Commit d767fcc5 by Marc Rivero López Committed by GitHub

Update MALW_DirtJumper.yar

parent d999990a
...@@ -5,11 +5,13 @@ ...@@ -5,11 +5,13 @@
rule DirtJumper_drive rule DirtJumper_drive
{ {
meta: meta:
author = "Jason Jones <jasonjones@arbor.net>" author = "Jason Jones <jasonjones@arbor.net>"
date = "2013-08-26" date = "2013-08-26"
description = "Identify first version of drive DDoS malware" description = "Identify first version of drive DDoS malware"
source = "https://github.com/arbor/yara/blob/master/drive.yara" source = "https://github.com/arbor/yara/blob/master/drive.yara"
strings: strings:
$cmd1 = "-get" fullword $cmd1 = "-get" fullword
$cmd2 = "-ip" fullword $cmd2 = "-ip" fullword
...@@ -24,6 +26,7 @@ rule DirtJumper_drive ...@@ -24,6 +26,7 @@ rule DirtJumper_drive
$str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT" $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
$newver1 = "-icmp" $newver1 = "-icmp"
$newver2 = "<xmp>" $newver2 = "<xmp>"
condition: condition:
4 of ($cmd*) and all of ($str*) and not any of ($newver*) 4 of ($cmd*) and all of ($str*) and not any of ($newver*)
} }
...@@ -31,11 +34,13 @@ rule DirtJumper_drive ...@@ -31,11 +34,13 @@ rule DirtJumper_drive
rule DirtJumper_drive2 rule DirtJumper_drive2
{ {
meta: meta:
author = "Jason Jones <jasonjones@arbor.net>" author = "Jason Jones <jasonjones@arbor.net>"
date = "2013-08-26" date = "2013-08-26"
description = "Identify newer version of drive DDoS malware" description = "Identify newer version of drive DDoS malware"
source = "https://github.com/arbor/yara/blob/master/drive2.yara" source = "https://github.com/arbor/yara/blob/master/drive2.yara"
strings: strings:
$cmd1 = "-get" fullword $cmd1 = "-get" fullword
$cmd2 = "-ip" fullword $cmd2 = "-ip" fullword
...@@ -52,6 +57,7 @@ rule DirtJumper_drive2 ...@@ -52,6 +57,7 @@ rule DirtJumper_drive2
$newver2 = "-byte" $newver2 = "-byte"
$newver3 = "-long" $newver3 = "-long"
$newver4 = "<xmp>" $newver4 = "<xmp>"
condition: condition:
4 of ($cmd*) and all of ($str*) and all of ($newver*) 4 of ($cmd*) and all of ($str*) and all of ($newver*)
} }
...@@ -59,11 +65,13 @@ rule DirtJumper_drive2 ...@@ -59,11 +65,13 @@ rule DirtJumper_drive2
rule DirtJumper_drive3 rule DirtJumper_drive3
{ {
meta: meta:
author = "Jason Jones <jasonjones@arbor.net>" author = "Jason Jones <jasonjones@arbor.net>"
date = "2014-03-17" date = "2014-03-17"
description = "Identify version of Drive DDoS malware using compromised sites" description = "Identify version of Drive DDoS malware using compromised sites"
source = "https://github.com/arbor/yara/blob/master/drive3.yara" source = "https://github.com/arbor/yara/blob/master/drive3.yara"
strings: strings:
$cmd1 = "-get" fullword $cmd1 = "-get" fullword
$cmd2 = "-ip" fullword $cmd2 = "-ip" fullword
...@@ -80,6 +88,7 @@ rule DirtJumper_drive3 ...@@ -80,6 +88,7 @@ rule DirtJumper_drive3
$newver2 = "-byte" $newver2 = "-byte"
$newver3 = "-long" $newver3 = "-long"
$drive3 = "99=1" $drive3 = "99=1"
condition: condition:
4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3 4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
} }
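Review bot: `$drive3 = "99=1"` is a four-byte ASCII anchor with no `fullword` qualifier, so it also matches inside longer tokens such as `199=10`, and it is the only string that separates DirtJumper_drive3 from DirtJumper_drive2 in the visible condition; consider `$drive3 = "99=1" fullword`, or a longer anchor taken from the surrounding parameter string if the samples support it. The same applies to `$newver2 = "-byte"` and `$newver3 = "-long"`, which lack the `fullword` that the `$cmd*` strings carry and will match `-bytes` or `-longer`. None of the three conditions gates on the file type; if these rules are meant for Windows executables, a leading `uint16(0) == 0x5A4D and` in each condition would cut false positives and scan cost, though that should be confirmed against the original Arbor source before changing it. The `strings:` sections of all three rules are split across hunks, so part of each rule lies outside what is shown here.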