private rule is_elf
{
strings:
$header = { 7F 45 4C 46 }
condition:
$header at 0
}
rule moose
{
meta:
Author = "Thomas Dupuy"
Date = "2015/04/21"
Description = "Linux/Moose malware"
Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
Source = "https://github.com/eset/malware-ioc/"
Contact = "github@eset.com"
License = "BSD 2-Clause"
strings:
$s0 = "Status: OK"
$s1 = "--scrypt"
$s2 = "stratum+tcp://"
$s3 = "cmd.so"
$s4 = "/Challenge"
$s7 = "processor"
$s9 = "cpu model"
$s21 = "password is wrong"
$s22 = "password:"
$s23 = "uthentication failed"
$s24 = "sh"
$s25 = "ps"
$s26 = "echo -n -e "
$s27 = "chmod"
$s28 = "elan2"
$s29 = "elan3"
$s30 = "chmod: not found"
$s31 = "cat /proc/cpuinfo"
$s32 = "/proc/%s/cmdline"
$s33 = "kill %s"
condition:
is_elf and all of them
}
Ref: http://www.welivesecurity.com/
Hiç yorum yok:
Yorum Gönder