-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathapt_derusbi.yar
137 lines (129 loc) · 4.6 KB
/
apt_derusbi.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
/*
Yara Rule Set
Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud
Date: 2015-12-09
Reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Identifier: Derusbi Dez 2015
*/
rule derusbi_kernel
{
meta:
description = "Derusbi Driver version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
strings:
$token1 = "$$$--Hello"
$token2 = "Wrod--$$$"
$class = ".?AVPCC_BASEMOD@@"
condition:
uint16(0) == 0x5A4D and $token1 and $token2 and $class
}
rule derusbi_linux
{
meta:
description = "Derusbi Server Linux version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
strings:
$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
$cmd = "unset LS_OPTIONS;uname -a"
$pname = "[diskio]"
$rkfile = "/tmp/.secure"
$ELF = "\x7fELF"
condition:
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-12-15
Identifier: Derusbi Dez 2015
*/
rule Derusbi_Kernel_Driver_WD_UDFS {
meta:
description = "Detects Derusbi Kernel Driver"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 80
hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
strings:
$x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
$x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
$x3 = "\\??\\pipe\\usbpcex%d" fullword wide
$x4 = "\\??\\pipe\\usbpcg%d" fullword wide
$x5 = "$$$--Hello" fullword ascii
$x6 = "Wrod--$$$" fullword ascii
$s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
$s2 = "Update.dll" fullword ascii
$s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
$s4 = "\\Driver\\nsiproxy" fullword wide
$s5 = "HOST: %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and
(
2 of ($x*) or all of ($s*)
)
}
rule Derusbi_Code_Signing_Cert {
meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 60
strings:
$s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
$s2 = "XL Games Co.,Ltd.0" fullword ascii
$s3 = "Wemade Entertainment co.,Ltd0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
rule XOR_4byte_Key {
meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
date = "2015-12-15"
score = 60
strings:
/* Op Code */
$s1 = { 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 }
/*
test ecx, ecx
jz short loc_590170
xor [esi], eax
add [esi], ebx
add esi, 4
dec ecx
jmp short loc_590162
*/
condition:
uint16(0) == 0x5a4d and filesize < 900KB and all of them
}
rule Derusbi_Backdoor_Mar17_1 {
meta:
description = "Detects a variant of the Derusbi backdoor"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2017-03-03"
hash1 = "f87915f21dcc527981ebb6db3d332b5b341129b4af83524f59d7178e9d2a3a32"
strings:
$x1 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
$x2 = "c%WINDIR%\\PCHealth\\HelpCtr\\Binaries\\pchsvc.dll" fullword wide
$x3 = "%Systemroot%\\Help\\perfc009.dat" fullword wide
$x4 = "rundll32.exe \"%s\", R32 %s" fullword wide
$x5 = "OfficeUt32.dll" fullword ascii
$x6 = "\\\\.\\pipe\\usb%so" fullword wide
$x7 = "\\\\.\\pipe\\usb%si" fullword wide
$x8 = "\\tmp1.dat" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them )
}