1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LinuxAESDDoS
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "3AES"
$b = "Hacker"
$c = "VERSONEX"
condition:
2 of ($a,$b,$c)
}
rule LinuxBillGates
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
strings:
$a= "12CUpdateGates"
$b= "11CUpdateBill"
condition:
$a and $b
}
rule LinuxElknot
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
strings:
$a = "ZN8CUtility7DeCryptEPciPKci"
$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
condition:
$a and $b
}
rule LinuxMrBlack
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "Mr.Black"
$b = "VERS0NEX:%s|%d|%d|%s"
condition:
$a and $b
}
rule LinuxTsunami
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "PRIVMSG %s :[STD]Hitting %s"
$b = "NOTICE %s :TSUNAMI <target> <secs>"
$c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
condition:
$a or $b or $c
}