Wednesday, 4 March 2015

PwnPOS Yara Rule

rule PoS_Malware_PwnPOS : PwnPOS
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-02-25"
        description = "Used to detect PwnPOS RAM Scraper"
        sample_filetype = "exe"
    strings:
        $string0 = "\\$l9D$d"
        $string1 = "c:\\r1\\Release\\r1.pdb"
        $string2 = "CMicrosoft Visual C++ Runtime Library" wide
        $string3 = "StartServiceCtrlDispatcher(): service already running."
        $string4 = "DebugConsole.log"
        $string5 = "-service"
        $string6 = " :: DebugConsole BEGIN Tee log ----------"
        $string7 = "ERRLOG:"
        $string8 = "lWindows Media Help" wide
        $string9 = "- unable to open console device" wide
    condition:
        // exactly ten strings are defined, so this is equivalent to "all of them"
        10 of them
}

Ref: http://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29
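To see what the rule above actually demands of a sample, here is an added example (not part of the original post and not Trend Micro's code): a small Python stand-in for YARA's text-string matching and its "N of them" condition, run over a constructed byte buffer. It assumes the dashes in $string6 are plain hyphens (the blog rendering turned runs of "---" into em dashes) and the sample data it builds is entirely made up, not malware bytes. For real scanning use yara or yara-python; this only makes the semantics of the `wide` modifier and the threshold visible.

```python
# Added example, not from the original post or from Trend Micro: a minimal
# re-implementation of how YARA evaluates the PwnPOS rule's text strings and
# its "10 of them" condition, run over a constructed byte buffer. For real
# scanning use yara/yara-python; this exists only to make the semantics visible.

# Strings transcribed from the rule above. Each entry is (name, text, wide).
# Assumption: the dashes in $string6 are plain hyphens (blog rendering turned
# runs of "---" into em dashes).
PWNPOS_STRINGS = [
    ("$string0", "\\$l9D$d", False),
    ("$string1", "c:\\r1\\Release\\r1.pdb", False),
    ("$string2", "CMicrosoft Visual C++ Runtime Library", True),
    ("$string3", "StartServiceCtrlDispatcher(): service already running.", False),
    ("$string4", "DebugConsole.log", False),
    ("$string5", "-service", False),
    ("$string6", " :: DebugConsole BEGIN Tee log ----------", False),
    ("$string7", "ERRLOG:", False),
    ("$string8", "lWindows Media Help", True),
    ("$string9", "- unable to open console device", True),
]

# The rule defines exactly ten strings, so "10 of them" behaves like "all of them".
PWNPOS_THRESHOLD = 10


def pattern_bytes(text, wide):
    """YARA's 'wide' modifier matches the text encoded as UTF-16LE (a NUL byte
    after every character); without it the plain ASCII bytes are searched for."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def matched_strings(data, strings=PWNPOS_STRINGS):
    """Names of the rule strings whose byte pattern occurs anywhere in data."""
    return [name for name, text, wide in strings if pattern_bytes(text, wide) in data]


def rule_fires(data, threshold=PWNPOS_THRESHOLD, strings=PWNPOS_STRINGS):
    """Evaluate the condition '<threshold> of them' over data."""
    return len(matched_strings(data, strings)) >= threshold


def build_sample(include=None):
    """Constructed stand-in for a scanned file: filler bytes with the selected
    rule strings embedded in their correct encodings. Not real malware bytes."""
    if include is None:
        include = {name for name, _, _ in PWNPOS_STRINGS}
    chunks = [b"MZ" + b"\x00" * 14]  # constructed header-like prefix
    for name, text, wide in PWNPOS_STRINGS:
        if name in include:
            chunks.append(pattern_bytes(text, wide))
        chunks.append(b"\x90" * 8)  # constructed filler between artefacts
    return b"".join(chunks)


if __name__ == "__main__":
    full = build_sample()
    print("all strings present  ->", rule_fires(full), matched_strings(full))
    # Drop one artefact (e.g. a build with a different PDB path): rule is silent.
    without_pdb = build_sample({n for n, _, _ in PWNPOS_STRINGS} - {"$string1"})
    print("PDB path missing     ->", rule_fires(without_pdb), "(9 of 10 matched)")
    print("same data, 8 of them ->", rule_fires(without_pdb, threshold=8))
```

Two things the run makes concrete: a `wide` string is only satisfied by its UTF-16LE form, so the ASCII text "lWindows Media Help" in a file does not count towards $string8; and because the rule carries ten strings, "10 of them" means every artefact must be present, so a variant that drops a single string (a different PDB path, a stripped debug log name) is not flagged at all. Lowering the threshold trades that brittleness for a higher false-positive rate on other Visual C++ service binaries, which is the tuning decision a detection engineer has to make before deploying the rule.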
