Merge pull request #113 from plutec/master

Added some rulesets from https://github.com/arbor/yara

malware/Athena.yar

@@ -22,3 +22,63 @@ rule AthenaHTTP
     condition:
         all of them
 }
+
+
+rule AthenaHTTP_v2 {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Athena HTTP identification"
+        source = "https://github.com/arbor/yara/blob/master/athena.yara"
+    strings:
+        $fmt_str1="|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|"
+        $fmt_str2="|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|"
+        $cmd1 = "filesearch.stop"
+        $cmd2 = "rapidget"
+        $cmd3 = "layer4."
+        $cmd4 = "slowloris"
+        $cmd5 = "rudy"
+    condition:
+        all of ($fmt_str*) and 3 of ($cmd*)
+}
+
+rule AthenaIRC {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Athena IRC v1.8.x, 2.x identification"
+        source = "https://github.com/arbor/yara/blob/master/athena.yara"
+    strings:
+        $cmd1 = "ddos." fullword
+        $cmd2 = "layer4." fullword
+        $cmd3 = "war." fullword
+        $cmd4 = "smartview" fullword
+        $cmd5 = "ftp.upload" fullword
+        $msg1 = "%s %s :%s LAYER4 Combo Flood: Stopped"
+        $msg2 = "%s %s :%s IRC War: Flood started [Type: %s | Target: %s]"
+        $msg3 = "%s %s :%s FTP Upload: Failed"
+        $msg4 = "Athena v2"
+        $msg5 = "%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]"
+        // v1 strs
+        $amsg1 = "ARME flood on %s/%s:%i for %i seconds [Host confirmed vulnerable"
+        $amsg2 = " Rapid HTTP Combo flood on %s:%i for %i seconds"
+        $amsg3 = "Began flood: %i connections every %i ms to %s:%i"
+        $amsg4 = "IPKiller>Athena"
+        $amsg5 = "Athena=Shit!"
+        $amsg6 = "Athena-v1"
+        $amsg7 = "BTC wallet.dat file found"
+        $amsg8 = "MineCraft lastlogin file found"
+        $amsg9 = "Process '%s' was found and scheduled for deletion upon next reboot"
+        $amsg10 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
+        // Athena-v1.8.3
+        $amsg11 = "Rapid Connect/Disconnect"
+        $amsg12 = "BTC wallet.dat found,"
+        // v1 cmds
+        $acmd1 = ":!arme"
+        $acmd2 = ":!openurl"
+        $acmd3 = ":!condis"
+        $acmd4 = ":!httpcombo"
+        $acmd5 = ":!urlblock"
+        $acmd6 = ":!udp"
+        $acmd7 = ":!btcwallet"
+    condition:
+        (all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
+}
\ No newline at end of file

malware/BlackRev.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+
+*/
+
+rule BlackRev
+{
+   meta:
+      author = "Dennis Schwarz"
+      date = "2013-05-21"
+      description = "Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/"
+      origin = "https://github.com/arbor/yara/blob/master/blackrev.yara"
+
+   strings: 
+      $base1 = "http"
+      $base2 = "simple"
+      $base3 = "loginpost"
+      $base4 = "datapost"
+
+      $opt1 = "blackrev"
+      $opt2 = "stop"
+      $opt3 = "die"
+      $opt4 = "sleep"
+      $opt5 = "syn"
+      $opt6 = "udp"
+      $opt7 = "udpdata"
+      $opt8 = "icmp"
+      $opt9 = "antiddos"
+      $opt10 = "range"
+      $opt11 = "fastddos"
+      $opt12 = "slowhttp"
+      $opt13 = "allhttp"
+      $opt14 = "tcpdata"
+      $opt15 = "dataget"
+
+   condition:
+      all of ($base*) and 5 of ($opt*)
+}
\ No newline at end of file

malware/Chicken.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule ChickenDOS{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Win32-variant of Chicken ident for both dropper and dropped file"
+        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
+    strings:
+        $pdb1 = "\\Chicken\\Release\\svchost.pdb"
+        $pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"
+        $str2 = "fake.cf"
+        $str3 = "8.8.8.8"
+        $str4 = "Processor(%d)\\"
+        $str5 = "DbProtectSupport"
+        $str1 = "dm1712/`jvpnpkte/bpl"
+        $str6 = "InstallService NPF %d"
+        $str7 = "68961"
+        $str8 = "InstallService DbProtectSupport %d"
+        $str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys"
+    condition:
+        ($pdb1 or $pdb2) and 5 of ($str*)
+}
+
+rule ChickenDOS_Linux {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        description = "Linux-variant of Chicken ident for both dropper and dropped file"
+        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
+    strings:
+        $cfg = "fake.cfg"
+        $file1 = "ThreadAttack.cpp"
+        $file2 = "Fake.cpp"
+        $str1 = "dns_array"
+        $str2 = "DomainRandEx"
+        $str3 = "cpu %llu %llu %llu %llu"
+        $str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii
+    condition:
+        $cfg and all of ($file*) and 3 of ($str*)
+}

malware/DirtJumper.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule DirtJumper_drive
+{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2013-08-26"
+        description = "Identify first version of drive DDoS malware"
+        source = "https://github.com/arbor/yara/blob/master/drive.yara"
+    strings:
+        $cmd1 = "-get" fullword
+        $cmd2 = "-ip" fullword
+        $cmd3 = "-ip2" fullword
+        $cmd4 = "-post1" fullword
+        $cmd5 = "-post2" fullword
+        $cmd6 = "-udp" fullword
+        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
+        $str2 = "-timeout" fullword
+        $str3 = "-thread" fullword
+        $str4 = " Local; ru) Presto/2.10.289 Version/"
+        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
+        $newver1 = "-icmp"
+        $newver2 = "<xmp>"
+    condition:
+        4 of ($cmd*) and all of ($str*) and not any of ($newver*)
+}
+
+
+rule DirtJumper_drive2
+{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2013-08-26"
+        description = "Identify newer version of drive DDoS malware"
+        source = "https://github.com/arbor/yara/blob/master/drive2.yara"
+    strings:
+        $cmd1 = "-get" fullword
+        $cmd2 = "-ip" fullword
+        $cmd3 = "-ip2" fullword
+        $cmd4 = "-post1" fullword
+        $cmd5 = "-post2" fullword
+        $cmd6 = "-udp" fullword
+        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
+        $str2 = "-timeout" fullword
+        $str3 = "-thread" fullword
+        $str4 = " Local; ru) Presto/2.10.289 Version/"
+        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
+        $newver1 = "-icmp"
+        $newver2 = "-byte"
+        $newver3 = "-long"
+        $newver4 = "<xmp>"
+    condition:
+        4 of ($cmd*) and all of ($str*) and all of ($newver*)
+}
+
+
+rule DirtJumper_drive3
+{
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2014-03-17"
+        description = "Identify version of Drive DDoS malware using compromised sites"
+        source = "https://github.com/arbor/yara/blob/master/drive3.yara"
+    strings:
+        $cmd1 = "-get" fullword
+        $cmd2 = "-ip" fullword
+        $cmd3 = "-ip2" fullword
+        $cmd4 = "-post1" fullword
+        $cmd5 = "-post2" fullword
+        $cmd6 = "-udp" fullword
+        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
+        $str2 = "-timeout" fullword
+        $str3 = "-thread" fullword
+        $str4 = " Local; ru) Presto/2.10.289 Version/"
+        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
+        $newver1 = "-icmp"
+        $newver2 = "-byte"
+        $newver3 = "-long"
+        $drive3 = "99=1"
+    condition:
+        4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
+}
\ No newline at end of file

malware/Madness.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+
+rule Madness {
+    meta:
+        author = "Jason Jones <jasonjones@arbor.net>"
+        date = "2014-01-15"
+        description = "Identify Madness Pro DDoS Malware"
+        source = "https://github.com/arbor/yara/blob/master/madness.yara"
+    strings:
+        $ua1 = "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
+        $ua2 = "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
+        $str1= "document.cookie=" fullword
+        $str2 = "[\"cookie\",\"" fullword
+        $str3 = "\"realauth=" fullword
+        $str4 = "\"location\"];" fullword
+        $str5 = "d3Rm" fullword
+        $str6 = "ZXhl" fullword
+    condition:
+        all of them
+}
\ No newline at end of file