Update APT_Sofacy_Fysbis.yar

1913ff66 · Marc Rivero López · GitHub · a6f78737 · 1913ff66
Commit 1913ff66 authored Jan 23, 2017 by Marc Rivero López Committed by GitHub Jan 23, 2017
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

APT_Sofacy_Fysbis.yar malware/APT_Sofacy_Fysbis.yar +12 -5

No files found.
--- a/malware/APT_Sofacy_Fysbis.yar
+++ b/malware/APT_Sofacy_Fysbis.yar
@@ -9,7 +9,9 @@
 	Identifier: Sofacy Fysbis
 */
-rule Sofacy_Fybis_ELF_Backdoor_Gen1 : Sofacy Linux Backdoor APT APT28 {
+rule Sofacy_Fybis_ELF_Backdoor_Gen1
+{
    meta:
        description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
        author = "Florian Roth"
@@ -18,23 +20,25 @@ rule Sofacy_Fybis_ELF_Backdoor_Gen1 : Sofacy Linux Backdoor APT APT28 {
        score = 80
        hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
        hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
    strings:
        $x1 = "Your command not writed to pipe" fullword ascii
        $x2 = "Terminal don`t started for executing command" fullword ascii
        $x3 = "Command will have end with \\n" fullword ascii
        $s1 = "WantedBy=multi-user.target' >> /usr/lib/systemd/system/" fullword ascii
        $s2 = "Success execute command or long for waiting executing your command" fullword ascii
        $s3 = "ls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\"" fullword ascii
        $s4 = "rm -f /usr/lib/systemd/system/" fullword ascii
        $s5 = "ExecStart=" fullword ascii
        $s6 = "<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>" fullword ascii
    condition:
-		( uint16(0) == 0x457f and filesize < 500KB and 1 of ($x*) ) or
+        ( uint16(0) == 0x457f and filesize < 500KB and 1 of ($x*) ) or ( 1 of ($x*) and 3 of ($s*) )
-		( 1 of ($x*) and 3 of ($s*) )
 }
-rule Sofacy_Fysbis_ELF_Backdoor_Gen2  : Sofacy Linux Backdoor APT APT28 {
+rule Sofacy_Fysbis_ELF_Backdoor_Gen2 
+{
    meta:
        description = "Detects Sofacy Fysbis Linux Backdoor"
        author = "Florian Roth"
@@ -44,10 +48,13 @@ rule Sofacy_Fysbis_ELF_Backdoor_Gen2  : Sofacy Linux Backdoor APT APT28 {
        hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
        hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
        hash3 = "fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61"
    strings:
        $s1 = "RemoteShell" ascii
        $s2 = "basic_string::_M_replace_dispatch" fullword ascii
        $s3 = "HttpChannel" ascii
    condition:
        uint16(0) == 0x457f and filesize < 500KB and all of them
 }