rule BlackShades { meta: author = "Brian Wallace (@botnet_hunter)" date = "2014/04" ref = "http://malwareconfig.com/stats/PoisonIvy" ref = "http://blog.cylance.com/a-study-in-bots-blackshades-net" family = "blackshades" strings: $string1 = "bss_server" $string2 = "txtChat" $string3 = "UDPFlood" condition: all of them }