MALW_TinyShell_Backdoor_gen.yar
/* Description:
Detects the ELF or Mach-O TinyShell backdoor in statically or dynamically linked binary form.
It is commonly used as a backdoor on Linux, FreeBSD or MacOSX operating systems.
By default this ruleset is NOT designed to scan the CNC client side.
Category: ELF or MachO, backdoor, hacktool, RAT, shell
License:
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
Version 1-20180211, author:unixfreaxjp
*/
// Mach-O magic check shared by the public rules below.
// Each magic value is tested in both byte orders so that images written by a
// little- or big-endian toolchain, as well as fat/universal binaries, are all
// covered.
// NOTE(review): the byte sequence CA FE BA BE (FAT_MAGIC read big-endian) is
// also the first four bytes of a Java .class file, so this helper on its own
// is not a reliable Mach-O discriminator; the public rules add string checks.
private rule is__osx
{
    meta:
        date = "2018-02-12"
        author = "@unixfreaxjp"
    condition:
        // MH_MAGIC (32-bit thin image), either byte order
        uint32(0) == 0xfeedface or uint32be(0) == 0xfeedface
        // MH_MAGIC_64 (64-bit thin image), either byte order
        or uint32(0) == 0xfeedfacf or uint32be(0) == 0xfeedfacf
        // FAT_MAGIC (universal binary), either byte order
        or uint32(0) == 0xcafebabe or uint32be(0) == 0xcafebabe
}
// Command-line help text of the TinyShell binary: the getopt(3) option
// string "s:p:" plus the usage banner naming the -s (secret) and -p (port)
// switches. Every public rule in this file requires this helper, so it is
// the anchor of the whole set.
private rule priv01 {
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    strings:
        $vara01 = { 733A 703A 00 }                             // "s:p:" followed by a NUL
        $vara02 = "Usage: %s" fullword nocase wide ascii
        $vara03 = "[ -s secret ]" fullword nocase wide ascii
        $vara04 = "[ -p port ]" fullword nocase wide ascii
    condition:
        // every fragment of the banner must be present
        $vara01 and $vara02 and $vara03 and $vara04
}
// Code-level fingerprints: two x86-64 function-entry fragments per build
// flavour. $varb* and $vard* look like the same two functions emitted with a
// different frame-pointer convention (only $vard* starts with
// "push rbp; mov rbp, rsp") -- TODO confirm against the original samples.
private rule priv03 {
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    strings:
        // push r15 ; push r14 ; push r13 ; push r12 ; push rbp ; push rbx ; movzx eax, byte [rsi]
        $varb01 = { 4157 4156 4155 4154 55 53 0FB606 }
        // mov qword [rdi], 0 ; mov qword [rdi+8], ... (immediate truncated)
        $varb02 = { 48C707 00000000 48C74708 0000 }
        // push rbp ; mov rbp, rsp ; push r15 ; push r14 ; push r13 ; push r12 ; push rbx
        $vard01 = { 55 4889E5 4157 4156 4155 4154 53 }
        // push rbp ; mov rbp, rsp ; mov qword [rdi+8], 0 ; next REX prefix
        $vard02 = { 55 4889E5 48C74708 00000000 48 }
        // further fragments can be added here
    condition:
        // both fragments of either flavour must be present
        all of ($varb*) or all of ($vard*)
}
// Build-specific code fragments. Both contain relocation-dependent bytes
// (a rel32 call target in $varb03, a RIP-relative displacement in $vard03),
// so they pin one particular compiled build and will miss a recompiled or
// differently linked sample. MALW_TinyShell_backconnect_OSX requires this
// helper, which ties that rule to such a build; the ELF rule accepts it only
// as one alternative among the helpers.
private rule priv04 {
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    strings:
        // mov edi, ebx ; call rel32 ; add ebx, 1 ; cmp ebx, imm32 (immediate truncated)
        $varb03 = { 89DF E8FBA4FFFF 83C301 81FB0004 }
        // mov word [rip+0x5e7d], ax (RIP-relative in 64-bit code)
        $vard03 = { 668905 7D5E0000 }
        // further fragments can be added here
    condition:
        any of them
}
// Behavioural strings of a connect-back shell: the libc routines needed to
// connect out, allocate a pty and exec a shell, plus environment names such
// a shell typically scrubs. The import names occur in many legitimate
// network programs, which is why five of them are required.
// NOTE(review): $varc01 "HISTFIL" and $varc02 "TERML" look truncated or
// mistyped. Because of `fullword`, "HISTFIL" cannot match inside "HISTFILE="
// (the next byte is alphanumeric), so the $varc* branch effectively needs
// "/bin/sh" plus a standalone "HISTFIL" or "TERML" token. Verify the intended
// strings against a sample before changing them -- left as-is here.
private rule priv02 {
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    strings:
        // environment / shell artefacts
        $varc01 = "HISTFIL" fullword nocase wide ascii
        $varc02 = "TERML" fullword nocase wide ascii
        $varc03 = "/bin/sh" fullword nocase wide ascii
        // network, pty and process-control imports
        $vare00 = "waitpid" fullword nocase wide ascii
        $vare01 = "socket" fullword nocase wide ascii
        $vare02 = "connect" fullword nocase wide ascii
        $vare03 = "alarm" fullword nocase wide ascii
        $vare04 = "dup2" fullword nocase wide ascii
        $vare05 = "execl" fullword nocase wide ascii
        $vare06 = "openpty" fullword nocase wide ascii
        $vare07 = "putenv" fullword nocase wide ascii
        $vare08 = "setsid" fullword nocase wide ascii
        $vare09 = "ttyname" fullword nocase wide ascii
    condition:
        5 of ($vare*) or 2 of ($varc*)
}
// Strict Mach-O detection: every helper must match, including the
// build-specific priv04, so this rule is precise but may not generalise to
// recompiled samples (MALW_TinyShell_backconnect_Gen is the looser variant).
rule MALW_TinyShell_backconnect_OSX {
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    condition:
        filesize < 100KB
        and is__osx
        and priv01 and priv02
        and priv03 and priv04
}
// ELF detection: the usage banner plus any one of the behavioural or
// code-level helpers.
// NOTE(review): is__elf is not defined in this file; it has to come from a
// ruleset compiled together with this one (e.g. via include), otherwise
// compilation fails on an undefined identifier -- TODO confirm.
rule MALW_TinyShell_backconnect_ELF {
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    condition:
        filesize < 100KB
        and is__elf
        and priv01
        and (priv02 or priv03 or priv04)
}
// Generic detection for either format: usage banner plus the behavioural
// strings, without the build-specific code fragments, so it should survive
// recompilation better than the _OSX rule.
// is__elf is defined outside this file (see the ELF rule above).
rule MALW_TinyShell_backconnect_Gen {
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    condition:
        filesize < 100KB
        and (is__elf or is__osx)
        and priv01 and priv02
}
// Broadest rule: only the usage banner and a minimum size, with no upper
// size bound and no behavioural check. Expect hits on anything that ships
// TinyShell's help text; the file header says this set is not meant for the
// client side, so confirm whether the client binary carries the same banner
// before using this rule for alerting rather than hunting.
// is__elf is defined outside this file (see the ELF rule above).
rule MALW_TinyShell_backdoor_Gen {
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    condition:
        filesize > 20KB
        and (is__elf or is__osx)
        and priv01
}