Thursday, 30 April 2015

NionSpy YARA Rule

rule NionSpy
{
    meta:
        description = "Triggers on old and new variants of W32/NionSpy file infector"
    strings:
        $variant2015_infmarker = "aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT"
        $variant2013_infmarker = "ad6af8bd5835d19cc7fdc4c62fdf02a1"
        $variant2013_string = "%s?cstorage=shell&comp=%s"
    condition:
        // MZ header at offset 0, "PE\0\0" signature at the offset stored at 0x3C (e_lfanew),
        // and at least one of the variant marker strings
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($variant*)
}

Ref:  https://blogs.mcafee.com
