Skip to content

R
rules
Commit 19fb6450 by mmorenog
Options

Update Miscelanea_Linux.yar

parent d902582f
Showing with 121 additions and 0 deletions
malware/Miscelanea_Linux.yar
......@@ -75,3 +75,124 @@ rule LinuxTsunami
condition:
$a or $b or $c
}
rule rootkit
{
meta:
author="xorseed"
reference= "https://stuff.rop.io/"
strings:
$sys1 = "sys_write" nocase ascii wide
$sys2 = "sys_getdents" nocase ascii wide
$sys3 = "sys_getdents64" nocase ascii wide
$sys4 = "sys_getpgid" nocase ascii wide
$sys5 = "sys_getsid" nocase ascii wide
$sys6 = "sys_setpgid" nocase ascii wide
$sys7 = "sys_kill" nocase ascii wide
$sys8 = "sys_tgkill" nocase ascii wide
$sys9 = "sys_tkill" nocase ascii wide
$sys10 = "sys_sched_setscheduler" nocase ascii wide
$sys11 = "sys_sched_setparam" nocase ascii wide
$sys12 = "sys_sched_getscheduler" nocase ascii wide
$sys13 = "sys_sched_getparam" nocase ascii wide
$sys14 = "sys_sched_setaffinity" nocase ascii wide
$sys15 = "sys_sched_getaffinity" nocase ascii wide
$sys16 = "sys_sched_rr_get_interval" nocase ascii wide
$sys17 = "sys_wait4" nocase ascii wide
$sys18 = "sys_waitid" nocase ascii wide
$sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
$sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
$sys21 = "sys_prlimit64" nocase ascii wide
$sys22 = "sys_ptrace" nocase ascii wide
$sys23 = "sys_migrate_pages" nocase ascii wide
$sys24 = "sys_move_pages" nocase ascii wide
$sys25 = "sys_get_robust_list" nocase ascii wide
$sys26 = "sys_perf_event_open" nocase ascii wide
$sys27 = "sys_uname" nocase ascii wide
$sys28 = "sys_unlink" nocase ascii wide
$sys29 = "sys_unlikat" nocase ascii wide
$sys30 = "sys_rename" nocase ascii wide
$sys31 = "sys_read" nocase ascii wide
$sys32 = "kobject_del" nocase ascii wide
$sys33 = "list_del_init" nocase ascii wide
$sys34 = "inet_ioctl" nocase ascii wide
condition:
9 of them
}
rule exploit
{
meta:
author="xorseed"
reference= "https://stuff.rop.io/"
strings:
$xpl1 = "set_fs_root" nocase ascii wide
$xpl2 = "set_fs_pwd" nocase ascii wide
$xpl3 = "__virt_addr_valid" nocase ascii wide
$xpl4 = "init_task" nocase ascii wide
$xpl5 = "init_fs" nocase ascii wide
$xpl6 = "bad_file_ops" nocase ascii wide
$xpl7 = "bad_file_aio_read" nocase ascii wide
$xpl8 = "security_ops" nocase ascii wide
$xpl9 = "default_security_ops" nocase ascii wide
$xpl10 = "audit_enabled" nocase ascii wide
$xpl11 = "commit_creds" nocase ascii wide
$xpl12 = "prepare_kernel_cred" nocase ascii wide
$xpl13 = "ptmx_fops" nocase ascii wide
$xpl14 = "node_states" nocase ascii wide
condition:
7 of them
}
rule ldpreload
{
meta:
author="xorseed"
reference= "https://stuff.rop.io/"
strings:
$a = "dlopen" nocase ascii wide
$b = "dlsym" nocase ascii wide
$c = "fopen" nocase ascii wide
$d = "fopen64" nocase ascii wide
$e = "__fxstat" nocase ascii wide
$f = "__fxstat64" nocase ascii wide
$g = "accept" nocase ascii wide
$h = "__lxstat" nocase ascii wide
$i = "__lxstat64" nocase ascii wide
$j = "open" nocase ascii wide
$k = "rmdir" nocase ascii wide
$l = "__xstat" nocase ascii wide
$m = "__xstat64" nocase ascii wide
$n = "unlink" nocase ascii wide
$o = "unlikat" nocase ascii wide
$p = "fdopendir" nocase ascii wide
$q = "opendir" nocase ascii wide
$r = "readdir" nocase ascii wide
$s = "readdir64" nocase ascii wide
condition:
($a or $b) and 5 of them
}
rule keylogger
{
meta:
author="xorseed"
reference="https://stuff.rop.io/"
strings:
$a = "XListInputDevices" ascii wide
$b = "XOpenDevice" ascii wide
$c = "XOpenIM" ascii wide
$d = "XGetIMValues" ascii wide
$e = "XmbLookupString" ascii wide
$f = "XFree" ascii wide
$g = "XCreateIC" ascii wide
$h = "XOpenDisplay" ascii wide
$i = "XNextEvent" ascii wide
$j = "XInternAtom" ascii wide
$k = "XSelectExtensionEvent" ascii wide
$l = "XFreeDeviceList" ascii wide
$m = "XGetWindowProperty" ascii wide
$n = "XkbKeycodeToKeysym" ascii wide
condition:
all of them
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment