Monday, 20 April 2015

FighterPOS YARA Rules

rule ActiveComponent
{
    meta:
        // YARA meta entries use "=", and string literals need straight quotes
        description = "RAM scraper component used by FighterPOS"
        author = "Trend Micro, Inc"
    strings:
        // Developer PDB path left in the binary; 20-200 arbitrary characters between
        // the user directory and scan.pdb, matched case-insensitively
        $pdb = /:\\users\\tom\\.{20,200}scan\.pdb/ nocase
    condition:
        $pdb
}


rule fighterpos_infector
{
    meta:
        description = "Main FighterPOS infector"
        author = "Trend Micro, Inc"
    strings:
        // Anonymous strings ($) are fine when the condition only uses "any of them"
        $ = "BrFighter"
        // C2 URL paths used by the dumper and keylogger components
        $ = "bot/dumper.php?id="
        $ = "bot/keylogger.php?id="
        // Build path of the actor's user profile
        $ = "\\Users\\avanni\\"
    condition:
        any of them
}

rule msr2006
{
    meta:
        description = "MSR 2006 EMV recorder by FighterPOS actor"
        author = "Trend Micro, Inc"
    strings:
        // APDU command sent through GPShell; "wide" means UTF-16LE encoding
        $a = "send_apdu -sc 0" wide
        $ = "C:\\GPShell\\data.dat" wide nocase
        // Visual Basic 6 runtime, so the tool is a VB6 binary
        $ = "MSVBVM60.DLL" ascii
        $ = "MSR 2006"
    condition:
        // #a is the number of occurrences of $a: require more than ten, plus every other string
        #a > 10 and all of them
}

Ref:  http://blog.trendmicro.com
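To check what each rule actually requires before deploying it, the following added example (not code from this page or from Trend Micro) emulates how YARA evaluates the three rules above in plain Python: the wide modifier as UTF-16LE, nocase as ASCII case folding, the regex in ActiveComponent, and the #a > 10 occurrence count in msr2006. The sample buffers are constructed here for the demonstration and are not real malware; for actual scanning, compile the rules with yara-python or run `yara -s rules.yar <file>`.

```python
import re

# Added example: a pure-Python emulation of how YARA evaluates the three
# FighterPOS rules (string modifiers and the #a count), run over constructed
# sample buffers. It is not YARA and not Trend Micro code.

def wide(s: str) -> bytes:
    """YARA 'wide' modifier: the string encoded as UTF-16LE."""
    return s.encode("utf-16-le")

def count_string(buf: bytes, s: str, is_wide: bool = False, nocase: bool = False) -> int:
    """Occurrences of a YARA text string with the given modifiers (YARA's #name)."""
    pattern = re.escape(wide(s) if is_wide else s.encode("ascii"))
    flags = re.IGNORECASE if nocase else 0   # nocase folds only ASCII letters, as YARA does
    return len(re.findall(pattern, buf, flags))

def active_component(buf: bytes) -> bool:
    # rule ActiveComponent: one case-insensitive regex over the PDB path.
    # YARA's '.' does not match newline unless the /s modifier is used, so no re.DOTALL.
    return re.search(rb":\\users\\tom\\.{20,200}scan\.pdb", buf, re.IGNORECASE) is not None

INFECTOR_STRINGS = ["BrFighter", "bot/dumper.php?id=", "bot/keylogger.php?id=", "\\Users\\avanni\\"]

def fighterpos_infector(buf: bytes) -> bool:
    # rule fighterpos_infector: 'any of them' over four plain (ascii, case-sensitive) strings.
    return any(count_string(buf, s) for s in INFECTOR_STRINGS)

def msr2006(buf: bytes) -> bool:
    # rule msr2006: '#a > 10 and all of them'. $a is wide, the GPShell path is
    # wide nocase, the VB6 runtime name and "MSR 2006" are ascii.
    a = count_string(buf, "send_apdu -sc 0", is_wide=True)
    others = [
        count_string(buf, "C:\\GPShell\\data.dat", is_wide=True, nocase=True),
        count_string(buf, "MSVBVM60.DLL"),
        count_string(buf, "MSR 2006"),
    ]
    return a > 10 and all(n > 0 for n in others)

RULES = {
    "ActiveComponent": active_component,
    "fighterpos_infector": fighterpos_infector,
    "msr2006": msr2006,
}

def scan(buf: bytes) -> dict:
    """Evaluate every rule against one buffer; returns {rule_name: matched}."""
    return {name: rule(buf) for name, rule in RULES.items()}

# Constructed sample buffers (not real malware): an RSDS/CodeView debug record
# carrying the developer's PDB path, a C2 request line, and a VB6 string table
# with the APDU command repeated 11 times (matches) and 10 times (fails #a > 10).
_gpshell = wide("c:\\gpshell\\DATA.DAT") + b"MSVBVM60.DLL\x00MSR 2006\x00"
SAMPLES = {
    "scraper":  b"RSDS" + b"\x00" * 16 + b"\x01\x00\x00\x00"
                + b"C:\\Users\\Tom\\source\\repos\\memscan\\x64\\Release\\scan.pdb\x00",
    "infector": b"GET /bot/dumper.php?id=ABC123 HTTP/1.1\r\n",
    "msr_11":   wide("send_apdu -sc 0") * 11 + _gpshell,
    "msr_10":   wide("send_apdu -sc 0") * 10 + _gpshell,
    "clean":    b"MZ\x90\x00This program cannot be run in DOS mode.",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        hits = [rule for rule, matched in scan(buf).items() if matched]
        print(f"{name:9s} -> {hits or 'no match'}")
```

The msr_10 buffer is the point of the count condition: every string in the rule is present, but "all of them" alone would fire on a single occurrence, and the actor's tool embeds the APDU command many times, so #a > 10 is what keeps the rule from matching any VB6 program that merely mentions GPShell.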
