Update Naikon.yar

Add new rule

Update Naikon.yar
Add new rule
c2abf8e2 · mmorenog · 959821a2 · c2abf8e2
Commit c2abf8e2 authored May 20, 2015 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 33 additions and 0 deletions

Naikon.yar malware/Naikon.yar +33 -0

No files found.
--- a/malware/Naikon.yar
+++ b/malware/Naikon.yar
@@ -50,4 +50,37 @@ rule Naikon : Family
    condition:
        NaikonCode or NaikonStrings
 }
+rule Backdoor_Naikon_APT_Sample1 {
+	meta:
+		description = "Detects backdoors related to the Naikon APT"
+		author = "Florian Roth"
+		reference = "https://goo.gl/7vHyvh"
+		date = "2015-05-14"
+		hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
+		hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
+	strings:
+		$x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
+		$x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
+		$x2 = "greensky27.vicp.net" fullword ascii
+		$x3 = "\\tempvxd.vxd.dll" fullword wide
+		$x4 = "otna.vicp.net" fullword ascii
+		$x5 = "smithking19.gicp.net" fullword ascii
+		$s1 = "User-Agent: webclient" fullword ascii
+		$s2 = "\\User.ini" fullword ascii
+		$s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
+		$s4 = "\\UserProfile.dll" fullword wide
+		$s5 = "Connection:Keep-Alive: %d" fullword ascii
+		$s6 = "Referer: http://%s:%d/" fullword ascii
+		$s7 = "%s %s %s %d %d %d " fullword ascii
+		$s8 = "%s--%s" fullword wide
+		$s9 = "Run File Success!" fullword wide
+		$s10 = "DRIVE_REMOTE" fullword wide
+		$s11 = "ProxyEnable" fullword wide
+		$s12 = "\\cmd.exe" fullword wide
+	condition:
+		uint16(0) == 0x5a4d and filesize < 1000KB and
+		(
+			1 of ($x*) or 7 of ($s*)
+		)
+}