08e8d462fe
RED PILL 🔴 💊
23 lines
957 B
Text
23 lines
957 B
Text
|
|
/* LENOVO Superfish -------------------------------------------------------- */
|
|
|
|
rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
|
|
meta:
|
|
description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
|
|
author = "Florian Roth (Nextron Systems) / improved by kbandla"
|
|
reference = "https://twitter.com/4nc4p/status/568325493558272000"
|
|
date = "2015/02/19"
|
|
hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
|
|
hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
|
|
hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
|
|
hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
|
|
id = "200c016e-7ad8-5b58-be5f-7866e91d60e9"
|
|
strings:
|
|
//$s1 = "VisualDiscovery.exe" fullword wide
|
|
$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
|
|
$s3 = "GetPCProxyHandler" fullword ascii
|
|
$s4 = "StartPCProxy" fullword ascii
|
|
$s5 = "SetPCProxyHandler" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 2MB and all of ($s*)
|
|
}
|