Adding new rules from pr/52

1275165d · jovimon · a9ace175 · 1275165d · 1275165d
Commit 1275165d authored Sep 09, 2015 by jovimon
Show whitespace changes
Inline Side-by-side

Showing with 52 additions and 0 deletions

dubrute.yar malware/dubrute.yar +26 -0

wineggdrop.yar malware/wineggdrop.yar +26 -0

No files found.
--- a/malware/dubrute.yar
+++ b/malware/dubrute.yar
+rule dubrute : bruteforcer
+{
+    meta:
+        author = "Christian Rebischke (@sh1bumi)"
+        date = "2015-09-05"
+        description = "Rules for DuBrute Bruteforcer"
+        in_the_wild = true
+        family = "Hackingtool/Bruteforcer"
+    
+    strings:
+        $a = "WBrute"
+        $b = "error.txt"
+        $c = "good.txt"
+        $d = "source.txt"
+        $e = "bad.txt"
+        $f = "Generator IP@Login;Password"
+
+    condition:
+        //check for MZ Signature at offset 0
+        uint16(0) == 0x5A4D 
+
+        and 
+
+        //check for dubrute specific strings
+        $a and $b and $c and $d and $e and $f 
+}
--- a/malware/wineggdrop.yar
+++ b/malware/wineggdrop.yar
+rule wineggdrop : portscanner
+{
+    meta:
+        author = "Christian Rebischke (@sh1bumi)"
+        date = "2015-09-05"
+        description = "Rules for TCP Portscanner VX.X by WinEggDrop"
+        in_the_wild = true
+        family = "Hackingtool/Portscanner"
+
+    strings:
+        $a = { 54 43 50 20 50 6f 72 74 20 53 63 61 6e 6e 65 72 
+               20 56 3? 2e 3? 20 42 79 20 57 69 6e 45 67 67 44 
+               72 6f 70 0a } 
+        $b = "Result.txt"
+        $c = "Usage:   %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\n"
+
+    condition:
+        //check for MZ Signature at offset 0
+        uint16(0) == 0x5A4D
+
+        and
+
+        //check for wineggdrop specific strings
+        $a and $b and $c 
+}
+