YARA rules to detect the Symbiote Linux rootkit
import "elf" | |
/*
 * When a system is infected by this rootkit, every process loads the
 * malicious library through LD_PRELOAD. The library could be detected by
 * its strings, but the current YARA version does not parse the ELF header
 * of a file that is mapped into process memory, so the elf.type conditions
 * below are only expected to hold when the files on disk are scanned.
 */
rule Symbiote_a0d1 {
    meta:
        description = "ELF EXE file of 5 samples"
        md5 = "a0d1e1ec8207c83c7d2d52ff65f0e159"
    strings:
        // Strings of the executable component. The set is the same as the
        // original anonymous `$` strings; they are named here so a match
        // report shows which one fired. All four must be present.
        $s1 = "TUNNEL_CONNECT" fullword ascii
        $s2 = "COMMAND_SHELL" fullword ascii
        $s3 = "./dnscat" fullword ascii      // consistent with the dnscat DNS-tunnelling tool
        $s4 = "Type = FIN" fullword ascii
    condition:
        // Restricts to ET_EXEC binaries on disk. elf.type is undefined for
        // non-ELF input, so the comparison evaluates false there. Note that a
        // PIE executable carries elf.type == elf.ET_DYN and will not match
        // this rule.
        elf.type == elf.ET_EXEC
        and all of ($s*)
}
rule Symbiote_0c27 {
    meta:
        description = "First DYN file of 5 samples"
        // Four hashes share the single key `md5`. The yara CLI accepts a
        // repeated meta identifier, but tooling that exposes meta as a
        // dict (e.g. yara-python) keeps only one of them — TODO confirm
        // this is acceptable for the consuming pipeline.
        md5 = "0c278f60cc4d36741e7e4d935fd2972f"
        md5 = "59033839c1be695c83a68924979fab58"
        md5 = "4d8ebed6943ff05118baf30be9515b83"
        md5 = "87bb1d7e3639be2b21df8a7a273b60c8"
    strings:
        // Group $h*: names that, judging by the identifiers, belong to the
        // library's hiding features (ports, addresses, files, processes).
        // One hit from this group is enough.
        $h1 = "hidden_ports" fullword ascii
        $h2 = "hidden_address" fullword ascii
        $h3 = "hidden_file" fullword ascii
        $h4 = "hidden_proc" fullword ascii
        // Group $s*: sample-specific tokens that anchor the detection.
        // One hit is enough; $s2 is only five bytes, so on its own it
        // would be weak and is deliberately paired with a $h* hit.
        $s1 = "suporte42atendimento53log" fullword ascii
        $s2 = ">g^VI" fullword ascii
    condition:
        // Shared objects (the LD_PRELOAD library) are ET_DYN. `1 of` is the
        // same test as `any of`.
        elf.type == elf.ET_DYN
        and 1 of ($h*)
        and 1 of ($s*)
}