// NOTE(review): the "pe" module is not referenced by this rule's condition (the
// magic check below targets ELF, not PE); kept in case other rules in the file use it.
import "pe"

// Detects Irix exploit binaries (David Hedley's, see reference2) associated with the
// Moonlight Maze intrusion set. Despite the "windows" in the rule name, the
// condition matches ELF files, as the magic check shows.
rule malware_windows_moonlightmaze_IRIX_exploit_GEN
{
    meta:
        description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "https://www.exploit-db.com/exploits/19274/"
        author = "Kaspersky Lab"
        // Known sample hashes; the trailing comments are the sample names as given by the author.
        md5_1 = "008ea82f31f585622353bd47fa1d84be" // df3
        md5_2 = "a26bad2b79075f454c83203fa00ed50c" // log
        md5_3 = "f67fc6e90f05ba13f207c7fdaa8c2cab" // xconsole
        md5_4 = "5937db3896cdd8b0beb3df44e509e136" // xlock
        md5_5 = "f4ed5170dcea7e5ba62537d84392b280" // xterm

    strings:
        // Debug/format string printed by the exploit; the most specific indicator here.
        $fmt_string = "stack = 0x%x, targ_addr = 0x%x"
        // Generic error text; only meaningful in combination with $fmt_string.
        $execl_err  = "execl failed"

    condition:
        // uint32(0) is read little-endian, so 0x464c457f is the byte sequence
        // 7F 45 4C 46 = "\x7fELF", i.e. the file must start with the ELF magic.
        uint32(0) == 0x464c457f
        and $fmt_string
        and $execl_err
}