Monday, 23 March 2015

Poseidon POS Malware

C&C IP Addresses


Wednesday, 4 March 2015

PwnPOS YARA Rule

rule PoS_Malware_PwnPOS : PwnPOS
{
meta:
author = "Trend Micro, Inc."
date = "2015-02-25"
description = "Used to detect PwnPOS RAM Scraper"
sample_filetype = "exe"
strings:
$string0 = "\\$l9D$d"
$string1 = "c:\\r1\\Release\\r1.pdb"
$string2 = "CMicrosoft Visual C++ Runtime Library" wide
$string3 = "StartServiceCtrlDispatcher(): service already running."
$string4 = "DebugConsole.log"
condition:
// The condition was cut off in the posted copy; "all of them" is assumed
// here so the rule compiles (loosen to "any of them" for broader hunting).
all of them
}

Monday, 2 March 2015

RAMNIT YARA Rules

1 - ramnit_cookie_module

rule ramnit_cookie_module
{
meta:
tags = "Ramnit"
strings:
// Null-separated browser cookie store paths used by the Ramnit cookie-grabber module
$cookie1 = "IE Cookies\x00FireFox Cookies\\Profile %d\\cookies.txt\x00"
$cookie2 = "Chrome\\Cookies\x00Chrome\\Extension Cookies\x00Opera\\Profile %d\\cookies4.dat\x00"
condition:
any of them
}