Commit 698a04dc by Marc Rivero López Committed by GitHub

Update MALW_DDoSTf.yar

parent 49c93f3a
...@@ -2,19 +2,22 @@ ...@@ -2,19 +2,22 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/ */
rule DDosTf : DDoS ELF
rule DDosTf
{ {
meta:
meta:
author = "benkow_ - MalwareMustDie" author = "benkow_ - MalwareMustDie"
reference = "http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html" reference = "http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html"
description = "Rule to detect ELF.DDosTf infection" description = "Rule to detect ELF.DDosTf infection"
strings:
strings:
$st0 = "ddos.tf" $st0 = "ddos.tf"
$st1 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 49 4E 54 56 4C E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPINTVL*/ $st1 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 49 4E 54 56 4C E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPINTVL*/
$st2 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 43 4E 54 E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPCNT*/ $st2 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 43 4E 54 E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPCNT*/
$st3 = "Accept-Language: zh" $st3 = "Accept-Language: zh"
$st4 = "%d Kb/bps|%d%%" $st4 = "%d Kb/bps|%d%%"
condition: condition:
all of them all of them
} }
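Review bot: The comments on `$st1` and `$st2` name only the ASCII portion of each hex pattern, while the leading bytes (E8 AE BE E7 BD AE) and trailing bytes (E9 94 99 E8 AF AF EF BC 9A) are UTF-8 Chinese text that a maintainer cannot see without decoding them; the comments would be more useful as `/* UTF-8 "设置TCP_KEEPINTVL错误：" */` and `/* UTF-8 "设置TCP_KEEPCNT错误：" */`. Since the condition is `all of them`, the match depends on these apparent error-message strings staying byte-identical, so recording what they mean makes that dependence explicit for anyone tuning the rule. The old/new side of the changed lines is not marked on this page, so this assumes the tagged `rule DDosTf : DDoS ELF` form is the new one.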