/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_nix_elf_derusbi
{
meta:
Author = "@seifreed"
strings:
$ = "LxMain"
$ = "execve"
$ = "kill"
$ = "cp -a %s %s"
$ = "%s &"
$ = "dbus-daemon"
$ = "--noprofile"
$ = "--norc"
$ = "TERM=vt100"
$ = "/proc/%u/cmdline"
$ = "loadso"
$ = "/proc/self/exe"
$ = "Proxy-Connection: Keep-Alive"
$ = "Connection: Keep-Alive"
$ = "CONNECT %s"
$ = "HOST: %s:%d"
$ = "User-Agent: Mozilla/4.0"
$ = "Proxy-Authorization: Basic %s"
$ = "Server: Apache"
$ = "Proxy-Authenticate"
$ = "gettimeofday"
$ = "pthread_create"
$ = "pthread_join"
$ = "pthread_mutex_init"
$ = "pthread_mutex_destroy"
$ = "pthread_mutex_lock"
$ = "getsockopt"
$ = "socket"
$ = "setsockopt"
$ = "select"
$ = "bind"
$ = "shutdown"
$ = "listen"
$ = "opendir"
$ = "readdir"
$ = "closedir"
$ = "rename"
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}
rule apt_nix_elf_derusbi_kernelModule
{
meta:
Author = "@seifreed"
strings:
$ = "__this_module"
$ = "init_module"
$ = "unhide_pid"
$ = "is_hidden_pid"
$ = "clear_hidden_pid"
$ = "hide_pid"
$ = "license"
$ = "description"
$ = "srcversion="
$ = "depends="
$ = "vermagic="
$ = "current_task"
$ = "sock_release"
$ = "module_layout"
$ = "init_uts_ns"
$ = "init_net"
$ = "init_task"
$ = "filp_open"
$ = "__netlink_kernel_create"
$ = "kfree_skb"
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
{
meta:
Author = "@seifreed"
strings:
$byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
condition:
(uint32(0) == 0x464C457F) and (any of them)
}
rule apt_nix_elf_Derusbi_Linux_Strings
{
meta:
Author = "@seifreed"
strings:
$a1 = "loadso" wide ascii fullword
$a2 = "\nuname -a\n\n" wide ascii
$a3 = "/dev/shm/.x11.id" wide ascii
$a4 = "LxMain64" wide ascii nocase
$a5 = "# \\u@\\h:\\w \\$ " wide ascii
$b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
$b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
$b3 = "ret %d" wide fullword
$b4 = "uname -a\n\n" wide ascii
$b5 = "/proc/%u/cmdline" wide ascii
$b6 = "/proc/self/exe" wide ascii
$b7 = "cp -a %s %s" wide ascii
$c1 = "/dev/pts/4" wide ascii fullword
$c2 = "/tmp/1408.log" wide ascii fullword
condition:
uint32(0) == 0x464C457F and ((1 of ($a*) and 4 of ($b*)) or (1 of ($a*) and 1 of ($c*)) or 2 of ($a*) or all of ($b*))
}
rule apt_win_exe_trojan_derusbi
{
meta:
Author = "@seifreed"
strings:
$sa_1 = "USB" wide ascii
$sa_2 = "RAM" wide ascii
$sa_3 = "SHARE" wide ascii
$sa_4 = "HOST: %s:%d"
$sa_5 = "POST"
$sa_6 = "User-Agent: Mozilla"
$sa_7 = "Proxy-Connection: Keep-Alive"
$sa_8 = "Connection: Keep-Alive"
$sa_9 = "Server: Apache"
$sa_10 = "HTTP/1.1"
$sa_11 = "ImagePath"
$sa_12 = "ZwUnloadDriver"
$sa_13 = "ZwLoadDriver"
$sa_14 = "ServiceMain"
$sa_15 = "regsvr32.exe"
$sa_16 = "/s /u" wide ascii
$sa_17 = "rand"
$sa_18 = "_time64"
$sa_19 = "DllRegisterServer"
$sa_20 = "DllUnregisterServer"
$sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
$sb_1 = "PCC_CMD_PACKET"
$sb_2 = "PCC_CMD"
$sb_3 = "PCC_BASEMOD"
$sb_4 = "PCC_PROXY"
$sb_5 = "PCC_SYS"
$sb_6 = "PCC_PROCESS"
$sb_7 = "PCC_FILE"
$sb_8 = "PCC_SOCK"
$sc_1 = "bcdedit -set testsigning" wide ascii
$sc_2 = "update.microsoft.com" wide ascii
$sc_3 = "_crt_debugger_hook" wide ascii
$sc_4 = "ue8G5" wide ascii
$sd_1 = "NET" wide ascii
$sd_2 = "\\\\.\\pipe\\%s" wide ascii
$sd_3 = ".dat" wide ascii
$sd_4 = "CONNECT %s:%d" wide ascii
$sd_5 = "\\Device\\" wide ascii
$se_1 = "-%s-%04d" wide ascii
$se_2 = "-%04d" wide ascii
$se_3 = "FAL" wide ascii
$se_4 = "OK" wide ascii
$se_5 = "2.03" wide ascii
$se_6 = "XXXXXXXXXXXXXXX" wide ascii
condition:
(uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or ((13 of ($sa_*)) and ( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or ( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
}
rule Trojan_Derusbi
{
meta:
Author = "RSA_IR"
Date = "4Sept13"
File = "derusbi_variants v 1.3"
MD5 = " c0d4c5b669cc5b51862db37e972d31ec "
strings:
$b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
$b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
$b3 = {4E E6 40 BB}
$b4 = {B1 19 BF 44}
$b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
$b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
$b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
$b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
condition:
2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
}
rule APT_Derusbi_DeepPanda
{
meta:
author = "ThreatConnect Intelligence Research Team"
reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
strings:
$D = "Dom4!nUserP4ss" wide ascii
condition:
$D
}
rule APT_Derusbi_Gen
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$2 = "273ce6-b29f-90d618c0" wide ascii
$A = "Ace123dx" fullword wide ascii
$A1 = "Ace123dxl!" fullword wide ascii
$A2 = "Ace123dx!@#x" fullword wide ascii
$C = "/Catelog/login1.asp" wide ascii
$DF = "~DFTMP$$$$$.1" wide ascii
$G = "GET /Query.asp?loginid=" wide ascii
$L = "LoadConfigFromReg failded" wide ascii
$L1 = "LoadConfigFromBuildin success" wide ascii
$ph = "/photoe/photo.asp HTTP" wide ascii
$PO = "POST /photos/photo.asp" wide ascii
$PC = "PCC_IDENT" wide ascii
condition:
any of them
}
/*
Yara Rule Set
Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud
Date: 2015-12-09
Reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Identifier: Derusbi Dez 2015
*/
rule derusbi_kernel
{
meta:
description = "Derusbi Driver version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
strings:
$token1 = "$$$--Hello"
$token2 = "Wrod--$$$"
$cfg = "XXXXXXXXXXXXXXX"
$class = ".?AVPCC_BASEMOD@@"
$MZ = "MZ"
condition:
$MZ at 0 and $token1 and $token2 and $cfg and $class
}
rule derusbi_linux
{
meta:
description = "Derusbi Server Linux version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
strings:
$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
$cmd = "unset LS_OPTIONS;uname -a"
$pname = "[diskio]"
$rkfile = "/tmp/.secure"
$ELF = "\x7fELF"
condition:
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-12-15
Identifier: Derusbi Dez 2015
*/
rule Derusbi_Kernel_Driver_WD_UDFS
{
meta:
description = "Detects Derusbi Kernel Driver"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 80
hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
strings:
$x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
$x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
$x3 = "\\??\\pipe\\usbpcex%d" fullword wide
$x4 = "\\??\\pipe\\usbpcg%d" fullword wide
$x5 = "$$$--Hello" fullword ascii
$x6 = "Wrod--$$$" fullword ascii
$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
$s2 = "Update.dll" fullword ascii
$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
$s4 = "\\Driver\\nsiproxy" fullword wide
$s5 = "HOST: %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and (2 of ($x*) or all of ($s*))
}
rule Derusbi_Code_Signing_Cert
{
meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 40
strings:
$s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
$s2 = "XL Games Co.,Ltd.0" fullword ascii
$s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
rule XOR_4byte_Key
{
meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 60
strings:
/* Op Code */
$s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
/*
test ecx, ecx
jz short loc_590170
xor [esi], eax
add [esi], ebx
add esi, 4
dec ecx
jmp short loc_590162
*/
condition:
uint16(0) == 0x5a4d and filesize < 900KB and all of them
}
rule apt_win32_dll_bergard_pgv_pvid_variant
{
meta:
copyright = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
strings:
$ = "Accept:"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Cache-Control: no-cache"
$ = "Connection: Keep-Alive"
$ = "Cookie: pgv_pvid="
$ = "Content-Type: application/x-octet-stream"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Pragma: no-cache"
$ = "Connection: Keep-Alive"
$ = "HTTP/1.0"
condition:
(uint16(0) == 0x5A4D) and (all of them)
}