Update Ramsonware.yar

Add rule to detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)

Update Ramsonware.yar
Add rule to detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)
b310ec8f · mmorenog · fc0544da · b310ec8f
Commit b310ec8f authored May 25, 2015 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 0 deletions

Ramsonware.yar malware/Ramsonware.yar +19 -0

No files found.
--- a/malware/Ramsonware.yar
+++ b/malware/Ramsonware.yar
@@ -63,3 +63,22 @@ condition:
 	8 of ($string*)
 }
+rule SVG_LoadURL {
+	meta:
+		description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
+		author = "Florian Roth"
+		reference = "http://goo.gl/psjCCc"
+		date = "2015-05-24"
+		hash1 = "ac8ef9df208f624be9c7e7804de55318"
+		hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
+		hash3 = "7e2be5cc785ef7711282cea8980b9fee"
+		hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
+		score = 50
+	strings:
+		$s1 = "</svg>" nocase
+		$s2 = "<script>" nocase
+		$s3 = "location.href='http" nocase
+	condition:
+		all of ($s*) and filesize < 600
+}