Merge pull request #288 from unixfreaxjp/master

Pullreq on MALW_Httpsd_ELF.yar, MALW_Mirai_Okiru_ELF.yar and MALW_Mirai_Satori_ELF.yar

malware/MALW_Httpsd_ELF.yar

+/* Yara rule to detect Linux/Httpsd generic
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+    and  open to any user or organization, as long as you use it under this license.
+*/
+
+private rule is__LinuxHttpsdStrings {
+
+    meta:
+	description = "Strings of ELF Linux/Httpsd (backdoor, downloader, remote command execution)"
+	ref1 = "https://imgur.com/a/8mFGk"
+	ref2 = "https://otx.alienvault.com/pulse/5a49115f93199b171b90a212"
+	ref3 = "https://misppriv.circl.lu/events/view/9952"
+	author = "unixfreaxjp"
+	org = "MalwareMustDie"
+	date = "2018-01-02"
+	sha256 = "dd1266561fe7fcd54d1eb17efbbb6babaa9c1f44b36cef6e06052e22ce275ccd"
+	sha256 = "1b3718698fae20b63fbe6ab32411a02b0b08625f95014e03301b49afaee9d559"
+		
+	strings:
+		$st01 = "k.conectionapis.com" fullword nocase wide ascii
+		$st02 = "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s" fullword nocase wide ascii
+		$st03 = "id=%d&result=%s" fullword nocase wide ascii
+		$st04 = "rtime" fullword nocase wide ascii
+		$st05 = "down" fullword nocase wide ascii
+		$st06 = "cmd" fullword nocase wide ascii
+		$st07 = "0 */6 * * * root" fullword nocase wide ascii
+		$st08 = "/etc/cron.d/httpsd" fullword nocase wide ascii
+		$st09 = "cat /proc/cpuinfo |grep processor|wc -l" fullword nocase wide ascii
+		$st10 = "k.conectionapis.com" fullword nocase wide ascii
+		$st11 = "/api" fullword nocase wide ascii
+		$st12 = "/tmp/.httpslog" fullword nocase wide ascii
+		$st13 = "/bin/.httpsd" fullword nocase wide ascii
+		$st14 = "/tmp/.httpsd" fullword nocase wide ascii
+		$st15 = "/tmp/.httpspid" fullword nocase wide ascii
+		$st16 = "/tmp/.httpskey" fullword nocase wide ascii
+
+	condition:
+		all of them
+}
+
+
+private rule is__elf {
+
+	meta:
+		author = "@mmorenog,@yararules"
+		
+	strings:
+		$header = { 7F 45 4C 46 }
+
+	condition:
+		$header at 0
+}
+
+rule Linux_Httpsd_malware_ARM {
+  
+	meta:
+		description = "Detects Linux/Httpsd ARMv5"
+		date = "2017-12-31"
+
+	strings:
+		$hexsts01 = { f0 4f 2d e9 1e db 4d e2 ec d0 4d e2 01 40 a0 e1 } // main
+		$hexsts02 = { f0 45 2d e9 0b db 4d e2 04 d0 4d e2 3c 01 9f e5 } // self-rclocal
+		$hexsts03 = { f0 45 2d e9 01 db 4d e2 04 d0 4d e2 bc 01 9f e5 } // copy-self
+
+	condition:
+		all of them
+        	and is__elf
+		and is__LinuxHttpsdStrings
+		and filesize < 200KB 
+}
+
+rule Linux_Httpsd_malware_i686 {
+
+	meta:
+		description = "Detects ELF Linux/Httpsd i686"
+		date = "2018-01-02"
+
+	
+	strings:
+		$hexsts01 = { 8d 4c 24 04 83 e4 f0 ff 71 fc 55 89 e5 57 56 53 } // main
+		$hexsts02 = { 55 89 e5 57 56 53 81 ec 14 2c 00 00 68 7a 83 05 } // self-rclocal
+		$hexsts03 = { 55 89 e5 57 56 53 81 ec 10 04 00 00 68 00 04 00 } // copy-self
+
+	condition:
+		all of them
+        	and is__elf
+		and is__LinuxHttpsdStrings
+		and filesize < 200KB 
+}

malware/MALW_IcedID.yar

+/* Yara rule to detect IcedID banking trojan generic 
+   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+   and  open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+rule IceID_bank_trojan {
+
+	meta:
+		description = "Detects IcedID..adjusted several times"
+		author = "unixfreaxjp"
+		org = "MalwareMustDie"
+		date = "2018-01-14"
+    
+	strings:
+		$header = { 4D 5A }
+		$magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? }
+		$st01 = "CCmdTarget" fullword nocase wide ascii
+		$st02 = "CUserException" fullword nocase wide ascii
+		$st03 = "FileType" fullword nocase wide ascii
+		$st04 = "FlsGetValue" fullword nocase wide ascii
+		$st05 = "AVCShellWrapper@@" fullword nocase wide ascii
+		$st06 = "AVCCmdTarget@@" fullword nocase wide ascii
+		$st07 = "AUCThreadData@@" fullword nocase wide ascii
+		$st08 = "AVCUserException@@" fullword nocase wide ascii
+
+	condition:
+		header at 0 and all of ($magic*) and 6 of ($st0*)
+		and pe.sections[0].name contains ".text"
+		and pe.sections[1].name contains ".rdata"
+		and pe.sections[2].name contains ".data"
+		and pe.sections[3].name contains ".rsrc"
+		and pe.characteristics & pe.EXECUTABLE_IMAGE
+		and pe.characteristics & pe.RELOCS_STRIPPED
+}

malware/MALW_Mirai_Okiru_ELF.yar

+/* Yara rule to detect Mirai Okiru generic 
+   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+   and  open to any user or organization, as long as you use it under this license.
+*/
+
+private rule is__Mirai_gen7 {
+	meta:
+		description = "Generic detection for MiraiX version 7"
+		reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
+		author = "unixfreaxjp"
+		org = "MalwareMustDie"
+		date = "2018-01-05"
+
+	strings:
+        	$st01 = "/bin/busybox rm" fullword nocase wide ascii
+        	$st02 = "/bin/busybox echo" fullword nocase wide ascii
+        	$st03 = "/bin/busybox wget" fullword nocase wide ascii
+        	$st04 = "/bin/busybox tftp" fullword nocase wide ascii
+        	$st05 = "/bin/busybox cp" fullword nocase wide ascii
+        	$st06 = "/bin/busybox chmod" fullword nocase wide ascii
+		$st07 = "/bin/busybox cat" fullword nocase wide ascii
+
+	condition:
+        	5 of them
+}
+
+private rule is__elf {
+
+	meta:
+		author = "@mmorenog,@yararules"
+		
+	strings:
+		$header = { 7F 45 4C 46 }
+
+	condition:
+		$header at 0
+}
+
+rule Mirai_Okiru {
+	meta:
+		description = "Detects Mirai Okiru MALW"
+		reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
+		date = "2018-01-05"
+
+	strings:
+		$hexsts01 = { 68 7f 27 70 60 62 73 3c 27 28 65 6e 69 28 65 72 }
+		$hexsts02 = { 74 7e 65 68 7f 27 73 61 73 77 3c 27 28 65 6e 69 }
+		// noted some Okiru variant doesnt have below function, uncomment to seek specific x86 bins
+    // $st07 = "iptables -F\n" fullword nocase wide ascii
+    
+	condition:
+    		all of them
+		and is__elf
+		and is__Mirai_gen7
+		and filesize < 100KB 
+}

malware/MALW_Mirai_Satori_ELF.yar

+/* Yara rule to detect Mirai Satori generic 
+   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
+   and  open to any user or organization, as long as you use it under this license.
+*/
+
+private rule is__Mirai_gen7 {
+	meta:
+		description = "Generic detection for MiraiX version 7"
+		reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
+		author = "unixfreaxjp"
+		org = "MalwareMustDie"
+		date = "2018-01-05"
+
+	strings:
+        	$st01 = "/bin/busybox rm" fullword nocase wide ascii
+        	$st02 = "/bin/busybox echo" fullword nocase wide ascii
+        	$st03 = "/bin/busybox wget" fullword nocase wide ascii
+        	$st04 = "/bin/busybox tftp" fullword nocase wide ascii
+        	$st05 = "/bin/busybox cp" fullword nocase wide ascii
+        	$st06 = "/bin/busybox chmod" fullword nocase wide ascii
+        	$st07 = "/bin/busybox cat" fullword nocase wide ascii
+
+	condition:
+        	5 of them
+}
+
+private rule is__elf {
+
+	meta:
+		author = "@mmorenog,@yararules"
+		
+	strings:
+		$header = { 7F 45 4C 46 }
+
+	condition:
+		$header at 0
+}
+
+private rule is__Mirai_Satori_gen {
+	meta:
+		description = "Detects Mirai Satori_gen"
+		reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
+		date = "2018-01-05"
+
+	strings:
+		$st08 = "tftp -r satori" fullword nocase wide ascii
+		$st09 = "/bins/satori" fullword nocase wide ascii
+		$st10 = "satori" fullword nocase wide ascii
+		$st11 = "SATORI" fullword nocase wide ascii
+
+	condition:
+		2 of them
+}
+
+rule Mirai_Satori {
+	meta:
+		description = "Detects Mirai Satori MALW"
+		date = "2018-01-09"
+
+	strings:
+		$hexsts01 = { 63 71 75 ?? 62 6B 77 62 75 }
+		$hexsts02 = { 53 54 68 72 75 64 62 }
+		$hexsts03 = { 28 63 62 71 28 70 66 73 64 6F 63 68 60 } 
+
+	condition:
+		all of them
+		and is__elf
+		and is__Mirai_gen7
+		and is__Mirai_Satori_gen
+		and filesize < 100KB 
+}