30 Nisan 2015 Perşembe

Magic Quadrant for Enterprise Network Firewalls


NionSpy YARA Rule

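rule NionSpy
{
    // Detects the old (2013) and new (2015) variants of the W32/NionSpy file infector.
    // Fix vs. the page listing: the meta and string values were wrapped in
    // typographic quotes (“ ” and a ″ on the 2013 marker), which the YARA compiler
    // rejects; they are plain ASCII double quotes here.
    meta:
        description = "Triggers on old and new variants of W32/NionSpy file infector"
    strings:
        // Infection markers left in infected files by each variant.
        $variant2015_infmarker = "aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT"
        $variant2013_infmarker = "ad6af8bd5835d19cc7fdc4c62fdf02a1"
        // Format string used by the 2013 variant.
        $variant2013_string = "%s?cstorage=shell&comp=%s"
    condition:
        // Require a PE file first ("MZ" at offset 0 and "PE\0\0" at the offset
        // stored in e_lfanew), then any single variant marker.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($variant*)
}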

Ref:  https://blogs.mcafee.com

22 Nisan 2015 Çarşamba

Hellsing Yara Rules

rule apt_hellsing_implantstrings {
// NOTE(review): the listing on this page is truncated — it ends after the
// strings section with no `condition:` and no closing brace, so it cannot be
// compiled as shown; take the full rule from the original Kaspersky report.
meta:
version = "1.0"
filetype = "PE"
author = "Costin Raiu, Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "2015-04-07"
description = "detection for Hellsing implants"
strings:
// $mz is the DOS header magic; $a*/$b* are strings taken from the implants.
$mz="MZ"
$a1="the file uploaded failed !"
$a2="ping 127.0.0.1"
$b1="the file downloaded failed !"
$b2="common.asp"

21 Nisan 2015 Salı

Punkey Yara Rule

rule Punkey
{
  // NOTE(review): the listing on this page is truncated — only one string
  // ($pdb1) is shown and there is no `condition:` or closing brace, so this
  // cannot be compiled as shown; see the Trustwave blog linked in `description`.
  meta:
    author = "Trustwave SpiderLabs"
    date = "2015-04-09"
    description = "Used to detect Punkey malware.  Blog: https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/"
  strings:
    // PDB path left in the binary; matched case-insensitively.
    $pdb1 = "C:\\Documents and Settings\\Administrator\\Desktop\\Verios\\jusched\\jusched32.pdb" nocase

20 Nisan 2015 Pazartesi

FighterPOS YARA Rules

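rule ActiveComponent {
    // RAM-scraper component attributed to FighterPOS (Trend Micro).
    // Fixes vs. the page listing: meta entries must be written as `key = value`
    // (the listing used `key: value`), and the values were wrapped in typographic
    // quotes that the YARA compiler rejects; both are corrected here.
    meta:
        description = "RAM scrapper component used by FighterPOS"
        author = "Trend Micro, Inc"
    strings:
        // PDB path left in the binary: a users\tom\ directory, 20-200 bytes of
        // project path, then scan.pdb; matched case-insensitively.
        $pdb = /:\\users\\tom\\.{20,200}scan\.pdb/ nocase
    condition:
        $pdb
}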

15 Nisan 2015 Çarşamba

Webshell Detection YARA Rules

rule GIFCloaked_Webshell {
    // Webshell that hides behind a GIF image header (Dark Security Team variant).
    meta:
        description = "Detects a webshell that cloakes itself with GIF header(s) - Based on Dark Security Team Webshell"
        author = "Florian Roth"
        hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
        score = 50
    strings:
        // Fake image header the shell is cloaked with.
        $magic = "GIF"
        // ASP/VBScript fragments from the embedded shell body.
        $s0 = "input type"
        $s1 = "<%eval request"
        $s2 = "<%eval(Request.Item["
        $s3 = "LANGUAGE='VBScript'"
    condition:
        // "GIF" must be at file offset 0; a single shell fragment anywhere is enough.
        $magic at 0 and any of ($s*)
}

7 Nisan 2015 Salı

NewPOSThings YARA Rule

rule PoS_Malware_NewPOSThings2015 : newposthings2015
{
// NOTE(review): the listing on this page is truncated — it ends after the
// strings section with no `condition:` and no closing brace. The meta and
// string values are also wrapped in typographic quotes (“ ” and ″ on `date`),
// which the YARA compiler rejects; replace them with ASCII double quotes
// when using the full rule from the Trend Micro write-up.
meta:
author = “Trend Micro, Inc.”
date = “2015-03-10″
description = “Used to detect NewPoSThings RAM scraper, including 2015 sample set”
strings:
// PDB paths left in the RAM-scraper builds; all matched case-insensitively.
$pdb1 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb” nocase
$pdb2 = “C:\\Final32\\Release\\Final.pdb” nocase
$pdb3 = “C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb” nocase

2 Nisan 2015 Perşembe

VOLATILE CEDAR EXPLOSIVE YARA Rules

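rule explosive_exe
{
    // "Explosive" EXE component of the Volatile Cedar campaign, per Check Point.
    // Fix vs. the page listing: the meta and string values were wrapped in
    // typographic quotes (“ ”), which the YARA compiler rejects; plain ASCII
    // double quotes here.
    meta:
        author = "Check Point Software Technologies Inc."
        info = "Explosive EXE"
    strings:
        $MZ = "MZ"
        // Markers bracketing an embedded payload in the sample.
        $DLD_S = "DLD-S:"
        $DLD_E = "DLD-E:"
    condition:
        // DOS header at offset 0 and both DLD markers present anywhere.
        $MZ at 0 and all of them
}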

1 Nisan 2015 Çarşamba

njRAT IoC Rule

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="0df46744-c585-4956-aa80-4ad873879eef" last-modified="2014-03-15T01:15:13" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description> njRAT Trojan</short_description>
    <authored_by>@iocbucket</authored_by>
  <authored_date>2014-03-15T01:05:10</authored_date>
  <links />
  <definition>
    <!-- Top-level OR: match either the Visual Studio PDB path string in the file,
         or (inner AND) a file named psiphon.exe with the listed MD5 and no
         digital signature. -->
    <Indicator operator="OR" id="fa9132c1-60ca-47d3-ba8a-e37d7e1bba3c">
      <IndicatorItem id="042d544b-da96-428c-ada9-4d3a2430b62d" condition="is">
        <Context document="FileItem" search="FileItem/StringList/string" type="mir" />
        <Content type="string">c:\users\allosh hacker\documents\visual studio 2012\Projects\allosh\allosh\obj\Debug\Windows.pdb</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="e582324c-7d69-4fb3-9651-3d8387713ea8">
        <IndicatorItem id="aa0a4f56-7f12-4205-885e-85071f631456" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">psiphon.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="b7f05f86-2ebd-435f-a0b5-d0c53b559230" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
          <Content type="md5">28bf01f67db4a5e8e6174b066775eae0</Content>
        </IndicatorItem>
        <IndicatorItem id="dd75ce96-15ea-4239-b67a-f360097c8773" condition="is">
          <Context document="FileItem" search="FileItem/PEInfo/DigitalSignature/SignatureExists" type="mir" />
          <Content type="string">False</Content>
        </IndicatorItem>
        <!-- NOTE(review): the listing on this page is truncated here — the inner
             Indicator, outer Indicator, definition and ioc elements are never
             closed, so this is not a well-formed OpenIOC document as shown. -->

njRAT Yara Rules

rule win_exe_njRAT
{
meta:
author = "info@fidelissecurity.com"
descripion = "njRAT - Remote Access Trojan"
comment = "Variants have also been observed obfuscated with .NET Reactor"
filetype = "pe"
date = "2013-07-15"
version = "1.0"
hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
hash5 = "a98b4c99f64315aac9dd992593830f35"
hash6 ="5fcb5282da1a2a0f053051c8da1686ef"
hash7 = "a669c0da6309a930af16381b18ba2f9d"
hash8 = "79dce17498e1997264346b162b09bde8"
hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
ref1 = "http://bit.ly/19tlf4s"
ref2 = "http://www.fidelissecurity.com/threatadvisory"
ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njratuncovered.html"
ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"