rule ssh_shell_worm: critical {
  // Shell-script SSH worm: harvests key material and host lists from the
  // local machine, then reaches the next hop over ssh with host-key checks
  // disabled and fetches/stages a payload there.
  // Reference samples are SSH-Snake builds (see the hash_* meta entries).
  meta:
    description = "SSH worm implemented in shell"
    hash_2024_SSH_Snake_Snake_nocomments = "9491fa95f40a69f27ce99229be636030fdc49f315cb9c897db3b602c34a8ceda"
    hash_2024_SSH_Snake = "b0a2bf48e29c6dfac64f112ac1cb181d184093f582615e54d5fad4c9403408be"
  strings:
    // Anchor: the script must reference the per-user ssh directory.
    // fullword needs a non-alphanumeric char on both sides ("~/.ssh/" is fine).
    $anchor_dot_ssh = ".ssh" fullword

    // Credential material it hunts for (one is enough).
    // NOTE(review): fullword on ".pem" only fires when the character before
    // the dot is non-alphanumeric ("*.pem", "\.pem"); "key.pem" does not match.
    $cred_pem = ".pem" fullword
    $cred_id_rsa = "id_rsa" fullword
    $cred_identity_file = "IdentityFile" fullword

    // Sources it mines for further targets (three or more required).
    $target_authorized_keys = "authorized_keys"
    $target_etc_hosts = "/etc/hosts"
    $target_getent = "getent ahostsv4"
    $target_ssh_config = /grep.{1,8}HostName.{1,8}\/\.ssh\/config/
    $target_bash_history = /(scp|ssh).{2,64}bash_history/
    $target_known_hosts = "known_hosts"

    // How it stages or fetches itself on the remote side (one is enough).
    // Each of these is common in benign scripts; they only carry weight in
    // combination with the anchor, credential, target and option groups.
    $stage_base64 = "base64"
    $stage_uname = "uname"
    $stage_curl = "curl -"
    $stage_wget = "wget"
    $stage_lwp = "lwp-download"

    // ssh client options typical of unattended, non-interactive hopping
    // (two required).
    $opt_strict_host = "StrictHostKeyChecking"
    $opt_known_hosts = "UserKnownHostsFile"
    $opt_connect_timeout = "ConnectTimeout"

  condition:
    // Size gate keeps this to small scripts; the groups below are ANDed so
    // no single common string is sufficient on its own.
    filesize < 32KB
    and $anchor_dot_ssh
    and 1 of ($cred*)
    and 3 of ($target*)
    and 1 of ($stage*)
    and 2 of ($opt*)
}
rule ssh_worm_router: high {
  // ssh worm aimed at routers/appliances: combines the ssh user directory and
  // /etc/hosts with a small built-in list of default credentials.
  // NOTE(review): a credential wordlist or audit script that also mentions
  // ".ssh" and "/etc/hosts" satisfies this rule; treat hits as leads, not proof.
  meta:
    description = "ssh worm targeting routers"
  strings:
    // Both of these are required (no fullword: any substring occurrence counts).
    $dir_dot_ssh = ".ssh"
    $hosts_file = "/etc/hosts"
    // Default/weak passwords; two distinct entries are required.
    // "admin123" and "Admin123" are case-sensitive and count separately.
    $pw_root123 = "root123"
    $pw_passw0rd = "Passw0rd"
    $pw_admin123 = "admin123"
    $pw_Admin123 = "Admin123"
    $pw_qwerty123 = "qwerty123"
  condition:
    filesize < 1MB
    and $dir_dot_ssh
    and $hosts_file
    and 2 of ($pw*)
}