Update 000_common_rules.yar

72fa6aee · jovimon · GitHub · 6980a314 · 72fa6aee
Unverified Commit 72fa6aee authored Jun 02, 2018 by jovimon Committed by GitHub Jun 02, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

000_common_rules.yar malware/000_common_rules.yar +22 -0

No files found.
--- a/malware/000_common_rules.yar
+++ b/malware/000_common_rules.yar
@@ -15,3 +15,25 @@ rule is__elf {
 	condition:
 		$header at 0
 }
+private rule is__Mirai_gen7 {
+        meta:
+                description = "Generic detection for MiraiX version 7"
+                reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
+                author = "unixfreaxjp"
+                org = "MalwareMustDie"
+                date = "2018-01-05"
+        strings:
+                $st01 = "/bin/busybox rm" fullword nocase wide ascii
+                $st02 = "/bin/busybox echo" fullword nocase wide ascii
+                $st03 = "/bin/busybox wget" fullword nocase wide ascii
+                $st04 = "/bin/busybox tftp" fullword nocase wide ascii
+                $st05 = "/bin/busybox cp" fullword nocase wide ascii
+                $st06 = "/bin/busybox chmod" fullword nocase wide ascii
+                $st07 = "/bin/busybox cat" fullword nocase wide ascii
+        condition:
+                5 of them
+}