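// Flusihoc: Chinese DDoS bot family (see the reference URL in meta). The rule
// keys on the bot's flood-command vocabulary and host-profiling strings,
// corroborated by build artefacts (developer PDB path) left in the binary.
// A PE magic check at offset 0 rejects non-PE input before any string work.
rule flusihoc
{
	meta:
		author = "tnelson@arbor.net"
		company = "Arbor Networks"
		reference = "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/"
		date = "2017-07-06"
		description = "Chinese DDoS Bot related to Expleror"
		filetype = "exe"
		// MD5s of the samples this rule was written against.
		md50 = "7c04cef7061ecff84f50fbfa4f568611"
		md51 = "a81d8ed447170b930e89e482781393f6"
		md52 = "e6454373c877dfddcd5297b0049a58f8"

	strings:
		// Attack / reporting format strings: an HTTP-flood request template and a
		// pipe-delimited record terminated by "end".
		$ddos0 = "GET %s%s%s%s%s%s%s%s%s%s"
		$ddos1 = "%s|%s|%s|%s|%send"

		// Host profiling: CPU key and value name read from the registry, plus the
		// format used to render the result. All three are required by the condition.
		$info0 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
		$info1 = "~MHz"
		$info2 = "%d*%dMHz"

		// Flood command vocabulary; the condition requires every one of them.
		// NOTE: $cmd8 ("CC_Flood2") contains $cmd7 ("CC_Flood") as a substring, so
		// any file matching $cmd8 necessarily matches $cmd7 -- $cmd7 adds no extra
		// selectivity and is kept only so the full command list is visible here.
		$cmd0 = "SYN_Flood"
		$cmd1 = "UDP_Flood"
		$cmd2 = "ICMP_Flood"
		$cmd3 = "TCP_Flood"
		$cmd4 = "HTTP_Flood"
		$cmd5 = "DNS_Flood"
		$cmd6 = "CON_Flood"
		$cmd7 = "CC_Flood"
		$cmd8 = "CC_Flood2"

		// Build artefacts: the developer's profile path and the PDB file name.
		// Backslashes are doubled because YARA text strings use C-style escapes.
		$pdb0 = "C:\\Users\\chengzhen\\Desktop\\"
		$pdb1 = "\\svchost\\Release\\svchost.pdb"

		// Bot state strings. "null" occurs in a large fraction of arbitrary
		// binaries, so this group only feeds the weak "2 of" clause below.
		$status0 = "null"
		$status1 = "Idle"
		$status2 = "Busy"

		// CodeView signature that precedes the PDB path in MSVC-built PEs. It is
		// present in most MSVC builds, so it is only a weak corroborating indicator;
		// it was previously named $status3, which misdescribed what it is.
		$cv0 = "RSDS"

	condition:
		// MZ magic at offset 0: cheap early rejection of non-PE input.
		uint16(0) == 0x5A4D and
		// Any two of the weak format/state/CodeView strings.
		2 of ($ddos*, $status*, $cv*) and
		// The complete host-profiling and flood-command sets -- the strong part.
		all of ($info*, $cmd*) and
		// At least one build artefact.
		any of ($pdb*)
		// NOTE(review): no filesize bound is applied; if this rule is deployed
		// against large corpora, consider adding one once sample sizes are confirmed.
}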