XOR DDoS Yara & Snort Rules

XOR DDoS Snort Rule

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Xor-DDoS"; \
    flow:established; content:"BB2FA36AAA9541F0BB2FA36AAA9541F0"; \
    offset:32; depth:64; classtype:trojan-activity; sid:201500010; rev:1;)

The rule looks for the 16-byte ASCII key, repeated back to back, inside the 64 bytes that begin 32 bytes into the payload of an established TCP session leaving the internal network (the content is searched only in that window because of offset and depth). Straight quotes are required; the curly quotes and stray backslashes that appear in some copies of this rule break the Snort parser.

XOR DDoS Yara Rule

rule XOR_DDosv1
{
    meta:
        author = "Akamai SIRT"
        description = "Rule to detect XOR DDos infection"

    strings:
        $st0 = "BB2FA36AAA9541F0"
        $st1 = "md5="
        $st2 = "denyip="
        $st3 = "filename="
        $st4 = "rmfile="
        $st5 = "exec_packet"
        $st6 = "build_iphdr"

    condition:
        all of them
}

string $st0 is the ASCII XOR key the malware uses; the Snort rule above matches the same key, repeated twice, in the network payload

strings $st1-$st4 are configuration parameter names the binary parses for its Trojan functionality (file verification, denied IPs, a file to write and a file to remove)
string $st5 is the name of the function that executes a DDoS flood
string $st6 is the name of the function that builds the IP header

Because the condition is "all of them", every one of the seven strings must be present for the rule to fire. A sample that has been packed, had its symbols stripped, or been rebuilt with renamed functions will not match; treat this as a low-false-positive signature for this variant rather than a generic XOR DDoS detector, and pair it with the Snort rule for coverage of the network side.
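
The following is an added example, not code from the Akamai advisory or from the malware: it re-implements the matching logic of the two rules above in plain Python so their behaviour can be tried offline without Snort or YARA installed. The sample byte buffers are constructed here as stand-ins for an infected binary and a C2 packet payload, and xor_with_key() applies the rule's key as a repeating XOR stream, which is an assumption about how the 16-byte ASCII key is used; the rules themselves only match the key as a literal.

```python
"""
Added example, not code from the Akamai advisory: re-implements the matching
logic of the two rules above in plain Python so they can be exercised offline
without Snort or YARA installed.

Assumptions (constructed here, not from the page): the sample byte buffers
below are synthetic stand-ins for an infected binary and a C2 packet payload,
and xor_with_key() treats the rule's key as a repeating XOR stream, which is
how a 16-byte ASCII key is normally applied.
"""

# The ASCII XOR key from $st0 and from the Snort content (which is the key twice).
XOR_KEY = b"BB2FA36AAA9541F0"

# Strings from the YARA rule, keyed by their identifiers.
YARA_STRINGS = {
    "$st0": XOR_KEY,
    "$st1": b"md5=",
    "$st2": b"denyip=",
    "$st3": b"filename=",
    "$st4": b"rmfile=",
    "$st5": b"exec_packet",
    "$st6": b"build_iphdr",
}


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Symmetric: applying it twice gives the input back."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def yara_matches(buf: bytes) -> dict:
    """Which of the rule's strings occur anywhere in buf (YARA searches the whole file)."""
    return {name: pattern in buf for name, pattern in YARA_STRINGS.items()}


def yara_rule_fires(buf: bytes) -> bool:
    """The rule's condition is `all of them`: every string must be present."""
    return all(yara_matches(buf).values())


def snort_content_hits(payload: bytes, content: bytes = XOR_KEY * 2,
                       offset: int = 32, depth: int = 64) -> bool:
    """Snort `content` with offset:N; depth:M: the pattern must lie entirely
    within the M bytes that start N bytes into the payload."""
    window = payload[offset:offset + depth]
    return content in window


# --- constructed samples (not real malware) ---------------------------------
# A fake ELF-like blob carrying all seven strings, as an unstripped sample would.
SAMPLE_INFECTED = (
    b"\x7fELF" + b"\x00" * 12
    + XOR_KEY + b"\x00"
    + b"md5=\x00denyip=\x00filename=\x00rmfile=\x00"
    + b"exec_packet\x00build_iphdr\x00"
)
# The same blob with one function name gone (e.g. symbols stripped or renamed).
SAMPLE_STRIPPED = SAMPLE_INFECTED.replace(b"exec_packet", b"")

# A payload with the doubled key starting exactly at byte 32: inside the window.
SAMPLE_PACKET = b"\x00" * 32 + XOR_KEY * 2 + b"\x00" * 16
# The doubled key starting at byte 70 runs past byte 96, so depth:64 excludes it.
SAMPLE_PACKET_LATE = b"\x00" * 70 + XOR_KEY * 2


if __name__ == "__main__":
    for label, blob in (("unstripped", SAMPLE_INFECTED), ("stripped", SAMPLE_STRIPPED)):
        missing = [n for n, hit in yara_matches(blob).items() if not hit]
        print(f"YARA {label}: fires={yara_rule_fires(blob)} missing={missing}")
    print("Snort in-window :", snort_content_hits(SAMPLE_PACKET))
    print("Snort late      :", snort_content_hits(SAMPLE_PACKET_LATE))
    enc = xor_with_key(b"denyip=1.2.3.4")
    print("XOR'd config contains 'denyip='?", b"denyip=" in enc)
    print("Round trip:", xor_with_key(enc))
```

Running the script shows the two failure modes a practitioner cares about: the stripped sample is reported with `$st5` missing, so `all of them` does not fire, and the late packet shows why the Snort offset/depth window matters even when the key is present elsewhere in the payload. The XOR round trip illustrates why the key string itself is worth matching: a config line such as `denyip=` is unrecognisable once XORed with it, so only the plaintext key survives as a stable indicator. For production use run the real rules with yara and snort; this only mirrors their matching semantics.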

Ref: https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.html

