Create MALW_TinyShell_Backdoor_gen.yar

37b8ad95 · unixfreaxjp · GitHub · 9cb2a055 · 37b8ad95
Unverified Commit 37b8ad95 authored Feb 11, 2018 by unixfreaxjp Committed by GitHub Feb 11, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 138 additions and 0 deletions

MALW_TinyShell_Backdoor_gen.yar malware/MALW_TinyShell_Backdoor_gen.yar +138 -0

No files found.
--- a/malware/MALW_TinyShell_Backdoor_gen.yar
+++ b/malware/MALW_TinyShell_Backdoor_gen.yar
+/* Description:
+    Detects ELF or MachO tinyshell backdoor on static, dynamic binary form.
+    It is commonly used as backdoor in Linux, FreeBSD or MacOSX operating systems.
+    This rule by default is NOT designed to scan the CNC client side.
+    Category: ELF or MachO, backdoor, hacktool, RAT, shell
+   License:
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
+    Version 1-20180211, author:unixfreaxjp
+*/
+
+private rule is__osx
+{
+ meta:
+    date = "2018-02-12"
+    author = "@unixfreaxjp"
+ condition:
+    uint32(0) == 0xfeedface     or uint32(0) == 0xcafebabe
+    or uint32(0) == 0xbebafeca  or uint32(0) == 0xcefaedfe
+    or uint32(0) == 0xfeedfacf  or uint32(0) == 0xcffaedfe
+}
+
+private rule is__elf {
+ meta:
+    author = "@mmorenog,@yararules"
+ strings:
+    $header = { 7F 45 4C 46 }
+ condition:
+    $header at 0
+}
+
+private rule priv01 {
+ meta:
+    date = "2018-02-11"
+    author = "@unixfreaxjp"
+ strings:
+    $vara01 = { 73 3A 70 3A 00 }
+    $vara02 = "Usage: %s" fullword nocase wide ascii
+    $vara03 = "[ -s secret ]" fullword nocase wide ascii
+    $vara04 = "[ -p port ]" fullword nocase wide ascii
+ condition:
+    all of them
+}
+
+private rule priv03 {
+ meta:
+    date = "2018-02-10"
+    author = "@unixfreaxjp"
+ strings:
+    $varb01 = { 41 57 41 56 41 55 41 54 55 53 0F B6 06 }
+    $varb02 = { 48 C7 07 00 00 00 00 48 C7 47 08 00 00 }
+    $vard01 = { 55 48 89 E5 41 57 41 56 41 55 41 54 53 }
+    $vard02 = { 55 48 89 E5 48 C7 47 08 00 00 00 00 48 }
+    // can be added
+ condition:
+    (2 of ($varb*)) or (2 of ($vard*))
+}
+
+private rule priv04 {
+ meta:
+    date = "2018-02-11"
+    author = "@unixfreaxjp"
+ strings:
+    $varb03 = { 89 DF E8 FB A4 FF FF 83 C3 01 81 FB 00 04 }
+    $vard03 = { 66 89 05 7D 5E 00 00 }
+    // can be added
+ condition:
+    1 of them
+}
+
+private rule priv02 {
+ meta:
+    date = "2018-02-10"
+    author = "@unixfreaxjp"
+ strings:
+    $vare01 = "socket" fullword nocase wide ascii
+    $vare02 = "connect" fullword nocase wide ascii
+    $vare03 = "alarm" fullword nocase wide ascii
+    $vare04 = "dup2" fullword nocase wide ascii
+    $vare05 = "execl" fullword nocase wide ascii
+    $vare06 = "openpty" fullword nocase wide ascii
+    $vare07 = "putenv" fullword nocase wide ascii
+    $vare08 = "setsid" fullword nocase wide ascii
+    $vare09 = "ttyname" fullword nocase wide ascii
+    $vare00 = "waitpid" fullword nocase wide ascii
+    $varc01 = "HISTFIL" fullword nocase wide ascii
+    $varc02 = "TERML" fullword nocase wide ascii
+    $varc03 = "/bin/sh" fullword nocase wide ascii
+ condition:
+    (5 of ($vare*)
+    or (2 of ($varc*)))
+}
+
+rule MALW_TinyShell_backconnect_OSX {
+ meta:
+    date = "2018-02-10"
+    author = "@unixfreaxjp"
+ condition:
+    is__osx
+    and priv01
+    and priv02
+    and priv03
+    and priv04
+    and filesize < 100KB
+}
+
+rule MALW_TinyShell_backconnect_ELF {
+ meta:
+    date = "2018-02-10"
+    author = "@unixfreaxjp"
+ condition:
+    is__elf
+    and priv01
+    and ((priv02)
+      or ((priv03)
+        or (priv04)))
+    and filesize < 100KB
+}
+
+rule MALW_TinyShell_backconnect_Gen {
+ meta:
+    date = "2018-02-11"
+    author = "@unixfreaxjp"
+ condition:
+    ((is__elf) or  (is__osx))
+    and priv01
+    and priv02
+    and filesize < 100KB
+}
+
+rule MALW_TinyShell_backdoor_Gen {
+ meta:
+    date = "2018-02-11"
+    author = "@unixfreaxjp"
+ condition:
+    ((is__elf) or  (is__osx))
+    and priv01
+    and filesize > 20KB
+}