Update APT_Derusbi.yar

090955f4 · mmorenog · GitHub · 7d0e0a15 · 090955f4
Commit 090955f4 authored Jul 20, 2016 by mmorenog Committed by GitHub Jul 20, 2016
Show whitespace changes
Inline Side-by-side

Showing with 13 additions and 13 deletions

APT_Derusbi.yar malware/APT_Derusbi.yar +13 -13

No files found.
--- a/malware/APT_Derusbi.yar
+++ b/malware/APT_Derusbi.yar
@@ -5,7 +5,7 @@

 import "pe"

-rule apt_nix_elf_derusbi
+rule apt_nix_elf_derusbi : APT Derusbi ELF
 {
        meta:
        Author = "@seifreed"
@@ -51,7 +51,7 @@ rule apt_nix_elf_derusbi
 	condition:
 		(uint32(0) == 0x4464c457f) and (all of them)
 }
-rule apt_nix_elf_derusbi_kernelModule
+rule apt_nix_elf_derusbi_kernelModule : APT Derusbi ELF
 {
 	meta:
        Author = "@seifreed"
@@ -80,7 +80,7 @@ rule apt_nix_elf_derusbi_kernelModule
 	condition:
 		(uint32(0) == 0x4464c457f) and (all of them)
 }
-rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
+rule apt_nix_elf_Derusbi_Linux_SharedMemCreation : APT Derusbi ELF
 {
 	meta:
        Author = "@seifreed"
@@ -90,7 +90,7 @@ rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
 		(uint32(0) == 0x464C457F) and (any of them)
 }

-rule apt_nix_elf_Derusbi_Linux_Strings
+rule apt_nix_elf_Derusbi_Linux_Strings : APT Derusbi ELF
 {
 	meta:
        Author = "@seifreed"
@@ -117,7 +117,7 @@ rule apt_nix_elf_Derusbi_Linux_Strings
 		all of ($b*))
 }

-rule apt_win_exe_trojan_derusbi
+rule apt_win_exe_trojan_derusbi : APT Derusbi 
 {
   meta:
          Author = "@seifreed"
@@ -179,7 +179,7 @@ rule apt_win_exe_trojan_derusbi
 }


-rule Trojan_Derusbi {
+rule Trojan_Derusbi : APT Derusbi  {
    meta:
        Author = "RSA_IR"
        Date     = "4Sept13"
@@ -200,7 +200,7 @@ rule Trojan_Derusbi {
        2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
 }

-rule APT_Derusbi_DeepPanda
+rule APT_Derusbi_DeepPanda : APT Derusbi ELF DeepPanda
 {
 meta:
 	author = "ThreatConnect Intelligence Research Team"
@@ -212,7 +212,7 @@ condition:
 }


-rule APT_Derusbi_Gen
+rule APT_Derusbi_Gen : APT Derusbi 
 {
 meta:
 	author = "ThreatConnect Intelligence Research Team"
@@ -240,7 +240,7 @@ condition:
 	Identifier: Derusbi Dez 2015
 */

-rule derusbi_kernel
+rule derusbi_kernel : APT Derusbi 
 {
    meta:
        description = "Derusbi Driver version"
@@ -256,7 +256,7 @@ rule derusbi_kernel
        $MZ at 0 and $token1 and $token2 and $cfg and $class
 }

-rule derusbi_linux
+rule derusbi_linux  : APT Derusbi ELF
 {
    meta:
        description = "Derusbi Server Linux version"
@@ -279,7 +279,7 @@ rule derusbi_linux
 	Identifier: Derusbi Dez 2015
 */

-rule Derusbi_Kernel_Driver_WD_UDFS {
+rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi  {
 	meta:
 		description = "Detects Derusbi Kernel Driver"
 		author = "Florian Roth"
@@ -310,7 +310,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS {
      )
 }

-rule Derusbi_Code_Signing_Cert {
+rule Derusbi_Code_Signing_Cert : APT Derusbi  {
 	meta:
 		description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
 		author = "Florian Roth"
@@ -325,7 +325,7 @@ rule Derusbi_Code_Signing_Cert {
      uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
 }

-rule XOR_4byte_Key {
+rule XOR_4byte_Key : APT Derusbi  {
 	meta:
 		description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
 		author = "Florian Roth"