } rule Backdoor_APT_Mongall { meta: author = "@patrickrolsen" maltype = "Backdoor.APT.Mongall" version = "0.1" reference = "fd69a799e21ccb308531ce6056944842" date = "01/04/2014" strings: $author = "author user" $title = "title Vjkygdjdtyuj" nocase $comp = "company ooo" $cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10" $passwd = "password 00000000" condition: all of them } rule tran_duy_linh { meta: author = "@patrickrolsen" maltype = "Misc." version = "0.1" reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc." date = "2013-12-12" strings: $magic = {D0 CF 11 E0} //DOCFILE0 $string1 = "Tran Duy Linh" fullword $string2 = "DLC Corporation" fullword condition: $magic at 0 and all of ($string*) } rule web_log_review { meta: author = "@patrickrolsen" version = "0.1" reference = "Key words in weblogs - Very likely FPs in here." date = "2013-12-14" strings: $s = "GET /.htaccess" nocase $s0 = "GET /db/main.php" nocase $s3 = "GET /dbadmin/main.php" nocase $s4 = "GET /phpinfo.php" nocase $s5 = "GET /password" nocase $s6 = "GET /passwd" nocase $s7 = "GET /phpmyadmin2" nocase $s8 = "GET /c99shell.php" nocase $s9 = "GET /c99.php" nocase $s10 = "GET /response.write" nocase $s11 = "GET /&dir" nocase $s12 = "backdoor.php" nocase $s13 = "GET /.htpasswd" nocase $s14 = "GET /htaccess.bak" nocase $s15 = "GET /htaccess.txt" nocase $s16 = "GET /.bash_history" nocase $s17 = "GET /_sqladm" nocase $s18 = "'$IFS/etc/privpasswd;'" nocase $s19 = ";cat /tmp/config/usr.ini" nocase $s20 = "v0pCr3w" nocase $s21 = "eval(base64_decode" nocase $s22 = "nob0dyCr3w" nocase $s23 = "eval(gzinflate" nocase $s24 = "Hacked by" fullword $s25 = "%5Bcmd%5D" nocase $s26 = "[cmd]" nocase $s27 = "union+select" nocase $s28 = "UNION%20SELECT" nocase $s29 = "(str_rot13" nocase condition: any of ($s*) } rule acunetix_web_scanner { meta: author = "@patrickrolsen" version = "0.1" reference = "Acunetix Web Scanner" date = "2013-12-14" strings: $s = "acunetix_wvs_security_test" $s0 = "testasp.vulnweb.com" $s1 = "GET /www.acunetix.tst" condition: any of ($s*) } rule php_exploit_GIF { meta: author = "@patrickrolsen" maltype = "GIF Exploits" version = "0.1" reference = "code.google.com/p/caffsec-malware-analysis" date = "2013-12-14" strings: $magic = {47 49 46 38 ?? 61} // GIF8a $string1 = "; // md5 Login" nocase $string2 = "; // md5 Password" nocase $string3 = "shell_exec" $string4 = "(base64_decode" $string5 = "a $string1 = {3c 68 74 6d 6c 3e} // $string2 = {3c 48 54 4d 4c 3e} // condition: ($magic at 0) and (any of ($string*)) } rule web_shell_crews { meta: author = "@patrickrolsen" maltype = "Web Shell Crews" version = "0.4" reference = "http://www.exploit-db.com/exploits/24905/" date = "12/29/2013" strings: $mz = { 4d 5a } // MZ $string1 = "v0pCr3w" $string2 = "BENJOLSHELL" $string3 = "EgY_SpIdEr" $string4 = "HcJ" $string5 = "0wn3d" $string6 = "OnLy FoR QbH" $string7 = "wSiLm" $string8 = "b374k r3c0d3d" $string9 = "x'1n73ct|d" $string10 = "## CREATED BY KATE ##" $string11 = "Ikram Ali" $string12 = "FeeLCoMz" $string13 = "s3n4t00r" $string14 = "FaTaLisTiCz_Fx" $string15 = "feelscanz.pl" $string16 = "##[ KONFIGURASI" $string17 = "Created by Kiss_Me" $string18 = "Casper_Cell" $string19 = "# [ CREWET ] #" $string20 = "BY MACKER" $string21 = "FraNGky" $string22 = "1dt.w0lf" $string23 = "Modification By iFX" nocase condition: not $mz at 0 and any of ($string*) } rule misc_php_exploits { meta: author = "@patrickrolsen" version = "0.4" data = "12/29/2013" reference = "Virus Total Downloading PHP files and reviewing them..." strings: $mz = { 4d 5a } // MZ $php = "<?php" $string1 = "eval(gzinflate(str_rot13(base64_decode(" $string2 = "eval(base64_decode(" $string3 = "eval(gzinflate(base64_decode(" $string4 = "cmd.exe /c" $string5 = "eva1" $string6 = "urldecode(stripslashes(" $string7 = "preg_replace(\"/.*/e\",\"\\x" $string8 = "<?php echo \"<script>" $string9 = "'o'.'w'.'s'" // 'Wi'.'nd'.'o'.'w'.'s' $string10 = "preg_replace(\"/.*/\".'e',chr" $string11 = "exp1ode" $string12 = "cmdexec(\"killall ping;" $string13 = "r57shell.php" condition: not $mz at 0 and $php and any of ($string*) } rule zend_framework { meta: author = "@patrickrolsen" maltype = "Zend Framework" version = "0.3" date = ""12/29/2013"" strings: $mz = { 4d 5a } // MZ $php = "<?php" $string = "$zend_framework" nocase condition: not $mz at 0 and $php and $string } rule jpg_web_shell { meta: author = "@patrickrolsen" version = "0.1" data = "12/19/2013" reference = "http://www.securelist.com/en/blog/208214192/Malware_in_metadata" strings: $magic = { ff d8 ff e? } // e0, e1, e8 $string1 = "<script src" $string2 = "/.*/e" $string3 = "base64_decode" condition: ($magic at 0) and 1 of ($string*) }