/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule RooterCode : Rooter Family { meta: description = "Rooter code features" author = "Seth Hardy" last_modified = "2014-07-10" strings: // xor 0x30 decryption $ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 } condition: any of them } rule RooterStrings : Rooter Family { meta: description = "Rooter Identifying Strings" author = "Seth Hardy" last_modified = "2014-07-10" strings: $group1 = "seed\x00" $group2 = "prot\x00" $group3 = "ownin\x00" $group4 = "feed0\x00" $group5 = "nown\x00" condition: 3 of ($group*) } rule Rooter : Family { meta: description = "Rooter" author = "Seth Hardy" last_modified = "2014-07-10" condition: RooterCode or RooterStrings } rule RookieStrings : Rookie Family { meta: description = "Rookie Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-25" strings: $ = "RookIE/1.0" condition: any of them } rule RookieCode : Rookie Family { meta: description = "Rookie code features" author = "Seth Hardy" last_modified = "2014-06-25" strings: // hidden AutoConfigURL $ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 } // hidden ProxyEnable $ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 } // xor on rand value? $ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 } condition: any of them } rule Rookie : Family { meta: description = "Rookie" author = "Seth Hardy" last_modified = "2014-06-25" condition: RookieCode or RookieStrings }