1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Win32OPCHavex
{
meta:
Author = "BAE Systems"
Date = "2014/06/23"
Description = "Rule for identifying OPC version of HAVEX"
Reference = "www.f-secure.com/weblog/archives/00002718.html"
strings:
$mzhdr = "MZ"
$dll = "7CFC52CD3F87.dll"
$a1 = "Start finging of LAN hosts..." wide
$a2 = "Finding was fault. Unexpective error" wide
$a3 = "Was found %i hosts in LAN:" wide
$a4 = "Hosts was't found." wide
$a5 = "Start finging of OPC Servers..." wide
$a6 = "Was found %i OPC Servers." wide
$a7 = "OPC Servers not found. Programm finished" wide
$a8 = "%s[%s]!!!EXEPTION %i!!!" wide
$a9 = "Start finging of OPC Tags..." wide
condition:
$mzhdr at 0 and ($dll or (any of ($a*)))
}
rule Win32FertgerHavex
{
meta:
Author = "BAE Systems"
Date = "2014/06/23"
Description = "Rule for identifying Fertger version of HAVEX"
Reference = "www.f-secure.com/weblog/archives/00002718.html"
strings:
$mz = "MZ"
$a1="\\\\.\\pipe\\mypipe-f" wide
$a2="\\\\.\\pipe\\mypipe-h" wide
$a3="\\qln.dbx" wide
$a4="*.yls" wide
$a5="\\*.xmd" wide
$a6="fertger" wide
$a7="havex"
condition:
$mz at 0 and 3 of ($a*)
}
rule Havex_Trojan_PHP_Server
{
meta:
Author = "Florian Roth"
Date = "2014/06/24"
Description = "Detects the PHP server component of the Havex RAT"
Reference = "www.f-secure.com/weblog/archives/00002718.html"
strings:
$s1 = "havex--></body></head>"
$s2 = "ANSWERTAG_START"
$s3 = "PATH_BLOCKFILE"
condition:
all of them
}