/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
// The "pe" module is imported, but no rule on this page reads any pe.* field.
// A stray import is harmless, though it suggests the file once used (or could use)
// PE metadata to gate the rules below to PE files only.
import "pe"
// Detects the Rooter family by a code feature: an in-place, single-byte XOR (0x30)
// decryption loop over a fixed-size buffer.
rule RooterCode : Rooter Family
{
meta:
description = "Rooter code features"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
// xor 0x30 decryption
// The 15-byte sequence decodes (x86-32) as:
//   80 B0 ?? ?? ?? ?? 30   xor byte [eax+disp32], 0x30   (disp32 wildcarded, so address-independent)
//   40                     inc eax
//   3D 00 50 00 00         cmp eax, 0x5000               (0x5000 bytes decrypted)
//   7C F1                  jl -15                        (back to the xor)
$ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }
condition:
// Only one (anonymous) string, so "any of them" means the loop was found anywhere in the
// scanned data. There is no file-type gate (e.g. a PE header check), so the sequence is
// matched in any input, not only executables.
any of them
}
// Detects the Rooter family by a cluster of short, NUL-terminated string tokens.
// Each token is generic on its own; the 3-of-5 threshold in the condition is what
// keeps the rule specific.
rule RooterStrings : Rooter Family
{
meta:
description = "Rooter Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
// Every literal carries its terminating NUL (\x00), so "seed" does not match inside a
// longer word such as "seeds". No "wide"/"nocase" modifiers: ASCII, case-sensitive only.
$group1 = "seed\x00"
$group2 = "prot\x00"
$group3 = "ownin\x00"
$group4 = "feed0\x00"
$group5 = "nown\x00"
condition:
// "$group*" selects all strings with that prefix; at least three of the five must be present.
3 of ($group*)
}
// Aggregate rule for the Rooter family: fires if either the code-feature rule or the
// string rule above matches. YARA requires referenced rules to be defined earlier in the
// same ruleset, so this rule must stay below RooterCode and RooterStrings.
rule Rooter : Family
{
meta:
description = "Rooter"
author = "Seth Hardy"
last_modified = "2014-07-10"
condition:
// Either sub-rule alone is sufficient; there is no requirement that both agree.
RooterCode or RooterStrings
}
// Detects the Rookie family by a single distinctive text token.
rule RookieStrings : Rookie Family
{
meta:
description = "Rookie Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// Single anonymous ASCII literal; no "nocase"/"wide" modifiers, so only this exact
// casing and encoding matches. Looks like a User-Agent-style token — not confirmed here.
$ = "RookIE/1.0"
condition:
any of them
}
// Detects the Rookie family by three code features: two stack-built (byte-by-byte)
// configuration strings and a byte-XOR routine keyed on a called function's return value.
rule RookieCode : Rookie Family
{
meta:
description = "Rookie code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// hidden AutoConfigURL
// Each "C6 ?? ?? ?? xx" is MOV r/m8, imm8 with the destination encoding wildcarded; the
// immediates spell A, u, [4 bytes unconstrained], o, C, o, n, f — i.e. "AutoConf…" built one
// byte at a time so the plain string never appears in the binary.
$ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 }
// hidden ProxyEnable
// Same construction: immediates P, [4 bytes unconstrained], o, x, y, E, n, a — "ProxyEna…".
$ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
// xor on rand value?
// 8B 1D 10 A1 40 00 = mov ebx, [0x0040A110] — an absolute virtual address, so this pattern is
// tied to one image base/build and will miss relocated or recompiled samples.
// Then, after 18 unconstrained bytes: FF D3 call ebx ; 8A 16 mov dl,[esi] ; 32 D0 xor dl,al ;
// 88 16 mov [esi],dl — a byte XORed with the low byte of the callee's return value, which is
// consistent with (but does not prove) the "rand" guess in the original comment.
$ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }
condition:
// Any one of the three anonymous patterns is enough to fire; no file-type gate is applied.
any of them
}
// Aggregate rule for the Rookie family: fires if either the code-feature rule or the
// string rule above matches. It must remain defined after RookieCode and RookieStrings,
// since YARA only allows references to previously defined rules.
rule Rookie : Family
{
meta:
description = "Rookie"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
// Either sub-rule alone is sufficient.
RookieCode or RookieStrings
}