rule apt_nix_elf_derusbi { strings: $ = "LxMain" $ = "execve" $ = "kill" $ = "cp -a %s %s" $ = "%s &" $ = "dbus-daemon" $ = "--noprofile" $ = "--norc" $ = "TERM=vt100" $ = "/proc/%u/cmdline" $ = "loadso" $ = "/proc/self/exe" $ = "Proxy-Connection: Keep-Alive" $ = "Connection: Keep-Alive" $ = "CONNECT %s" $ = "HOST: %s:%d" $ = "User-Agent: Mozilla/4.0" $ = "Proxy-Authorization: Basic %s" $ = "Server: Apache" $ = "Proxy-Authenticate" $ = "gettimeofday" $ = "pthread_create" $ = "pthread_join" $ = "pthread_mutex_init" $ = "pthread_mutex_destroy" $ = "pthread_mutex_lock" $ = "getsockopt" $ = "socket" $ = "setsockopt" $ = "select" $ = "bind" $ = "shutdown" $ = "listen" $ = "opendir" $ = "readdir" $ = "closedir" $ = "rename" condition: (uint32(0) == 0x4464c457f) and (all of them) } rule apt_nix_elf_derusbi_kernelModule { strings: $ = "__this_module" $ = "init_module" $ = "unhide_pid" $ = "is_hidden_pid" $ = "clear_hidden_pid" $ = "hide_pid" $ = "license" $ = "description" $ = "srcversion=" $ = "depends=" $ = "vermagic=" $ = "current_task" $ = "sock_release" $ = "module_layout" $ = "init_uts_ns" $ = "init_net" $ = "init_task" $ = "filp_open" $ = "__netlink_kernel_create" $ = "kfree_skb" condition: (uint32(0) == 0x4464c457f) and (all of them) } rule apt_nix_elf_Derusbi_Linux_SharedMemCreation { strings: $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 } condition: (uint32(0) == 0x464C457F) and (any of them) } rule apt_nix_elf_Derusbi_Linux_Strings { strings: $a1 = "loadso" wide ascii fullword $a2 = "\nuname -a\n\n" wide ascii $a3 = "/dev/shm/.x11.id" wide ascii $a4 = "LxMain64" wide ascii nocase $a5 = "# \\u@\\h:\\w \\$ " wide ascii $b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide $b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide $b3 = "ret %d" wide fullword $b4 = "uname -a\n\n" wide ascii $b5 = "/proc/%u/cmdline" wide ascii $b6 = "/proc/self/exe" wide ascii $b7 = "cp -a %s %s" wide ascii $c1 = "/dev/pts/4" wide ascii fullword $c2 = "/tmp/1408.log" wide ascii fullword condition: uint32(0) == 0x464C457F and ((1 of ($a*) and 4 of ($b*)) or (1 of ($a*) and 1 of ($c*)) or 2 of ($a*) or all of ($b*)) } rule apt_win_exe_trojan_derusbi { strings: $sa_1 = "USB" wide ascii $sa_2 = "RAM" wide ascii $sa_3 = "SHARE" wide ascii $sa_4 = "HOST: %s:%d" $sa_5 = "POST" $sa_6 = "User-Agent: Mozilla" $sa_7 = "Proxy-Connection: Keep-Alive" $sa_8 = "Connection: Keep-Alive" $sa_9 = "Server: Apache" $sa_10 = "HTTP/1.1" $sa_11 = "ImagePath" $sa_12 = "ZwUnloadDriver" $sa_13 = "ZwLoadDriver" $sa_14 = "ServiceMain" $sa_15 = "regsvr32.exe" $sa_16 = "/s /u" wide ascii $sa_17 = "rand" $sa_18 = "_time64" $sa_19 = "DllRegisterServer" $sa_20 = "DllUnregisterServer" $sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver $sb_1 = "PCC_CMD_PACKET" $sb_2 = "PCC_CMD" $sb_3 = "PCC_BASEMOD" $sb_4 = "PCC_PROXY" $sb_5 = "PCC_SYS" $sb_6 = "PCC_PROCESS" $sb_7 = "PCC_FILE" $sb_8 = "PCC_SOCK" $sc_1 = "bcdedit -set testsigning" wide ascii $sc_2 = "update.microsoft.com" wide ascii $sc_3 = "_crt_debugger_hook" wide ascii $sc_4 = "ue8G5" wide ascii $sd_1 = "NET" wide ascii $sd_2 = "\\\\.\\pipe\\%s" wide ascii $sd_3 = ".dat" wide ascii $sd_4 = "CONNECT %s:%d" wide ascii $sd_5 = "\\Device\\" wide ascii $se_1 = "-%s-%04d" wide ascii $se_2 = "-%04d" wide ascii $se_3 = "FAL" wide ascii $se_4 = "OK" wide ascii $se_5 = "2.03" wide ascii $se_6 = "XXXXXXXXXXXXXXX" wide ascii condition: (uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or ( (13 of ($sa_*)) and ( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or ( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) ) }