We rules with external vars

We rules with external vars

malware/MalumPOS.yar

@@ -20,22 +20,4 @@ rule PoS_Malware_MalumPOS
         $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/ 
     condition:
         all of ($string*)
-}        
-
-rule PoS_Malware_MalumPOS_Config
-{
-    meta:
-        author = "Florian Roth"
-        date = "2015-06-25"
-        description = "MalumPOS Config File"
-        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
-    strings:
-        $s1 = "[PARAMS]"
-        $s2 = "Name="
-        $s3 = "InterfacesIP="
-        $s4 = "Port="
-    condition:
-        /* all of ($s*) and filename == "log.ini" and filesize < 20KB*/
-        all of ($s*) and filesize < 20KB
-}
-
+}        
\ No newline at end of file

malware/gen_faked_versions.yar

 /*
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
-*/
-
-rule Fake_AdobeReader_EXE
-    {
-    meta:
-        description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
-        date = "2014-09-11"
-        author = "Florian Roth"
-        score = 50
-    strings:
-        $s1 = "Adobe Systems" ascii
-    condition:
-        uint16(0) == 0x5a4d and 
-        filename matches /AcroRd32.exe/i and 
-        not $s1 in (filesize-2500..filesize) 
-}
-
-rule Fake_FlashPlayerUpdaterService_EXE
-    {
-    meta:
-        description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
-        date = "2014-09-11"
-        author = "Florian Roth"
-        score = 50
-    strings:
-        $s1 = "Adobe Systems Incorporated" ascii
-    condition:
-        uint16(0) == 0x5a4d and 
-        filename matches /FlashPlayerUpdateService.exe/i and 
-        not $s1 in (filesize-2500..filesize) 
-}
+*/
\ No newline at end of file

malware/general_cloaking.yar

@@ -3,50 +3,6 @@
 
 */
 
-rule EXE_cloaked_as_TXT {
-	meta:
-		description = "Executable with TXT extension"
-		author = "Florian Roth"
-	condition:
-		uint16(0) == 0x5a4d 					// Executable
-		and filename matches /\.txt$/is   // TXT extension (case insensitive)
-}
-
-rule EXE_extension_cloaking {
-	meta:
-		description = "Executable showing different extension (Windows default 'hide known extension')"
-		author = "Florian Roth"
-	condition:
-		filename matches /\.txt\.exe$/is or	// Special file extensions
-		filename matches /\.pdf\.exe$/is		// Special file extensions
-}
-
-rule Cloaked_RAR_File {
-	meta:
-		description = "RAR file cloaked by a different extension"
-		author = "Florian Roth"
-	condition:
-		uint32be(0) == 0x52617221							// RAR File Magic Header
-		and not filename matches /(rarnew.dat|\.rar)$/is	// not the .RAR extension
-		and not filepath contains "Recycle" 				// not a deleted RAR file in recycler
-}
-
-rule Base64_encoded_Executable {
-	meta:
-		description = "Detects an base64 encoded executable (often embedded)"
-		author = "Florian Roth"
-		date = "2015-05-28"
-		score = 40
-	strings:
-		$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
-		$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
-		$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
-		$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
-		$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
-	condition:
-		1 of them and not filepath contains "Thunderbird"
-}
-
 rule Binary_Drop_Certutil {
 	meta:
 		description = "Drop binary as base64 encoded cert trick"