Yara Rule - Detects LinaDoor Linux Rootkit

Yara definition.

Author: Florian Roth

Internal Research

```yara
/* The rule identifier is not shown on the page; the name below is a placeholder. */
rule MAL_LNX_LinaDoor_Rootkit_PLACEHOLDER
{
   meta:
      description = "Detects LinaDoor Linux Rootkit"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2022-05-19"
      modified = "2023-05-16"
      score = 85
      hash1 = "25ff1efe36eb15f8e19411886217d4c9ec30b42dca072b1bf22f041a04049cd9"
      hash2 = "4792e22d4c9996af1cb58ed54fee921a7a9fdd19f7a5e7f268b6793cdd1ab4e7"
      /* hash3 to hash6 are not reproduced on the page */
      hash7 = "c5651add0c7db3bbfe0bbffe4eafe9cd5aa254d99be7e3404a2054d6e07d20e7"
   strings:
      $s1 = "/dev/net/.../rootkit_/" ascii
      $s2 = "did_exec" ascii fullword
      $s3 = "rh_reserved_tp_target" ascii fullword
      $s4 = "HIDDEN_SERVICES" ascii fullword
      $s5 = "bypass_udp_ports" ascii fullword
      $s6 = "DoBypassIP" ascii fullword
      $op1 = { 74 2a 4c 89 ef e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 4c 39 f2 }
      $op2 = { e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 4c 39 f2 48 0f 46 c3 5b }
      $op3 = { 48 89 c3 74 2a 4c 89 ef e8 00 00 00 00 48 89 da 4c 29 e2 48 01 c2 31 c0 }
      $op4 = { 4c 29 e2 48 01 c2 31 c0 4c 39 f2 48 0f 46 c3 5b 41 5c 41 5d }
      $fp1 = "/wgsyncdaemon.pid"
   condition:
      uint16(0) == 0x457f and
      /* only the ELF magic check above is shown on the page; the clause below is
         an assumed completion consistent with the $s, $op and $fp string groups */
      ( 2 of ($s*) or 2 of ($op*) ) and
      not 1 of ($fp*)
}

/* The following string definitions appear after the rule on the page but belong to a
   different rule in the same file, which the page does not reproduce:
   $c = { 25 73 23 33 }
   $d = { 25 73 23 34 }
   $e = { 2e 74 6d 70 }
   $f = { 2e 74 6d 70 }   (already commented out on the page; duplicate of $e)
   $g = { 2e 73 61 76 }
   $h = { 2e 75 70 64 }
*/
```


[https://github.com/Neo23x0/signature-base/commit/ce6460318b25c4328eff51b753713ae0d26b346a](https://github.com/Neo23x0/signature-base/commit/ce6460318b25c4328eff51b753713ae0d26b346a)