1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule KINS_dropper {
meta:
author = "AlienVault Labs aortega@alienvault.com"
description = "Match protocol, process injects and windows exploit present in KINS dropper"
reference = "http://goo.gl/arPhm3"
strings:
// Network protocol
$n1 = "tid=%d&ta=%s-%x" fullword
$n2 = "fid=%d" fullword
$n3 = "%[^.].%[^(](%[^)])" fullword
// Injects
$i0 = "%s [%s %d] 77 %s"
$i01 = "Global\\%s%x"
$i1 = "Inject::InjectProcessByName()"
$i2 = "Inject::CopyImageToProcess()"
$i3 = "Inject::InjectProcess()"
$i4 = "Inject::InjectImageToProcess()"
$i5 = "Drop::InjectStartThread()"
// UAC bypass
$uac1 = "ExploitMS10_092"
$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
condition:
2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
}
rule KINS_DLL_zeus {
meta:
author = "AlienVault Labs aortega@alienvault.com"
description = "Match default bot in KINS leaked dropper, Zeus"
reference = "http://goo.gl/arPhm3"
strings:
// Network protocol
$n1 = "%BOTID%" fullword
$n2 = "%opensocks%" fullword
$n3 = "%openvnc%" fullword
$n4 = /Global\\(s|v)_ev/ fullword
// Crypted strings
$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
condition:
all of ($n*) and 1 of ($s*)
}