RED PILL 🔴 💊
// Adware.AdGazelle: build paths, product tokens and loader-module names.
rule AdwareAdGazelleSample
{
    meta:
        Description = "Adware.AdGazelle.vb"
        ThreatLevel = "5"

    strings:
        // build / output paths left in the binary
        $s1 = "D:\\popajar3" ascii wide
        $s2 = "d:\\Products\\ADX.IE.8" ascii wide
        // distinctive product tokens (with and without the space)
        $s3 = "squeakychocolate" ascii wide
        $s4 = "squeaky chocolate" ascii wide
        // loader module and its symbol files, 32- and 64-bit
        $s5 = "adxloader.dll" ascii wide
        $s6 = "adxloader.pdb" ascii wide
        $s7 = "adxloader64.dll" ascii wide
        $s8 = "adxloader64.pdb" ascii wide

    condition:
        // one artifact is enough; 'them' is every string above
        any of them
}

// Adware.Adpeak: two component DLL names.
rule AdwareAdpeakSample
{
    meta:
        Description = "Adware.Adpeak.vb"
        ThreatLevel = "5"

    strings:
        $dll1 = "dealcabby.dll" ascii wide
        $dll2 = "getsavin.dll" ascii wide

    condition:
        // either module name alone triggers the rule
        any of them
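}

// Adware.PricePeep: generic updater/browser-launch tokens plus build artifacts.
// Fix: the original declared "InstallUtil.pdb" twice ($a1 and $a3); the copy
// inflated "3 of them" without changing the outcome (any of ($a*) already
// fires on $a1), so it is dropped here.
rule AdwarePricePeepSample
{
    meta:
        Description = "Adware.PricePeep.vb"
        ThreatLevel = "5"

    strings:
        // weak tokens: only count towards the "3 of them" threshold
        $ = "BrandedUpdater" ascii wide
        $ = "default_browser" ascii wide
        $ = "LaunchDefaultBrowser" ascii wide
        $ = "LaunchBrowser" ascii wide

        // strong artifacts: any one is sufficient on its own
        $a1 = "InstallUtil.pdb" ascii wide
        $a2 = "C:\\managed\\root\\VTG_" ascii wide
        $a4 = "BrandedUpdater.pdb" ascii wide
        //$a5 = "PricePeep" ascii wide   // disabled in the original, kept for reference
        $a6 = "InstallUtil.cpp" ascii wide
        $a7 = "BrandedUpdater.cpp" ascii wide

    condition:
        (3 of them) or (any of ($a*))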
}

// Adware.BetterSurf.A: both spellings of the product name are required.
rule BetterSurfASample
{
    meta:
        Description = "Adware.BetterSurf.A.vb"
        ThreatLevel = "5"

    strings:
        $n1 = "Media Buzz" ascii wide
        $n2 = "MediaBuzz" ascii wide

        // script markers disabled in the original rule, kept for reference
        //$script1 = "document.getElementById('wsu_js" ascii wide
        //$script2 = "script.setAttribute('id','wsu_js" ascii wide

    condition:
        // both $n strings must be present
        all of ($n*)
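}

// Adware.BrowseFox: component file names plus a driver-install pair.
// Fix: ".expextdll.dll" was declared twice ($a2 and $a7); the duplicate is
// removed. The outcome is unchanged because any of ($a*) already fires on $a2.
rule AdwareBrowseFoxSample
{
    meta:
        Description = "Adware.BrowseFox.vb"
        ThreatLevel = "5"

    strings:
        // component names; any single one is sufficient
        $a2 = ".expextdll.dll" ascii wide
        $a3 = ".IEUpdate.pdb" ascii wide
        $a4 = ".Repmon.dll" ascii wide
        $a5 = ".BRT.Helper.exe" ascii wide
        $a6 = ".BrowserAdapter.pdb" ascii wide
        $a8 = ".browseradapter64.exe" ascii wide
        $a9 = ".purbrowse.exe" ascii wide
        $a10 = "BrowserFilter.exe" ascii wide
        $a11 = ".Bromon.dll" ascii wide
        $a12 = ".OfSvc.dll" ascii wide
        $a13 = ".GCUpdate.dll" ascii wide
        $a14 = ".BroStats.dll" ascii wide
        $a15 = ".BOAS.dll" ascii wide
        $a16 = ".BrowserAdapterS.dll" ascii wide
        $a17 = ".PurBrowse64.exe" ascii wide

        // driver path template plus filter name; both are required together
        $b1 = "system32\\drivers\\%s.sys" ascii wide
        $b2 = "FilterApp" ascii wide

    condition:
        (any of ($a*)) or (all of ($b*))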
}

// Adware.Conduit.A: installer-check symbols and a client marker.
rule ConduitASample
{
    meta:
        Description = "Adware.Conduit.A.vb"
        ThreatLevel = "5"

    strings:
        $s1 = "GetSpeedBrowserInstalled" ascii wide
        $s2 = "SpeedBrowserAlreadyInstalled" ascii wide
        $s3 = "Injekt SVN - client" ascii wide

    condition:
        any of them
}
// Adware.Conduit.B: AboutTabs symbols, mutex names and a toolbar API class.
rule ConduitBSample
{
    meta:
        Description = "Adware.Conduit.B.vb"
        ThreatLevel = "5"

    strings:
        // AboutTabs class / setting names
        $ = "CAboutTabsInjector_" ascii wide
        $ = "AboutTabsDataUrlPublisher" ascii wide
        $ = "AboutTabsDataUrlConduit" ascii wide
        $ = "AboutTabsUsageUrl" ascii wide
        $ = "AboutTabsEnabledByUser" ascii wide
        $ = "AboutTabsEnabledByConduit" ascii wide
        $ = "AboutTabsEnabledByPublisher" ascii wide
        $ = "SearchInNewTabContent.xml" ascii wide
        // mutex names and toolbar API class
        $ = "CONDUIT_CHEVRON_MUTEX" ascii wide
        $ = "CConduitExternalForTBAPI" ascii wide
        $ = "EI_Toolbar_Update_Mutex" ascii wide

    condition:
        // any single artifact suffices
        any of them
}

// Adware.ConvertAd: ad-router URL and component file names.
rule AdwareConvertAdSample
{
    meta:
        Description = "Adware.ConvertAd.vb"
        ThreatLevel = "5"

    strings:
        $url = "http://download-servers.com/SysInfo/adrouteservice/adrouter.php" ascii wide
        $f1 = "ConvertAd.html" ascii wide
        $f2 = "ConvertAd.exe" ascii wide

    condition:
        any of them
}

// Adware.Crossrider.A: weak module/registry tokens (threshold) plus strong
// Crossrider-specific symbols and build paths (any one suffices).
rule AdwareCrossriderSampleA
{
    meta:
        Description = "Adware.Crossrider.A.sm"
        ThreatLevel = "5"

    strings:
        // weak tokens, only counted towards "3 of them"
        $ = "-bho.dll" ascii wide
        $ = "-bho64.dll" ascii wide
        $ = "-buttonutil64.dll" ascii wide
        $ = "-buttonutil.dll" ascii wide
        $ = "-BrowserEventSandBox" ascii wide
        $ = "CrossriderApp" ascii wide
        // NOTE: the two App Paths keys are standard registry locations and are
        // not specific to this family; they contribute to the count only.
        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\chrome.exe" ascii wide
        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe" ascii wide
        $ = "IEInject_Win32.dll" ascii wide
        $ = "bg_debug.js" ascii wide
        $ = "new_debug.js" ascii wide
        $ = "Browser Process id" ascii wide
        $ = "BHO Process id" ascii wide
        $ = "BhoRunningVersion" ascii wide
        $ = "-nova64.dll" ascii wide

        // strong artifacts ($str4 is intentionally absent in the original)
        $str1 = "crossrider-buttonutil.pdb" ascii wide
        $str2 = "AVCCrossriderButtonHelper" ascii wide
        $str3 = "AVCCrossRiderLogger" ascii wide
        $str5 = "AddCrossRiderSearchProvider" ascii wide
        $str6 = "C:\\BUILD_AVZR2\\WhiteRabbit" ascii wide
        $str7 = "CrossriderBHO" ascii wide
        $str8 = "215AppVerifier" ascii wide
        $str9 = "Crossrider BHO Version" ascii wide
        $str10 = "brightcircleinvestments.com" ascii wide
        $str11 = "CrossriderNotification.pdb" ascii wide
        $str12 = "C:\\Users\\cross\\Desktop\\compilation_bot_area" ascii wide

    condition:
        (3 of them) or (any of ($str*))
}
// Adware.Crossrider.B: "crossbrowse" update path, install path, domain and PDB.
rule AdwareCrossriderSampleB
{
    meta:
        Description = "Adware.Crossrider.B.vb"
        ThreatLevel = "5"

    strings:
        $s1 = "crossbrowse/updater/{{camp_id}}/{{version}}/{{secret}}/update.json" ascii wide
        $s2 = "Crossbrowse\\Crossbrowse\\Application\\crossbrowse.exe" ascii wide
        $s3 = "allnetserveline.com/crossbrowse" ascii wide
        $s4 = "C:\\workspace\\crossbrowse" ascii wide
        $s5 = "CrossriderBrowserInstaller.pdb" ascii wide

    condition:
        any of them
}
// Adware.DealPly: a single installer-artifact file name.
rule AdwareDealPlySample
{
    meta:
        Description = "Adware.DealPly.vb"
        ThreatLevel = "5"

    strings:
        $prq = "dealply.prq" ascii wide

    condition:
        // single string: 'any of them' is equivalent to $prq
        any of them
}

// Adware.Dlhelper: contact e-mail addresses, a UI panel name and download hosts.
rule AdwareDlhelperAdSample
{
    meta:
        Description = "Adware.Dlhelper.vb"
        ThreatLevel = "5"

    strings:
        // e-mail addresses embedded in samples
        $ = "trifonov@onegbsoft.ru" ascii wide
        $ = "bulovackiy@dontehnoservis.com.ua" ascii wide
        $ = "contacts@dayzgames.com" ascii wide
        $ = "admin@mayris.org" ascii wide
        $ = "support@dlhelper.com" ascii wide

        // UI element name
        $ = "Panel_OffersList" ascii wide

        // hosts
        $ = "http://dlhelper.com" ascii wide
        $ = "http://sendme9.ru" ascii wide
        $ = "http://sendme3.ru" ascii wide
        $ = "http://trustfile3.ru" ascii wide
        $ = "http://trustfile9.ru" ascii wide
        $ = "http://downloaditeasy.ru" ascii wide

    condition:
        any of them
}

// Adware.Downloader.A: a fixed set of uncommon words and control names that
// must all co-occur.
rule AdwareDownloaderA
{
    meta:
        Description = "Adware.Downloader.A.vb"
        ThreatLevel = "5"

    strings:
        $w1 = "odiassi" ascii wide
        $w2 = "stavers" ascii wide
        $w3 = "trollimog" ascii wide
        $w4 = "diapause" ascii wide
        $c1 = "UserControl1" ascii wide
        $c2 = "listboxmod01" ascii wide

    condition:
        // every string is required; dropping one breaks the match
        all of them
}

// Adware.ELEX.A: distribution hosts and build-tree paths.
rule AdwareELEXSampleA
{
    meta:
        Description = "Adware.ELEX.A.vb"
        ThreatLevel = "5"

    strings:
        $host1 = "www.freeappstools.com" ascii wide
        $host2 = "dl.elex.soft365.com" ascii wide
        $path1 = "E:\\Code\\FileSyn\\Bin" ascii wide
        $path2 = "E:\\Code_SVN\\FileSyn\\Bin" ascii wide

    condition:
        any of them
}
// Adware.ELEX.B: SFKEX module names, a PDB path, hosts and an opaque token.
rule AdwareELEXSampleB
{
    meta:
        Description = "Adware.ELEX.B.vb"
        ThreatLevel = "5"

    strings:
        $pdb = "Release\\SFKEX.pdb" ascii wide
        $s1 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma" ascii wide
        $s2 = "http://xa.xingcloud.com/v4/sof-everything" ascii wide
        $s3 = "http://www.mysearch123.com" ascii wide
        $s4 = "SFKEX.exe" ascii wide
        $s5 = "SFKEX.dll" ascii wide
        $s6 = "SFKURL" ascii wide

    condition:
        // two distinct artifacts are needed, $pdb counts like any other
        2 of them
}
// Adware.ELEX (common): browser profile / home-page settings paths and browser
// process names. None of these strings is specific to the family on its own;
// the rule relies on all of them co-occurring.
rule AdwareELEXSampleCommon
{
    meta:
        Description = "Adware.ELEX.vb"
        ThreatLevel = "5"

    strings:
        // Firefox profile and preference files
        $ = "\\Mozilla\\Firefox\\" ascii wide
        $ = "profiles.ini" ascii wide
        $ = "Profile0" ascii wide
        $ = "\\prefs.js" ascii wide
        $ = "user_pref" ascii wide
        $ = "browser.startup.homepage" ascii wide
        // Chrome user data and preferences
        $ = "\\Google\\Chrome\\User Data\\" ascii wide
        $ = "\\Secure Preferences" ascii wide
        $ = "startup_urls" ascii wide
        // Internet Explorer start page key / value
        $ = "Software\\Microsoft\\Internet Explorer\\Main" ascii wide
        $ = "Start Page" ascii wide
        // browser executables
        $ = "chrome.exe" ascii wide
        $ = "iexplore.exe" ascii wide
        $ = "firefox.exe" ascii wide

    condition:
        all of them
}

// Adware.StormWatch: domain, PDB, executable name and a feature token.
rule AdwareStormWatchSample
{
    meta:
        Description = "Adware.StormWatch.vb"
        ThreatLevel = "5"

    strings:
        $s1 = "localstormwatch.com" ascii wide
        $s2 = "StormWatch.pdb" ascii wide
        $s3 = "StormWatch.exe" ascii wide
        $s4 = "ActiveDeals" ascii wide

    condition:
        any of them
}

// Adware.Genieo: PDB names, domains, vendor string, registry keys, executables
// and runtime markers. Any single artifact matches.
rule AdwareGenieoSample
{
    meta:
        Description = "Adware.Genieo.vb"
        ThreatLevel = "5"

    strings:
        // symbol files, hosts and vendor name
        $h1 = "gentray.pdb" ascii wide
        $h2 = "genupdater.pdb" ascii wide
        $h3 = "www.genieo.com" ascii wide
        $h4 = "userfeedback-genieo.appspot.com" ascii wide
        $h5 = "Genieo Innovation LTD" ascii wide

        // registry keys (both capitalisations)
        $str1 = "Software\\Genieo" ascii wide
        $str2 = "SOFTWARE\\Genieo" ascii wide

        // executables ($str3/$str4 intentionally absent in the original)
        $str5 = "genieo.exe" ascii wide
        $str6 = "genieutils.exe" ascii wide
        $str7 = "genupdater.exe" ascii wide

        // runtime markers
        $str8 = "__Genieo_" ascii wide
        $str9 = "GenieoUpdaterServiceCleaner" ascii wide
        $str10 = "GENIEO_TRAY_UI" ascii wide

    condition:
        any of them
}

// Adware.Imali: a single distribution host.
rule AdwareImaliSample
{
    meta:
        Description = "Adware.Imali.vb"
        ThreatLevel = "5"

    strings:
        $host = "www.freemediaplayer.tv" ascii wide

    condition:
        any of them
}

// Adware.InstallCore: landing-page and CDN host names.
rule AdwareInstallCoreSample
{
    meta:
        Description = "Adware.InstallCore.vb"
        ThreatLevel = "5"

    strings:
        $h1 = "www.mynicepicks.com" ascii wide
        $h2 = "www.ultimatepdfconverter.com" ascii wide
        $h3 = "www.coolpdfcreator.com" ascii wide
        $h4 = "cdnus.ironcdn.com" ascii wide
        $h5 = "esd.baixaki.com.br" ascii wide
        $h6 = "cdneu2.programmersupply.com" ascii wide

    condition:
        any of them
}

// Adware.Linkury.A: product names, browser helper class names and property
// getters for the browser-settings UI. Two distinct strings are required.
rule LinkuryASample
{
    meta:
        Description = "Adware.Linkury.A.vb"
        ThreatLevel = "5"

    strings:
        // product / helper names
        $ = "Smartbar" ascii wide
        $ = "Linkury" ascii wide
        $ = "ChromeUtils" ascii wide
        $ = "FirefoxUtils" ascii wide
        $ = "AddBundledSoftware" ascii wide
        $ = "UpdateToolbarState" ascii wide
        $ = "New Tab Search" ascii wide

        // property getter names
        $ = "get_BrowserIsOpen" ascii wide
        $ = "get_BetterSearchResults" ascii wide
        $ = "get_AllYourBrowsers" ascii wide
        $ = "get_ChangeHomepageAndSearch" ascii wide
        $ = "get_BrowserSettingsProtectOk" ascii wide
        $ = "get_BrowserSettingsChange" ascii wide
        $ = "get_BrowserSettingsProtectChange" ascii wide
        $ = "get_BrowserSettingsProtectDescription" ascii wide
        $ = "get_BrowserSettingsProtectHeader" ascii wide
        $ = "get_BrowserSettingsProtectKeep" ascii wide

    condition:
        2 of them
}
// Adware.Linkury.B: a single build-path PDB string.
rule LinkuryBSample
{
    meta:
        Description = "Adware.Linkury.B.vb"
        ThreatLevel = "5"

    strings:
        $pdb = "C:\\Cranberry\\bin\\CaraDelevigne\\Cara.pdb" ascii wide

    condition:
        any of them
}

// Adware.MyWebSearch: toolbar PDB names and the vendor name / domain.
rule MyWebSearchSample
{
    meta:
        Description = "Adware.MyWebSearch.vb"
        ThreatLevel = "5"

    strings:
        $pdb1 = "t8Setup1.pdb" ascii wide
        $pdb2 = "t8EIPlug.pdb" ascii wide
        $pdb3 = "t8EzSetp.pdb" ascii wide
        $pdb4 = "NPt8EISB.pdb" ascii wide
        $vendor = "Mindspark Interactive Network" ascii wide
        $domain = "mindspark.com" ascii wide

    condition:
        any of them
}

// Adware.NextLive: engine module names and an SVN working-copy path.
rule NextLiveSample
{
    meta:
        Description = "Adware.NextLive.vb"
        ThreatLevel = "5"

    strings:
        $s1 = "nengine.pdb" ascii wide
        $s2 = "nengine.dll" ascii wide
        $s3 = "D:\\svn.thecodeway.com\\private\\nlive\\trunk" ascii wide

    condition:
        any of them
}

// Adware.ObronaAds: product identifiers (any one matches) plus ad-injection
// symbols and source-file names (three required).
rule ObronaAdsSample
{
    meta:
        Description = "Adware.ObronaAds.vb"
        ThreatLevel = "5"

    strings:
        // product / service identifiers, strong on their own
        $i1 = "ObronaBlockAds" ascii wide
        $i2 = "Obrona Block Ads" ascii wide
        $i3 = "ObronaVPN" ascii wide
        $i4 = "OBRONA_PROXY" ascii wide
        $i5 = "SecurityAndShoppingAdvisor" ascii wide
        $i6 = "SASAService" ascii wide
        $i7 = "http://update.obrona.org" ascii wide
        $i8 = "Proxy-agent: SASA Proxy" ascii wide
        $i9 = "Proxy\\AdsInjectionContentProvider.cpp" ascii wide

        // weaker symbols; three of any strings are needed
        $ = "sendBrowsersHistoryKeywords" ascii wide
        $ = "startWatcher" ascii wide
        $ = "HelperApplication" ascii wide
        $ = "enableAds" ascii wide
        $ = "enableInjecting" ascii wide
        $ = "disableInjecting" ascii wide
        $ = "requestNewAdsUrl" ascii wide
        $ = "requestAdsIgnoredDomains" ascii wide
        $ = "startSendingSearchKeywords" ascii wide
        $ = "AdsService" ascii wide
        $ = "ServiceProxy.cpp" ascii wide
        $ = "HelperApplication.cpp" ascii wide
        $ = "Updater.cpp" ascii            // ascii only in the original (no wide)
        $ = "WebProxy.cpp" ascii wide

    condition:
        (any of ($i*)) or (3 of them)
}

// Adware.OpenCandy: a single CDN URL.
rule AdwareOpenCandySample
{
    meta:
        Description = "Adware.OpenCandy.vb"
        ThreatLevel = "5"

    strings:
        $cdn = "http://cdn.opencandy.com" ascii wide

    condition:
        any of them
}

// Adware.OutBrowse: installer / download host names.
rule AdwareOutBrowseSample
{
    meta:
        Description = "Adware.OutBrowse.vb"
        ThreatLevel = "5"

    strings:
        $h1 = "cdn.install.playbryte.com" ascii wide
        $h2 = "download.2yourface.com" ascii wide
        $h3 = "www.default-page.com" ascii wide
        $h4 = "install2.optimum-installer.com" ascii wide
        $h5 = "downloadzone.org" ascii wide

    condition:
        any of them
}

// Adware.PullUpdate: distribution domains, product names, cookie-reader class
// names and the app/service executable pairs of the bundled "apps".
rule AdwarePullUpdateSample
{
    meta:
        Description = "Adware.PullUpdate.vb"
        ThreatLevel = "5"

    strings:
        // distribution domains
        $ = "gettvwizard.com" ascii wide
        $ = "getsharethis.com" ascii wide
        $ = "thewebguard.com" ascii wide
        $ = "astro-arcade.com" ascii wide
        $ = "instashareonline.com" ascii wide
        $ = "safewebonline.com" ascii wide
        $ = "downloadmeteoroids.com" ascii wide
        $ = "moviemasterapp.com" ascii wide
        $ = "watchzombieinvasion.com" ascii wide
        $ = "freevideoconverterapp.com" ascii wide

        // product / vendor names (TV Wizard variants disabled in the original)
        // $ = "TVWizard" ascii wide
        //$ = "TV Wizard" ascii wide
        $ = "AstroArcade" ascii wide
        $ = "WebGuard Deleter" ascii wide
        $ = "SmallIslandDevelopment" ascii wide
        $ = "Data Protection Solutions" ascii wide

        // browser cookie reader class names
        $ = "AVFirefoxCookieReader" ascii wide
        $ = "AVChromeCookieReader" ascii wide
        $ = "AVInternetExplorerCookieReader" ascii wide
        $ = "AVBrowserCookieReader" ascii wide

        // app / service executable pairs
        $ = "VideoDimmer.exe" ascii wide
        $ = "VideoDimmerService.exe" ascii wide
        $ = "WebGuard.exe" ascii wide
        $ = "WebGuardService.exe" ascii wide
        $ = "HealthAlert.exe" ascii wide
        $ = "HealthAlertService.exe" ascii wide
        $ = "CrimeWatch.exe" ascii wide
        $ = "CrimeWatchService.exe" ascii wide
        $ = "SafeWeb.exe" ascii wide
        $ = "SafeWebService.exe" ascii wide
        $ = "Meteoroids.exe" ascii wide
        $ = "MeteoroidsService.exe" ascii wide
        $ = "Websteroids.exe" ascii wide
        $ = "WebsteroidsService.exe" ascii wide
        $ = "WebShield.exe" ascii wide
        $ = "WebShieldService.exe" ascii wide
        $ = "ZombieNews.exe" ascii wide
        $ = "ZombieNewsService.exe" ascii wide
        $ = "CelebrityAlert.exe" ascii wide
        $ = "CelebrityAlertService.exe" ascii wide
        $ = "MovieMaster.exe" ascii wide
        $ = "MovieMasterService.exe" ascii wide
        $ = "ZombieInvasion.exe" ascii wide
        $ = "ZombieInvasionService.exe" ascii wide
        $ = "BreakingNewsAlert.exe" ascii wide
        $ = "BreakingNewsAlertService.exe" ascii wide

    condition:
        // any single string matches; note that several executable names are
        // short and generic-looking, so this rule is intentionally broad
        any of them
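}

// Adware.SProtect: product names, loader DLLs and a CLSID (two required) plus
// PDB names and install artifacts (any one suffices).
// Fix: "Search Protector" was declared twice, once anonymously and once as
// $pdb10; the anonymous copy is removed. The outcome is unchanged because
// any of ($pdb*) already fires on $pdb10 whenever that string is present.
rule SearchProtectSample
{
    meta:
        Description = "Adware.SProtect.vb"
        ThreatLevel = "5"

    strings:
        // product names and modules; two of any strings are required
        $ = "Search Protect" ascii wide
        $ = "SearchProtect" ascii wide
        $ = "SearchProtector" ascii wide
        $ = "ClientConnect" ascii wide
        $ = "SPVC32.dll" ascii wide
        $ = "SPVC32Loader.dll" ascii wide
        $ = "SPVC64.dll" ascii wide
        $ = "SPVC64Loader.dll" ascii wide
        $ = "SProtector" ascii wide
        $ = "AppendInit.dll" ascii wide
        $ = "{12DA0E6F-5543-440C-BAA2-28BF01070AFA}" ascii wide

        // strong artifacts; any one suffices
        $pdb1 = "CltMngSvc.pdb" ascii wide
        $pdb2 = "SPtool.pdb" ascii wide
        $pdb3 = "SPtool64.pdb" ascii wide
        $pdb4 = "SPVC32.pdb" ascii wide
        $pdb5 = "SPVC64.pdb" ascii wide
        $pdb6 = "SPVC32Loader.pdb" ascii wide
        $pdb7 = "SPVC64Loader.pdb" ascii wide
        $pdb8 = "cltmng.pdb" ascii wide
        $pdb9 = "MiniStubUtils.pdb" ascii wide
        $pdb10 = "Search Protector" ascii wide
        $pdb11 = "%programfiles%\\Free Offers from" ascii wide
        $pdb12 = "TestSearchProtect" ascii wide
        $pdb13 = "ProtectService.pdb" ascii wide
        $pdb14 = "E:\\supsoft" ascii wide
        $pdb15 = "BrowerWatch.dll" ascii wide

    condition:
        (2 of them) or (any of ($pdb*))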
}

// Adware.SearchSuite: search-redirect domain names. Any one matches, so the
// rule is broad by design (the product-name string is disabled).
rule SearchSuiteSample
{
    meta:
        Description = "Adware.SearchSuite.vb"
        ThreatLevel = "5"

    strings:
        //$ = "SearchSuite" ascii wide
        $ = "searchcore.net" ascii wide
        $ = "searchnu.com" ascii wide
        $ = "searchqu.com" ascii wide
        $ = "searchsheet.com" ascii wide
        $ = "adoresearch.com" ascii wide
        $ = "newsearchtab.com" ascii wide
        $ = "searchsupreme.com" ascii wide
        $ = "mlsearch.com" ascii wide
        $ = "insertsearch.com" ascii wide
        $ = "gotsearch.com" ascii wide
        $ = "search.ask.com" ascii wide
        $ = "search-results.com" ascii wide
        $ = "default-search.net" ascii wide
        $ = "imesh web search" ascii wide

    condition:
        any of them
}

// Adware.Sendori: PDBs, drivers, DLLs, executables, named pipe, registry keys
// and service / vendor strings. Any single artifact matches.
rule AdwareSendoriSample
{
    meta:
        Description = "Adware.Sendori.vb"
        ThreatLevel = "5"

    strings:
        // symbol files and kernel drivers
        $ = "SendoriSvc.pdb" ascii wide
        $ = "SendoriTray.pdb" ascii wide
        $ = "sendori64f.sys" ascii wide
        $ = "sendori64r.sys" ascii wide
        $ = "sendori32.sys" ascii wide

        // user-mode modules and executables
        $ = "Sendori.dll" ascii wide
        $ = "SendoriProxy.dll" ascii wide
        $ = "SendoriUp.exe" ascii wide
        $ = "SendoriSvc.exe" ascii wide
        $ = "SendoriTray.exe" ascii wide
        $ = "SendoriControl.exe" ascii wide
        $ = "sendori-win-upgrader.exe" ascii wide

        // IPC and registry locations
        $ = "\\\\.\\pipe\\Sendori" ascii wide
        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sendori" ascii wide
        $ = "SOFTWARE\\Sendori" ascii wide

        // vendor, service and component names
        $ = "Sendori, Inc" ascii wide
        $ = "Sendori Service" ascii wide
        $ = "Service Sendori" ascii wide
        $ = "Application Sendori" ascii wide
        $ = "SendoriLSP" ascii wide
        $ = "Sendori Elevated Service Controller" ascii wide
        $ = "Sendori-Client" ascii wide
        $ = "SENDORI_UPGRADE_ASSISTANT" ascii wide

    condition:
        any of them
}

// Adware.SimplyTech: toolbar module names and the Surf Canyon product name.
rule SimplyTechSample
{
    meta:
        Description = "Adware.SimplyTech.vb"
        ThreatLevel = "5"

    strings:
        $s1 = "wtb_64.pdb" ascii wide
        $s2 = "wtb_64.DLL" ascii wide
        $s3 = "wtb.ToolbarInfo" ascii wide
        $s4 = "Surf Canyon" ascii wide
        $s5 = "surfcanyon" ascii wide

    condition:
        any of them
}

// Adware.SmartApps: the full set of cookie get/set symbols is required, plus
// at least one module / API token from the $a group.
rule SmartAppsSample
{
    meta:
        Description = "Adware.SmartApps.vb"
        ThreatLevel = "5"

    strings:
        // NOTE: $a3, $a5 and $a6 look like common Win32 API / UI tokens rather
        // than family-specific strings; the $b group carries the specificity.
        $a1 = "Unicows.dll" ascii wide
        $a2 = "FrameworkBHO.DLL" ascii wide
        $a3 = "URLDownloadToFile" ascii wide
        $a4 = "getExtensionFileContents" ascii wide
        $a5 = "Toolbar" ascii wide
        $a6 = "GdiplusStartup" ascii wide

        // cookie access symbols; all four are required ($b4 absent in original)
        $b1 = "getCookieW" ascii wide
        $b2 = "setCookieW" ascii wide
        $b3 = "InternetSetCookieW" ascii wide
        $b5 = "InternetGetCookieExW" ascii wide

    condition:
        (all of ($b*)) and (any of ($a*))
}

// Adware.Solimbda: API host and offers token, both required.
rule AdwareSolimbdaSample
{
    meta:
        Description = "Adware.Solimbda.vb"
        ThreatLevel = "5"

    strings:
        $api = "http://api.downloadmr.com" ascii wide
        $tok = "SuggestedApps" ascii wide

    condition:
        all of them
}

// Adware.Trioris: injected script names, domains and an author name.
rule TriorisSample
{
    meta:
        Description = "Adware.Trioris.vb"
        ThreatLevel = "5"

    strings:
        $js1 = "instamarket.js" ascii wide
        $js2 = "instamarketoff.js" ascii wide
        $d1 = "trioris.net" ascii wide
        $d2 = "storegid.com" ascii wide
        $d3 = "screentoolkit.com" ascii wide
        $name = "Sergey Cherezov" ascii wide

    condition:
        any of them
}

// Adware.Vitruvian: product names, domains and an IE client PDB.
rule AdwareVitruvianSample
{
    meta:
        Description = "Adware.Vitruvian.vb"
        ThreatLevel = "5"

    strings:
        $p1 = "WordProser" ascii wide
        $p2 = "vitruvian" ascii wide
        $d1 = "gethighlightly.com" ascii wide
        $d2 = "betterbrainapp.com" ascii wide
        $d3 = "wordproser.com" ascii wide
        $d4 = "intellitermapp.com" ascii wide
        $pdb = "BetterBrainClientIE.pdb" ascii wide

    condition:
        any of them
}

// Adware.Wajam: service / product tokens (three required) plus PDB, copyright
// and proxy strings (any one suffices).
rule AdwareWajamSample
{
    meta:
        Description = "Adware.Wajam.vb"
        ThreatLevel = "5"

    strings:
        // weak tokens, counted towards "3 of them"
        // NOTE: "D:\jenkins\workspace" is a generic CI build path and is not
        // specific to this family.
        $ = "fastnfreedownload.com" ascii wide
        $ = "InternetEnhancer.exe" ascii wide
        $ = "InternetEnhancerService.exe" ascii wide
        $ = "WJManifest" ascii wide
        $ = "WaInterEnhance" ascii wide
        $ = "ping_wajam" ascii wide
        $ = "D:\\jenkins\\workspace" ascii wide
        $ = "WajamService" ascii wide
        $ = "AVCWJService" ascii wide
        $ = "Internet Enhancer Service" ascii wide

        // strong artifacts (listed in numeric order; original had $a4 second)
        $a1 = "WajamInternetEnhancerService.pdb" ascii wide
        $a2 = "Wajam. All right reserved" ascii wide
        $a3 = "Wajam.Proxy" ascii wide
        $a4 = "WHttpServer.pdb" ascii wide

    condition:
        (3 of them) or (any of ($a*))
}

// Trojan.Agony: device names, help text and a PDB path of the "agony" driver.
rule RootkitSampleDriverAgony
{
    meta:
        Description = "Trojan.Agony.sm"
        ThreatLevel = "5"

    strings:
        // NOTE on counting: "agony" is a substring of "DosDevices\agony",
        // "Device\agony", "agony rootkit" and the usage line, so one of those
        // occurrences contributes two hits towards "3 of them". Likewise
        // "ervices.exe" / "ERVICES.EXE" match any mention of services.exe and
        // are not family-specific on their own.
        $ = "DosDevices\\agony" ascii wide
        $ = "Device\\agony" ascii wide
        $ = "VOLUME.INI" ascii wide
        $ = "ERVICES.EXE" ascii wide
        $ = "ervices.exe" ascii wide
        $ = "agony rootkit" ascii wide
        $ = "agony" ascii wide
        $ = "for exemple: agony -p process1.exe process2.exe" ascii wide

        // symbol file, sufficient on its own
        $a = "i386\\agony.pdb" ascii wide

    condition:
        (3 of them) or $a
}
// Adware.WebTools: a log file name and the word "agony" (weak, three required)
// plus PDB / module names (any one suffices).
rule AdwareSampleWebTools
{
    meta:
        Description = "Adware.WebTools.sm"
        ThreatLevel = "5"

    strings:
        // weak tokens, counted towards "3 of them"
        $g1 = "IEctrl.log" ascii wide
        $g2 = "agony" ascii wide

        // strong artifacts ($s0 listed after $s1 in the original)
        $s0 = "GatesInstall.pdb" ascii wide
        $s1 = "Gates.pdb" ascii wide
        $s2 = "IECtrl.pdb" ascii wide
        $s3 = "svch0st.exe" ascii wide
        $s4 = "SESDKDummy.dll" ascii wide
        $s5 = "SESDKDummy64.dll" ascii wide

    condition:
        // note: $s* strings match case-sensitively ("IECtrl" vs "IEctrl")
        (3 of them) or (any of ($s*))
}

// Adware.WebWatcher: build-server path and release PDB paths.
rule AdwareWebWatcherSample
{
    meta:
        Description = "Adware.WebWatcher.vb"
        ThreatLevel = "5"

    strings:
        $build = "E:\\BuildSource\\7\\WindowsClient\\WindowsClient.Client.RC\\Binaries" ascii wide
        $pdb1 = "Release DlpHook\\mcapp.pdb" ascii wide
        $pdb2 = "Release DlpHook\\mcsc.pdb" ascii wide
        $pdb3 = "Release Sonar\\Shim64.pdb" ascii wide
        $pdb4 = "Release Sonar\\Shim.pdb" ascii wide

    condition:
        any of them
}

// Adware.iBryte: installer host names.
rule AdwareiBryteSample
{
    meta:
        Description = "Adware.iBryte.vb"
        ThreatLevel = "5"

    strings:
        $h1 = "install.ibryte.com" ascii wide
        $h2 = "pn-installer28.com" ascii wide

    condition:
        any of them
}

// Adware.uKor: mutex names, agent names and PHP endpoint paths (two required)
// plus one wildcarded code pattern that is sufficient on its own.
rule AdwareUCSKoreaSample
{
    meta:
        Description = "Adware.uKor.sm"
        ThreatLevel = "5"

    strings:
        // mutex and agent names
        $ = "_uninstall_Mutex" ascii wide
        $ = "_updater_Mutex" ascii wide
        $ = "_main_Mutex" ascii wide
        $ = "_install_Mutex" ascii wide
        $ = "main_agent" ascii wide
        $ = "updater_agent" ascii wide

        // server-side endpoint paths
        $ = "APP/bundle.php" ascii wide
        $ = "APP/update_ck.php?v1" ascii wide
        $ = "APP/bundle_stat.php?v1" ascii wide
        $ = "APP/stat.php?v1" ascii wide
        $ = "co.kr/mbk.php?v1" ascii wide
        $ = "co.kr/etc/yak_app.htm" ascii wide

        // code pattern with wildcarded addresses / displacements (unchanged)
        $hex1 = { 51 a1 ?? ?? ?? ?? 56 68 80 1f 40 00 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 d2 68 b8 0b 00 00 8d ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 04 85 c0 74 ?? 68 3f 00 0f 00 6a 00 6a 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8b ?? ?? ?? ?? ?? 68 ff 01 0f 00 51 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 74 ?? 6a 00 6a 04 e8 ?? ?? ?? ?? 83 c4 08 68 c8 e8 41 00 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 00 6a 01 e8 ?? ?? ?? ?? 83 c4 08 eb ?? 8b ?? ?? ?? 68 28 6e 42 00 6a 01 56 ff ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 5e 74 ?? 6a 00 ff ?? ?? ?? ?? ?? 8b d0 b8 01 00 00 00 e8 ?? ?? ?? ?? 83 c4 04 59 c2 08 00}

    condition:
        (2 of them) or (any of ($hex*))
}

// Backdoor.Bladabindi.A: command strings, firewall/self-delete command lines,
// config keys and a C2 hostname. Five distinct strings are required.
rule BladabindiASample
{
    meta:
        Description = "Backdoor.Bladabindi.A.vb"
        ThreatLevel = "5"

    strings:
        // command lines executed by the bot
        $ = "shutdown -r -t 00" ascii wide
        $ = "netsh firewall add allowedprogram" ascii wide
        $ = "netsh firewall delete allowedprogram" ascii wide
        $ = "cmd.exe /k ping 0 & del" ascii wide
        $ = "set cdaudio door closed" ascii wide
        $ = "set cdaudio door open" ascii wide

        // command / setting names (some are generic-looking; the threshold of
        // five keeps them from matching on their own)
        $ = "ReceiveBufferSize" ascii wide
        $ = "SendBufferSize" ascii wide
        $ = "restartcomputer" ascii wide
        $ = "NoWindowsUpdate" ascii wide
        $ = "winupdateoff" ascii wide
        $ = "DisableTaskMgr" ascii wide

        // VM window class, placeholder and C2 host
        $ = "VMDragDetectWndClass" ascii wide
        $ = "%dark%" ascii wide
        $ = "microwaveone.ddns.net" ascii wide

    condition:
        5 of them
}

// Backdoor.Dedipros: base64 alphabet fused with a DLL name, a rundll32 command
// line, a dropped DLL path, a reversed temp path, a service key and a log name.
rule BackdoorDediprosA
{
    meta:
        Description = "Backdoor.Dedipros.rc"
        ThreatLevel = "5"

    strings:
        $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/advapi32.dll" ascii wide
        $s2 = "rundll32.exe %s, CodeMain lpServiceName" ascii wide
        $s3 = "C:\\Windows\\System32\\Rundlla.dll" ascii wide
        // stored reversed; reads as C:\WINDOWS\Temp\%s from right to left
        $s4 = "s%\\pmeT\\SWODNIW\\:C" ascii wide
        $s5 = "SYSTEM\\CurrentControlSet\\Services\\%s" ascii wide
        $s6 = "\\keylog.dat" ascii wide

    condition:
        // two distinct strings required; $s5 alone is a generic registry path
        2 of them
}

// Backdoor.Fynloski: bot command tokens, result / error reply tokens and
// flood-task status messages. Three distinct strings are required.
rule BackdoorWin32FynloskiASample
{
    meta:
        Description = "Backdoor.Fynloski.sm"
        ThreatLevel = "5"

    strings:
        // inbound command tokens
        $ = "#BOT#VisitUrl" ascii wide
        $ = "#BOT#OpenUrl" ascii wide
        $ = "#BOT#Ping" ascii wide
        $ = "#BOT#RunPrompt" ascii wide
        $ = "#BOT#SvrUninstal" ascii wide
        $ = "#BOT#URLUpdate" ascii wide
        $ = "#BOT#URLDownload" ascii wide

        // reply tokens
        $ = "BTRESULTPing|Res" ascii wide
        $ = "BTRESULTClose" ascii wide
        $ = "BTERRORUpdate" ascii wide
        $ = "BTRESULTUpdate" ascii wide
        $ = "BTRESULTOpen" ascii wide
        $ = "BTERRORDownload" ascii wide
        $ = "BTRESULTDownload" ascii wide
        $ = "BTRESULTMass" ascii wide
        $ = "BTRESULTHTTP" ascii wide
        $ = "BTERRORVisit" ascii wide
        $ = "BTRESULTSyn" ascii wide
        $ = "BTRESULTUDP" ascii wide

        // flood task status messages
        $ = "Flood|UDP Flood task finished" ascii wide
        $ = "Flood|Syn task finished" ascii wide
        $ = "Flood|Http Flood task finished" ascii wide

    condition:
        3 of them
}

// Backdoor.Gen.A: .NET form / namespace / resource names. Three are required
// because "Form1" and "FromBase64String" look like generic .NET tokens.
rule BackdoorGenASample
{
    meta:
        Description = "Backdoor.Gen.A.vb"
        ThreatLevel = "5"

    strings:
        $s1 = "Form1" ascii wide
        $s2 = "Flamand" ascii wide
        $s3 = "Afildoe.Belver" ascii wide
        $s4 = "FromBase64String" ascii wide
        $s5 = "TeAdor.Properties.Resources" ascii wide

    condition:
        3 of them
}

// Backdoor.Liudoor (RSA FirstWatch): protocol reply words, a service DLL name
// and several short text fragments. Every string is required.
rule BackdoorLiudoor
{
    meta:
        author = "RSA FirstWatch"
        date = "2015-07-23"
        Description = "Backdoor.Liudoor.sm"
        ThreatLevel = "5"
        hash0 = "78b56bc3edbee3a425c96738760ee406"
        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
        hash4 = "6093505c7f7ec25b1934d3657649ef07"
        type = "Win32 DLL"

    strings:
        // protocol / control words
        $string0 = "Succ" ascii wide
        $string1 = "Fail" ascii wide
        $string2 = "pass" ascii wide
        $string3 = "exit" ascii wide
        // dropped service DLL
        $string4 = "svchostdllserver.dll" ascii wide
        // NOTE(review): $string5-$string8 appear to be fragments of code bytes
        // rendered as printable text rather than real strings; they are likely
        // brittle across builds of the same family.
        $string5 = "L$,PQR" ascii wide
        $string6 = "0/0B0H0Q0W0k0" ascii wide
        $string7 = "QSUVWh" ascii wide
        $string8 = "Ht Hu[" ascii wide

    condition:
        all of them
}
// Backdoor.Mirage: a quote, the family name or an encoding header, combined
// with a "?hl=en" request-path regex.
rule MirageAPTBackdoorSample
{
    meta:
        Description = "Backdoor.Mirage.sm"
        ThreatLevel = "5"

    strings:
        $a1 = "welcome to the desert of the real" ascii wide
        $a2 = "Mirage" ascii wide
        // NOTE(review): $b and $c look like ordinary HTTP artifacts and $a2 is
        // a plain English word, so the combination is what carries the rule.
        $b = "Encoding: gzip" ascii wide
        // regex is ascii-only (no 'wide' in the original)
        $c = /\/[A-Za-z]*\?hl=en/

    condition:
        (($a1 or $a2) or $b) and $c
}

// Backdoor.Win32 (Vawtrak): log / status format strings of the VNC, SOCKS,
// back-connect and download modules (five required) plus build-tree PDB paths
// and client DLL names (any one suffices). Misspellings ("Failt", "Sever")
// are as found in the samples and must not be corrected.
rule TrojanWin32Vawtrak_BackDoor
{
    meta:
        Description = "Backdoor.Win32.sm"
        ThreatLevel = "5"

    strings:
        // VNC module
        $ = "[VNC] New Client" ascii wide
        $ = "[VNC] Fail init BC" ascii wide
        $ = "[VNC] Fail addr proto BC" ascii wide
        $ = "[VNC] Fail connect BC" ascii wide
        $ = "[VNC] Fail init work:" ascii wide
        $ = "[VNC] Start Sever" ascii wide
        $ = "[VNC] Parse param error:" ascii wide
        $ = "[VNC] Fail create process:" ascii wide
        $ = "[VNC] Fail inject to process:" ascii wide
        $ = "Start VNC addr: %s" ascii wide
        $ = "Start VNC Status[Pipe]: %u-%u-%u" ascii wide
        $ = "Start VNC Status[Local]: %u" ascii wide

        // SOCKS module
        $ = "[Socks] New Client" ascii wide
        $ = "[Socks] Failt Init BC" ascii wide
        $ = "[Socks] Fail add proto BC" ascii wide
        $ = "[Socks] Failt connect BC" ascii wide
        $ = "[Socks] Fail parse param:" ascii wide
        $ = "Start Socks addr:" ascii wide
        $ = "Start Socks Status[Pipe]" ascii wide
        $ = "Start Socks Status[Local]" ascii wide

        // credential grabber, download/execute and process status
        $ = "[Pony] Fail Get Pass" ascii wide
        $ = "DL_EXEC Status [Pipe]" ascii wide
        $ = "DL_EXEC Status[Local]" ascii wide
        $ = "PID: %u [%0.2u:%0.2u:%0.2u]" ascii wide

        // back-connect module
        $ = "[BC] Cmd Ver Error" ascii wide
        $ = "[BC] Wait Ping error %u[%u]" ascii wide
        $ = "[BC] Fail Connect" ascii wide
        $ = "[BC] Fail send auth" ascii wide
        $ = "[BC] Fail read cmd" ascii wide
        $ = "[BC] cmd error: %u" ascii wide
        $ = "[BC] Cmd need disconnect" ascii wide

        // Firefox saved-logins query
        $ = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins" ascii wide

        // build paths and client DLL names; any one suffices
        $str_0 = "T:\\Develop\\EQ2\\bin\\tmp" ascii wide
        $str_1 = "T:\\Develop\\EQ2\\bin\\tmp\\client_32.pdb" ascii wide
        $str_2 = "T:\\Develop\\EQ2\\bin\\tmp\\client_64.pdb" ascii wide
        $str_3 = "client_64.dll" ascii wide
        $str_4 = "client_32.dll" ascii wide

    condition:
        (5 of them) or (any of ($str_*))
}
// Backdoor.Zegost: DDoS module name and flood-type names; two are required.
rule BackdoorZegostSampleA
{
    meta:
        Description = "Backdoor.Zegost.rc"
        ThreatLevel = "5"

    strings:
        $a = "VIPBlackDDOS" ascii wide
        $b = "SynFlood" ascii wide
        $c = "ICMPFlood" ascii wide
        $d = "UDPFlood" ascii wide
        $e = "DNSFlood" ascii wide
        $f = "Game2Flood" ascii wide
        $g = "HTTPGetFlood" ascii wide

    condition:
        2 of them
}

// Malware.BitCoinMiner: miner executable names, a folder name, a pool URL and
// an e-mail address. Three are required.
rule MalwareBitCoinMinerSample_A
{
    meta:
        Description = "Malware.BitCoinMiner.sm"
        ThreatLevel = "5"

    strings:
        $s1 = "Min3Win.exe" ascii wide
        $s2 = "bitcoin-miner.exe" ascii wide
        $s3 = "WINSXS32" ascii wide
        $s4 = "http://xhuehs.cantvenlinea.ru:1942" ascii wide
        $s5 = "bigbob0000001@gmail.com" ascii wide

    condition:
        3 of them
}

// Malware.TinyLoader: a single User-Agent-style token.
rule TinyLoaderSample
{
    meta:
        Description = "Malware.TinyLoader.vb"
        ThreatLevel = "5"

    strings:
        $ua = "B1 Tiny Loader/1.0" ascii wide

    condition:
        // with one string, 'all of them' is the same as $ua
        all of them
}

// PWS.PassDB: a PDB name and two hard-coded IP addresses.
rule PWSPasswordsToDBApp
{
    meta:
        Description = "PWS.PassDB.sm"
        ThreatLevel = "5"

    strings:
        $pdb0 = "PasswordsToDB.pdb" ascii wide
        // IPs are matched as text; a longer address containing one of these as
        // a prefix (e.g. 82.146.47.1160) would also match
        $ipa0 = "82.146.47.116" ascii wide
        $ipa1 = "82.146.54.187" ascii wide

    condition:
        any of them
}

// PUP.SystemOptimizer: two telemetry host URLs.
rule PUPSystemOptimizerASample
{
    meta:
        Description = "PUP.SystemOptimizer.vb"
        ThreatLevel = "5"

    strings:
        $u1 = "http://bitest.softservers.net" ascii wide
        $u2 = "http://bi.softservers.net" ascii wide

    condition:
        any of them
}

// PUP.Systweak: vendor string (with its trailing "0" as found) and a web
// service path.
rule PUPSystweakSample
{
    meta:
        Description = "PUP.Systweak.vb"
        ThreatLevel = "5"

    strings:
        $vendor = "Systweak Software0" ascii wide
        $svc = "pc-updater.com/miscservice/miscservice.asmx" ascii wide

    condition:
        any of them
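}

// Ransom.CryptoApp: component PDB names.
// Fix: every string belongs to the $pdb group, so the original condition
// "(3 of them) or (any of ($pdb*))" reduces to "any of ($pdb*)"; the
// redundant clause is dropped without changing which files match.
rule RansomCryptoApp_A
{
    meta:
        Description = "Ransom.CryptoApp.sm"
        ThreatLevel = "5"

    strings:
        $pdb0 = "CryptoApp.pdb" ascii wide
        $pdb1 = "KeepAlive.pdb" ascii wide
        $pdb2 = "SelfDestroy.pdb" ascii wide
        $pdb3 = "CoreDownloader.pdb" ascii wide

    condition:
        any of ($pdb*)
}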
rule RansomCryptoWallApp_3
{
    // Ransom.CryptoWall: payment-site domains plus the ransom-note name.
    // Any single string fires. $s4 ("HELP_DECRYPT", nocase) is the weak one:
    // it can appear in decryption utilities or documentation, whereas the
    // domains are specific to the campaign.
    meta:
        Description = "Ransom.CryptoWall.sm"
        ThreatLevel = "5"

    strings:
        // first wave of domains
        $s0 = "spatopayforwin.com" wide ascii
        $s1 = "bythepaywayall.com" wide ascii
        $s2 = "lowallmoneypool.com" wide ascii
        $s3 = "transoptionpay.com" wide ascii
        // ransom-note file name
        $s4 = "HELP_DECRYPT" wide ascii nocase
        // second wave of domains
        $s5 = "speralreaopio.com" wide ascii
        $s6 = "vremlreafpa.com" wide ascii
        $s7 = "wolfwallsreaetpay.com" wide ascii
        $s8 = "askhoreasption.com" wide ascii

    condition:
        1 of ($s*)
}
rule RansomCBTLockerApp
{
    // CTB-Locker ransom-note sentences plus two component file names.
    // All strings are $s*, so the original "(any of ($s*)) or (3 of them)"
    // is simply "any of them". The Description says "CBTLocker" while $s0
    // spells "CTB-Locker"; the meta value is left unchanged because
    // downstream tooling may key on the detection name.
    meta:
        Description = "Ransom.CBTLocker.sm"
        ThreatLevel = "5"

    strings:
        $s0 = "Your personal files are encrypted by CTB-Locker" wide ascii
        $s1 = "Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key,generated for this computer" wide ascii
        $s2 = "Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key." wide ascii
        $s3 = "If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program" wide ascii
        $s6 = "keme132.DLL" wide ascii
        $s7 = "klospad.pdb" wide ascii

    condition:
        any of them
}
rule RansomEncryptorRaaSApp
{
    // Ransom.EncryptorRaaS: onion addresses (one via a .onion.to gateway),
    // the ransom-note file name and its English/German opening sentence.
    // Any single string fires; all of them name the family explicitly.
    meta:
        Description = "Ransom.EncryptorRaaS.sm"
        ThreatLevel = "5"

    strings:
        $s0 = "decryptoraveidf7.onion.to" wide ascii
        $s1 = "encryptor_raas_readme_liesmich.txt" wide ascii
        $s2 = "The files on your computer have been securely encrypted by Encryptor RaaS" wide ascii
        $s3 = "Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt" wide ascii
        $s4 = "encryptor3awk6px.onion" wide ascii

    condition:
        1 of ($s*)
}
rule RansomSampleTeslaCryptA
{
    // Ransom.TeslaCrypt (variant A): the three ransom-note file names the
    // sample drops, matched case-insensitively; any one fires.
    meta:
        Description = "Ransom.TeslaCrypt.sm"
        ThreatLevel = "5"

    strings:
        $note_txt  = "HOWTO_RESTORE_FILES.TXT" wide ascii nocase
        $note_bmp  = "HOWTO_RESTORE_FILES.bmp" wide ascii nocase
        $note_html = "HOWTO_RESTORE_FILES.HTML" wide ascii nocase

    condition:
        any of ($note_*)
}
rule RansomSampleTeslaCryptB
{
    // Ransom.TeslaCrypt (variant B): ransom-note names, case-insensitive.
    // $base is a prefix of the other two, so under "any of them" the .TXT
    // and .png forms never change the verdict; they are kept so the matched
    // string identifies which artifact was seen.
    meta:
        Description = "Ransom.TeslaCrypt.B.sm"
        ThreatLevel = "5"

    strings:
        $base = "help_recover_instructions" wide ascii nocase
        $txt  = "help_recover_instructions.TXT" wide ascii nocase
        $png  = "help_recover_instructions.png" wide ascii nocase

    condition:
        any of them
}
rule RansomSampleChimeraB
{
    // Ransom.Chimera (variant B): ransom-note file name, the build PDB path
    // and a Bitmessage address used for contact. Any one fires.
    meta:
        Description = "Ransom.Win32.Chimera.sm"
        ThreatLevel = "5"

    strings:
        $note = "YOUR_FILES_ARE_ENCRYPTED.HTML" wide ascii nocase
        $pdb  = "Projects\\Ransom\\bin\\Release\\Core.pdb" wide ascii nocase
        $bm   = "BM-2cW44Yq9DWbHYnRSfzBLVxvE6WjadchNBt" wide ascii nocase

    condition:
        1 of them
}
rule RansomSampleLeChiffre
{
    // Ransom.LeChiffre: family name, contact mailbox, check-in URL and the
    // two files it drops. Two hits are required because $name alone is a
    // plain word ("LeChiffre" is also a fictional character) and would be
    // too weak on its own.
    meta:
        Description = "Ransom.Win32.LeChiffre.sm"
        ThreatLevel = "5"

    strings:
        $name  = "LeChiffre" wide ascii nocase
        $mail  = "decrypt.my.files@gmail.com" wide ascii nocase
        $url   = "http://184.107.251.146/sipvoice.php?" wide ascii nocase
        $code  = "_secret_code.txt" wide ascii nocase
        $howto = "_How to decrypt LeChiffre files.html" wide ascii nocase

    condition:
        2 of them
}
rule RansomSampleHydraCrypt
{
    // Ransom.HydraCrypt: ransom-note/ID prefixes and a check-in parameter.
    // $generic ("HYDRACRYPT", nocase) is a substring of $id, so with a plain
    // "2 of them" a single "hydracrypt_ID_" occurrence already counted twice.
    // The condition below states that explicitly: $id alone is sufficient,
    // otherwise two of the remaining three must hit. It is logically
    // identical to the original "2 of them"; tighten it deliberately if $id
    // alone is considered too weak.
    meta:
        Description = "Ransom.Win32.HydraCrypt.sm"
        ThreatLevel = "5"

    strings:
        $readme  = "README_DECRYPT_HYDRA_ID_" wide ascii nocase
        $id      = "hydracrypt_ID_" wide ascii nocase
        $generic = "HYDRACRYPT" wide ascii nocase
        $ccc     = "ccc=hydra01_" wide ascii nocase

    condition:
        $id or 2 of ($readme, $generic, $ccc)
}
rule RansomFilecoderA
{
    // Ransom.FileCoder (variant A): three opaque tokens taken from the
    // sample (two short identifiers and one long key-like constant); any
    // one fires. $k3 is the most specific; the short tokens are kept for
    // coverage of variants that drop the long constant.
    meta:
        Description = "Ransom.FileCoder.A.vb"
        ThreatLevel = "5"

    strings:
        $k1 = "Guji36" wide ascii
        $k2 = "Burnamedoxi" wide ascii
        $k3 = "S48H1G54JSPSODKMGdfH1FD5G8DSDPSDKMFSSJJPGMCNDHS2FH5" wide ascii

    condition:
        any of ($k*)
}
rule RansomSampleLockyCrypt
{
    // Ransom.Locky (string/opcode variant). Three tiers:
    //   $s*  - any one is enough on its own (extension, note names, reg key);
    //   $o*  - both opcode fragments together are enough;
    //   otherwise any three strings in total.
    // Caveats for triage: $s1 (".locky", nocase) and the anonymous "Locky"
    // are substrings of several other strings here and of ordinary words
    // (e.g. "blocky"), so they inflate the 3-of count and $s1 alone fires
    // this ThreatLevel 5 rule; the two IP literals are campaign-specific
    // and go stale.
    meta:
        Description = "Ransom.Win32.Locky.sm"
        ThreatLevel = "5"

    strings:
        $s1 = ".locky" wide ascii nocase
        $s2 = "_Locky_recover_instructions.txt" wide ascii nocase
        $s3 = "_Locky_recover_instructions.bmp" wide ascii nocase
        $s6 = "Software\\Locky" wide ascii nocase

        $ = "&encrypted=" wide ascii nocase
        $ = "94.242.57.45" wide ascii nocase
        $ = "46.4.239.76" wide ascii nocase
        $ = "vssadmin.exe Delete Shadows" wide ascii nocase
        $ = "Locky" wide ascii nocase

        $o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
        $o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863

    condition:
        any of ($s*) or all of ($o*) or 3 of them
}
// The "pe" module is referenced by RansomLocky (pe.entry_point) and
// RansomImportDetect (pe.imports) below; it has to be imported before those
// rules are compiled, so keep this line ahead of them.
import "pe"
rule RansomLocky
{
    // Ransom.Locky (PE variant). Requires a PE "MZ" header at offset 0 and
    // then ANY of: a known packed-Locky entry-point stub, a ransom-note file
    // name, or the "vssadmin.exe" string.
    // Triage caveat: $deleteShadows alone satisfies the rule. "vssadmin.exe"
    // is referenced by backup and administration software as well, so a hit
    // on nothing but $deleteShadows should be confirmed against $inst*/$cryptEP*
    // before it is treated as Locky at ThreatLevel 5.
    meta:
        Description = "Ransom.Locky.ab"
        ThreatLevel = "5"

    strings:
        $mz = { 4d 5a }

        // ransom-note file names
        $inst1 = "_HELP_instructions.bmp" wide ascii
        $inst2 = "_HELP_instructions.html" wide ascii
        $inst3 = "_HELP_instructions.txt" wide ascii
        $inst4 = "_Locky_recover_instructions.bmp" wide ascii
        $inst5 = "_Locky_recover_instructions.txt" wide ascii

        // shadow-copy deletion tool name (generic ransomware behaviour)
        $deleteShadows = "vssadmin.exe" wide ascii

        // entry-point code of two packed Locky builds
        $cryptEP1 = {e8 95 23 ff ff 86 c8 86 ea e9 8d 23 ff ff 86 f4 e9 84 23 ff ff 86 c5}
        $cryptEP2 = {55 8b ec eb 68 eb 66 eb 64 6a 00 6a 00 6a 00 6a 00 6a 00}

    condition:
        $mz at 0 and
        (
            any of ($inst*) or
            $deleteShadows or
            $cryptEP1 at pe.entry_point or
            $cryptEP2 at pe.entry_point
        )
}
rule RansomImportDetect
{
    // Generic ransomware heuristic (no strings): the PE must import both a
    // directory-walk pair (FindFirstFile*/FindNextFile*) and the CryptoAPI
    // trio used to encrypt files with a fresh random key. Ordinary software
    // (archivers, installers, anything that encrypts its own data) imports
    // the same set, hence ThreatLevel 3 rather than 5; use it to prioritise,
    // not to convict.
    meta:
        Description = "Ransom.Gen.ab"
        ThreatLevel = "3"

    condition:
        // CryptoAPI: context + encrypt + random key material
        pe.imports("Advapi32.dll", "CryptGenRandom") and
        pe.imports("Advapi32.dll", "CryptEncrypt") and
        (pe.imports("Advapi32.dll", "CryptAcquireContextA") or pe.imports("Advapi32.dll", "CryptAcquireContextW")) and
        // file-system enumeration, either charset variant
        (pe.imports("Kernel32.dll", "FindNextFileA") or pe.imports("Kernel32.dll", "FindNextFileW")) and
        (pe.imports("Kernel32.dll", "FindFirstFileA") or pe.imports("Kernel32.dll", "FindFirstFileW"))
}
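rule VMdetectMisc
{
    // Risk.VMDtc: strings that malware uses to fingerprint virtual machines
    // (VirtualBox / VMware / Parallels / Hyper-V / Virtual PC / Xen services,
    // drivers, registry keys and MAC OUIs). Two hits are required.
    //
    // Fix: "vboxservice" and "vboxtray" were listed a second time as
    // case-sensitive strings although $vbox1/$vbox2 already match them with
    // nocase, so one occurrence counted as two and satisfied "2 of them" by
    // itself. Those duplicates are dropped.
    // Still present are nested (not identical) pairs: "vmware" in "vmware2",
    // "vmx86" in "vmx86.sys", "vmmouse" in "vmmouse.sys", "vpc-s3" in
    // "vpc-s3.sys", "vmsrvc" in "vmsrvc.sys", "xennet" in "xennet6". One such
    // string counts twice, so for those artifacts the effective threshold is
    // a single indicator. They are kept because the short forms also match on
    // their own. Expect hits on virtualization vendors' own tools and on any
    // software that legitimately enumerates VM services (ThreatLevel 3).
    meta:
        Description = "Risk.VMDtc.sm"
        ThreatLevel = "3"

    strings:
        // VirtualBox guest additions
        $vbox1 = "VBoxService" nocase ascii wide
        $vbox2 = "VBoxTray" nocase ascii wide
        $vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
        $vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide

        // Wine
        $wine1 = "wine_get_unix_file_name" ascii wide

        // VMware
        $vmware1 = "vmmouse.sys" ascii wide
        $vmware2 = "VMware Virtual IDE Hard Drive" ascii wide

        // disk enumeration key (used to read the VM vendor's disk name)
        $miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide
        $miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide

        // guest drivers
        $vmdrv1 = "hgfs.sys" ascii wide
        $vmdrv2 = "vmhgfs.sys" ascii wide
        $vmdrv3 = "prleth.sys" ascii wide
        $vmdrv4 = "prlfs.sys" ascii wide
        $vmdrv5 = "prlmouse.sys" ascii wide
        $vmdrv6 = "prlvideo.sys" ascii wide
        $vmdrv7 = "prl_pv32.sys" ascii wide
        $vmdrv8 = "vpc-s3.sys" ascii wide
        $vmdrv9 = "vmsrvc.sys" ascii wide
        $vmdrv10 = "vmx86.sys" ascii wide
        $vmdrv11 = "vmnet.sys" ascii wide

        // guest service names
        $vmsrvc1 = "vmicheartbeat" ascii wide
        $vmsrvc2 = "vmicvss" ascii wide
        $vmsrvc3 = "vmicshutdown" ascii wide
        $vmsrvc4 = "vmicexchange" ascii wide
        $vmsrvc5 = "vmci" ascii wide
        $vmsrvc6 = "vmdebug" ascii wide
        $vmsrvc7 = "vmmouse" ascii wide
        $vmsrvc8 = "VMTools" ascii wide
        $vmsrvc9 = "VMMEMCTL" ascii wide
        $vmsrvc10 = "vmware" ascii wide
        $vmsrvc11 = "vmx86" ascii wide
        $vmsrvc12 = "vpcbus" ascii wide
        $vmsrvc13 = "vpc-s3" ascii wide
        $vmsrvc14 = "vpcuhub" ascii wide
        $vmsrvc15 = "msvmmouf" ascii wide
        $vmsrvc16 = "VBoxMouse" ascii wide
        $vmsrvc17 = "VBoxGuest" ascii wide
        $vmsrvc18 = "VBoxSF" ascii wide
        $vmsrvc19 = "xenevtchn" ascii wide
        $vmsrvc20 = "xennet" ascii wide
        $vmsrvc21 = "xennet6" ascii wide
        $vmsrvc22 = "xensvc" ascii wide
        $vmsrvc23 = "xenvdb" ascii wide

        // guest process names ("vboxservice"/"vboxtray" covered by $vbox1/$vbox2)
        $miscproc1 = "vmware2" ascii wide
        $miscproc2 = "vmount2" ascii wide
        $miscproc3 = "vmusrvc" ascii wide
        $miscproc4 = "vmsrvc" ascii wide
        $miscproc7 = "xenservice" ascii wide

        // MAC OUI prefixes, ascii only (no "wide" on the originals)
        $vmware_mac_1a = "00-05-69"
        $vmware_mac_1b = "00:05:69"
        $vmware_mac_2a = "00-50-56"
        $vmware_mac_2b = "00:50:56"
        $vmware_mac_3a = "00-0C-29"
        $vmware_mac_3b = "00:0C:29"
        $vmware_mac_4a = "00-1C-14"
        $vmware_mac_4b = "00:1C:14"
        $virtualbox_mac_1a = "08-00-27"
        $virtualbox_mac_1b = "08:00:27"

    condition:
        2 of them
}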
rule SandboxDetectMisc
{
    // Risk.SBDtc: sandbox fingerprints - the Sandboxie DLL name, three
    // Windows product IDs known from public sandbox images, and JoeBox
    // agent process names. Any single string fires (ThreatLevel 3).
    meta:
        Description = "Risk.SBDtc.sm"
        ThreatLevel = "3"

    strings:
        $sbxie1 = "sbiedll" wide ascii nocase

        $prodid1 = "55274-640-2673064-23950" wide ascii
        $prodid2 = "76487-644-3177037-23510" wide ascii
        $prodid3 = "76487-337-8429955-22614" wide ascii

        $proc1 = "joeboxserver" wide ascii
        $proc2 = "joeboxcontrol" wide ascii

    condition:
        1 of them
}
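rule avdetect_procs
{
    // Risk.AVDtc: process image names of security products and analysis
    // tools, the kind of list malware walks to detect or kill AV. Three hits
    // are required.
    //
    // Fix: five names were listed twice ("privatefirewall3.exe",
    // "xfilter.exe", "scfservice.exe", "scfmanager.exe", "firewall.exe"), so
    // each occurrence counted double and two distinct names reached the
    // threshold. The repeats ($proc88, $proc138, $proc150, $proc154,
    // $proc169) are removed; the first occurrence keeps its identifier.
    // Remaining caveats: "firewall.exe" is also contained in
    // "app_firewall.exe" and "adoronsfirewall.exe" (one such string counts
    // twice), and short names like "acs.exe", "mpf.exe", "opf.exe",
    // "dfw.exe", "aws.exe" or "CV.exe" occur in unrelated binaries, so a
    // ThreatLevel 3 hit needs corroboration. "netguardlite.exe" and
    // "NetguardLite.exe" are distinct case-sensitive variants, kept as-is.
    meta:
        Description = "Risk.AVDtc.sm"
        ThreatLevel = "3"

    strings:
        $proc2 = "LMon.exe" ascii wide
        $proc3 = "sagui.exe" ascii wide
        $proc4 = "RDTask.exe" ascii wide
        $proc5 = "kpf4gui.exe" ascii wide
        $proc6 = "ALsvc.exe" ascii wide
        $proc7 = "pxagent.exe" ascii wide
        $proc8 = "fsma32.exe" ascii wide
        $proc9 = "licwiz.exe" ascii wide
        $proc10 = "SavService.exe" ascii wide
        $proc11 = "prevxcsi.exe" ascii wide
        $proc12 = "alertwall.exe" ascii wide
        $proc13 = "livehelp.exe" ascii wide
        $proc14 = "SAVAdminService.exe" ascii wide
        $proc15 = "csi-eui.exe" ascii wide
        $proc16 = "mpf.exe" ascii wide
        $proc17 = "lookout.exe" ascii wide
        $proc18 = "savprogress.exe" ascii wide
        $proc19 = "lpfw.exe" ascii wide
        $proc20 = "mpfcm.exe" ascii wide
        $proc21 = "emlproui.exe" ascii wide
        $proc22 = "savmain.exe" ascii wide
        $proc23 = "outpost.exe" ascii wide
        $proc24 = "fameh32.exe" ascii wide
        $proc25 = "emlproxy.exe" ascii wide
        $proc26 = "savcleanup.exe" ascii wide
        $proc27 = "filemon.exe" ascii wide
        $proc28 = "AntiHook.exe" ascii wide
        $proc29 = "endtaskpro.exe" ascii wide
        $proc30 = "savcli.exe" ascii wide
        $proc31 = "procmon.exe" ascii wide
        $proc32 = "xfilter.exe" ascii wide
        $proc33 = "netguardlite.exe" ascii wide
        $proc34 = "backgroundscanclient.exe" ascii wide
        $proc35 = "Sniffer.exe" ascii wide
        $proc36 = "scfservice.exe" ascii wide
        $proc37 = "oasclnt.exe" ascii wide
        $proc38 = "sdcservice.exe" ascii wide
        $proc39 = "acs.exe" ascii wide
        $proc40 = "scfmanager.exe" ascii wide
        $proc41 = "omnitray.exe" ascii wide
        $proc42 = "sdcdevconx.exe" ascii wide
        $proc43 = "aupdrun.exe" ascii wide
        $proc44 = "spywaretermin" ascii wide
        $proc45 = "atorshield.exe" ascii wide
        $proc46 = "onlinent.exe" ascii wide
        $proc47 = "sdcdevconIA.exe" ascii wide
        $proc48 = "sppfw.exe" ascii wide
        $proc49 = "spywat~1.exe" ascii wide
        $proc50 = "opf.exe" ascii wide
        $proc51 = "sdcdevcon.exe" ascii wide
        $proc52 = "spfirewallsvc.exe" ascii wide
        $proc53 = "ssupdate.exe" ascii wide
        $proc54 = "pctavsvc.exe" ascii wide
        $proc55 = "configuresav.exe" ascii wide
        $proc56 = "fwsrv.exe" ascii wide
        $proc57 = "terminet.exe" ascii wide
        $proc58 = "pctav.exe" ascii wide
        $proc59 = "alupdate.exe" ascii wide
        $proc60 = "opfsvc.exe" ascii wide
        $proc61 = "tscutynt.exe" ascii wide
        $proc62 = "pcviper.exe" ascii wide
        $proc63 = "InstLsp.exe" ascii wide
        $proc64 = "uwcdsvr.exe" ascii wide
        $proc65 = "umxtray.exe" ascii wide
        $proc66 = "persfw.exe" ascii wide
        $proc67 = "CMain.exe" ascii wide
        $proc68 = "dfw.exe" ascii wide
        $proc69 = "updclient.exe" ascii wide
        $proc70 = "pgaccount.exe" ascii wide
        $proc71 = "CavAUD.exe" ascii wide
        $proc72 = "ipatrol.exe" ascii wide
        $proc73 = "webwall.exe" ascii wide
        $proc74 = "privatefirewall3.exe" ascii wide
        $proc75 = "CavEmSrv.exe" ascii wide
        $proc76 = "pcipprev.exe" ascii wide
        $proc77 = "winroute.exe" ascii wide
        $proc78 = "protect.exe" ascii wide
        $proc79 = "Cavmr.exe" ascii wide
        $proc80 = "prifw.exe" ascii wide
        $proc81 = "apvxdwin.exe" ascii wide
        $proc82 = "rtt_crc_service.exe" ascii wide
        $proc83 = "Cavvl.exe" ascii wide
        $proc84 = "tzpfw.exe" ascii wide
        $proc85 = "as3pf.exe" ascii wide
        $proc86 = "schedulerdaemon.exe" ascii wide
        $proc87 = "CavApp.exe" ascii wide
        $proc89 = "avas.exe" ascii wide
        $proc90 = "sdtrayapp.exe" ascii wide
        $proc91 = "CavCons.exe" ascii wide
        $proc92 = "pfft.exe" ascii wide
        $proc93 = "avcom.exe" ascii wide
        $proc94 = "siteadv.exe" ascii wide
        $proc95 = "CavMud.exe" ascii wide
        $proc96 = "armorwall.exe" ascii wide
        $proc97 = "avkproxy.exe" ascii wide
        $proc98 = "sndsrvc.exe" ascii wide
        $proc99 = "CavUMAS.exe" ascii wide
        $proc100 = "app_firewall.exe" ascii wide
        $proc101 = "avkservice.exe" ascii wide
        $proc102 = "snsmcon.exe" ascii wide
        $proc103 = "UUpd.exe" ascii wide
        $proc104 = "blackd.exe" ascii wide
        $proc105 = "avktray.exe" ascii wide
        $proc106 = "snsupd.exe" ascii wide
        $proc107 = "cavasm.exe" ascii wide
        $proc108 = "blackice.exe" ascii wide
        $proc109 = "avkwctrl.exe" ascii wide
        $proc110 = "procguard.exe" ascii wide
        $proc111 = "CavSub.exe" ascii wide
        $proc112 = "umxagent.exe" ascii wide
        $proc113 = "avmgma.exe" ascii wide
        $proc114 = "DCSUserProt.exe" ascii wide
        $proc115 = "CavUserUpd.exe" ascii wide
        $proc116 = "kpf4ss.exe" ascii wide
        $proc117 = "avtask.exe" ascii wide
        $proc118 = "avkwctl.exe" ascii wide
        $proc119 = "CavQ.exe" ascii wide
        $proc120 = "tppfdmn.exe" ascii wide
        $proc121 = "aws.exe" ascii wide
        $proc122 = "firewall.exe" ascii wide
        $proc123 = "Cavoar.exe" ascii wide
        $proc124 = "blinksvc.exe" ascii wide
        $proc125 = "bgctl.exe" ascii wide
        $proc126 = "THGuard.exe" ascii wide
        $proc127 = "CEmRep.exe" ascii wide
        $proc128 = "sp_rsser.exe" ascii wide
        $proc129 = "bgnt.exe" ascii wide
        $proc130 = "spybotsd.exe" ascii wide
        $proc131 = "OnAccessInstaller.exe" ascii wide
        $proc132 = "op_mon.exe" ascii wide
        $proc133 = "bootsafe.exe" ascii wide
        $proc134 = "xauth_service.exe" ascii wide
        $proc135 = "SoftAct.exe" ascii wide
        $proc136 = "cmdagent.exe" ascii wide
        $proc137 = "bullguard.exe" ascii wide
        $proc139 = "CavSn.exe" ascii wide
        $proc140 = "VCATCH.EXE" ascii wide
        $proc141 = "cdas2.exe" ascii wide
        $proc142 = "zlh.exe" ascii wide
        $proc143 = "Packetizer.exe" ascii wide
        $proc144 = "SpyHunter3.exe" ascii wide
        $proc145 = "cmgrdian.exe" ascii wide
        $proc146 = "adoronsfirewall.exe" ascii wide
        $proc147 = "Packetyzer.exe" ascii wide
        $proc148 = "wwasher.exe" ascii wide
        $proc149 = "configmgr.exe" ascii wide
        $proc151 = "zanda.exe" ascii wide
        $proc152 = "authfw.exe" ascii wide
        $proc153 = "cpd.exe" ascii wide
        $proc155 = "zerospywarele.exe" ascii wide
        $proc156 = "dvpapi.exe" ascii wide
        $proc157 = "espwatch.exe" ascii wide
        $proc158 = "dltray.exe" ascii wide
        $proc159 = "zerospywarelite_installer.exe" ascii wide
        $proc160 = "clamd.exe" ascii wide
        $proc161 = "fgui.exe" ascii wide
        $proc162 = "dlservice.exe" ascii wide
        $proc163 = "Wireshark.exe" ascii wide
        $proc164 = "sab_wab.exe" ascii wide
        $proc165 = "filedeleter.exe" ascii wide
        $proc166 = "ashwebsv.exe" ascii wide
        $proc167 = "tshark.exe" ascii wide
        $proc168 = "SUPERAntiSpyware.exe" ascii wide
        $proc170 = "ashdisp.exe" ascii wide
        $proc171 = "rawshark.exe" ascii wide
        $proc172 = "vdtask.exe" ascii wide
        $proc173 = "firewall2004.exe" ascii wide
        $proc174 = "ashmaisv.exe" ascii wide
        $proc175 = "Ethereal.exe" ascii wide
        $proc176 = "asr.exe" ascii wide
        $proc177 = "firewallgui.exe" ascii wide
        $proc178 = "ashserv.exe" ascii wide
        $proc179 = "Tethereal.exe" ascii wide
        $proc180 = "NetguardLite.exe" ascii wide
        $proc181 = "gateway.exe" ascii wide
        $proc182 = "aswupdsv.exe" ascii wide
        $proc183 = "Windump.exe" ascii wide
        $proc184 = "nstzerospywarelite.exe" ascii wide
        $proc185 = "hpf_.exe" ascii wide
        $proc186 = "avastui.exe" ascii wide
        $proc187 = "Tcpdump.exe" ascii wide
        $proc188 = "cdinstx.exe" ascii wide
        $proc189 = "iface.exe" ascii wide
        $proc190 = "avastsvc.exe" ascii wide
        $proc191 = "Netcap.exe" ascii wide
        $proc192 = "cdas17.exe" ascii wide
        $proc193 = "invent.exe" ascii wide
        $proc194 = "Netmon.exe" ascii wide
        $proc195 = "fsrt.exe" ascii wide
        $proc196 = "ipcserver.exe" ascii wide
        $proc197 = "CV.exe" ascii wide
        $proc198 = "VSDesktop.exe" ascii wide
        $proc199 = "ipctray.exe" ascii wide

    condition:
        3 of them
}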
rule dbgdetect_procs
{
    // Risk.DbgDtc: names of debuggers and monitoring tools that malware
    // looks for in the process list; case-insensitive, two hits required.
    // The names are plain words ("wireshark", "procmon", "idag"), so
    // security tooling and its documentation also match (ThreatLevel 3).
    meta:
        Description = "Risk.DbgDtc.sm"
        ThreatLevel = "3"

    strings:
        $proc1 = "wireshark" wide ascii nocase
        $proc2 = "filemon" wide ascii nocase
        $proc3 = "procexp" wide ascii nocase
        $proc4 = "procmon" wide ascii nocase
        $proc5 = "regmon" wide ascii nocase
        $proc6 = "idag" wide ascii nocase
        $proc7 = "immunitydebugger" wide ascii nocase
        $proc8 = "ollydbg" wide ascii nocase
        $proc9 = "petools" wide ascii nocase

    condition:
        2 of ($proc*)
}
rule dbgdetect_files
{
    // Risk.DbgDtc: Syser / SoftICE kernel-debugger artifact names, matched
    // case-insensitively; two hits required. "SICE" and "NTICE" are short
    // and unanchored (nocase "ntice" also sits inside ordinary words such as
    // "apprentice"), so a hit that rests on those two alone is weak.
    meta:
        Description = "Risk.DbgDtc.sm"
        ThreatLevel = "3"

    strings:
        $file1 = "syserdbgmsg" wide ascii nocase
        $file2 = "syserboot" wide ascii nocase
        $file3 = "SICE" wide ascii nocase
        $file4 = "NTICE" wide ascii nocase

    condition:
        2 of ($file*)
}

rule RiskNetFilterSampleA
{
    // Risk.NetFilter (variant A): a WFP-based traffic-filter driver built on
    // what appears to be the NFSDK (callout names), together with the
    // service keys of several AV/firewall vendors' WFP drivers that it
    // references and its own control-device names. Every string must be
    // present. Under "all of them" the shorter strings are implied by the
    // longer ones ("...\\epfwwfp" by "...\\epfwwfpr", "Flow Established
    // Callout" by "NFSDK Flow Established Callout", "Stream Callout" by
    // "NFSDK Stream Callout"), so they never decide the verdict.
    meta:
        Description = "Risk.NetFilter.A.vb"
        ThreatLevel = "5"

    strings:
        // third-party WFP driver service keys the sample references
        $reg1 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\epfwwfp" wide ascii
        $reg2 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\epfwwfpr" wide ascii
        $reg3 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\nisdrv" wide ascii
        $reg4 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\symnets" wide ascii
        $reg5 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\klwfp" wide ascii
        $reg6 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\amoncdw8" wide ascii
        $reg7 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\amoncdw7" wide ascii
        $reg8 = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\bdfwfpf_pc" wide ascii

        // WFP callout names
        $co1 = "NFSDK Flow Established Callout" wide ascii
        $co2 = "Flow Established Callout" wide ascii
        $co3 = "NFSDK Stream Callout" wide ascii
        $co4 = "Stream Callout" wide ascii

        // control device
        $dev1 = "\\Device\\CtrlSM" wide ascii
        $dev2 = "\\DosDevices\\CtrlSM" wide ascii

    condition:
        all of them
}
rule RogueDownloaderLoaderAVSoftA
{
    // Trojan.Loader (rogue-AV downloader): a check-in URL fragment, a GUID,
    // an elevation marker string and a DLL name. Three of the four active
    // strings are required. The commented-out strings are kept for reference;
    // they were dropped from the live set by the original author.
    meta:
        Description = "Trojan.Loader.sm"
        ThreatLevel = "5"

    strings:
        $ = "/info.php?idd=" wide ascii
        $ = "{95B8F20E-4BC6-4E22-9442-BFB69ED62879}" wide ascii
        //$ = "CheckExeSignatures" ascii wide
        //$ = "RunInvalidSignatures" ascii wide
        $ = "ELEVATECREATEPROCESS" wide ascii
        $ = "srvdev.dll" wide ascii
        //$ = "EntryPoint" ascii wide

    condition:
        3 of them
}
rule RogueModuleAVSoftA
{
    // Rogue.AVSoft module: resource names of the fake scanner UI (alert
    // images, fake results table, "get protection" banner, alert pages) plus
    // one code fragment. Either the code fragment alone or any three of the
    // resource names fires.
    meta:
        Description = "Rogue.AVSoft.sm"
        ThreatLevel = "5"

    strings:
        $ = "sec-red-alert-s.gif" wide ascii
        $ = "sec-red-alert-b.gif" wide ascii
        $ = "scaning.gif" wide ascii
        $ = "scaning-stopped.gif" wide ascii
        $ = "rezult-table-head-bg.gif" wide ascii
        $ = "banner-get-protection.gif" wide ascii
        $ = "netalrt.htm" wide ascii
        $ = "alrt.htm" wide ascii

        $hex1 = { e8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? e8 ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 73 ?? e8 ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 84 c0 75 ?? e8 ?? ?? ?? ?? 6a 1e 99 59 f7 f9 83 c2 14 69 d2 60 ea 00 00 52 ff d7 e8 ?? ?? ?? ?? 83 f8 01 75 ?? e8 ?? ?? ?? ??}

    condition:
        any of ($hex*) or 3 of them
}
rule RogueBraviaxSampleA
{
    // Rogue.Braviax: fake-AV UI resources and "avp:" pseudo-URLs (three of
    // them required), or any single $str* - fake detection names shown to the
    // victim, product-name templates and campaign domains. Caveat: $str1-$str6
    // are real-looking AV detection names and also occur in AV signature
    // databases, scan logs and security write-ups, so $str* hits on such
    // files are expected false positives.
    meta:
        Description = "Rogue.Braviax.sm"
        ThreatLevel = "5"

    strings:
        $ = "background_gradient_red.jpg" wide ascii
        $ = "red_shield_48.png" wide ascii
        $ = "pagerror.gif" wide ascii
        $ = "green_shield.png" wide ascii
        $ = "refresh.gif" wide ascii
        $ = "red_shield.png" wide ascii
        $ = "avp:scan" wide ascii
        $ = "avp:site" wide ascii

        $str1 = "Trojan-BNK.Win32.Keylogger.gen" wide ascii
        $str2 = "Trojan-PSW.Win32.Coced.219" wide ascii
        $str3 = "Email-Worm.Win32.Eyeveg.f" wide ascii
        $str4 = "Virus.BAT.Batalia1.840" wide ascii
        $str5 = "Trojan-SMS.SymbOS.Viver.a" wide ascii
        $str6 = "Trojan-Spy.HTML.Bankfraud.jk" wide ascii
        $str7 = "glohhstt7.com" wide ascii
        //$str8 = "Zorton" ascii wide
        //$str9 = "Rango" ascii wide
        //$str10 = "Sirius" ascii wide
        //$str11 = "A-Secure" ascii wide
        $str12 = "%1 Protection 201" wide ascii
        $str13 = "%1 Antivirus 201" wide ascii
        $str14 = "siriuc2014.com" wide ascii
        $str15 = "siriucs2016.com" wide ascii
        $str16 = "zorton2016.com" wide ascii
        $str17 = "zorton2015.com" wide ascii
        $str18 = "stormo10.com" wide ascii
        $str19 = "fscurat20.com" wide ascii
        $str20 = "fscurat21.com" wide ascii

    condition:
        any of ($str*) or 3 of them
}

rule RogueFakePAVSample
{
    // Rogue.FakePAV: window/class names of the fake-AV UI (all prefixed "Z").
    // Any single name fires. Several of them are short and generic
    // ("ZReg", "ZWarn", "ZAbout", "ZPromo", "ZUpdate") and match inside
    // unrelated identifiers, so a hit on one short name alone is weak
    // evidence for a ThreatLevel 5 verdict.
    meta:
        Description = "Rogue.FakePAV.sm"
        ThreatLevel = "5"

    strings:
        $ = "ZALERT" wide ascii
        $ = "ZAPFrm" wide ascii
        $ = "ZAbout" wide ascii
        $ = "ZAutoRunFrame" wide ascii
        $ = "ZCheckBox" wide ascii
        $ = "ZCplAll" wide ascii
        $ = "ZFogWnd" wide ascii
        $ = "ZFrameDEt" wide ascii
        $ = "ZIEWnd" wide ascii
        $ = "ZMainFrame" wide ascii
        $ = "ZMainWnd" wide ascii
        $ = "ZOptionsFrame" wide ascii
        $ = "ZProcessFrame" wide ascii
        $ = "ZProgressBar" wide ascii
        $ = "ZPromo" wide ascii
        $ = "ZReg" wide ascii
        $ = "ZResFR" wide ascii
        $ = "ZServiceFrame" wide ascii
        $ = "ZUpdate" wide ascii
        $ = "ZWarn" wide ascii

    condition:
        1 of them
}

rule RogueFakeDefenderSample
{
    // Rogue.FakeDef ("PC Defender" family): data/window names, dropped
    // component names, shortcut and message templates, mutex names and the
    // back-end API URL templates. Three hits required. $a/$b are named only
    // for readability; the condition treats every string alike. Some strings
    // are generic ("%s%s.lnk", "Software\\Classes\\.exe", "Uninstaller
    // application") and can contribute to the count in legitimate installers.
    meta:
        Description = "Rogue.FakeDef.sm"
        ThreatLevel = "5"

    strings:
        $a = "pcdfdata" wide ascii
        $b = "toplevel_pcdef" wide ascii

        // dropped components
        $ = "%spld%d.exe" wide ascii
        $ = "avsrun.exe" wide ascii
        $ = "avsdel.exe" wide ascii

        // data files
        $ = "vl.bin" wide ascii
        $ = "reginfo.bin" wide ascii

        // shortcuts
        $ = "%s%s.lnk" wide ascii
        $ = "%sRemove %s.lnk" wide ascii
        $ = "Uninstaller application" wide ascii
        $ = "%s%s Help and Support.lnk" wide ascii

        // internal names
        $ = "pavsdata" wide ascii
        $ = "avsmainwnd" wide ascii
        $ = "avsdsvc" wide ascii
        $ = "ovcf" wide ascii

        // mutexes and form paths
        $ = "Global\\avsinst" wide ascii
        $ = "Global\\avscfglock" wide ascii
        $ = "\\loc\\reg\\conn\\activate" wide ascii
        $ = "\\forms\\alerts\\vulner" wide ascii
        $ = "\\forms\\alerts\\hack" wide ascii

        $ = "Software\\Classes\\.exe" wide ascii

        // fake alert messages
        $ = "%s was infected with %s and has been successfully repaired" wide ascii
        $ = "Attack %s from remote host %d.%d.%d.%d has been successfully blocked" wide ascii

        // back-end API templates
        $ = "http://%s/api/ping?stage=1&uid=%S&id=%d&subid=%d&os=%d&avf=%d" wide ascii
        $ = "http://%s/api/ping?stage=2&uid=%S&success=%d" wide ascii
        $ = "http://%s/api/ping?stage=3&uid=%S" wide ascii
        $ = "http://%s/content/scc" wide ascii
        $ = "http://%s/postload2/?uid=%S" wide ascii
        $ = "http://%S/api/test" wide ascii
        $ = "http://%s/load/?uid=%S" wide ascii
        $ = "http://%s/html/viruslist/?uid=%S" wide ascii
        $ = "https://%s/billing/key/?uid=%S" wide ascii
        $ = "https://%s/html/billing/?uid=%S" wide ascii

    condition:
        3 of them
}
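rule RogueFakeReanInternetSecuritySample
{
    // Rogue.FakeRean ("Internet Security" rogue): UI/registration messages,
    // fake scan-result phrases, a VirtualBox disk string the sample checks,
    // the Run key and a few installer/uninstaller fragments. Seven hits are
    // required.
    // Fix: the string "items are critical privacy compromising content" had
    // no modifiers (so it matched ASCII only) while every other string in the
    // rule is "ascii wide"; it now carries the same modifiers so the UTF-16
    // resource form is covered like its siblings.
    // Caveat: several strings are generic ("Completed!", "/min", "-uninstall",
    // "_MUTEX", "ORDER #:", the Run key, "No new update available",
    // "Could not connect to server!") and installers can accumulate a few of
    // them; the 7-of threshold is what keeps the rule usable, so do not lower it.
    meta:
        Description = "Rogue.FakeRean.sm"
        ThreatLevel = "5"

    strings:
        $ = "VB82ea936a-6aa61dbf" ascii wide
        $ = "VBOX HARDDISK" ascii wide
        $ = "avbase.dat" ascii wide
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $ = "ORDER #:" ascii wide
        $ = "Thank you, the program is now registered!" ascii wide
        $ = "To continue please restart the program. Press OK to close the program." ascii wide
        $ = "Wrong activation code! Please check and retry" ascii wide
        $ = "license. As soon as you complete the activation you will" ascii wide
        $ = "This option is available only in the activated version of " ascii wide
        $ = "You must activate the program by entering registration information " ascii wide
        $ = "has detected that a new Threat Database is available." ascii wide
        $ = "items are critical privacy compromising content" ascii wide
        $ = "items is medium privacy threats" ascii wide
        $ = "items are junk content of low privacy threats" ascii wide
        $ = "has detected a leak of your files though the Internet. " ascii wide
        $ = "We strongly recommend that you block the attack immediately" ascii wide
        $ = "All threats has been succesfully removed." ascii wide
        $ = "Attention! We strongly recommend that you activate " ascii wide
        $ = "for the safety and faster running of your PC." ascii wide
        $ = "No new update available" ascii wide
        $ = "Could not connect to server!" ascii wide
        $ = "New updates are installed successfully!" ascii wide
        $ = "Security Warning!" ascii wide
        $ = "Malicious program has been detected." ascii wide
        $ = "Click here to protect your computer." ascii wide
        $ = "is infected by W32/Blaster.worm" ascii wide
        $ = "$$$$$$$$.bat" ascii wide
        $ = "Completed!" ascii wide
        $ = "Antivirus software uninstalled successfully" ascii wide
        $ = "Antivirus uninstall is not success. Please try again..." ascii wide
        $ = "-uninstall" ascii wide
        $ = "_MUTEX" ascii wide
        $ = "/min" ascii wide

    condition:
        7 of them
}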
rule RogueUnknownFakeAV
{
    // Rogue.FakeRean (unattributed fake-AV build): three independent
    // indicator pairs/singletons lifted from the sample - a build path with
    // its accompanying junk phrase, two numeric constants, and one long
    // numeric blob. Any one group is sufficient; the pairs are required
    // together because each half is weak on its own.
    meta:
        Description = "Rogue.FakeRean.rc"
        ThreatLevel = "5"

    strings:
        $a = "S:\\appointed\\commanding\\general\\Moravia\\Image[01].exe" wide ascii
        $b = "Dresden blockade" wide ascii
        $c = "37592837532" wide ascii
        $d = "39874598234" wide ascii
        $e = "465234750238947532649587203948523-4572304750329458-23459723450-23457" wide ascii

    condition:
        $e or ($a and $b) or ($c and $d)
}
rule RoguePCDefender
|
|
{
|
|
meta:
|
|
Description = "Rogue.FakeDef.rc"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$hex0 = { 8A 4A 01 56 57 33 FF 47 8B C7 8D 72 03 85 C0 74 28 80 C1 0B 80 F9 5A 7E 11 0F BE C1 83 E8 41 6A 19 99 59 F7 F9 80 C2 41 8A CA 33 C0 38 0E 0F 94 C0 47 46 46 83 FF 10 7C D4 5F 5E C3 }
|
|
|
|
condition:
|
|
any of ($hex*)
|
|
}rule RogueFakeSysDefSample
|
|
{
|
|
meta:
|
|
Description = "Rogue.FakeSysDef.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "smtmp" ascii wide
|
|
$ = "attrib -h" ascii wide
|
|
$ = "%s\\license.dat" ascii wide
|
|
$ = "Thank you for purchasing %s" ascii wide
|
|
$ = "%s\\%s_License.txt" ascii wide
|
|
$ = "Bad sectors" ascii wide
|
|
$ = "Lost cluster chains" ascii wide
|
|
$ = "Relocate bad sectors: " ascii wide
|
|
$ = "Fix corrupted files: " ascii wide
|
|
$ = "Fix cluster chain: " ascii wide
|
|
$ = "No errors found. Disk%s health summary %d%%." ascii wide
|
|
$ = "Error 0x00000024 - %s_FILE_SYSTEM" ascii wide
|
|
$ = "Verifying disk consistency..." ascii wide
|
|
$ = "Hard drive spin failure detected" ascii wide
|
|
$ = "Checking S.M.A.R.T. attributes" ascii wide
|
|
$a = "S.M.A.R.T reports" ascii wide
|
|
$ = "Checking HDD surface for bad sectors.." ascii wide
|
|
$ = "Scanning sectors 0x%04X-0x%04X..." ascii wide
|
|
$ = "Check cancelled." ascii wide
|
|
$ = "Hard disk error detected" ascii wide
|
|
$ = "Repair volumes" ascii wide
|
|
$ = "Hard disk verification completed. No errors found." ascii wide
|
|
$ = "Exception Processing Message 0x%08X Parameters" ascii wide
|
|
$ = "Windows - Read error" ascii wide
|
|
$ = "File system on local disk %s contains critical errors" ascii wide
|
|
$ = "explorer.exe - Corrupt Disk" ascii wide
|
|
$ = "svchost.exe - Corrupt Disk" ascii wide
|
|
|
|
condition:
|
|
(3 of them) or $a
|
|
}rule RogueWin32LiveSecurityProfessional
|
|
{
|
|
meta:
|
|
Description = "Rogue.LiveSP.sm"
|
|
ThreatLevel = "5"
|
|
strings:
|
|
$ = "W32.SillyFDC.BDQ" ascii wide
|
|
$ = "Trojan.Peancomm" ascii wide
|
|
$ = "Adware.Borlan" ascii wide
|
|
$ = "Trojan.Exprez" ascii wide
|
|
$ = "Sunshine.B" ascii wide
|
|
$ = "SecurityRisk.URLRedir" ascii wide
|
|
$ = "Spyware.Ezurl" ascii wide
|
|
$ = "W32.Azero.A" ascii wide
|
|
$ = "W32.Downloadup.B" ascii wide
|
|
$ = "Hacktool.Unreal.A" ascii wide
|
|
$ = "Backdoor.Rustock.B" ascii wide
|
|
$ = "Infostealer.Snifula.B" ascii wide
|
|
$ = "Adware.FCHelp" ascii wide
|
|
$ = "Adware.Invinciblekey" ascii wide
|
|
$ = "Packed.Dromedan!gen5" ascii wide
|
|
$ = "Downloader.Jadelile" ascii wide
|
|
$ = "SecShieldFraud!gen7" ascii wide
|
|
$ = "Trojan.Komodola" ascii wide
|
|
$ = "W32.Stekct" ascii wide
|
|
$ = "Packed.Generic.368" ascii wide
|
|
$ = "VirusDoctor!gen12" ascii wide
|
|
$ = "UnlockAV" ascii wide
|
|
$ = "Sign Up in Live Security Professional" ascii wide
|
|
$ = "General security:" ascii wide
|
|
$ = "Real-Time Shields:" ascii wide
|
|
$ = "Self-protection from malware:" ascii wide
|
|
$ = "Definitions auto updates:" ascii wide
|
|
$ = "Virus definition version:" ascii wide
|
|
$ = "Program version:" ascii wide
|
|
$ = "Live Security Professional %s." ascii wide
|
|
$ = "You have a license" ascii wide
|
|
$ = "Your system is protected from possible threats." ascii wide
|
|
$ = "3.13.44.20" ascii wide
|
|
$ = "Protection level:" ascii wide
|
|
$ = "Your computer is fully protected." ascii wide
|
|
$ = "Your protection against viruses and spyware is weak" ascii wide
|
|
$ = "You must enter the serial number that came to your email to activate your license." ascii wide
|
|
$ = "Live Security Professional - Unregistered version" ascii wide
|
|
$ = "Scan stopped..." ascii wide
|
|
$ = "Scan paused..." ascii wide
|
|
$ = "http://185.6.80.65/index.php?r=checkout" ascii wide
|
|
$ = "To complete the registration, check your data for correctness." ascii wide
|
|
$ = "You have successfully signed up and choose a license. After confirming the payment (about 10 minutes), you get a completely secure system." ascii wide
|
|
$ = "Live Security Professional has blocked" ascii wide
|
|
$ = "Live security professional" ascii wide
|
|
$ = "Successfully Cleared!" ascii wide
|
|
$ = "DETECTED VIRUSES" ascii wide
|
|
$ = "List of detected viruses." ascii wide
|
|
$ = "Total infected:" ascii wide
|
|
$ = "10% of the viruses were treated free. For the cure of all viruses, you must purchase a license Pro or Pro Plus." ascii wide
|
|
condition:
|
|
5 of them
|
|
}

rule RogueSpywareDefenderSample
{
    // Rogue "Spyware Defender" family: a distribution domain, a PHP
    // download path and three product-name strings are the specific
    // indicators; the unnamed group is supporting evidence only.
    // NOTE(review): the five unnamed strings alone satisfy "5 of them"
    // with no family-specific string present - confirm the false-positive
    // rate of that clause before relying on it.
    meta:
        Description = "Rogue.SDef.sm"
        ThreatLevel = "5"

    strings:
        // family-specific indicators (any one is sufficient)
        $str1 = "/get_two.php?" ascii wide
        $str2 = "spyware-defender.com" ascii wide
        $str3 = "Spyware Defender 2014" ascii wide
        $str4 = "Antivirus MAC 2014" ascii wide
        $str5 = "Antivirus WIN 2014" ascii wide

        // generic supporting strings
        $ = "Delete" ascii wide
        $ = "NoRemove" ascii wide
        $ = "ForceRemove" ascii wide
        $ = "RunInvalidSignatures" ascii wide
        $ = "CheckExeSignatures" ascii wide

    condition:
        1 of ($str*) or 5 of them
}

rule RogueWin32SystemDoctorA
{
    // Rogue "System Doctor": one code pattern plus product URL, an
    // identifier-like token, the product name and two debug-log paths.
    // The code pattern alone is sufficient; otherwise two indicators
    // (which may include the code pattern) are required.
    meta:
        Description = "Rogue.SysDoct.rc"
        ThreatLevel = "5"

    strings:
        $hex0 = { 55 8b ec 83 ec 7c a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 68 90 d0 47 00 8d ?? ?? e8 ?? ?? ?? ?? 83 ?? ?? ?? 8b ?? ?? 73 ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 83 f8 ff 74 ?? 6a 00 6a 01 e8 ?? ?? ?? ?? 33 c0 8b ?? ?? 33 cd 5e e8 ?? ?? ?? ?? c9 c3 53 57 33 db 53 6a 01 e8 ?? ?? ?? ?? be a4 d0 47 00 8d ?? ?? a5 a4 be ac d0 47 00 8d ?? ?? a5 a4 be b4 d0 47 00 8d ?? ?? a5 66 ?? a4 be bc d0 47 00 8d ?? ?? a5 a5 66 ?? a4 be 90 88 45 00 8d ?? ?? a5 a5 a5 a5 be 00 10 00 00 56 e8 ?? ?? ?? ?? 59 6a 02 53 89 ?? ?? 53 8d ?? ?? 50 c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b f8 83 ff ff 0f ?? ?? ?? ?? ?? 8d ?? ?? 50 53 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 50 56 8b ?? ?? 56 8d ?? ?? 50 6a 0c 8d ?? ?? 50 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 ff ?? ?? ?? ?? ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 74 ?? 33 db 43 56 e8 ?? ?? ?? ?? 59 5f 8b c3 5b e9 ?? ?? ?? ?? 8b ?? ?? eb ?? }

        $s1 = "http://sys-doctor.com" ascii wide
        $s2 = "AA39754E-715219CE" ascii wide
        $s3 = "System Doctor" ascii wide
        $s4 = "C:\\sd.dbg" ascii wide
        $s5 = "C:\\sd1.dbg" ascii wide

    condition:
        1 of ($hex*) or 2 of them
}

rule RogueWin32FufelAVA
{
    // Rogue "Fufel AV": fake-scanner UI text plus product/domain strings.
    // Any one of the $str_* indicators is sufficient on its own; the UI
    // strings need three matches between them.
    meta:
        Description = "Rogue.FufelAV.sm"
        ThreatLevel = "5"

    strings:
        // product name, shortcut and distribution domains (sufficient alone)
        $str_0 = "Sinergia Cleaner" ascii wide
        $str_1 = "Sinergia software.lnk" ascii wide
        $str_2 = "fufel-av-2.com" ascii wide
        $str_3 = "fufel-av.com" ascii wide

        // fake-scanner UI and scare text
        $ = "avp:buy" ascii wide
        $ = "avp:scan" ascii wide
        $ = "Protection software" ascii wide
        $ = "Invalid registration key!" ascii wide
        $ = "Unprotected mode request" ascii wide
        $ = "Are you sure want to continue in unprotected mode?" ascii wide
        $ = "I have serial key" ascii wide
        $ = "Continue unprotected" ascii wide
        $ = "trying to infect your files" ascii wide
        $ = "Your computer was attacked from" ascii wide
        $ = "Attack was blocked" ascii wide
        $ = "Please register product to block hackers attack" ascii wide
        $ = "Scanning completed. No threads found." ascii wide
        $ = "Scanning completed. Cleanup is required." ascii wide
        $ = "Warning! %d Infections found!" ascii wide
        $ = "Registered version" ascii wide
        $ = "Unregistered version (Please register)" ascii wide
        $ = "Cured" ascii wide
        $ = "Infected process" ascii wide

    condition:
        1 of ($str_*) or 3 of them
}

rule RogueWinwebsecSample
{
    // Rogue "Winwebsec": two printf-style path templates for an icon and
    // an executable; either one fires the rule.
    // NOTE(review): both templates are generic format strings with no
    // family-specific token, so matches in unrelated software are likely -
    // consider pairing them with a stronger anchor.
    meta:
        Description = "Rogue.Winwebsec.sm"
        ThreatLevel = "5"

    strings:
        $a = "%s%s\\%s.ico" ascii wide
        $b = "%s%s\\%s.exe" ascii wide

    condition:
        any of them
}

rule RogueSShieldSample
{
    // Rogue "SShield": two short hex-looking wide strings, either of which
    // fires the rule.
    // NOTE(review): eight- and twelve-character hex-digit tokens are weak
    // anchors on their own; verify the false-positive rate.
    meta:
        Description = "Rogue.SShield.sm"
        ThreatLevel = "5"

    strings:
        $a = "64C665BE" wide
        $b = "BC0172B25DF2" wide

    condition:
        1 of them
}

rule TrojanWin32AntivarSample
{
    // Trojan "Antivar": a server identifier and the dropped executable
    // path under system32. Either string is sufficient.
    meta:
        Description = "Trojan.Antivar.sm"
        ThreatLevel = "5"

    strings:
        $server = "ServerNabs4" ascii wide
        $path   = "\\system32\\antivar.exe" ascii wide

    condition:
        1 of them
}

rule TrojanDownloaderCbeplaySample
{
    // Trojan downloader "Cbeplay": strings grouped by what they suggest -
    // analysis/VM evasion, security-product enumeration, MCI-style audio
    // playback, shell/registry names and miscellaneous tokens. Eight
    // matches from the whole set are required; all strings are anonymous
    // and count equally.
    meta:
        Description = "Trojan.Cbeplay.sm"
        ThreatLevel = "5"

    strings:
        // analysis tools and virtual-machine markers
        $ = "wireshark.exe" ascii wide
        $ = "SbieDll.dll" ascii wide
        $ = "VideoBiosVersion" ascii wide
        $ = "VIRTUALBOX" ascii wide
        $ = "VBOX" ascii wide
        $ = "VMWARE" ascii wide
        $ = "QEMU" ascii wide
        $ = "VIRTUAL" ascii wide

        // WMI query for installed antivirus products
        $ = "ROOT\\SecurityCenter2" ascii wide
        $ = "Select * from AntiVirusProduct" ascii wide

        // security vendor / product names
        $ = "AVID" ascii wide
        $ = "Emsisoft" ascii wide
        $ = "Lavasoft" ascii wide
        $ = "avast" ascii wide
        $ = "Avira" ascii wide
        $ = "BitDef" ascii wide
        $ = "COMODO" ascii wide
        $ = "F-Secure" ascii wide
        $ = "G Data" ascii wide
        $ = "Kaspersky" ascii wide
        $ = "McAfee" ascii wide
        $ = "ESET" ascii wide
        $ = "Norton" ascii wide
        $ = "Microsoft Security Essentials" ascii wide
        $ = "Panda" ascii wide
        $ = "Sophos" ascii wide
        $ = "Trend Micro" ascii wide
        $ = "Symantec" ascii wide
        $ = "BullGuard" ascii wide
        $ = "VIPRE" ascii wide
        $ = "Webroot" ascii wide

        // MCI-style audio command strings
        $ = "OPEN %s.mp3 TYPE MpegVideo ALIAS MP3" ascii wide
        $ = "PLAY MP3 wait" ascii wide
        $ = "CLOSE MP3" ascii wide

        // shell processes and window class names
        $ = "taskmgr.exe" ascii wide
        $ = "explorer.exe" ascii wide
        $ = "Program Manager" ascii wide
        $ = "Shell_TrayWnd" ascii wide

        // capture-device related names
        $ = "FriendlyName" ascii wide
        $ = "Capture Filter" ascii wide
        $ = "SampleGrab" ascii wide

        // registry paths (Explorer, Run autostart, SafeBoot control)
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer" ascii wide
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $ = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot" ascii wide

        // miscellaneous
        $ = "pstorec.dll" ascii wide
        $ = "Hello, visitor from: <strong>" ascii wide
        $ = "SendVoucher" ascii wide
        $ = "winver" ascii wide

    condition:
        8 of them
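}

rule TrojanChangeStartPageSampleA
{
    // Browser start-page changer: Chromium preference keys, a Firefox
    // user_pref() homepage fragment, the Firefox profile path, a firewall
    // exception command and a dropped-file path.
    // Fix: "urls_to_restore_on_startup" was listed twice, so one content
    // match counted twice toward the "3 of them" threshold; each string is
    // now listed once.
    // NOTE(review): several keys are ordinary Chromium preference names and
    // may also occur in clean browser binaries - confirm the threshold
    // against a clean Chrome/Chromium install.
    meta:
        Description = "Trojan.CStartPage.sm"
        ThreatLevel = "5"

    strings:
        $ = "chrome.exe" ascii wide
        $ = "urls_to_restore_on_startup" ascii wide
        $ = "restore_on_startup" ascii wide
        $ = "restore_on_startup_migrated" ascii wide
        $ = "translate_accepted_count" ascii wide
        $ = "translate_denied_count" ascii wide
        $ = "translate_site_blacklist" ascii wide
        $ = "netsh firewall add allowedprogram" ascii wide
        $ = "homepage_is_newtabpage" ascii wide
        $ = "Start Page" ascii wide
        $ = "user_pref(%cbrowser.startup.homepage%c" ascii wide
        $ = "%ws\\mozilla\\firefox\\profiles" ascii wide
        $ = "c:\\windows\\sms.exe" ascii wide

    condition:
        3 of them
}
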
rule TrojanWin32CitadelSampleA
{
    // Citadel banking-trojan sample: an embedded author-taunt string, a
    // short code pattern and two runtime strings. Any single match fires.
    // NOTE(review): "softpc.new" and the "CS:%04x IP:%04x ..." format
    // string look like emulator diagnostics rather than family-specific
    // text; confirm they do not appear in clean system binaries before
    // letting either fire alone.
    meta:
        Description = "Trojan.Citadel.sm"
        ThreatLevel = "5"

    strings:
        $a    = "Coded by BRIAN KREBS for personal use only. I love my job & wife." ascii wide
        $hex0 = {85 C0 7? ?? 8A 4C 30 FF 30 0C 30 48 7?}
        $s1   = "softpc.new" ascii wide
        $s2   = "CS:%04x IP:%04x OP:%02x %02x %02x %02x %02x" ascii wide

    condition:
        1 of them
}

rule TrojanWin32ComfooSample
{
    // Comfoo backdoor: event/mutex-style names, dropped file names, a
    // device path, diagnostic format strings and three code patterns.
    // Any one code pattern is sufficient; otherwise three indicators.
    meta:
        Description = "Trojan.Comfoo.sm"
        ThreatLevel = "5"

    strings:
        // code patterns (each sufficient alone)
        $hex0 = { 6a ff 68 1b 04 01 10 64 ?? ?? ?? ?? ?? 50 64 ?? ?? ?? ?? ?? ?? 51 56 57 68 30 17 00 00 e8 ?? ?? ?? ?? 83 c4 04 89 ?? ?? ?? 85 c0 c7 ?? ?? ?? ?? ?? ?? ?? 74 ?? 8b c8 e8 ?? ?? ?? ?? 8b f0 eb ?? 33 f6 8b ?? 6a 01 8b ce c7 ?? ?? ?? ?? ?? ?? ?? ff ?? ?? bf 30 3b 01 10 83 c9 ff 33 c0 8b ?? f2 ?? f7 d1 49 51 68 30 3b 01 10 8b ce ff ?? ?? 8b ?? 68 81 3e 00 00 8b ce ff ?? ?? 8b ?? ?? ?? 8b ?? 50 8b ce ff ?? ?? 8b ?? ?? ?? 8b ?? 50 8b ce ff ?? ?? 56 e8 ?? ?? ?? ?? 8b f8 83 c4 04 f7 df 1b ff 47 85 f6 74 ?? 8b ce e8 ?? ?? ?? ?? 56 e8 ?? ?? ?? ?? 83 c4 04 8b ?? ?? ?? 8b c7 5f 5e 64 ?? ?? ?? ?? ?? ?? 83 c4 10 c3}
        $hex1 = { 55 56 57 6a 08 33 ed e8 ?? ?? ?? ?? 8b f0 83 c4 04 85 f6 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 89 ?? ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 7f 03 0f 00 55 68 94 32 01 10 89 ?? ?? ff ?? ?? ?? ?? ?? 8b f8 85 ff 74 ?? 53 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 68 ff 01 0f 00 55 55 68 e8 30 01 10 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 53 ff ?? ?? ?? ?? ?? 85 c0 74 ?? bd 01 00 00 00 53 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 85 ed 5b 74 ?? 8b c6 5f 5e 5d c3}
        $hex2 = { 53 53 6a 03 53 53 68 00 00 00 c0 68 78 33 01 10 ff ?? ?? ?? ?? ?? 89 ?? ?? 83 f8 ff 75 ?? 33 c0 8b ?? ?? 64 ?? ?? ?? ?? ?? ?? 5f 5e 5b 8b e5 5d c3 89 ?? ?? 89 ?? ?? 89 ?? ?? be 88 33 01 10 8b c7 8a ?? 8a ca 3a ?? 75 ?? 3a cb 74 ?? 8a ?? ?? 8a ca 3a ?? ?? 75 ?? 83 c0 02 83 c6 02 3a cb 75 ?? 33 c0 eb ?? 1b c0 83 d8 ff 3b c3 75 ?? 89 ?? ?? eb ?? 57 ff ?? ?? ?? ?? ?? 89 ?? ?? 83 f8 ff 74 ?? 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 53 8d ?? ?? 51 6a 04 8d ?? ?? 52 6a 06 8d ?? ?? 50 8b ?? ?? 56 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 81 fe c8 20 22 00 75 ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 64 ?? ?? ?? ?? ?? ?? 5f 5e 5b 8b e5 5d c3}

        // synchronisation-object style names
        $ = "exclusiveinstance12" ascii wide
        $ = "MYGAMEHAVESTART" ascii wide
        $ = "MYGAMEHAVEstarted" ascii wide
        $ = "MYGAMEHAVESTARTEd" ascii wide
        $ = "MYGAMEHAVESTARTED" ascii wide
        $ = "thisisanewfirstrun" ascii wide
        $ = "THISISASUPERNEWGAMENOWBEGIN" ascii wide
        $ = "thisisnewtrofor024" ascii wide
        $ = "THIS324NEWGAME" ascii wide
        $ = "watchevent29021803" ascii wide
        $ = "iamwaitingforu653890" ascii wide
        $ = "09lkjds" ascii wide

        // file, driver and device names
        $ = "cabinet.dll" ascii wide
        $ = "perfdi.ini" ascii wide
        $ = "msobj.sys" ascii wide
        $ = "usbak.sys" ascii wide
        $ = "\\\\.\\DevCtrlKrnl" ascii wide
        $ = "SYSTEM\\CurrentControlSet\\Services\\%s" ascii wide

        // host-survey / diagnostic format strings
        $ = "Call to GetAdaptersInfo failed. Return Value" ascii wide
        $ = "Hard Disk(%s--LocalDisk)" ascii wide
        $ = "Total size: %I64d (MB)" ascii wide

    condition:
        1 of ($hex*) or 3 of them
}

rule TrojanBotnetWin32CutwailSample
{
    // Cutwail spam-bot components: PDB file names of the loader, rootkit
    // installer, driver, protector and mailer, plus three build/campaign
    // tokens. Any single match fires.
    // NOTE(review): "Protect.pdb" is a generic debug-symbol name; check it
    // does not fire on unrelated software before keeping it as a
    // standalone trigger.
    meta:
        Description = "Trojan.Cutwail.sm"
        ThreatLevel = "5"

    strings:
        $pdb1 = "PreLoader.pdb" ascii wide
        $pdb2 = "RkInstall.pdb" ascii wide
        $pdb3 = "InnerDrv.pdb" ascii wide
        $pdb4 = "Protect.pdb" ascii wide
        $pdb5 = "MailerApp.pdb" ascii wide
        $tok1 = "magadan21" ascii wide
        $tok2 = "revolution6" ascii wide
        $tok3 = "bot25" ascii wide

    condition:
        1 of them
}

rule TrojanDllpatcherA
{
    // DLL patcher: two Global\-namespace object names (mutex-style) and the
    // 32-/64-bit paths of dnsapi.dll, the library it targets. Three of the
    // four strings are required.
    meta:
        Description = "Trojan.Dllpatcher.vb"
        ThreatLevel = "5"

    strings:
        $obj1  = "Global\\Matil da" ascii wide
        $obj2  = "Global\\Nople Mento" ascii wide
        $dll32 = "%s\\System32\\dnsapi.dll" ascii wide
        $dll64 = "%s\\SysWOW64\\dnsapi.dll" ascii wide

    condition:
        3 of them
}

rule TrojanDownloaderWin32KaraganySampleA
{
    // Karagany downloader: three code patterns only; any one of them
    // fires the rule.
    meta:
        Description = "Trojan.Karagany.sm"
        ThreatLevel = "5"

    strings:
        $hex0 = { e8 ?? ?? ?? ?? 68 b4 05 00 00 e8 ?? ?? ?? ?? 83 c4 04 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? 99 b9 05 00 00 00 f7 f9 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 c0 24 40 00 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 78 24 40 00 a1 ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 30 24 40 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 e8 23 40 00 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 a0 23 40 00 a1 ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 c4 08 8d ?? ?? ?? ?? ?? 51 68 00 03 00 84 6a 00 6a 00 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ??}
        $hex1 = { 55 8b ec 83 ec 18 e8 ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 a3 ?? ?? ?? ?? 68 d0 21 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 6a 00 6a 00 68 38 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 2c 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 20 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 52 8b ?? ?? 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? a1 ?? ?? ?? ?? 50 8b ?? ?? 51 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 6a 00 6a 00 68 14 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 04 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 8b e5 5d c3}
        $hex2 = { 55 8b ec 81 ec 20 04 00 00 a1 ?? ?? ?? ?? 89 ?? ?? 68 e0 30 40 00 68 48 23 40 00 8d ?? ?? ?? ?? ?? 51 ff ?? ?? 83 c4 0c 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 83 c4 0c b8 01 00 00 00 8b e5 5d c3}

    condition:
        any of them
}

rule TrojanDownloaderWin32WaledacSampleR
{
    // Waledac downloader: three code patterns only; any one of them
    // fires the rule.
    meta:
        Description = "Trojan.Waledac.sm"
        ThreatLevel = "5"

    strings:
        $hex0 = { 55 8b ec 81 ec 6c 02 00 00 56 57 68 80 00 00 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 68 1c 21 40 00 8d ?? ?? ?? ?? ?? 50 ff d6 e8 ?? ?? ?? ?? 8d ?? ?? 51 50 e8 ?? ?? ?? ?? 8b ?? ?? 59 59 8b ?? ?? 8d ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff d6 8d ?? ?? 50 e8 ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 50 ff d6 33 f6 56 56 6a 02 56 56 68 00 00 00 40 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f8 3b fe 75 ?? 32 c0 eb ?? 56 8d ?? ?? 50 53 ff ?? ?? 57 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 39 ?? ?? 75 ?? 6a 44 5f 57 8d ?? ?? 56 50 e8 ?? ?? ?? ?? 83 c4 0c 33 c0 66 ?? ?? ?? 8d ?? ?? 50 8d ?? ?? 50 56 56 56 56 56 56 8d ?? ?? ?? ?? ?? 50 56 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? f7 d8 1b c0 f7 d8 5f 5e c9 c3 55}
        $hex1 = { 55 8b ec 83 e4 f8 83 ec 10 56 57 e8 ?? ?? ?? ?? be 10 30 40 00 56 68 02 02 00 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 6a 02 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 68 01 01 00 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 6a ff ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? a3 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? be 30 21 40 00 8d ?? ?? ?? a5 a5 59 a3 ?? ?? ?? ?? a5 8d ?? ?? ?? 50 68 40 21 40 00 a4 e8 ?? ?? ?? ?? 59 59 84 c0 75 ?? 8d ?? ?? ?? 50 68 4c 21 40 00 e8 ?? ?? ?? ?? 59 59 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 5f 33 c0 5e 8b e5 5d c3}
        $hex2 = { 55 8b ec 51 83 ?? ?? ?? 53 8b ?? ?? ?? ?? ?? 56 57 bf 00 90 01 00 eb ?? 7c ?? 8b ?? ?? 56 ff ?? ?? ?? ?? ?? 03 c3 50 e8 ?? ?? ?? ?? 01 ?? ?? 8b ?? ?? 8b ?? ?? 83 c4 0c e8 ?? ?? ?? ?? 83 e8 00 74 ?? 48 75 ?? 6a 00 57 ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? 8b f0 85 f6 75 ?? 8b ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? f7 d8 1b c0 40 eb ?? 48 32 c0 eb ?? b0 01 5f 5e 5b c9 c3}

    condition:
        any of them
}

rule TrojanDownloaderWin32PerkeshSamle
{
    // Perkesh downloader: a fixed hex-looking token, a temp-file name
    // template and the hosts-file path. All three must be present.
    meta:
        Description = "Trojan.Perkesh.rc"
        ThreatLevel = "5"

    strings:
        $a = "698d51" ascii wide
        $b = "%s~%x.dat" ascii wide
        $c = "\\drivers\\etc\\hosts" ascii wide

    condition:
        $a and $b and $c
}

rule TrojanDownloaderWin32PerkeshDriverSamle
{
    // Perkesh kernel driver component, identified by its embedded PDB path.
    meta:
        Description = "Trojan.Perkesh.rc"
        ThreatLevel = "5"

    strings:
        $pdb = "C:\\FOUND.001\\333888\\sys\\Driver\\i386\\feiji.pdb" ascii wide

    condition:
        $pdb
}

// The "pe" module is needed by the rule below for pe.entry_point.
import "pe"

rule TrojanDropperMicrojoin
{
    // MicroJoin binder/dropper: a function-prologue byte sequence that must
    // sit exactly at the PE entry point.
    // NOTE(review): the two "68 00 00 00 00" pushes look like immediate
    // operands left unrelocated; if they are addresses they would normally
    // be wildcarded as "68 ?? ?? ?? ??" - confirm against a sample before
    // changing the pattern.
    meta:
        Description = "Trojan.Microjoin.rc"
        ThreatLevel = "5"

    strings:
        $ep = { 55 8B EC 6A FF 68 00 00 00 00 68 00 00 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 5F 5E 5B 33 C0 83 C4 78 5D }

    condition:
        $ep at pe.entry_point
}

rule TrojanDownloaderWin32Frethog_E_Sample
{
    // Frethog downloader (VB6 build): runtime DLL/OCX paths, download
    // status strings, a set of hard-coded download URLs and dropped-file
    // names. Four matches from the set are required.
    meta:
        Description = "Trojan.Frethog.sm"
        ThreatLevel = "5"

    strings:
        // hard-coded download and config URLs
        $ = "http://www.pc918.net/file.txt" ascii wide
        $ = "http://www.yswm.net/file.txt" ascii wide
        $ = "http://www.v138.net/file.txt" ascii wide
        $ = "http://www.v345.net/file.txt" ascii wide
        $ = "http://www.ahwm.net/file.txt" ascii wide
        $ = "http://user.yswm.net/yswm" ascii wide
        $ = "http://user.yswm.net" ascii wide

        // runtime components and dropped / touched files
        $ = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" ascii wide
        $ = "\\system32\\mswinsck.ocx" ascii wide
        $ = "\\system32\\svchost.exe" ascii wide
        $ = "hide.exe" ascii wide
        $ = "\\win.ini" ascii wide
        $ = "\\sys.dat" ascii wide

        // status text and configuration tokens
        $ = "DownLoad File:" ascii wide
        $ = "P2P DownFile:" ascii wide
        $ = "so118config" ascii wide
        $ = "yswm.runsoft" ascii wide

    condition:
        4 of them
}

rule TrojanGBotSampleA_Malex
{
    // G-Bot: a self-identifying banner string, the install path under a
    // fake Windows-update folder, and two code patterns. Any single match
    // fires.
    meta:
        Description = "Trojan.GBot.sm"
        ThreatLevel = "5"

    strings:
        $banner = "My name is \"G-Bot\" or \"GBot\"!" ascii wide
        $path   = "C:\\WINDOWS\\WinUpdaterstd\\svchost.exe" ascii wide
        $hex0   = { 85 d2 74 ?? 8b ?? ?? 41 7f ?? 50 52 8b ?? ?? e8 ?? ?? ?? ?? 89 c2 58 52 8b ?? ?? e8 ?? ?? ?? ?? 5a 58 eb ?? f0 ?? ?? ?? 87 ?? 85 d2 74 ?? 8b ?? ?? 49 7c ?? f0 ?? ?? ?? 75 ?? 8d ?? ?? e8 ?? ?? ?? ?? c3}
        $hex1   = { 53 56 8b f2 8b d8 66 ?? ?? ?? 66 3d b0 d7 72 ?? 66 3d b3 d7 76 ?? bb 66 00 00 00 eb ?? 66 3d b0 d7 74 ?? 8b c3 e8 ?? ?? ?? ?? 66 ?? ?? ?? 80 ?? ?? ?? 75 ?? 83 ?? ?? ?? 75 ?? c7 ?? ?? ?? ?? ?? ?? 8b c3 ff ?? ?? 8b d8 85 db 74 ?? 8b c3 e8 ?? ?? ?? ?? 8b c3 5e 5b c3}

    condition:
        1 of them
}

rule TrojanDropperWin32Gamarue_A_Andromeda
{
    // Andromeda/Gamarue dropper: the dropper's PDB path ($a) and a
    // scrambled registry-path fragment ($b) are each sufficient alone;
    // otherwise three matches from the whole set are required.
    // NOTE(review): "\\MSI", "\\#MSI", "\\msiexec.exe" and "avp.exe" are
    // short, generic tokens - confirm the three-match clause does not fire
    // on ordinary installers.
    meta:
        Description = "Trojan.Andromeda.sm"
        ThreatLevel = "5"

    strings:
        // strong anchors
        $a = "ldr\\CUSTOM\\local\\local\\Release\\ADropper.pdb" ascii wide
        $b = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" ascii wide

        // code pattern and supporting strings
        $ = { 66 8B 10 66 3B 11 75 1E 66 3B D3 74 15 66 8B 50 02 66 3B 51 02 75 0F 83 C0 04 83 C1 04 66 3B D3 75 DE 33 C0 EB 05 1B C0 83 D8 FF 3B C3 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? ?? 56 FF D7 85 C0 75 ?? }
        $ = "EpisodeNorth.exe" ascii wide
        $ = "HandballChampionship.exe" ascii wide
        $ = "\\#MSI" ascii wide
        $ = "\\MSI" ascii wide
        $ = "\\msiexec.exe" ascii wide
        $ = "avp.exe" ascii wide
        $ = "\\(empty).lnk" ascii wide

    condition:
        $a or $b or 3 of them
}

rule TrojanInjectorA
{
    // Injector: three deliberately misspelled library/API-like names
    // (they resemble KERNEL32.dll and CreateFile*/ReadFile* identifiers
    // with letters swapped). All three must be present.
    meta:
        Description = "Trojan.Injector.vb"
        ThreatLevel = "5"

    strings:
        $s1 = "KERNEO32.nll" ascii wide
        $s2 = "CfeateFileAaocwwA" ascii wide
        $s3 = "RGPdFileREjhsoX" ascii wide

    condition:
        all of ($s*)
}

rule TrojanWin32KovterSample
{
    // Kovter: a Pascal source path from the build ($a) is sufficient alone;
    // otherwise three of the "Anti*" evasion-routine names are required.
    meta:
        Description = "Trojan.Kovter.sm"
        ThreatLevel = "5"

    strings:
        // build artefact (sufficient alone)
        $a = "i:\\MySoft\\project Locker\\optimize orig Binary\\kol\\err.pas" ascii wide

        // anti-VM / anti-sandbox / anti-debugger routine names
        $ = "AntiVirtualBox" ascii wide
        $ = "AntiVMware" ascii wide
        $ = "AntiVMwareEx" ascii wide
        $ = "AntiVirtualPC" ascii wide
        $ = "AntiVirtualMachine" ascii wide
        $ = "AntiSandboxie" ascii wide
        $ = "AntiSunbeltSandboxie" ascii wide
        $ = "AntiJoeBox" ascii wide
        $ = "AntiThreadExpert" ascii wide
        $ = "AntiWireshark" ascii wide
        $ = "AntiRFP" ascii wide
        $ = "AntiAllDebugger" ascii wide
        $ = "AntiODBG" ascii wide
        $ = "AntiSoftIce" ascii wide
        $ = "AntiSyserDebugger" ascii wide
        $ = "AntiTrwDebugger" ascii wide

    condition:
        $a or 3 of them
}

rule TrojanDownloaderWin32KuluozSampleB
{
    // Kuluoz/Asprox downloader: a long code pattern is sufficient alone;
    // otherwise three strings (C2 gate paths, taunt strings, autostart
    // key, host-process name) are required.
    meta:
        Description = "Trojan.Asprox.sm"
        ThreatLevel = "5"

    strings:
        // C2 gate URL fragments and embedded taunt text
        $ = "/index.php?r=gate&id=" ascii wide
        $ = "/index.php?r=gate/getipslist&id=" ascii wide
        $ = "You fag" ascii wide
        $ = "For group" ascii wide

        // generic persistence / host-process strings
        $ = "svchost.exe" ascii wide
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide

        // code pattern (sufficient alone)
        $hex0 = { 55 8b ec 81 ec dc 00 00 00 90 68 1c 10 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 68 28 10 40 00 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 44 10 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 58 10 40 00 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 6c 10 40 00 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 7c 10 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? 68 94 10 40 00 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? b8 50 89 40 00 2d b0 10 40 00 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c1 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? c6 ?? ?? ?? ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c0 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? c6 ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? 90 8d ?? ?? ?? ?? ?? 52 8d ?? ?? 50 6a 00 6a 00 6a 04 6a 00 6a 00 6a 00 68 a4 10 40 00 6a 00 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 00 6a 18 8d ?? ?? 50 6a 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 83 c2 08 89 ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 6a 04 8d ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 00 68 00 00 00 08 6a 40 8d ?? ?? ?? ?? ?? 52 6a 00 68 1f 00 0f 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 52 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 50 6a ff 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 8b ?? ?? 3b ?? ?? 73 ?? b9 b0 10 40 00 03 ?? ?? 8b ?? ?? ?? ?? ?? 03 ?? ?? 8a ?? 88 ?? eb ?? 90 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 51 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 6a 40 68 00 30 00 00 68 00 00 50 00 6a 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 8d ?? ?? ?? ?? ?? 50 68 00 10 00 00 8b ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 03 ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 51 8b ?? ?? 52 8b ?? ?? 50 8b ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 00 68 00 00 00 08 6a 40 8d ?? ?? ?? ?? ?? 51 6a 00 68 1f 00 0f 00 8d ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 51 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 6a ff 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c0 01 89 ?? ?? 8b ?? ?? 3b ?? ?? 73 ?? 8b ?? ?? ?? ?? ?? 03 ?? ?? 8b ?? ?? 03 ?? ?? 8a ?? 88 ?? eb ?? 90 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 50 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 e8 03 00 00 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 8b e5 5d c3}

    condition:
        $hex0 or 3 of them
}

rule TrojanWin32LethicBSample
{
    // Lethic spam bot: a code pattern is sufficient alone; otherwise two
    // strings (a proxy-like token, a hard-coded IP and a short tag) are
    // required.
    // NOTE(review): "antaw" is a five-character token and a weak anchor;
    // verify it does not inflate the two-match clause on clean files.
    meta:
        Description = "Trojan.Lethic.sm"
        ThreatLevel = "5"

    strings:
        $s1 = "zaproxza" ascii wide
        $s2 = "93.190.137.51" ascii wide
        $s3 = "antaw" ascii wide
        $hex0 = { e8 ?? ?? ?? ?? 8b ?? ?? 52 e8 ?? ?? ?? ?? 8b ?? ?? 50 e8 ?? ?? ?? ?? 68 74 43 40 00 e8 ?? ?? ?? ?? 89 ?? ?? 6a 33 68 00 40 40 00 8b ?? ?? 51 e8 ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? e9 ?? ?? ?? ?? 8b ?? ??}

    condition:
        1 of ($hex*) or 2 of them
}

rule TrojanWin32NecursSample
{
    // Necurs user-mode component: one tag string ($a) is sufficient alone;
    // otherwise eight matches from the whole set (diagnostic format
    // strings, check-in domains, installer/service names) are required.
    // NOTE(review): "NitrGB" is a six-character token that fires the rule
    // by itself - confirm it is unique to the family.
    meta:
        Description = "Trojan.Necurs.sm"
        ThreatLevel = "5"

    strings:
        // sufficient alone
        $a = "NitrGB" ascii wide

        // diagnostic / log format strings
        $ = "some stupid error %u" ascii wide
        $ = "exception %08x %swhen %s at %p" ascii wide
        $ = "loading" ascii wide
        $ = "unloading" ascii wide

        // connectivity-check domains
        $ = "microsoft.com" ascii wide
        $ = "facebook.com" ascii wide

        // installer / service / host-process names
        $ = "\\Installer\\{" ascii wide
        $ = "%s%0.8X-%0.4X-%0.4X-%0.4X-%0.8X%0.4X}\\" ascii wide
        $ = "syshost32" ascii wide
        $ = "%s\\svchost.exe" ascii wide

    condition:
        $a or 8 of them
}

rule TrojanWinNTNecursSample
{
    // Necurs kernel-mode component: the driver's PDB path ($a) is
    // sufficient alone; otherwise eight security-vendor names from its
    // embedded list are required.
    // NOTE(review): legitimate security or uninstall tools may also embed
    // many vendor names; confirm the eight-match clause against such
    // software.
    meta:
        Description = "Trojan.Necurs.sm"
        ThreatLevel = "5"

    strings:
        // build artefact (sufficient alone)
        $a = "F:\\cut\\abler\\detecting\\overlapping\\am.pdb" ascii wide

        // security vendor names
        $ = "VirusBuster Ltd" ascii wide
        $ = "Beijing Jiangmin" ascii wide
        $ = "Beijing Rising" ascii wide
        $ = "SUNBELT SOFTWARE" ascii wide
        $ = "Sunbelt Software" ascii wide
        $ = "K7 Computing" ascii wide
        $ = "Immunet Corporation" ascii wide
        $ = "G DATA Software" ascii wide
        $ = "Quick Heal Technologies" ascii wide
        $ = "Comodo Security Solutions" ascii wide
        $ = "CJSC Returnil Software" ascii wide
        $ = "NovaShield Inc" ascii wide
        $ = "BullGuard Ltd" ascii wide
        $ = "Check Point Software Technologies Ltd" ascii wide
        $ = "Panda Software International" ascii wide
        $ = "Kaspersky Lab" ascii wide
        $ = "FRISK Software International Ltd" ascii wide
        $ = "ESET, spol. s r.o." ascii wide
        $ = "Doctor Web Ltd" ascii wide
        $ = "BitDefender SRL" ascii wide
        $ = "BITDEFENDER LLC" ascii wide
        $ = "Avira GmbH" ascii wide
        $ = "GRISOFT, s.r.o." ascii wide
        $ = "PC Tools" ascii wide
        $ = "ALWIL Software" ascii wide
        $ = "Agnitum Ltd" ascii wide

    condition:
        $a or 8 of them
}

rule TrojanWin32NedsymGSample
{
    // Nedsym: a keyboard-row alphabet used for random names, a look-alike
    // host-process name, a service/display name and the hosts-file path.
    // Two of the four are required.
    // NOTE(review): "Windows Init" together with the hosts-file path is a
    // weak pair; confirm the two-match threshold on clean software.
    meta:
        Description = "Trojan.Nedsym.sm"
        ThreatLevel = "5"

    strings:
        $alphabet = "qwertyuiopasdfghjklzxcvbnm123456789" ascii wide
        $lookalike = "svcnost.exe" ascii wide
        $svcname = "Windows Init" ascii wide
        $hosts = "\\drivers\\etc\\hosts" ascii wide

    condition:
        2 of them
}rule TrojanWin32NeurevtA_BackDoor
|
|
{
|
|
meta:
|
|
Description = "Trojan.Neurevt.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "%s\\__%08x.lnk" ascii wide
|
|
$ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" ascii wide
|
|
$ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ascii wide
|
|
$ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
|
|
$ = "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
|
|
$ = "{2227A280-3AEA-1069-A2DE-08002B30309D}" ascii wide
|
|
$ = "schtasks.exe" ascii wide
|
|
$ = "SYSTEM\\CurrentControlSet\\Control\\Session Manager" ascii wide
|
|
$ = "Software\\Classes\\CLSID\\%s\\%08X\\%s" ascii wide
|
|
$ = "%s\\%08X.pif" ascii wide
|
|
$ = "Windows ha detectado una carpeta da" ascii wide
|
|
$ = "Mostrar Detalles" ascii wide
|
|
$ = "Mas informaci" ascii wide
|
|
$ = "Restaurar archivos" ascii wide
|
|
$ = "Restaurar archivos y chequear el disco en busca de errores" ascii wide
|
|
$ = "Erro de Disco Cr" ascii wide
|
|
$ = "O Windows encontrou uma pasta corrompida no seu disco r" ascii wide
|
|
$ = "Mostrar detalhes" ascii wide
|
|
$ = "Mais detalhes sobre esse erro" ascii wide
|
|
$ = "Restaurar os arquivos" ascii wide
|
|
$ = "Restaurar os arquivos e verificar erros no disco" ascii wide
|
|
$ = "Kritischer Festplattenfehler" ascii wide
|
|
$ = "Windows hat einen fehlerhaften Ordner auf deiner Festplatte vorgefunden." ascii wide
|
|
$ = "Mehrere fehlerhafte Dateien wurden in dem Ordner 'Eigene Dokumente' gefunden. Um Datenverlust zu ver" ascii wide
|
|
$ = "Details anzeigen" ascii wide
|
|
$ = "Mehr Details zu diesem Fehler" ascii wide
|
|
$ = "Dateien wiederherstellen" ascii wide
|
|
$ = "Dateien wiederherstellen und Festplatte auf Fehler " ascii wide
|
|
$ = "Erreur Critique" ascii wide
|
|
$ = "Windows a trouv" ascii wide
|
|
$ = "Plusieurs fichiers corrompu sont trouv" ascii wide
|
|
$ = "Montre d" ascii wide
|
|
$ = "Plus de d" ascii wide
|
|
$ = "Kritieke foutmelding" ascii wide
|
|
$ = "Windows heeft een beschadigde map gevonden" ascii wide
|
|
$ = "Meerdere beschadigde bestanden zijn in de map 'Mijn Documenten' gevonden. Om dataverlies te voorkome" ascii wide
|
|
$ = "Toon details" ascii wide
|
|
$ = "Meer details over deze foutmelding" ascii wide
|
|
$ = "Herstel bestanden" ascii wide
|
|
$ = "Herstel bestanden en controleer de harde schijf voor errors" ascii wide
|
|
$ = "Kritik disk hatas" ascii wide
|
|
$ = "Windows sabit diskinizde bozuk bir klas" ascii wide
|
|
$ = "Bu hata hakk" ascii wide
|
|
$ = "Dosyalar" ascii wide
|
|
$ = "Hata ayr" ascii wide
|
|
$ = "Kritis Disk Kesalahan" ascii wide
|
|
$ = "Windows telah mengalami rusak folder pada hard drive Anda" ascii wide
|
|
$ = "Beberapa file rusak telah ditemukan di folder 'My Documents'. Untuk mencegah kerugian serius data, p" ascii wide
|
|
$ = "Tampilkan detail" ascii wide
|
|
$ = "Lebih rinci tentang kesalahan ini" ascii wide
|
|
$ = "mengembalikan file" ascii wide
|
|
$ = "Kembalikan file dan memeriksa disk untuk kesalahan" ascii wide
|
|
$ = "Errore critico dell'hard disk" ascii wide
|
|
$ = "Windows ha trovato una cartella corrotta nel vostro hard disk." ascii wide
|
|
$ = "Mostra dettagli" ascii wide
|
|
$ = "Maggiori dettagli su quest'errore" ascii wide
|
|
$ = "Ripristina i file" ascii wide
|
|
$ = "Ripristina i file e controlla il disco per errori." ascii wide
|
|
$ = "Kriittinen Levy Virhe" ascii wide
|
|
$ = "Windows on t" ascii wide
|
|
$ = "Useita korruptoituneita tiedostoja on l" ascii wide
|
|
$ = "Palauta tiedostot" ascii wide
|
|
$ = "Palauta tiedostot ja etsi virheit" ascii wide
|
|
$ = "Problem, krytyczny stan dysku" ascii wide
|
|
$ = "Windows znalazl korupcyjny folder w twoim twardym dysku." ascii wide
|
|
$ = "Duza ilosc zepsutych plikow zostala znaleziona w swoim folderze 'My Documents'. Zeby zachowac pamiec" ascii wide
|
|
$ = "Pokaz wiecej informacji" ascii wide
|
|
$ = "Wiecej danych na temat bledu" ascii wide
|
|
$ = "Przywracanie plik" ascii wide
|
|
$ = "Critical Disk Error" ascii wide
|
|
$ = "Windows has encountered a corrupted folder on your hard drive" ascii wide
|
|
$ = "Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of da" ascii wide
|
|
$ = "Show details" ascii wide
|
|
$ = "More details about this error" ascii wide
|
|
$ = "Restore files and check disk for errors" ascii wide
|
|
$ = "http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535" ascii wide
|
|
$ = "uac" ascii wide
|
|
$ = "nuac" ascii wide
|
|
$ = "Has denegado los privilegios de Windows para la utilidad de restauraci" ascii wide
|
|
$ = "Error en los privilegios" ascii wide
|
|
$ = "Erro de privil" ascii wide
|
|
$ = "Sie verweigerten Windows die Privilegien, das Dateiwiederherstellungswerkzeug zu nutzen. Bitte w" ascii wide
|
|
$ = "Privilegfehler" ascii wide
|
|
$ = "Vous avez rejet" ascii wide
|
|
$ = "Erreur de privil" ascii wide
|
|
$ = "U heeft de nodige rechten afgewezen voor de Windows herstelprocedure. Selecteer JA op de volgende UA" ascii wide
|
|
$ = "Toestemming error" ascii wide
|
|
$ = "Windows dosya restorasyon program" ascii wide
|
|
$ = "Izin hatas" ascii wide
|
|
$ = "Anda menyangkal hak-hak istimewa yang tepat untuk utilitas restorasi file Windows. Silakan pilih YES" ascii wide
|
|
$ = "Privilege Kesalahan" ascii wide
|
|
$ = "Hai negato i privilegi necessari a Windows per riparare i file. Selezione \"Si\" nella seguente finest" ascii wide
|
|
$ = "Errore nei privilegi" ascii wide
|
|
$ = "Et sallinut oikeuksia Windowsin tiedostojen palautus ohjelmistolle. Ole hyv" ascii wide
|
|
$ = "Windows file restoration utility" ascii wide
|
|
$ = "You denied the proper privileges to the Windows file restoration utility. Please select YES on the f" ascii wide
|
|
$ = "Privilege Error" ascii wide
|
|
$ = "local ip detected" ascii wide
|
|
|
|
$hex0 = { 55 8b ec 81 ec 04 01 00 00 83 ?? ?? ?? 56 57 0f ?? ?? ?? ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? be 34 71 42 00 8b ce e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 81 c2 ae 17 00 00 8b ca e8 ?? ?? ?? ?? 83 f8 08 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 8b f8 85 ff 74 ?? 68 04 01 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? a1 ?? ?? ?? ?? 56 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 57 68 68 a3 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 14 57 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 d2 04 00 00 ff ?? ?? ?? ?? ?? 8b f0 ff ?? ?? ?? ?? ?? ff ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 8b f8 83 fe 01 75 ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b c7 eb ?? 33 c0 5f 5e c9 c2 04 00 55}
|
|
$hex1 = { 55 8b ec 81 ec 04 01 00 00 53 33 db 57 39 ?? ?? 0f ?? ?? ?? ?? ?? 8b ?? ?? 3b cb 0f ?? ?? ?? ?? ?? 39 ?? ?? 0f ?? ?? ?? ?? ?? 3b f3 0f ?? ?? ?? ?? ?? 39 ?? 0f ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 81 c2 ae 17 00 00 8b ca e8 ?? ?? ?? ?? 83 f8 08 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 8b f8 3b fb 0f ?? ?? ?? ?? ?? 68 04 01 00 00 53 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? ff ?? ?? a1 ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 57 68 68 a3 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 14 57 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 d2 04 00 00 ff ?? ?? ?? ?? ?? 8b f8 ff ?? ?? ?? ?? ?? ff ?? ?? 8b ?? ff ?? ?? 8d ?? ?? ?? ?? ?? 50 68 01 00 00 80 e8 ?? ?? ?? ?? 89 ?? 83 ff 01 75 ?? 53 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 39 ?? 0f 95 c0 eb ?? 32 c0 5f 5b c9 c2 0c 00}
|
|
$hex2 = { 55 8b ec 81 ec 98 06 00 00 8b cf e8 ?? ?? ?? ?? 83 f8 01 73 ?? 33 c0 40 c9 c3 53 56 57 32 db ff ?? ?? ?? ?? ?? 68 08 02 00 00 8b f0 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 68 03 01 00 00 57 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 05 f2 14 00 00 50 56 ff ?? ?? ?? ?? ?? 85 c0 74 ?? a1 ?? ?? ?? ?? 05 f2 14 00 00 50 8b d7 e8 ?? ?? ?? ?? 85 c0 78 ?? 33 c0 40 e9 ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? be 80 00 00 00 eb ?? ff ?? ?? ?? ?? ?? 83 f8 05 75 ?? 84 db 75 ?? 8b cf e8 ?? ?? ?? ?? 83 f8 01 72 ?? 57 e8 ?? ?? ?? ?? b3 01 56 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 57 ff ?? ?? ?? ?? ?? 8b f0 85 f6 74 ?? 68 00 c1 42 00 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 68 0c c1 42 00 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 6a 5c 5e 8b d7 e8 ?? ?? ?? ?? 40 50 57 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 68 18 c1 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 10 6a 08 8d ?? ?? ?? ?? ?? 50 57 ff ?? ?? ?? ?? ?? 85 c0 75 ?? 6a 04 50 57 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? 68 8c 00 00 00 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 83 f8 05 75 ?? 8b cf e8 ?? ?? ?? ?? 83 f8 01 72 ?? 57 e8 ?? ?? ?? ?? eb ?? 32 c0 fe c8 0f b6 c0 f7 d8 1b c0 83 e0 02 eb ?? 6a 03 58 eb ?? 33 c0 5e 5b c9 c3}
|
|
$hex3 = { 55 8b ec 83 e4 f8 51 8b ?? ?? 57 85 d2 0f ?? ?? ?? ?? ?? 0f ?? ?? 66 85 c9 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 83 e8 00 0f ?? ?? ?? ?? ?? 48 74 ?? 48 0f ?? ?? ?? ?? ?? 48 0f ?? ?? ?? ?? ?? b8 1c 03 00 00 66 3b c8 0f ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 0f ?? ?? ?? 50 e8 ?? ?? ?? ?? 3c 01 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? b8 18 01 00 00 66 3b c8 75 ?? a1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 8d ?? ?? 8b cf e8 ?? ?? ?? ?? 83 f8 02 76 ?? 8b ?? ?? f6 c2 01 74 ?? e8 ?? ?? ?? ?? 83 f8 fe 75 ?? a1 ?? ?? ?? ?? 03 c0 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? eb ?? f6 c2 02 74 ?? 57 e8 ?? ?? ?? ?? eb ?? f6 c2 04 74 ?? e8 ?? ?? ?? ?? eb ?? b8 24 14 00 00 66 3b c8 75 ?? a1 ?? ?? ?? ?? 0f ?? ?? ?? 50 e8 ?? ?? ?? ?? 3c 01 75 ?? 8b c2 e8 ?? ?? ?? ?? 33 c0 40 eb ?? 33 c0 5f 8b e5 5d c2 04 00}
|
|
$hex4 = { 8b ?? ?? c6 ?? ?? ?? ?? ff ?? ?? 83 f9 37 8b ?? ?? 7e ?? eb ?? c6 ?? ?? ?? ?? ff ?? ?? 8b ?? ?? 83 f9 40 7c ?? e8 ?? ?? ?? ?? eb ?? 8b ?? ?? c6 ?? ?? ?? ?? ff ?? ?? 83 ?? ?? ?? 7c ?? eb ?? c6 ?? ?? ?? ?? ff ?? ?? 8b ?? ?? 83 f9 38 7c ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? e9 ?? ?? ?? ??}
|
|
$hex5 = { 55 8b ec 51 51 56 33 f6 57 8b f9 3b c6 74 ?? 39 ?? ?? 74 ?? 3b fe 74 ?? 39 ?? ?? 74 ?? 6a 07 5a 39 ?? ?? 72 ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 76 ?? 53 eb ?? 33 f6 3b ?? ?? 77 ?? 8b ?? ?? 8d ?? ?? ?? 8a ?? ?? 3a ?? ?? 75 ?? ff ?? ?? 83 ?? ?? ?? 75 ?? 8d ?? ?? eb ?? 8a ?? ?? 88 ?? ?? 41 3b ca 72 ?? ff ?? ?? 46 83 fe 07 72 ?? eb ?? 83 ?? ?? ?? 42 8d ?? ?? 4f 3b ?? ?? 72 ?? 5b 8b ?? ?? eb ?? 83 c8 ff 5f 5e c9 c2 08 00}
|
|
|
|
|
|
condition:
|
|
(10 of them) or (any of ($hex*))
|
|
}

rule MalwarePowerLoaderSample
{
    // Trojan.PowerLoader: keys on the injector's named section/event
    // objects and the "Inject64*" code markers. Note that the inject_*
    // and Inject64* literals are also listed in TrojanWin32RovnixSample
    // further down this file, so a sample carrying them can trigger both.
    meta:
        Description = "Trojan.PowerLoader.sm"
        ThreatLevel = "5"

    strings:
        // Family name on its own is sufficient (see condition).
        $str_1 = "powerloader" ascii wide

        $m1  = "inject64_section" ascii wide
        $m2  = "inject64_event" ascii wide
        $m3  = "inject_section" ascii wide
        $m4  = "inject_event" ascii wide
        $m5  = "loader.dat" ascii wide
        $m6  = "Inject64End" ascii wide
        $m7  = "Inject64Normal" ascii wide
        $m8  = "Inject64Start" ascii wide
        // $m6/$m8 are substrings of $m9/$m10, so one "UacInject64End" or
        // "UacInject64Start" literal already counts as two hits toward the
        // "2 of them" threshold below.
        $m9  = "UacInject64End" ascii wide
        $m10 = "UacInject64Start" ascii wide

    condition:
        any of ($str_*) or 2 of them
}

rule TrojanRansomRevetonSample
{
    // Trojan.Reveton (police-themed lock screen). $a is a family-specific
    // marker and fires alone. The $g* strings are ordinary Windows tool
    // names and persistence paths that legitimate system-management
    // software also contains, so a "3 of them" hit without $a should be
    // treated as lower confidence than an $a hit.
    meta:
        Description = "Trojan.Reveton.sm"
        ThreatLevel = "5"

    strings:
        $a  = "JimmMonsterNew" ascii wide

        $g1 = "regedit.exe" ascii wide
        $g2 = "rundll32.exe" ascii wide
        $g3 = "msconfig.lnk" ascii wide
        // Winlogon\Shell replacement and a Run-key entry named after
        // ctfmon.exe: the persistence locations this family abuses.
        $g4 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" ascii wide
        $g5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" ascii wide
        $g6 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon.exe" ascii wide

    condition:
        $a or 3 of them
}
|
|
|
|
rule TrojanWin32UrausySampleA
{
    // Trojan.Urausy: two x86 code fragments that must both be present.
    // $a is a small function (push ebp / mov ebp,esp / push ebx,esi,edi,
    // an "or dword [mem],1" with wildcarded address, xor eax,eax, pops,
    // leave, ret 4). $b is an indirect import call, "or eax,eax" / jz,
    // then push 1 / push -1 / push 5 / push esi and a call.
    // Being code patterns, these only match unpacked samples.
    meta:
        Description = "Trojan.Urausy.sm"
        ThreatLevel = "5"

    strings:
        $a = { 55 89 E5 53 56 57 83 0D ?? ?? ?? ?? 01 31 C0 5F 5E 5B C9 C2 04 00 }
        $b = { FF 15 ?? ?? ?? ?? 09 C0 0F 84 ?? ?? ?? ?? 8B 75 ?? 89 C3 6A 01 6A FF 6A 05 56 E8 }

    condition:
        all of them
}
|
|
|
|
rule TrojanRansomWin32TobfySample
{
    // Trojan.Tobfy (MoneyPak lock-screen ransomware). The two PDB paths
    // ($a, $b) are build artefacts unique to this family and fire alone.
    // The download URLs point at a single hard-coded host and are the
    // most likely part of this rule to go stale; the ransom text and the
    // dropped-resource names are the durable part of the 4-of threshold.
    meta:
        Description = "Trojan.Tobfy.sm"
        ThreatLevel = "5"

    strings:
        // Payload host used by the analysed sample.
        $u1 = "http://62.109.28.231/gtx3d16bv3/upload/img.jpg" ascii wide
        $u2 = "http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3" ascii wide

        // Lock-screen text.
        $t1 = "Pay MoneyPak" ascii wide
        $t2 = "You have 72 hours to pay the fine!" ascii wide
        $t3 = "Wait! Your request is processed within 24 hours." ascii wide

        // Developer build paths (injector and main executable).
        $a = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\NEW Extern\\inject\\injc\\Release\\injc.pdb" ascii wide
        $b = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\Version V 1.0\\V1.0\\Release\\te.pdb" ascii wide

        // Server endpoints and local resource names.
        $p1 = "picture.php?pin=" ascii wide
        $p2 = "s\\sound.mp3" ascii wide
        $p3 = "s\\1.jpg" ascii wide
        $p4 = "s\\1.bmp" ascii wide
        $p5 = "getunlock.php" ascii wide

    condition:
        $a or $b or 4 of them
}

rule Regin_APT_KernelDriver_Generic_A
{
    // Regin kernel-driver stage, generic variant A.
    // $m1 is the stock MZ stub text ("This program cannot be run in DOS
    // mode.") and is present in practically every PE; it acts as a cheap
    // "this is a PE" gate rather than a family indicator. $s6-$s8 are
    // common words as well. The discriminating part is the conjunction:
    // wide "atapi.sys"/"disk.sys" plus a rich-header fragment or the
    // KeServiceDescriptorTable import used for SSDT hooking.
    meta:
        Description = "Trojan.Regin.A.sm"
        ThreatLevel = "5"

    strings:
        $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }

        $s0 = "atapi.sys" fullword wide
        $s1 = "disk.sys" fullword wide
        $s3 = "h.data" fullword ascii
        $s4 = "\\system32" fullword ascii
        $s5 = "\\SystemRoot" fullword ascii
        $s6 = "system" fullword ascii
        $s7 = "temp" fullword ascii
        $s8 = "windows" fullword ascii

        $x1 = "LRich6" fullword ascii
        $x2 = "KeServiceDescriptorTable" fullword ascii

    condition:
        1 of ($x*) and all of ($s*) and $m1
}
|
|
|
|
rule Regin_APT_KernelDriver_Generic_B
{
    // Regin kernel-driver stage, generic variant B.
    // $s1 is the stock MZ stub text (a PE gate, not a family marker).
    // The alternative groups $v..$z each describe one observed build;
    // $v1/$v2 and $w1/$w2 are the same literals listed twice on purpose,
    // because each group must be complete on its own ("all of").
    meta:
        Description = "Trojan.Regin.B.sm"
        ThreatLevel = "5"

    strings:
        $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $s2 = "H.data" fullword ascii nocase
        $s3 = "INIT" fullword ascii
        $s4 = "ntoskrnl.exe" fullword ascii

        $v1 = "\\system32" fullword ascii
        $v2 = "\\SystemRoot" fullword ascii
        $v3 = "KeServiceDescriptorTable" fullword ascii

        $w1 = "\\system32" fullword ascii
        $w2 = "\\SystemRoot" fullword ascii
        $w3 = "LRich6" fullword ascii

        $x1 = "_snprintf" fullword ascii
        $x2 = "_except_handler3" fullword ascii

        $y1 = "mbstowcs" fullword ascii
        $y2 = "wcstombs" fullword ascii
        $y3 = "KeGetCurrentIrql" fullword ascii

        $z1 = "wcscpy" fullword ascii
        $z2 = "ZwCreateFile" fullword ascii
        $z3 = "ZwQueryInformationFile" fullword ascii
        $z4 = "wcslen" fullword ascii
        $z5 = "atoi" fullword ascii

    condition:
        all of ($s*)
        and (
            all of ($v*)
            or all of ($w*)
            or all of ($x*)
            or all of ($y*)
            or all of ($z*)
        )
}
|
|
|
|
rule Regin_APT_KernelDriver_Generic_C
{
    // Regin kernel-driver stage, generic variant C: a driver posing as
    // the Windows Server 2003 USB class driver. $s1/$x3 pin the spoofed
    // file version, $x2 the spoofed description; the $y* pair covers a
    // build that instead carries the "LSA Shell" string.
    meta:
        Description = "Trojan.Regin.C.sm"
        ThreatLevel = "5"

    /*
    Original attribution (kept from the source rule):
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "e0895336617e0b45b312383814ec6783556d7635"
        hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
    */

    strings:
        $s0 = "KeGetCurrentIrql" fullword ascii
        $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
        $s2 = "usbclass" fullword wide

        $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
        $x2 = "Universal Serial Bus Class Driver" fullword wide
        $x3 = "5.2.3790.0" fullword wide

        $y1 = "LSA Shell" fullword wide
        $y2 = "0Richw" fullword ascii

    condition:
        all of ($s*) and ( all of ($y*) or all of ($x*) )
}
|
|
|
|
rule Regin_sig_svcsstat
{
    // Regin "svcsstat.exe" service stub. All strings are ordinary
    // service/CRT imports and a test-certificate name ("Root Agency"),
    // so the tight file-size window (10KB..15KB) is what keeps this
    // rule specific; the size checks are evaluated first because they
    // are cheaper than string scanning.
    meta:
        Description = "Trojan.Regin.sm"
        ThreatLevel = "5"

    /*
    Original attribution (kept from the source rule):
        description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
        author = "@Malwrsignatures"
        date = "25.11.14"
        score = 70
        hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
    */

    strings:
        $s0 = "Service Control Manager" fullword ascii
        $s1 = "_vsnwprintf" fullword ascii
        $s2 = "Root Agency" fullword ascii
        $s3 = "Root Agency0" fullword ascii
        $s4 = "StartServiceCtrlDispatcherA" fullword ascii
        $s5 = "\\\\?\\UNC" fullword ascii
        $s6 = "%ls%ls" fullword wide

    condition:
        filesize > 10KB and filesize < 15KB and all of them
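}

rule TrojanWin32RovnixSample
{
    // Trojan.Rovnix (bootkit): matches the hidden-volume path layout
    // ("0:/plugins/...", "0:\storage\...", "0:/hidden/...") plus the
    // injector names it shares with MalwarePowerLoaderSample above.
    //
    // Fix: "0:/plugins/rootkit/binary" was listed twice, so that single
    // literal counted as two of the three required hits. The duplicate
    // is removed; the threshold is unchanged.
    //
    // Caveat that remains: several entries are prefixes of others
    // ("0:/hidden" / "0:/hidden/%s" / "0:/hidden/%s/path", likewise the
    // "0:/plugins/base" and "0:/plugins/rootkit" families), and fullword
    // would not separate them because '/' is a word boundary. A file
    // containing one long path can therefore still satisfy "3 of them".
    meta:
        Description = "Trojan.Rovnix.sm"
        ThreatLevel = "5"

    strings:
        $d1  = "dropper.exe" ascii wide
        $d2  = "dropper_x64.exe" ascii wide

        $i1  = "Inject64Start" ascii wide
        $i2  = "Inject64End" ascii wide
        $i3  = "Inject64Normal" ascii wide
        $i4  = "inject_section" ascii wide
        $i5  = "inject_event" ascii wide

        $p1  = "0:/plugins/%s" ascii wide
        $p2  = "0:/plugins/base" ascii wide
        $p3  = "0:/plugins/base/binary" ascii wide
        $p4  = "0:/plugins/base/mask" ascii wide
        $p5  = "0:/plugins/base/version" ascii wide
        $p6  = "0:/plugins/base/once" ascii wide
        $p7  = "0:/plugins/rootkit" ascii wide
        $p8  = "0:/plugins/rootkit/binary" ascii wide
        $p9  = "0:/plugins/rootkit/version" ascii wide

        $k1  = "0:\\storage\\keylog" ascii wide
        $k2  = "0:\\storage\\config" ascii wide
        $k3  = "0:\\storage\\intrnl" ascii wide
        $k4  = "0:\\storage\\passw" ascii wide
        $k5  = "0:\\storage\\hunter" ascii wide

        $h1  = "0:/hidden" ascii wide
        $h2  = "0:/hidden/%s" ascii wide
        $h3  = "0:/hidden/%s/path" ascii wide
        $h4  = "0:/hidden/%s/binary" ascii wide
        $h5  = "0:/hidden/%s/mask" ascii wide

    condition:
        3 of them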
}

rule TrojanDroppedBackdoorWin32SimdaSample
{
    // Trojan.Simda dropped component. Most entries are short resource /
    // section-style suffixes (".driver", ".uac64", ...) that are weak on
    // their own; the 4-of threshold and the "%appdata%\ScanDisc.exe"
    // drop path carry the specificity.
    meta:
        Description = "Trojan.Simda.sm"
        ThreatLevel = "5"

    strings:
        $r1 = ".driver" ascii wide
        $r2 = ".userm" ascii wide
        $r3 = ".uac64" ascii wide
        $r4 = ".mcp" ascii wide
        $r5 = ".cfgbin" ascii wide
        $r6 = ".uacdll" ascii wide

        $f1 = "%s\\%s.sys" ascii wide
        $f2 = "%s\\%s.exe" ascii wide
        $f3 = "%appdata%\\ScanDisc.exe" ascii wide

    condition:
        4 of them
}

// Rule - Dropped file from Trojan Sirefef / ZeroAccess.
rule TrojanSirefefZerroAccess
{
    // Trojan.Sirefef / ZeroAccess dropped component.
    // Three independent branches: (1) any of the $s* PDB paths, which are
    // build artefacts of the family; (2) any of the $hex* code fragments,
    // which match unpacked code only; (3) five of the string indicators.
    // Branch (3) deserves scrutiny on a hit: "GoogleUpdate.exe" and
    // "Google Update Service (gupdate)" are legitimate Google Update
    // strings the family impersonates, "\n." is three bytes long, and
    // "%08x.@" is a substring of "%sU\%08x.@", so one literal can count
    // twice toward the threshold.
    meta:
        Description = "Trojan.Sirefef.sm"
        ThreatLevel = "5"

    strings:
        // Disabled by the original author (too generic):
        //$ = "n64" ascii wide
        //$ = "n32" ascii wide
        //$ = "$Recycle.Bin\\" ascii wide
        //$ = "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}" ascii wide

        // GUID-derived directory name under the recycle bin.
        $n1  = "\\$%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x" ascii wide

        // Registry paths, native (%wZ) and \registry\ forms.
        $n2  = "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" ascii wide
        $n3  = "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $n4  = "%wZ\\Software\\Classes\\clsid" ascii wide
        $n5  = "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" ascii wide
        $n6  = "\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide

        $n7  = "\\systemroot\\system32\\config" ascii wide
        $n8  = "\\??\\ACPI#PNP0303#2&da1a3ff&0" ascii wide
        // Impersonated Google Update names (also present in the real thing).
        $n9  = "GoogleUpdate.exe" ascii wide
        $n10 = "Google Update Service (gupdate)" ascii wide

        // Hidden-volume object and file-name formats.
        $n11 = "%sU\\%08x.@" ascii wide
        $n12 = "\\??\\%sU" ascii wide
        $n13 = "\\??\\%s@" ascii wide
        $n14 = "%08x.@" ascii wide
        $n15 = "%08x.$" ascii wide
        $n16 = "%08x.~" ascii wide
        $n17 = "\\??\\%08x" ascii wide
        $n18 = "\\n." ascii wide
        $n19 = "wbem\\fastprox.dll" ascii wide
        $n20 = "c:\\windows\\system32\\z" ascii wide

        // Build paths; any one of these is sufficient (see condition).
        $s1 = "e:\\sz\\x64\\release\\InCSRSS.pdb" ascii wide
        $s2 = "C:\\Jinket\\Lownza\\Kueshmmba\\de.pdb" ascii wide
        $s3 = "E:\\Marlne\\Bensjo\\Ernstedun\\Rugriayid\\Wasp851.pdb" ascii wide

        // Code fragments; any one of these is sufficient (see condition).
        $hex0 = { 55 8b ec 83 ec 48 53 56 57 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? 59 8b c6 e8 ?? ?? ?? ?? 8b c6 89 ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ff ?? ?? ?? ?? ?? 68 08 54 30 6a ff ?? ?? ff d6 ff ?? ?? ?? ?? ?? 68 18 54 30 6a ff ?? ?? ff d6 83 c4 18 83 ?? ?? ?? ?? ?? ?? 75 ?? 8b ?? ?? ?? ?? ?? bb 98 70 30 6a bf 00 00 10 00 eb ?? ff ?? ?? ff ?? ?? ?? ?? ?? 68 a0 0f 00 00 ff ?? ?? ?? ?? ?? 53 57 8d ?? ?? 50 ff d6 85 c0 7d ?? 68 60 ea 00 00 ff ?? ?? ?? ?? ?? bb 54 70 30 6a eb ?? ff ?? ?? ff ?? ?? ?? ?? ?? 6a 01 68 e0 93 04 00 ff ?? ?? ?? ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 53 57 8d ?? ?? 50 ff d6 85 c0 7d ?? bf 20 71 30 6a 57 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? 50 6a 00 ff ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 33 c0 8d ?? ?? 5f 5e 5b c9 c2 04 00}
        $hex1 = { 55 8b ec 83 ec 18 56 57 8d ?? ?? 50 e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? be 00 08 00 00 8b c6 e8 ?? ?? ?? ?? 8b fc 33 c0 b9 30 00 fe 7f 66 ?? ?? ?? 66 ?? ?? ?? 89 ?? ?? 0f ?? ?? 0f ?? ?? ?? 8b ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 41 41 66 83 f8 5c 75 ?? 66 ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? b8 28 55 30 6a 72 ?? b8 3c 55 30 6a 50 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 0f b7 c8 01 ?? ?? 33 c0 50 66 ?? ?? ?? 8b ?? ?? ff ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 0f ?? ?? ?? 2b c8 83 f9 50 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 ff ?? ?? 8b ?? ?? 03 c1 68 58 55 30 6a 50 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 83 c4 38 6a 02 5a 40 33 c9 f7 e2 0f 90 c1 f7 d9 0b c1 50 6a 00 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 85 c0 74 ?? 57 50 ff ?? ?? ?? ?? ?? 59 33 c0 59 40 eb ?? 33 c0 8d ?? ?? 5f 5e c9 c2 04 00}
        $hex2 = { 8b ?? ?? ?? 83 e8 00 74 ?? 48 75 ?? ff ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 74 ?? 6a 00 6a 00 ff ?? ?? ?? 68 62 13 30 6a 68 00 00 08 00 6a 00 ff ?? ?? ?? ?? ?? eb ?? a1 ?? ?? ?? ?? 85 c0 74 ?? 50 ff ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 85 c0 74 ?? 50 ff ?? ?? ?? ?? ?? 33 c0 40 c2 0c 00}
        $hex3 = { 55 8b ec 51 51 53 56 8b ?? ?? 56 ff ?? ?? ?? ?? ?? 8b d8 85 db 0f ?? ?? ?? ?? ?? 57 6a 40 68 00 10 00 00 ff ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 8b f8 89 ?? ?? 85 ff 0f ?? ?? ?? ?? ?? 8b ?? ?? f3 ?? 0f ?? ?? ?? 0f ?? ?? ?? 8d ?? ?? ?? 83 c0 0c 8b ?? 8b ?? ?? 8b ?? ?? 03 f1 03 f9 8b ?? ?? 83 c0 28 4a f3 ?? 75 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? 2b ?? ?? 8d ?? ?? 50 6a 05 6a 01 ff ?? ?? ff d7 85 c0 74 ?? eb ?? 8b ?? ?? 29 ?? ?? 56 8d ?? ?? 8b ?? 03 ?? ?? 83 c1 f8 52 d1 e9 51 50 ff ?? ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? 8d ?? ?? 50 6a 01 6a 01 ff ?? ?? ff d7 85 c0 74 ?? 8d ?? ?? 8b ?? 85 c0 74 ?? 8b f1 8b ?? ?? 03 c1 50 ff ?? ?? ?? ?? ?? 83 c6 14 8b ?? 85 c0 75 ?? 8b ?? ?? 5f 5e 5b c9 c2 04 00}
        $hex4 = { 8b ?? ?? ?? ?? ?? b8 00 20 00 00 66 ?? ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? 48 75 ?? 56 ff ?? ?? ?? ff ?? ?? ?? ?? ?? 33 f6 56 6a 04 56 68 0a 1d 40 00 56 56 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 3b c6 74 ?? 56 50 ff ?? ?? ?? ?? ?? 5e b0 01 c2 0c 00}
        $hex5 = { 55 8b ec 83 e4 f8 83 ec 34 53 56 57 33 db 53 6a 18 8d ?? ?? ?? 50 53 ff ?? ?? ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? 89 ?? ?? ?? 33 c0 8d ?? ?? ?? ab 8d ?? ?? ?? 50 68 00 90 42 00 68 ff ff 1f 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? 3b c3 74 ?? 48 50 ff ?? ?? e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 02 53 53 8d ?? ?? ?? 50 ff ?? ?? 6a ff 6a ff ff d6 85 c0 7c ?? 6a 02 53 53 8d ?? ?? ?? 50 ff ?? ?? 6a fe 6a ff ff d6 85 c0 7c ?? 6a 20 53 8d ?? ?? ?? 50 68 20 90 42 00 68 9f 01 12 00 8d ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? 53 53 6a 08 8d ?? ?? ?? 50 8d ?? ?? ?? 50 53 53 53 ff ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ff d7 68 18 90 42 00 6a 01 ff ?? ?? ?? ?? ?? ff ?? ?? ff d7 5f 5e 5b 8b e5 5d c2 08 00}
        $hex6 = { 55 8b ec 51 68 c2 7e 42 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 51 68 02 23 00 00 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? a1 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 85 c0 75 ?? b8 53 50 43 33 68 00 00 40 00 50 ff ?? ?? ?? ?? ?? ff ?? ?? c9 c3}
        $hex7 = { 55 8b ec 83 ec 64 53 56 57 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 db 53 53 ff ?? ?? ?? ?? ?? 50 68 4d 10 40 00 53 53 53 53 53 6a ff ff ?? ?? ?? ?? ?? b8 00 04 00 00 e8 ?? ?? ?? ?? 8b f4 89 ?? ?? 89 ?? ?? e9 ?? ?? ?? ?? 8d ?? ?? 50 56 c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? 6a 30 53 ff ?? ?? ?? ?? ?? 3b c3 74 ?? 8b ?? ?? 8b ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? c6 ?? ?? ?? 8d ?? ?? 89 ?? ?? 89 ?? 8d ?? ?? 89 ?? ?? 89 ?? 8b ?? ?? ?? ?? ?? 89 ?? c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? a3 ?? ?? ?? ?? eb ?? 33 c0 3b c3 74 ?? 8d ?? ?? e8 ?? ?? ?? ?? ff ?? ?? e9 ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? e9 ?? ?? ?? ?? a1 ?? ?? ?? ?? b9 38 90 42 00 eb ?? 8b ?? ?? 3b ?? ?? 74 ?? 8b ?? 3b c1 75 ?? 33 ff 3b fb 0f ?? ?? ?? ?? ?? 8b ?? ?? 48 74 ?? 48 74 ?? 48 48 74 ?? 48 74 ?? 48 74 ?? 48 74 ?? 48 75 ?? 57 8d ?? ?? e8 ?? ?? ?? ?? eb ?? 8b f8 eb ?? 8d ?? ?? 8b ?? eb ?? 8b ?? ?? 3b ?? ?? 74 ?? 8b ?? 3b c1 75 ?? 33 c0 3b c3 74 ?? 8b f0 e8 ?? ?? ?? ?? eb ?? 8d ?? ?? 50 e8 ?? ?? ?? ?? eb ?? e8 ?? ?? ?? ?? ff ?? ?? eb ?? ff ?? ?? 8b cf e8 ?? ?? ?? ?? 3b c3 74 ?? 8b f0 e8 ?? ?? ?? ?? eb ?? 57 8d ?? ?? e8 ?? ?? ?? ?? eb ?? 8d ?? ?? e8 ?? ?? ?? ?? 89 ?? ?? ff ?? ?? 8b ?? ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 39 ?? ?? 74 ?? 53 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 5f 5e 5b c9 c2 08 00}
        $hex8 = { 53 56 57 ff ?? ?? ?? ?? ?? 0f b7 c0 33 ff 57 6a 04 8b c8 68 04 e2 41 00 c1 e9 08 c0 e0 04 6a 1a 0a c8 6a ff 88 ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b d8 6a 3c 53 ff d6 59 59 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 57 e8 ?? ?? ?? ?? 68 a4 e0 41 00 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 6a 3e 53 ff d6 59 59 85 c0 74 ?? 6a 01 e8 ?? ?? ?? ?? eb ?? 8b ?? ?? ?? ?? ?? b8 00 20 00 00 66 ?? ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 e8 03 00 00 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? 2b c7 74 ?? 48 75 ?? ff ?? ?? ?? ff ?? ?? ?? ?? ?? 33 c0 40 e8 ?? ?? ?? ?? 8b f0 e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 57 57 56 68 10 1c 40 00 57 57 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? eb ?? e8 ?? ?? ?? ?? 5f 5e b0 01 5b c2 0c 00}
        $hex9 = { 55 8b ec 83 e4 f8 81 ec 94 01 00 00 53 56 57 68 c0 bb 41 00 68 d4 bb 41 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 75 ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 6a 40 6a 07 8d ?? ?? 56 ff d7 85 c0 74 ?? b8 91 1b 40 00 2b c6 83 e8 05 89 ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? c6 ?? ?? 6a 07 56 c6 ?? ?? ?? c6 ?? ?? ?? ff d7 8d ?? ?? ?? 50 68 02 02 00 00 ff ?? ?? ?? ?? ?? 6a 0d e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 90 e0 41 00 6a 01 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 6a 40 6a 02 53 ff d7 85 c0 74 ?? b8 8b ff 00 00 66 ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? 6a 02 53 ff d7 5f 5e 33 c0 5b 8b e5 5d c2 04 00}
        $hex10 = { 55 8b ec 83 ec 18 a0 ?? ?? ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 53 56 0f b6 c0 57 c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? 39 ?? ?? 73 ?? 2b ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 2b c4 89 ?? ?? 89 ?? ?? 8b ?? ?? 8d ?? ?? 50 ff ?? ?? 53 6a 05 ff ?? ?? ?? ?? ?? 89 ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 c0 03 d8 6a 01 8d ?? ?? 57 68 e8 c1 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 08 c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 2c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 4c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 6c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 8c c2 41 00 ff d6 84 c0 74 ?? 8d ?? ?? ?? ?? ?? 50 68 00 e0 41 00 6a 01 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? 6a 00 ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? 8b ?? 85 c0 0f ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? 5f 5e 5b c9 c3}
        $hex11 = { 55 8b ec 81 ec ac 00 00 00 53 56 57 6a 20 6a 07 8d ?? ?? 50 68 6c e0 41 00 68 89 00 12 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 05 6a 10 8d ?? ?? 50 8d ?? ?? 50 ff ?? ?? ff d6 8b d8 bf 05 00 00 80 3b df 74 ?? 85 db 75 ?? 8b ?? ?? b8 80 00 04 00 23 c8 3b c8 75 ?? 6a 01 6a 18 8d ?? ?? 50 8d ?? ?? 50 ff ?? ?? ff d6 3b c7 74 ?? 85 c0 75 ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 6a 08 8d ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 6a 10 8d ?? ?? 50 68 14 e2 41 00 e8 ?? ?? ?? ?? 83 c4 0c 33 db eb ?? bb bb 00 00 c0 ff ?? ?? ff ?? ?? ?? ?? ?? 85 db 7d ?? 81 cb 00 00 01 00 5f 5e 8b c3 5b c9 c3}

    condition:
        any of ($s*) or any of ($hex*) or 5 of them
}
|
|
|
|
rule TrojanSirefefZerroAccessANModule
{
    // Trojan.Sirefef / ZeroAccess "AN" module.
    // The $hex* code fragments are the high-confidence branch. The string
    // branch needs five hits because several entries are lures borrowed
    // from legitimate software: "InstallFlashPlayer.exe", the Adobe
    // flashplayer update path and a Microsoft download-centre path for
    // the IE8 installer all occur in benign installers as well.
    meta:
        Description = "Trojan.Sirefef.sm"
        ThreatLevel = "5"

    strings:
        $n1 = "%s\\%s\\%08x.@" ascii wide
        $n2 = "%s\\%s\\%s" ascii wide
        // Decoy installer names / download paths.
        $n3 = "InstallFlashPlayer.exe" ascii wide
        $n4 = "get/flashplayer/update/current/install/install_all_win_%s_sgn.z" ascii wide
        $n5 = "download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe" ascii wide
        $n6 = "\\??\\%08x" ascii wide
        $n7 = "80000032.32" ascii wide
        $n8 = "\\GLOBAL??\\{D1C8BD9B-9DF7-4fb6-A1C3-D96202C79FC0}" ascii wide
        $n9 = "http://%.*s/_ylt=3648C868A1DB;" ascii wide

        $hex0 = { 56 8b ?? ?? ?? 33 c0 8d ?? ?? 87 ?? 85 c0 74 ?? 6a 00 50 6a 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 83 c8 ff f0 ?? ?? ?? 75 ?? 85 f6 74 ?? 8b ?? 8b ?? 6a 01 8b ce ff d0 83 c8 ff 8d ?? ?? 87 ?? 83 f8 ff 74 ?? 50 ff ?? ?? ?? ?? ?? 8b ?? 8b ?? ?? 8b ce ff d0 8d ?? ?? 83 ca ff f0 ?? ?? ?? 75 ?? 85 f6 74 ?? 8b ?? 8b ?? 6a 01 8b ce ff d2 5e c2 08 00}
        $hex1 = { 57 8b ?? ?? ?? ?? ?? 68 30 75 00 00 ff d7 a1 ?? ?? ?? ?? 85 c0 74 ?? 56 eb ?? 8d 9b 00 00 00 00 68 30 75 00 00 8b f0 ff d7 a1 ?? ?? ?? ?? 3b f0 75 ?? 5e 6a 00 ff ?? ?? ?? ?? ??}
        $hex2 = { 83 ec 5c 56 8d ?? ?? ?? 50 68 ff 01 0f 00 83 ce ff 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? 57 8d ?? ?? ?? 51 6a 01 6a 00 68 90 61 01 10 68 ff 01 0f 00 52 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 85 c0 78 ?? 8b ?? ?? ?? 6a 04 8d ?? ?? ?? 50 6a 0c 51 ff ?? ?? ?? ?? ?? 6a 40 8d ?? ?? ?? 6a 00 52 c7 ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? 83 c4 0c 8d ?? ?? ?? 50 8b ?? ?? ?? 8d ?? ?? ?? 51 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 52 6a 00 50 c7 ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8b ?? ?? ?? 51 ff d7 8b ?? ?? ?? 8b ?? ?? ?? 52 ff d7 8b ?? ?? ?? 50 ff d7 5f 8b c6 5e 83 c4 5c c2 08 00}
        $hex3 = { 56 8b f2 e8 ?? ?? ?? ?? 85 c0 74 ?? 83 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 20 8b 00 10 6a 00 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? b8 01 00 00 00 5e c3 33 c0 5e c3}
        $hex4 = { 53 8b d9 8b ca e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 56 68 20 ca 01 10 ff ?? ?? ?? ?? ?? 8b f0 ff ?? ?? ?? ?? ?? ba f8 34 01 10 8b ce 57 8b ff 66 ?? ?? 66 ?? ?? 75 ?? 66 85 ff 74 ?? 66 ?? ?? ?? 66 ?? ?? ?? 75 ?? 83 c1 04 83 c2 04 66 85 ff 75 ?? 33 c9 eb ?? 1b c9 83 d9 ff 85 c9 75 ?? 68 10 35 01 10 50 ff ?? ?? ?? ?? ?? 83 c4 08 85 c0 74 ?? 68 30 be 00 10 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 00 6a 00 68 b0 04 00 00 68 a0 89 00 10 6a 00 6a 00 ff d6 8b ?? ?? ?? ?? ?? 50 ff d7 e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 20 83 00 10 6a 00 6a 00 ff d6 50 ff d7 5f 5e b8 01 00 00 00 5b c3 e8 ?? ?? ?? ?? 85 c0 74 ?? 68 30 be 00 10 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b c3 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 80 bd 00 10 6a 00 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 5f 5e b8 01 00 00 00 5b c3 5f 5e 33 c0 5b c3 83 ?? ?? ?? ?? ?? ?? 74 ?? 8b c3 e8 ?? ?? ?? ?? b8 01 00 00 00 5b c3 33 c0 5b c3}

    condition:
        any of ($hex*) or 5 of them
}
|
|
|
|
rule TrojanSirefefZerroAccessPlayloadModule
{
    // Trojan.Sirefef / ZeroAccess payload module (mswsock.dll hijack and
    // GAC-directory hiding). String-only rule with a 5-of threshold.
    //
    // The threshold is looser than it looks because of substring
    // overlap: "GAC" (3 bytes, not fullword) is contained in "GAC_MSIL"
    // and in the Desktop.ini path, "\systemroot\assembly" is a prefix
    // of that same path, and "%08x.@" is contained in "%sU\%08x.@".
    // Two literals can therefore account for five hits. The mswsock
    // forwarder names ($w*) are the distinctive part.
    meta:
        Description = "Trojan.Sirefef.sm"
        ThreatLevel = "5"

    strings:
        $v1 = "U\\80000032.@" ascii wide

        // Forwarded mswsock.dll entry points via \\?\globalroot.
        $w1 = "\\\\.\\globalroot\\systemroot\\system32\\mswsock.dll" ascii wide
        $w2 = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.AcceptEx" ascii wide
        $w3 = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.GetAcceptExSockaddrs" ascii wide
        $w4 = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.NSPStartup" ascii wide
        $w5 = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.TransmitFile" ascii wide
        $w6 = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.getnetbyname" ascii wide
        $w7 = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.inet_network" ascii wide

        // Hidden-volume object and file-name formats.
        $v2 = "%sU\\%08x.@" ascii wide
        $v3 = "\\??\\%s@" ascii wide
        $v4 = "\\??\\%sU" ascii wide
        $v5 = "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters" ascii wide
        $v6 = "\\KnownDlls\\mswsock.dll" ascii wide
        $v7 = "\\systemroot\\assembly" ascii wide
        $v8 = "GAC_MSIL" ascii wide
        $v9 = "GAC" ascii wide
        $v10 = "????????.@" ascii wide
        $v11 = "%08x.@" ascii wide
        $v12 = "%08x.$" ascii wide
        $v13 = "%08x.~" ascii wide

        $v14 = "\\systemroot\\assembly\\GAC\\Desktop.ini" ascii wide

    condition:
        5 of them
}
|
|
|
|
rule TrojanSirefefZerroAccessPluginModule
{
    // Trojan.Sirefef / ZeroAccess plugin module. Code-only rule: any one
    // of the x86 fragments below is a hit, so it applies to unpacked or
    // in-memory modules, not to packed droppers.
    meta:
        Description = "Trojan.Sirefef.sm"
        ThreatLevel = "5"

    strings:
        $hex0 = { 55 8b ec 81 ec 94 01 00 00 56 68 30 40 00 10 68 00 00 10 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 81 fe 00 00 00 40 75 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 85 f6 8b ?? ?? ?? ?? ?? 7c ?? 8d ?? ?? ?? ?? ?? 50 68 02 02 00 00 ff ?? ?? ?? ?? ?? 85 c0 75 ?? e8 ?? ?? ?? ?? 6a 20 68 60 ea 00 00 b9 80 40 00 10 e8 ?? ?? ?? ?? 69 c0 e8 03 00 00 50 6a 00 68 b7 15 00 10 6a 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 74 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 6a ff ff ?? ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff d6 a1 ?? ?? ?? ?? 85 c0 74 ?? b9 fb 15 00 10 ff ?? ?? e8 ?? ?? ?? ?? 68 28 40 00 10 6a 01 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff d6}
        $hex1 = { 81 ?? ?? ?? ?? ?? 56 57 8b f9 75 ?? b9 fb 15 00 10 89 ?? ?? ?? ?? ?? ff ?? ?? 8b ?? ?? ?? ?? ?? 68 08 32 00 10 57 ff d6 59 59 50 b9 80 40 00 10 e8 ?? ?? ?? ?? 68 f0 31 00 10 57 ff d6 59 59 33 c9 8b d0 41 e8 ?? ?? ?? ?? 33 c0 50 50 50 68 85 16 00 10 50 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 33 c0 5f 40 5e c3}
        $hex2 = { 55 8b ec 81 ec 90 00 00 00 53 56 57 6a 40 5e 8b d9 6a 04 8b c6 66 ?? ?? ?? 58 33 ff 57 66 ?? ?? ?? 57 8d ?? ?? 50 ff ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ff ?? ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 6a 20 8d ?? ?? 6a 07 89 ?? ?? 8d ?? ?? 50 8d ?? ?? 50 89 ?? ?? 68 98 00 10 00 8d ?? ?? 56 c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ff ?? ?? ?? ?? ?? 85 c0 7c ?? 57 57 6a 18 68 0c 40 00 10 57 6a 60 8d ?? ?? ?? ?? ?? 50 8d ?? ?? 50 ff ?? e8 ?? ?? ?? ?? 85 c0 7c ?? 8d ?? ?? ?? ?? ?? 33 c9 03 c1 80 ?? ?? ?? 75 ?? 8b ?? ?? 81 f9 30 30 31 00 74 ?? 81 f9 30 30 32 00 75 ?? 66 ?? ?? ?? ?? 75 ?? 8b ?? ?? 89 ?? ?? eb ?? 66 ?? ?? ?? ?? 75 ?? 6a 10 8d ?? ?? 8d ?? ?? 59 f3 ?? 33 ff 8b ?? 3b cf 75 ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 33 d2 b9 80 51 01 00 f7 f1 6a 4c 53 66 ?? ?? ?? 8d ?? ?? 50 ff ?? ?? e8 ?? ?? ?? ?? 39 ?? ?? 75 ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 57 8b cb 89 ?? ?? e8 ?? ?? ?? ?? 5f 5e 5b c9 c2 04 00}
        $hex3 = { 55 8b ec 83 ec 74 53 56 57 be 30 00 fe 7f 56 ff ?? ?? ?? ?? ?? 59 8d ?? ?? ?? e8 ?? ?? ?? ?? 89 ?? ?? 68 94 60 00 10 56 ff ?? ?? ff ?? ?? ?? ?? ?? 59 59 50 ff ?? ?? ?? ?? ?? 59 59 33 db 53 53 ff ?? ?? ?? ?? ?? 8b f0 3b f3 0f ?? ?? ?? ?? ?? 6a 70 8d ?? ?? 53 50 e8 ?? ?? ?? ?? 83 c4 0c 6a 70 8d ?? ?? 50 33 ff 6a 09 47 56 c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? 9c 81 ?? ?? ?? ?? ?? ?? 9d 90 68 08 70 00 10 57 8b ?? ?? ?? ?? ?? ff d7 85 c0 75 ?? 38 ?? ?? ?? ?? ?? 75 ?? ff ?? ?? ff ?? ?? 56 e8 ?? ?? ?? ?? 38 ?? ?? ?? ?? ?? 75 ?? 68 00 70 00 10 6a 01 ff d7 85 c0 74 ?? 56 ff ?? ?? ?? ?? ?? 33 c0 8d ?? ?? 5f 5e 5b c9 c2 04 00}
        $hex4 = { 55 8b ec 51 53 56 57 68 24 70 00 10 68 00 00 10 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f8 81 ff 00 00 00 40 75 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 33 f6 3b fe 7c ?? 56 56 ff ?? ?? 68 88 13 00 10 56 56 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b f8 3b fe 74 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 57 c6 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 56 56 57 ff ?? ?? ?? ?? ?? 57 ff d3 ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff d3 ff ?? ?? ff ?? ?? ?? ?? ??}
        $hex5 = { 53 56 57 8b d9 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 9c 81 ?? ?? ?? ?? ?? ?? 9d 90 53 ff ?? ?? ?? ?? ?? 59 6a 02 5a 8d ?? ?? ?? 33 c9 f7 e2 0f 90 c1 33 ff f7 d9 0b c1 50 57 ff ?? ?? ?? ?? ?? 8b f0 3b f7 74 ?? 53 68 50 61 00 10 56 ff ?? ?? ?? ?? ?? 83 c4 0c 57 57 56 68 77 14 00 10 57 57 ff ?? ?? ?? ?? ?? 3b c7 74 ?? 50 ff ?? ?? ?? ?? ?? 33 c0 40 eb ?? 56 ff ?? ?? ?? ?? ?? 33 c0 5f 5e 5b c3}

    condition:
        any of ($hex*)
}
|
|
|
|
rule TrojanSirefefZerroAccessPluginModuleZooCliccer
{
    // ZeroAccess click-fraud plugin ("z00clicker"). Any single marker is
    // a hit; "z00clicker" is a prefix of "z00clicker3", so the second
    // entry only documents the versioned name and adds no extra reach.
    meta:
        Description = "Trojan.ZooClicker.sm"
        ThreatLevel = "5"

    strings:
        $z1 = "%s\\00000001.@" ascii wide
        $z2 = "z00clicker3" ascii wide
        $z3 = "z00clicker" ascii wide

    condition:
        any of them
}
|
|
|
|
rule TrojanSirefefZerroAccess2016
{
    // Trojan.Sirefef.E (2016 variant). Any of the $s* strings is a hit on
    // its own: the Restricted\{GUID} named objects, the Google Desktop
    // install-path format and the two encoded tables are specific to
    // this build. The generic $g* strings need three hits, and
    // "GoogleUpdate.exe" also occurs in the genuine Google updater.
    meta:
        Description = "Trojan.Sirefef.E.sm"
        ThreatLevel = "5"

    strings:
        $g1 = "GoogleUpdate.exe" ascii wide
        $g2 = "%08x.@" ascii wide
        $g3 = "%08x.$" ascii wide
        $g4 = "%08x.~" ascii wide

        $s1 = "\\Google\\Desktop\\Install\\{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\\#." ascii wide
        $s2 = "\\BaseNamedObjects\\Restricted\\{12E9D947-EDF5-4191-AADB-F51815F004D8}" ascii wide
        $s3 = "\\BaseNamedObjects\\Restricted\\{889E2280-F15E-4330-A3F4-D4EEF899AAF6}" ascii wide
        $s4 = "\\BaseNamedObjects\\Restricted\\{1FD06E7A-B215-4ae2-B209-AC869A3DF0B7}" ascii wide
        $s5 = "\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D7A}" ascii wide
        $s6 = "80000000.@" ascii wide
        $s7 = "=cccctp=ddddt:=rrrrt<=sssst" ascii wide
        $s8 = "=ccccta=ddddt+=rrrrt-=sssst" ascii wide

    condition:
        any of ($s*) or 3 of them
}

rule TrojanUpatreSample
{
    // Trojan.Upatre downloader. Single code pattern: a run of
    // "push edx / mov edx, imm32" pairs (52 ba ...) whose immediates are
    // the 4-byte chunks "ll\0\0", "sf.d", "2\qa", "tem3", "\sys" -- i.e.
    // a path ending in "system32\qasf.dll" being assembled on the stack
    // in reverse order. Matches unpacked code only.
    meta:
        Description = "Trojan.Upatre.vb"
        ThreatLevel = "5"

    strings:
        $hex_string = { 52 ba 6c 6c 00 00 52 ba 73 66 2e 64 52 ba 32 5c 71 61 52 ba 74 65 6d 33 52 ba 5c 73 79 73 52}

    condition:
        $hex_string
}

rule TrojanVirtoolObfuscator
{
    // Obfuscator marker: both the numeric token and the leetspeak
    // "3nterface" must be present. Two short literals, so the conjunction
    // is doing all the work; do not relax it to "any of them".
    meta:
        Description = "Trojan.Obfuscator.rc"
        ThreatLevel = "5"

    strings:
        $o1 = "1346243623461" ascii wide
        $o2 = "3nterface" ascii wide

    condition:
        all of them
}rule TrojanPSWTepferSample
|
|
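{
    meta:
        Description = "Trojan.Tepfer.sm"
        ThreatLevel = "5"

    strings:
        // Registry keys, configuration-file paths and product names of FTP
        // clients whose stored credentials the stealer goes after.
        //
        // Two entries that appeared twice in the original list ("FTP Commander"
        // and "BlazeFtp") are now listed once: a duplicated string counted
        // twice toward "9 of them" and silently lowered the threshold.
        //
        // Be aware that several short names are substrings of longer entries:
        // "CuteFTP" is inside the three GlobalSCAPE paths and "\CuteFTP",
        // "FileZilla" inside "Software\FileZilla" and "FileZilla3",
        // "FTP Commander" inside "FTP Commander Pro"/"Deluxe",
        // "FFFTP" inside "Software\Sota\FFFTP", "FTP Explorer" inside both
        // FTP Explorer paths, "BulletProof FTP Client" inside its own path.
        // One such path therefore satisfies several entries at once, so the
        // effective bar is lower than nine distinct clients; "Fling" (five
        // characters) is the most false-positive-prone entry.
        $ = "Software\\BPFTP" ascii wide
        $ = "\\BulletProof Software\\BulletProof FTP Client" ascii wide
        $ = "Software\\BPFTP\\Bullet Proof FTP" ascii wide
        $ = "Software\\NCH Software\\ClassicFTP\\FTPAccounts" ascii wide
        $ = "\\GlobalSCAPE\\CuteFTP" ascii wide
        $ = "\\GlobalSCAPE\\CuteFTP Pro" ascii wide
        $ = "\\GlobalSCAPE\\CuteFTP Lite" ascii wide
        $ = "\\CuteFTP" ascii wide
        $ = "\\GPSoftware\\Directory Opus\\ConfigFiles\\ftp.oxc" ascii wide
        // Far Manager keys are listed in both spellings because the strings
        // are case-sensitive.
        $ = "SOFTWARE\\Far\\Plugins\\FTP\\Hosts" ascii wide
        $ = "SOFTWARE\\Far2\\Plugins\\FTP\\Hosts" ascii wide
        $ = "Software\\Far\\Plugins\\FTP\\Hosts" ascii wide
        $ = "Software\\Far2\\Plugins\\FTP\\Hosts" ascii wide
        $ = "Software\\Far\\SavedDialogHistory\\FTPHost" ascii wide
        $ = "Software\\Far2\\SavedDialogHistory\\FTPHost" ascii wide
        $ = "Software\\Ghisler\\Windows Commander" ascii wide
        $ = "Software\\Ghisler\\Total Commander" ascii wide
        $ = "Software\\Sota\\FFFTP" ascii wide
        $ = "Software\\FileZilla" ascii wide
        $ = "FileZilla3" ascii wide
        $ = "FlashFXP" ascii wide
        $ = "FTP Commander Pro" ascii wide
        $ = "FTP Navigator" ascii wide
        $ = "FTP Commander" ascii wide
        $ = "FTP Commander Deluxe" ascii wide
        $ = "Software\\FTP Explorer\\Profiles" ascii wide
        $ = "\\FTP Explorer\\profiles.xml" ascii wide
        $ = "Windows/Total Commander" ascii wide
        $ = "BulletProof FTP Client" ascii wide
        $ = "TurboFTP" ascii wide
        $ = "SoftX FTP Client" ascii wide
        $ = "LeapFTP" ascii wide
        $ = "WinSCP" ascii wide
        $ = "32bit FTP" ascii wide
        $ = "FTP Control" ascii wide
        $ = "SecureFX" ascii wide
        $ = "BitKinex" ascii wide
        $ = "CuteFTP" ascii wide
        $ = "WS_FTP" ascii wide
        $ = "FFFTP" ascii wide
        $ = "Core FTP" ascii wide
        $ = "WebDrive" ascii wide
        $ = "Classic FTP" ascii wide
        $ = "Fling" ascii wide
        $ = "NetDrive" ascii wide
        $ = "FileZilla" ascii wide
        $ = "FTP Explorer" ascii wide
        $ = "SmartFTP" ascii wide
        $ = "FTPRush" ascii wide
        $ = "UltraFXP" ascii wide
        $ = "Frigate3 FTP" ascii wide
        $ = "BlazeFtp" ascii wide
        $ = "Software\\LeechFTP" ascii wide
        $ = "SiteInfo.QFP" ascii wide
        $ = "WinFTP" ascii wide
        $ = "FreshFTP" ascii wide

    condition:
        // Nine distinct entries; see the overlap note above.
        9 of them
}

rule TrojanZeusZbotSampleA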
|
|
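{
    meta:
        Description = "Trojan.ZBot.sm"
        ThreatLevel = "5"

    strings:
        // --- Text indicators ($s*) -------------------------------------------
        // The original rule also listed a bare "-m" (two bytes, and a substring
        // of "-m%p"). It matched practically any binary and so silently supplied
        // one of the three hits the condition asked for. It is dropped here and
        // the text threshold lowered to two, which keeps the effective bar the
        // original had whenever "-m" was present (nearly always).
        $s1 = "-m%p" ascii wide
        // NOTE(review): "\\r\\n" in a YARA string is a literal backslash-r /
        // backslash-n, not a CR/LF pair. A compiled batch-file template holds
        // 0x0D 0x0A, which these two strings would NOT match; if that is the
        // intent they should read "\r\n". Left unchanged pending a sample check.
        $s2 = ":d\\r\\ndel" ascii wide
        $s3 = "@echo off\\r\\n%s\\r\\ndel /F" ascii wide

        // --- Code patterns ($hex*) -------------------------------------------
        // Any one of these is sufficient on its own.
        $hex0 = { 83 EC 0C 53 55 33 DB 56 8B C2 33 ED 57 89 44 24 18 89 4C 24 10 39 5C 24 20 0F 8E ?? ?? ?? ?? 8B 04 A8 83 3C C5 }
        // Nine back-to-back "mov dword [ebp-0Ch], imm32" stores to the same
        // local -- NOTE(review): looks like a junk/obfuscation sequence; the
        // immediates are wild-carded so the pattern survives re-seeding.
        $hex1 = { E8 ?? ?? ?? ?? 83 C4 04 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 15 ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? 8B 45 08 83 C0 08 A3 ?? ?? ?? ?? 8B 4D FC 51 8B 15 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? }
        $hex2 = { 6A 02 6A 00 FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 08 56 E8 ?? ?? ?? ?? EB 02 8A C3 84 C0 74 28 F6 44 24 36 08 75 0A E8 ?? ?? ?? ?? 83 4C 24 36 08 F6 44 24 36 40 75 0A E8 ?? ?? ?? ?? 83 4C 24 36 40 56 E8 ?? ?? ?? ?? 8D 44 24 08 50 E8 ?? ?? ?? ?? 8A C3 EB 02 32 C0 5E 5B 8B E5 5D C3 }
        // Contains the absolute immediate 0x00405928 ("68 28 59 40 00"), i.e.
        // this pattern is bound to one build's layout at image base 0x400000.
        $hex3 = { 55 8b ec 81 ec 70 03 00 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 50 68 28 59 40 00 8d ?? ?? ?? ?? ?? 68 6c 02 00 00 50 e8 ?? ?? ?? ?? 83 c4 14 85 c0 7e ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 84 c0 74 ?? b0 01 eb ?? 32 c0 c9 c2 04 00}
        $hex4 = { 55 8b ec 83 e4 f8 81 ec 4c 02 00 00 53 8b ?? ?? ?? ?? ?? 56 57 33 ff c6 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 57 6a 02 e8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 83 f8 ff 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? 8b ?? ?? ?? 3b cf 0f ?? ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 33 c0 39 ?? ?? ?? 76 ?? 8b ?? ?? ?? 39 ?? ?? 0f ?? ?? ?? ?? ?? 40 3b ?? ?? ?? 72 ?? 51 e8 ?? ?? ?? ?? 89 ?? ?? ?? 3b c7 0f ?? ?? ?? ?? ?? ff ?? ?? ?? 57 68 00 04 00 00 ff ?? ?? ?? ?? ?? 8b f0 3b f7 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 56 e8 ?? ?? ?? ?? 56 8b f8 ff d3 85 ff 74 ?? 8b ?? ?? ?? 3b ?? ?? ?? ?? ?? 75 ?? ff ?? ff ?? ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 75 ?? 8b ?? 50 a1 ?? ?? ?? ?? 8b ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 8b ?? ?? ?? 8d ?? ?? ?? ?? ?? ?? 50 8d ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 8b ?? ?? ?? 8b ?? ?? ?? ff ?? ?? ?? ff ?? ?? ?? ff ?? ?? ?? 89 ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? c6 ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? 33 ff ff ?? ?? ?? ff d3 8d ?? ?? ?? 50 ff ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ff d3 39 ?? ?? ?? 0f ?? ?? ?? ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? 8a ?? ?? ?? 5f 5e 5b 8b e5 5d c3}

    condition:
        // Two of the three text strings, or any single code pattern.
        (2 of ($s*)) or (any of ($hex*))
}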
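rule TrojanSpyWin32UrsnifASample
{
    meta:
        Description = "Trojan.Ursnif.sm"
        ThreatLevel = "5"

    strings:
        // --- Specific indicators ($s*) ---------------------------------------
        // $s1/$s2: the AppCertDlls registry key and the CreateProcessNotify
        // export that DLLs registered under it implement (Windows loads such
        // DLLs on process creation; that behaviour is not visible in the rule).
        $s1 = "System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" ascii wide
        $s2 = "CreateProcessNotify" ascii wide
        // $s3: the IE AntiPhishing key under the low-integrity AppDataLow hive.
        $s3 = "Software\\AppDataLow\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing" ascii wide
        // $s4/$s5: SDDL fragments -- a Low mandatory-integrity label with
        // no-write-up, and a DACL that denies everything to Guests and
        // Anonymous and grants full access to Authenticated Users and
        // Administrators.
        $s4 = "S:(ML;;NW;;;LW)" ascii wide
        $s5 = "D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)" ascii wide
        // $s6/$s7: hard-coded domain names; $s8: a query-string format with
        // version/user/server/id/crc/aid fields.
        $s6 = "mashevserv.com" ascii wide
        $s7 = "ericpotic.com" ascii wide
        $s8 = "version=%u&user=%x%x%x%x&server=%u&id=%u&crc=%x&aid=%u" ascii wide
        // $s9: a batch-file line; the doubled "%%" is what survives one
        // printf-style formatting pass.
        $s9 = "attrib -r -s -h %%1" ascii wide

        // --- Generic indicators (anonymous) ----------------------------------
        // Browser/system process names, the Run key, and short format
        // strings. Plenty of legitimate browser helpers, updaters and
        // installers contain six of these, so they must not carry the verdict
        // on their own; they only count toward the overall threshold.
        $ = "rundll32" ascii wide
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $ = "iexplore.exe" ascii wide
        $ = "firefox.exe" ascii wide
        $ = "/UPD" ascii wide
        $ = "/sd %lu" ascii wide
        $ = "%lu.bat" ascii wide
        $ = "%lu.exe" ascii wide
        $ = "CHROME.DLL" ascii wide
        $ = "chrome.exe" ascii wide
        $ = "opera.exe" ascii wide
        $ = "safari.exe" ascii wide
        $ = "explorer.exe" ascii wide

    condition:
        // Six strings overall, at least one of them specific. The original
        // "6 of them" could be met by the generic group alone.
        6 of them and 1 of ($s*)
}

rule ChirBSample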
|
|
{
    meta:
        Description = "Virus.Chir.B.vb"
        ThreatLevel = "5"

    strings:
        $exe  = "runouce.exe" ascii wide             // executable name carried by the virus
        $mail = "imissyou@btamail.net.cn" ascii wide // hard-coded e-mail address
        $tag  = "ChineseHacker-2" ascii wide         // author tag

    condition:
        // All three markers are required (same truth table as "all of them").
        $exe and $mail and $tag
}

rule FileVirusWin32MaganASample
|
|
{
    meta:
        Description = "Virus.Madang.sm"
        ThreatLevel = "5"

    strings:
        // Opcode skeleton (x86):
        //   60                 pushad
        //   78 ?? / 79 ?? ??   js / jns with rel8 operands -- a back-to-back
        //                      conditional-jump pair covering both outcomes,
        //                      the usual opaque-predicate / anti-disassembly idiom
        //   e8 ?? ?? ?? ??     call rel32
        //   8b ?? ?? ??        mov
        //   e8 ?? ?? ?? ??     call rel32
        //   61                 popad
        //   78 ?? / 79 ?? ??   js / jns again
        //   68 ?? ?? ?? ??     push imm32
        //   C3                 ret          -- push/ret = indirect jump
        // NOTE(review): reading the closing push/ret as the transfer back to
        // the host's original entry point is inferred from the opcode pattern,
        // not confirmed against a sample.
        $hex_string = { 60 78 ?? 79 ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? e8 ?? ?? ?? ?? 61 78 ?? 79 ?? ?? 68 ?? ?? ?? ?? C3 }

    condition:
        // Only one string is defined, so this is the same as "$hex_string".
        any of them
}

rule WormWin32CridexSamlpeE
|
|
{
    meta:
        Description = "Worm.Cridex.sm"
        ThreatLevel = "5"

    strings:
        // Registry key under "Windows NT" with a "C" + 8-hex-digit suffix.
        $reg  = "Software\\Microsoft\\Windows NT\\C%08X" ascii wide
        // XML fragment for an ip:port server entry. The doubled "%%" suggests
        // the text passes through a second formatting step -- NOTE(review): inferred.
        $srv  = "<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]>" ascii wide
        // File name in the "KBnnnnnnnn.exe" shape of a Windows update package.
        $kb   = "KB%08d.exe" ascii wide
        // Named objects in the Local\ namespace: "XM" + one letter + 8 hex digits.
        $obj1 = "Local\\XME%08X" ascii wide
        $obj2 = "Local\\XMM%08X" ascii wide
        $obj3 = "Local\\XMI%08X" ascii wide
        $obj4 = "Local\\XMS%08X" ascii wide
        $obj5 = "Local\\XMF%08X" ascii wide
        $obj6 = "Local\\XMR%08X" ascii wide
        $obj7 = "Local\\XMQ%08X" ascii wide
        $obj8 = "Local\\XMB%08X" ascii wide

    condition:
        // Any two distinct strings from the set above.
        2 of them
}

rule WormWin32DorkbotSamlpeA
|
|
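{
    meta:
        Description = "Worm.Dorkbot.sm"
        ThreatLevel = "5"

    strings:
        // --- Bot-specific text ($b*) -----------------------------------------
        // Status/log messages in the "Module]: text" style plus self-references
        // ("our bot file", "ngrBot Error"). At least one is required below.
        $b1  = "from removing our bot file!" ascii wide
        $b2  = "from moving our bot file" ascii wide
        $b3  = "Message hijacked!" ascii wide
        $b4  = "popgrab" ascii wide
        $b5  = "ftpgrab" ascii wide
        $b6  = "s.Blocked possible browser exploit pack call on URL" ascii wide
        $b7  = "you stupid cracker" ascii wide
        $b8  = "ngrBot Error" ascii wide
        $b9  = "Slowloris]: Finished flood on" ascii wide
        $b10 = "UDP]: Finished flood on" ascii wide
        $b11 = "SYN]: Finished flood on" ascii wide
        $b12 = "USB]: Infected %s" ascii wide
        $b13 = "MSN]: Updated MSN spread message to" ascii wide
        $b14 = "MSN]: Updated MSN spread interval to" ascii wide
        $b15 = "HTTP]: Updated HTTP spread message to" ascii wide
        $b16 = "HTTP]: Injected value is now %s." ascii wide
        $b17 = "HTTP]: Updated HTTP spread interval to" ascii wide
        $b18 = "Visit]: Visited" ascii wide
        $b19 = "DNS]: Blocked" ascii wide
        $b20 = "RSOCK4]: Started rsock4" ascii wide
        $b21 = "Visit]: Error visitng" ascii wide
        $b22 = "FTP Login]: %s" ascii wide
        $b23 = "POP3 Login]: %s" ascii wide
        $b24 = "FTP Infect]: %s was iframed" ascii wide
        $b25 = "HTTP Login]: %s" ascii wide
        $b26 = "HTTP Traffic]: %s" ascii wide
        $b27 = "Ruskill]: Detected File:" ascii wide
        $b28 = "Ruskill]: Detected DNS:" ascii wide
        $b29 = "Ruskill]: Detected Reg:" ascii wide
        $b30 = "PDef+]: %s" ascii wide
        $b31 = "DNS]: Blocked DNS" ascii wide   // $b19 is a prefix of this one
        $b32 = "MSN]: %s" ascii wide
        $b33 = "HTTP]: %s" ascii wide

        // --- Security-vendor / online-scanner domain fragments (anonymous) ---
        // On their own these are exactly what an AV product, a hosts-file
        // blocker or a URL-filter list legitimately contains, and "virus.",
        // "avg." and "symantec" are very short. They only count toward the
        // overall threshold and can never carry the verdict alone.
        $ = "webroot." ascii wide
        $ = "fortinet." ascii wide
        $ = "virusbuster.nprotect." ascii wide
        $ = "gdatasoftware." ascii wide
        $ = "virus." ascii wide
        $ = "precisesecurity." ascii wide
        $ = "lavasoft." ascii wide
        $ = "heck.tc" ascii wide
        $ = "emsisoft." ascii wide
        $ = "onlinemalwarescanner." ascii wide
        $ = "onecare.live." ascii wide
        $ = "f-secure." ascii wide
        $ = "bullguard." ascii wide
        $ = "clamav." ascii wide
        $ = "pandasecurity." ascii wide
        $ = "sophos." ascii wide
        $ = "malwarebytes." ascii wide
        $ = "sunbeltsoftware." ascii wide
        $ = "norton." ascii wide
        $ = "norman." ascii wide
        $ = "mcafee." ascii wide
        $ = "symantec" ascii wide
        $ = "comodo." ascii wide
        $ = "avast." ascii wide
        $ = "avira." ascii wide
        $ = "avg." ascii wide
        $ = "bitdefender." ascii wide
        $ = "eset." ascii wide
        $ = "kaspersky." ascii wide
        $ = "trendmicro." ascii wide
        $ = "iseclab." ascii wide
        $ = "virscan." ascii wide
        $ = "garyshood." ascii wide
        $ = "viruschief." ascii wide
        $ = "jotti." ascii wide
        $ = "threatexpert." ascii wide
        $ = "novirusthanks." ascii wide
        $ = "virustotal." ascii wide

    condition:
        // Eight strings overall, at least one of them bot-specific. The
        // original "8 of them" could be satisfied by the vendor list alone.
        8 of them and 1 of ($b*)
}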
rule WormWin32DorkbotSamlpeB
{
    meta:
        Description = "Worm.Dorkbot.sm"
        ThreatLevel = "5"

    strings:
        // Shortened URL with a trailing query parameter.
        $url = "http://ht.ly/jZH8A?yd=" ascii wide
        // Folder name; the misspelling is part of the indicator, keep it.
        $dir = "DecriptedFiles" ascii wide
        // Drive-infection status format string.
        $inf = "Infected Drive: %s" ascii wide
        // Distinctive token, sufficient on its own.
        $a   = "snkb00pt" ascii wide

    condition:
        // Same truth table as "(3 of them) or $a": when $a is absent, all
        // three remaining strings are needed.
        $a or ($url and $dir and $inf)
}

rule WormWin32PhorpiexSampleM
|
|
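{
    meta:
        Description = "Worm.Phorpiex.sm"
        ThreatLevel = "5"

    strings:
        // --- Generic tokens ($g*) --------------------------------------------
        // File extensions, VM vendor names, a URL shortener and tiny format
        // strings. Almost any installer or packer contains several of these --
        // the five extensions alone used to satisfy "5 of them" -- so they count
        // toward the total but can never carry the verdict on their own.
        $g1  = "http://goo.gl" ascii wide
        $g2  = "qemu" ascii wide
        $g3  = "virtual" ascii wide
        $g4  = "vmware" ascii wide
        $g5  = "%s%s.txt" ascii wide
        $g6  = "%s%s.zip" ascii wide
        $g7  = ".exe" ascii wide
        $g8  = ".bat" ascii wide
        $g9  = ".vbs" ascii wide
        $g10 = ".pif" ascii wide
        $g11 = ".cmd" ascii wide
        $g12 = "%s\\autorun.inf" ascii wide

        // --- IM client process names ($p*) -----------------------------------
        $p1 = "paltalk.exe" ascii wide
        $p2 = "Xfire.exe" ascii wide
        $p3 = "googletalk.exe" ascii wide
        $p4 = "Skype.exe" ascii wide

        // --- File and drop names ($f*) ---------------------------------------
        $f1  = "%s\\winsvcon.txt" ascii wide
        $f2  = "%s\\rmrf%i%i%i%i.bat" ascii wide
        $f3  = "IMG%s-JPG.scr" ascii wide
        $f4  = "Microsoft Windows Manager" ascii wide
        $f5  = "winbtc.exe" ascii wide
        $f6  = "winmgr.exe" ascii wide
        $f7  = "winraz.exe" ascii wide
        $f8  = "winsam.exe" ascii wide
        $f9  = "winsvc.exe" ascii wide
        $f10 = "winsvn.exe" ascii wide

        // --- Lure messages ($m*) ---------------------------------------------
        // Multi-language "look at this photo" texts. Several end abruptly
        // ($m13, $m35, $m36, $m37): they appear to have been cut just before a
        // non-ASCII character. Keep them byte-for-byte -- the prefix still
        // matches. $m17 carries a trailing space on purpose.
        $m1  = "ti piace la foto?" ascii wide
        $m2  = "hai visto questa foto?" ascii wide
        $m3  = "la foto e grandiosa!" ascii wide
        $m4  = "ti ricordi la Foto?" ascii wide
        $m5  = "conosci la persona in questa foto?" ascii wide
        $m6  = "chi e in questa foto?" ascii wide
        $m7  = "nu imi mai voi face niciodat poze!! toate ies urate ca asta." ascii wide
        $m8  = "spune-mi ce crezi despre poza asta." ascii wide
        $m9  = "asta e ce-a mai funny poza! tu ce zici?" ascii wide
        $m10 = "zimi ce crezi despre poza asta?" ascii wide
        $m11 = "pogled na ovu sliku" ascii wide
        $m12 = "bu resmi bakmak" ascii wide
        $m13 = "pozri sa na tento obr" ascii wide
        $m14 = "pogled na to sliko" ascii wide
        $m15 = "vaata seda pilti" ascii wide
        $m16 = "spojrzec na to zdjecie" ascii wide
        $m17 = "Ieskatieties " ascii wide
        $m18 = "kyk na hierdie foto" ascii wide
        $m19 = "tell me what you think of this picture i edited" ascii wide
        $m20 = "this is the funniest photo ever!" ascii wide
        $m21 = "tell me what you think of this photo" ascii wide
        $m22 = "i don't think i will ever sleep again after seeing this photo" ascii wide
        $m23 = "i cant believe i still have this picture" ascii wide
        $m24 = "should i make this my default picture?" ascii wide
        $m25 = "ken je dat foto nog?" ascii wide
        $m26 = "kijk wat voor een foto ik heb gevonden" ascii wide
        $m27 = "ik hoop dat jij het net bent op dit foto" ascii wide
        $m28 = "ben jij dat op dit foto?" ascii wide
        $m29 = "dit foto zal je echt eens bekijken!" ascii wide
        $m30 = "ken je dit foto al?" ascii wide
        $m31 = "olhar para esta foto" ascii wide
        $m32 = "devrais-je mettre cette photo de profile?" ascii wide
        $m33 = "c'est la photo la plus marrante!" ascii wide
        $m34 = "dis moi ce que tu pense de cette photo de moi?" ascii wide
        $m35 = "mes parents vont me tu" ascii wide
        $m36 = "creo que no voy a poder dormir m" ascii wide
        $m37 = "esta foto es gracios" ascii wide
        $m38 = "mis padres me van a matar si ven esta foto mia, que decis?" ascii wide
        $m39 = "mira como saliste en esta foto jajaja" ascii wide
        $m40 = "wie findest du das foto?" ascii wide
        $m41 = "hab ich dir das foto schon gezeigt?" ascii wide
        $m42 = "schau mal welches foto ich gefunden hab" ascii wide
        $m43 = "bist du das auf dem foto?" ascii wide
        $m44 = "kennst du das foto schon?" ascii wide
        $m45 = "I cant believe I still have this picture" ascii wide
        $m46 = "I love your picture!" ascii wide
        $m47 = "Is this you??" ascii wide
        $m48 = "Picture of you???" ascii wide
        $m49 = "Should I upload this picture on facebook?" ascii wide
        $m50 = "Someone showed me your picture" ascii wide
        $m51 = "Someone told me it's your picture" ascii wide
        $m52 = "Take a look at my new picture please" ascii wide
        $m53 = "Tell me what you think of this picture" ascii wide
        $m54 = "This is the funniest picture ever!" ascii wide
        $m55 = "What do you think of my new hair" ascii wide
        $m56 = "What you think of my new hair color?" ascii wide
        $m57 = "What you think of this picture?" ascii wide
        $m58 = "You look so beautiful on this picture" ascii wide
        $m59 = "You should take a look at this picture" ascii wide
        $m60 = "Your photo isn't really that great" ascii wide

    condition:
        // Five strings overall, at least two of which are lure messages or
        // file/drop names; the generic group cannot satisfy the rule by itself.
        5 of them and 2 of ($f*, $m*)
}

rule WormWin32SillyP2PSampleH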
|
|
{
    meta:
        Description = "Worm.Silly.sm"
        ThreatLevel = "5"

    strings:
        // Text indicators: a fixed 8-hex-digit token, a look-alike of the
        // svchost.exe process name, a thread-start error message and an
        // opaque token. Three of these together are needed.
        $ = "95BC789A" ascii wide
        $ = "svchosts.exe" ascii wide
        $ = "Failed to start dl thread." ascii wide
        $ = "wo8T#$>X&D" ascii wide

        // Code patterns. All three carry absolute immediates in the 0x4040xx-
        // 0x4042xx range ("68 xx 42 40 00" = push 0x4042xx), i.e. addresses
        // baked in for an image base of 0x400000; a relinked or relocated build
        // will not match them.
        // $hex0: "55 8b ec 81 ec 8c 06 00 00" = push ebp / mov ebp,esp /
        // sub esp,0x68C, then rep-stos of 0xA5 dwords and repeated
        // "68 04 01 00 00" = push 0x104 (MAX_PATH-sized buffers).
        $hex0 = { 55 8b ec 81 ec 8c 06 00 00 56 57 83 ?? ?? ?? ?? ?? ?? 8b ?? ?? b9 a5 00 00 00 8d ?? ?? ?? ?? ?? f3 ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 68 68 42 40 00 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 6a 00 68 60 42 40 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 58 42 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 83 ?? ?? ?? ?? ?? ?? 74 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 68 38 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 14 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 6a 06 ff ?? ?? e8 ?? ?? ?? ?? 83 c4 10 68 00 02 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? eb ?? 68 64 41 40 00 68 28 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 eb ?? 8d ?? ?? ?? ?? ?? 50 68 0c 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 eb ?? 68 f0 41 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c eb ?? 68 c4 41 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 6a 06 ff ?? ?? e8 ?? ?? ?? ?? 83 c4 10 68 00 02 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 83 ?? ?? ?? ?? ?? ?? 75 ?? ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 59 6a 00 ff ?? ?? ?? ?? ??}
        // $hex1: "3d b7 00 00 00" = cmp eax,0xB7 (183 = ERROR_ALREADY_EXISTS)
        // right after an indirect call -- NOTE(review): consistent with a
        // named-object "already running" check, inferred from the constant.
        $hex1 = { 55 8b ec 81 ec 14 03 00 00 57 80 ?? ?? ?? ?? ?? ?? 6a 40 59 33 c0 8d ?? ?? ?? ?? ?? f3 ?? 66 ?? aa 80 ?? ?? ?? ?? ?? ?? 6a 40 59 33 c0 8d ?? ?? ?? ?? ?? f3 ?? 66 ?? aa 6a 03 8d ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 80 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 f8 02 75 ?? 6a 05 6a 00 8d ?? ?? ?? ?? ?? 50 68 48 41 40 00 68 40 41 40 00 6a 00 ff ?? ?? ?? ?? ?? 68 54 40 40 00 e8 ?? ?? ?? ?? 59 50 68 54 40 40 00 e8 ?? ?? ?? ?? 59 59 68 90 01 00 00 ff ?? ?? ?? ?? ?? 68 6c 40 40 00 6a 00 6a 00 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 3d b7 00 00 00 75 ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 89 ?? ?? 68 34 41 40 00 ff ?? ?? e8 ?? ?? ?? ?? 59 59 85 c0 74 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? a0 ?? ?? ?? ?? 88 ?? ?? 8d ?? ?? 50 e8 ?? ?? ?? ??}
        // $hex2: three repeats of the same call sequence pushing
        // "68 3f 00 0f 00" = 0x000F003F (KEY_ALL_ACCESS) and a root key
        // ("68 01 00 00 80" = HKEY_CURRENT_USER, "68 02 00 00 80" =
        // HKEY_LOCAL_MACHINE), each followed by a "6a 01 6a 00" (type 1,
        // reserved 0) push pair -- NOTE(review): consistent with
        // RegCreateKeyEx/RegSetValueEx writing REG_SZ values, inferred from
        // the constants only.
        $hex2 = { 55 8b ec 81 ec 10 03 00 00 83 ?? ?? ?? ?? ?? ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 68 78 40 40 00 ff ?? ?? ?? ?? ?? 68 84 40 40 00 8d ?? ?? ?? ?? ?? 50 68 74 42 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 68 84 40 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 85 c0 0f ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 c0 42 40 00 68 01 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 c0 42 40 00 68 02 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 7c 42 40 00 68 02 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 68 34 41 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 0f b6 c0 85 c0 74 ?? 68 c8 00 00 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? c9 c3}

    condition:
        // Three text strings, or any single code pattern.
        (3 of them) or (any of ($hex*))
}

rule WormSkypeMsgSpamerSample
|
|
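{
    meta:
        Description = "Worm.SkypeSpamer.sm"
        ThreatLevel = "5"

    strings:
        // Code pattern. It opens with the stock MSVC SEH frame prologue
        // ("6A FF 68 .. 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC"),
        // which is generic; the part after it is what makes the pattern
        // specific: "68 96 00 00 00 FF 15" = push 150 / call [imm] --
        // NOTE(review): consistent with Sleep(150), inferred from the constant.
        $code = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? ?? ?? ?? 53 55 56 57 33 DB 68 ?? ?? ?? ?? 88 5C 24 17 E8 ?? ?? ?? ?? 83 C4 04 85 C0 75 34 68 96 00 00 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 83 F8 01 75 10 E8 ?? ?? ?? ?? 3C 01 75 23 53 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }

        // Process names of the two messengers being targeted. Both are
        // legitimate product names that any chat add-on or window-management
        // utility may contain.
        $a = "Skype.exe" ascii wide
        $b = "msnmsgr.exe" ascii wide

    condition:
        // The code pattern is mandatory, plus at least one messenger name.
        // The original "2 of them" fired on $a and $b alone, i.e. on any
        // benign program that merely names both messengers.
        $code and ($a or $b)
}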