Added @benkow_ rules

b9655dd7 · Yara Rules · 12e39647 · b9655dd7
Commit b9655dd7 authored Apr 13, 2015 by Yara Rules
Show whitespace changes
Inline Side-by-side

Showing with 89 additions and 15 deletions

malware.yar malware.yar +89 -15

No files found.
--- a/malware.yar
+++ b/malware.yar
@@ -157,8 +157,6 @@ rule HTMLVariant : FakeM Family HTML Variant
 }
 rule EzcobStrings : Ezcob Family
 {
    meta:
@@ -19366,38 +19364,42 @@ condition:
 any of ($key*)
 }
 rule apt_regin_vfs {
 meta:
-copyright = "Kaspersky Lab"
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
 	description = "Rule to detect Regin VFSes"
 	version = "1.0"
 	last_modified = "2014-11-18"
 strings:
-$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
+	$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
-$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
+	$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
-$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
+	$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
-$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
+	$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
 condition:
-($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
+	($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
 }
 rule apt_regin_dispatcher_disp_dll {
 meta:
-copyright = "Kaspersky Lab"
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
 	description = "Rule to detect Regin disp.dll dispatcher"
 	version = "1.0"
 	last_modified = "2014-11-18"
 strings:
-$mz="MZ"
+	$mz="MZ"
 	$string1="shit"
 	$string2="disp.dll"
 	$string3="255.255.255.255"
 	$string4="StackWalk64"
 	$string5="imagehlp.dll"
 condition:
-($mz at 0) and (all of ($string*))
+	($mz at 0) and (all of ($string*))
 }
 rule apt_regin_2013_64bit_stage1 {
 meta:
 copyright = "Kaspersky Lab"
@@ -19453,9 +19455,11 @@ rule TerminatorRat : rat
 	condition:
 		all of them
-}rule TROJAN_Notepad_shell_crew {
+}
+rule TROJAN_Notepad_shell_crew {
        meta:
-                Author = "RSA_IR"
+                author = "RSA_IR"
                Date     = "4Jun13"
                File     = "notepad.exe v 1.1"
                MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
@@ -19477,3 +19481,73 @@ strings:
 condition:
 	any of them
 }
+rule LinuxAESDDoS
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+    strings:
+        $a = "3AES"
+        $b = "Hacker"
+        $c = "VERSONEX"
+    condition:
+        2 of ($a,$b,$c)
+}
+rule LinuxBillGates 
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
+    strings:
+        $a= "12CUpdateGates"
+        $b= "11CUpdateBill"
+    condition:
+        $a and $b
+}
+rule LinuxElknot
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
+    strings:
+        $a = "ZN8CUtility7DeCryptEPciPKci"
+	$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
+    condition:
+        $a and $b
+}
+rule LinuxMrBlack
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+    strings:
+        $a = "Mr.Black"
+	$b = "VERS0NEX:%s|%d|%d|%s"
+    condition:
+        $a and $b
+}
+rule LinuxTsunami
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+    strings:
+        $a = "PRIVMSG %s :[STD]Hitting %s"
+        $b = "NOTICE %s :TSUNAMI <target> <secs>"
+        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
+    condition:
+        $a or $b or $c
+}