YARA rules for Derusbi
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule apt_nix_elf_derusbi {
    meta:
        description = "Detects Derusbi Backdoor ELF"
        author = "Fidelis Cybersecurity"
        date = "2016/02/29"
        modified = "2023-05-04"
        reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
        id = "c825c5d6-1c2f-5ee7-871e-4be3f41d73f7"
    strings:
        // Implant component names.
        $name_main = "LxMain"
        $name_loader = "loadso"
        // Process / shell handling: command templates, argv and environment fragments.
        $proc_execve = "execve"
        $proc_kill = "kill"
        $proc_cp = "cp -a %s %s"
        $proc_bg = "%s &"
        $proc_dbus = "dbus-daemon"
        $proc_noprofile = "--noprofile"
        $proc_norc = "--norc"
        $proc_term = "TERM=vt100"
        $proc_cmdline = "/proc/%u/cmdline"
        $proc_selfexe = "/proc/self/exe"
        // HTTP proxy tunnelling (CONNECT) request / response header fragments.
        $http_proxyconn = "Proxy-Connection: Keep-Alive"
        $http_conn = "Connection: Keep-Alive"
        $http_connect = "CONNECT %s"
        $http_host = "HOST: %s:%d"
        $http_ua = "User-Agent: Mozilla/4.0"
        $http_proxyauth = "Proxy-Authorization: Basic %s"
        $http_server = "Server: Apache"
        $http_authenticate = "Proxy-Authenticate"
        // libc symbol names: individually generic, only meaningful here because the
        // condition also demands every string above. A stripped or differently
        // linked build may not carry them all, so the rule is precise but brittle.
        $sym_gettimeofday = "gettimeofday"
        $sym_pthread_create = "pthread_create"
        $sym_pthread_join = "pthread_join"
        $sym_mutex_init = "pthread_mutex_init"
        $sym_mutex_destroy = "pthread_mutex_destroy"
        $sym_mutex_lock = "pthread_mutex_lock"
        $sym_getsockopt = "getsockopt"
        $sym_socket = "socket"
        $sym_setsockopt = "setsockopt"
        $sym_select = "select"
        $sym_bind = "bind"
        $sym_shutdown = "shutdown"
        $sym_listen = "listen"
        $sym_opendir = "opendir"
        $sym_readdir = "readdir"
        $sym_closedir = "closedir"
        $sym_rename = "rename"
    condition:
        // ELF magic (7f 45 4c 46 read little-endian) and all 37 strings present.
        uint32(0) == 0x464C457F and all of them
}
rule apt_nix_elf_derusbi_kernelModule
{
    meta:
        description = "Detects Derusbi Backdoor ELF Kernel Module"
        author = "Fidelis Cybersecurity"
        date = "2016/02/29"
        modified = "2023-05-04"
        reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
        id = "98196ffc-8a6f-5edc-a688-eeb449410b72"
    strings:
        // Loadable-kernel-module boilerplate: module struct, entry point, modinfo tags.
        // These appear in every LKM; they only contribute because everything is required.
        $mod_this = "__this_module"
        $mod_init = "init_module"
        $mod_license = "license"
        $mod_description = "description"
        $mod_srcversion = "srcversion="
        $mod_depends = "depends="
        $mod_vermagic = "vermagic="
        // PID-hiding helper names; this is the part that is actually specific.
        $hide_unhide = "unhide_pid"
        $hide_is = "is_hidden_pid"
        $hide_clear = "clear_hidden_pid"
        $hide_hide = "hide_pid"
        // Kernel symbol names referenced by the module.
        $ksym_current_task = "current_task"
        $ksym_sock_release = "sock_release"
        $ksym_module_layout = "module_layout"
        $ksym_init_uts_ns = "init_uts_ns"
        $ksym_init_net = "init_net"
        $ksym_init_task = "init_task"
        $ksym_filp_open = "filp_open"
        $ksym_netlink_create = "__netlink_kernel_create"
        $ksym_kfree_skb = "kfree_skb"
    condition:
        // ELF magic and all 20 strings (the published rule numbered them $s1..$s21
        // with $s11 absent; the count is unchanged).
        uint32(0) == 0x464C457F and all of them
}
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation {
    meta:
        description = "Detects Derusbi Backdoor ELF Shared Memory Creation"
        author = "Fidelis Cybersecurity"
        date = "2016/02/29"
        reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
        id = "068b7bea-853d-57e8-a9fe-8b451dbc7582"
    strings:
        // Single 14-byte pattern with two wildcard bytes. The rule name ties it to the
        // shared-memory setup routine; the bytes themselves carry no further context here.
        $pat = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
    condition:
        // ELF magic plus the one pattern (equivalent to "any of them" with a single string).
        uint32(0) == 0x464C457F and $pat
}
rule apt_nix_elf_Derusbi_Linux_Strings {
    meta:
        description = "Detects Derusbi Backdoor ELF Strings"
        author = "Fidelis Cybersecurity"
        date = "2016/02/29"
        reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
        id = "06717cc9-678d-5912-a671-65605b9c9968"
    strings:
        // $a*: implant-specific artefacts (component names, a /dev/shm marker file,
        // a custom shell prompt).
        $a_loadso = "loadso" wide ascii fullword
        $a_uname = "\nuname -a\n\n" wide ascii
        $a_shmfile = "/dev/shm/.x11.id" wide ascii
        $a_lxmain = "LxMain64" wide ascii nocase
        $a_prompt = "# \\u@\\h:\\w \\$ " wide ascii
        // $b*: supporting strings, several of which are generic on their own.
        // Note $b_uname is a substring of $a_uname, so any $a_uname hit also counts here.
        $b_lower = "0123456789abcdefghijklmnopqrstuvwxyz" wide
        $b_upper = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
        $b_ret = "ret %d" wide fullword
        $b_uname = "uname -a\n\n" wide ascii
        $b_cmdline = "/proc/%u/cmdline" wide ascii
        $b_selfexe = "/proc/self/exe" wide ascii
        $b_cp = "cp -a %s %s" wide ascii
        // $c*: hard-coded paths from one build; strong when present, but easy to lose
        // across variants.
        $c_pts = "/dev/pts/4" wide ascii fullword
        $c_log = "/tmp/1408.log" wide ascii fullword
    condition:
        uint32(0) == 0x464C457F and (
            // two strong artefacts, or the complete supporting set, suffice alone
            2 of ($a*) or
            all of ($b*) or
            // otherwise one strong artefact plus corroboration
            (1 of ($a*) and 4 of ($b*)) or
            (1 of ($a*) and 1 of ($c*))
        )
}
rule apt_win_exe_trojan_derusbi {
meta:
description = "Detects Derusbi Backdoor Win32"
author = "Fidelis Cybersecurity"
date = "2016/02/29"
reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
id = "6e7fecfa-f801-59b2-a394-df4c368011b7"
strings:
// $sa_*: core set of 11 (HTTP proxy header fragments, driver load/unload APIs,
// CRT/COM export names, one code pattern). Numbering gaps are as published;
// the wildcard in the condition does not need contiguous numbers.
$sa_4 = "HOST: %s:%d"
$sa_6 = "User-Agent: Mozilla"
$sa_7 = "Proxy-Connection: Keep-Alive"
$sa_8 = "Connection: Keep-Alive"
$sa_9 = "Server: Apache"
$sa_12 = "ZwUnloadDriver"
$sa_13 = "ZwLoadDriver"
$sa_18 = "_time64"
$sa_19 = "DllRegisterServer"
$sa_20 = "DllUnregisterServer"
// Wildcarded code pattern; the author's label says it is the driver-decoding loop.
$sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
// $sb_*: PCC_* component names; 5 of 8 needed as corroboration.
$sb_1 = "PCC_CMD_PACKET"
$sb_2 = "PCC_CMD"
$sb_3 = "PCC_BASEMOD"
$sb_4 = "PCC_PROXY"
$sb_5 = "PCC_SYS"
$sb_6 = "PCC_PROCESS"
$sb_7 = "PCC_FILE"
$sb_8 = "PCC_SOCK"
// $sc_*: test-signing enablement command, a Microsoft update hostname, a CRT hook
// symbol and a fixed token; 3 of 4 needed, or 1 together with all of $se_*.
$sc_1 = "bcdedit -set testsigning" wide ascii
$sc_2 = "update.microsoft.com" wide ascii
$sc_3 = "_crt_debugger_hook" wide ascii
$sc_4 = "ue8G5" wide ascii
// $sd_*: short, common fragments (pipe name template, extension, CONNECT line,
// device prefix). Only ever required as a complete set, and only after 8 of $sa_*.
/* $sd_1 = "NET" wide ascii */ /* disabled due to performance reasons */
$sd_2 = "\\\\.\\pipe\\%s" wide ascii
$sd_3 = ".dat" wide ascii
$sd_4 = "CONNECT %s:%d" wide ascii
$sd_5 = "\\Device\\" wide ascii
// $se_*: format fragments and a version string; likewise only as a complete set,
// and only together with at least one $sc_*.
$se_1 = "-%s-%04d" wide ascii
$se_2 = "-%04d" wide ascii
/* $se_3 = "FAL" wide ascii */ /* disabled due to performance reasons */
/* $se_4 = "OK" wide ascii */ /* disabled due to performance reasons */
$se_5 = "2.03" wide ascii
/* $se_6 = "XXXXXXXXXXXXXXX" wide ascii */ /* disabled due to memory usage reasons */
condition:
// MZ header, then either the complete core set, or 8 of its 11 strings plus
// corroboration from one of the supporting groups. No filesize cap.
uint16(0) == 0x5A4D and (
all of ($sa_*) or
(
(8 of ($sa_*)) and (
(5 of ($sb_*)) or
(3 of ($sc_*)) or
(all of ($sd_*)) or
( 1 of ($sc_*) and all of ($se_*) )
)
)
)
}
rule derusbi_kernel
{
    meta:
        description = "Derusbi Driver version"
        date = "2015-12-09"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
        id = "a60ab93a-e2be-53ee-a7da-56c763bc5533"
    strings:
        // Two fixed marker strings (the same pair is used by Derusbi_Kernel_Driver_WD_UDFS).
        $hello = "$$$--Hello"
        $wrod = "Wrod--$$$"
        // MSVC RTTI type-descriptor name for class PCC_BASEMOD.
        $rtti = ".?AVPCC_BASEMOD@@"
    condition:
        // MZ header and all three strings. No filesize cap, so large PE files are
        // scanned in full.
        uint16(0) == 0x5A4D and all of them
}
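rule derusbi_linux
{
    meta:
        description = "Derusbi Server Linux version"
        date = "2015-12-09"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
        id = "2b33afb5-be87-5d41-b05e-b99d0c1d8ed9"
    strings:
        // Shell prompt exported by the implant; the "RK#" prefix is what sets it apart
        // from a stock bash prompt.
        $PS1 = "PS1=RK# \\u@\\h:\\w \\$"
        $cmd = "unset LS_OPTIONS;uname -a"
        // Process name and on-disk path used by this build.
        $pname = "[diskio]"
        $rkfile = "/tmp/.secure"
    condition:
        // ELF magic (7f 45 4c 46 read little-endian) checked with uint32(0) instead of
        // a "\x7fELF" string anchored at offset 0: same outcome for every input, but no
        // extra string atom for the scanner to search the whole file for, and the same
        // form the other ELF rules in this set use.
        uint32(0) == 0x464C457F and $PS1 and $cmd and $pname and $rkfile
}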
rule Derusbi_Kernel_Driver_WD_UDFS {
    meta:
        description = "Detects Derusbi Kernel Driver"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
        date = "2015-12-15"
        score = 80
        hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
        hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
        hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
        hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
        id = "51d80d19-f87f-5b09-ac49-08ebcb464013"
    strings:
        // $x*: high-confidence. Named pipes in both Win32 (\\.\pipe) and native
        // (\??\pipe) form, plus the two marker strings also used by derusbi_kernel.
        $x_pipe_ex = "\\\\.\\pipe\\usbpcex%d" fullword wide
        $x_pipe_g = "\\\\.\\pipe\\usbpcg%d" fullword wide
        $x_npipe_ex = "\\??\\pipe\\usbpcex%d" fullword wide
        $x_npipe_g = "\\??\\pipe\\usbpcg%d" fullword wide
        $x_hello = "$$$--Hello" fullword ascii
        $x_wrod = "Wrod--$$$" fullword ascii
        // $s*: supporting. Kernel-mode (\Registry\..., \Driver\...) object paths,
        // a DLL name and a HOST header; individually generic, required as a full set.
        $s_inet_reg = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" wide
        $s_update_dll = "Update.dll" fullword ascii
        $s_wmi_reg = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" wide
        $s_nsiproxy = "\\Driver\\nsiproxy" wide
        $s_host = "HOST: %s" fullword ascii
    condition:
        // MZ header, size cap, then two high-confidence strings or all supporting ones.
        uint16(0) == 0x5A4D and filesize < 800KB and (2 of ($x*) or all of ($s*))
}
rule Derusbi_Code_Signing_Cert {
    meta:
        description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
        date = "2015-12-15"
        score = 60
        id = "d123fde9-0182-5232-a716-b76e8d9830c4"
    strings:
        // Certificate subject names as they appear in the embedded Authenticode blob.
        // The trailing "0" is likely the 0x30 (SEQUENCE) tag that follows the name in
        // DER, so it is part of the match and must not be "corrected".
        // Legitimately signed software from these publishers matches too, which is why
        // the score is 60 and the description says "suspicious" rather than malicious.
        $cert_dawu = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii
        $cert_xlgames = "XL Games Co.,Ltd.0" fullword ascii
        $cert_wemade = "Wemade Entertainment co.,Ltd0" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 800KB and any of them
}
rule Derusbi_Backdoor_Mar17_1 {
    meta:
        description = "Detects a variant of the Derusbi backdoor"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2017-03-03"
        hash1 = "f87915f21dcc527981ebb6db3d332b5b341129b4af83524f59d7178e9d2a3a32"
        id = "5c8838d6-b9c2-589e-b6a2-a8c7ad6f10cc"
    strings:
        // Any single string is enough, so each one has to stand on its own.
        // Wide-string system paths the sample carries.
        $path_wiaservc = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
        // Leading "c" kept as published; presumably how the string appears in the
        // sample, so do not "fix" it.
        $path_pchsvc = "c%WINDIR%\\PCHealth\\HelpCtr\\Binaries\\pchsvc.dll" fullword wide
        // perfc009.dat is also a legitimate Windows file name; the %Systemroot%\Help
        // prefix is what narrows it.
        $path_perfc = "%Systemroot%\\Help\\perfc009.dat" fullword wide
        // rundll32 launch template with an export name.
        $cmd_rundll = "rundll32.exe \"%s\", R32 %s" fullword wide
        $dll_officeut = "OfficeUt32.dll" fullword ascii
        // Named-pipe templates.
        $pipe_o = "\\\\.\\pipe\\usb%so" fullword wide
        $pipe_i = "\\\\.\\pipe\\usb%si" fullword wide
        // Short and not fullword: the weakest of the set.
        $tmp_dat = "\\tmp1.dat" wide
    condition:
        uint16(0) == 0x5A4D and filesize < 400KB and any of them
}