Commit b03218bf by Marc Rivero López Committed by GitHub

Update MALW_Athena.yar

parent 74844809
...@@ -2,13 +2,16 @@ ...@@ -2,13 +2,16 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license. long as you use it under this license.
*/ */
rule AthenaHTTP rule AthenaHTTP
{ {
meta: meta:
author = "Brian Wallace @botnet_hunter" author = "Brian Wallace @botnet_hunter"
author_email = "bwall@ballastsecurity.net" author_email = "bwall@ballastsecurity.net"
date = "2014-08-09" date = "2014-08-09"
description = "Identify Athena HTTP" description = "Identify Athena HTTP"
strings: strings:
$s1 = "%s(%s)" $s1 = "%s(%s)"
$s2 = "type:on_exec" $s2 = "type:on_exec"
...@@ -19,16 +22,20 @@ rule AthenaHTTP ...@@ -19,16 +22,20 @@ rule AthenaHTTP
$s7 = "cores:%i" $s7 = "cores:%i"
$s8 = "ver:%s" $s8 = "ver:%s"
$s9 = "net:%s" $s9 = "net:%s"
condition: condition:
all of them all of them
} }
rule AthenaHTTP_v2 { rule AthenaHTTP_v2
{
meta: meta:
author = "Jason Jones <jasonjones@arbor.net>" author = "Jason Jones <jasonjones@arbor.net>"
description = "Athena HTTP identification" description = "Athena HTTP identification"
source = "https://github.com/arbor/yara/blob/master/athena.yara" source = "https://github.com/arbor/yara/blob/master/athena.yara"
strings: strings:
$fmt_str1="|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|" $fmt_str1="|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|"
$fmt_str2="|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|" $fmt_str2="|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|"
...@@ -37,15 +44,19 @@ rule AthenaHTTP_v2 { ...@@ -37,15 +44,19 @@ rule AthenaHTTP_v2 {
$cmd3 = "layer4." $cmd3 = "layer4."
$cmd4 = "slowloris" $cmd4 = "slowloris"
$cmd5 = "rudy" $cmd5 = "rudy"
condition: condition:
all of ($fmt_str*) and 3 of ($cmd*) all of ($fmt_str*) and 3 of ($cmd*)
} }
rule AthenaIRC { rule AthenaIRC
{
meta: meta:
author = "Jason Jones <jasonjones@arbor.net>" author = "Jason Jones <jasonjones@arbor.net>"
description = "Athena IRC v1.8.x, 2.x identification" description = "Athena IRC v1.8.x, 2.x identification"
source = "https://github.com/arbor/yara/blob/master/athena.yara" source = "https://github.com/arbor/yara/blob/master/athena.yara"
strings: strings:
$cmd1 = "ddos." fullword $cmd1 = "ddos." fullword
$cmd2 = "layer4." fullword $cmd2 = "layer4." fullword
...@@ -79,6 +90,7 @@ rule AthenaIRC { ...@@ -79,6 +90,7 @@ rule AthenaIRC {
$acmd5 = ":!urlblock" $acmd5 = ":!urlblock"
$acmd6 = ":!udp" $acmd6 = ":!udp"
$acmd7 = ":!btcwallet" $acmd7 = ":!btcwallet"
condition: condition:
(all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*)) (all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
} }