Yara Rule - Detects injected code used by the backdoored XZ library (xzutil) CVE-2024-3094.

Yara definition.

Author: Florian Roth

https://www.openwall.com/lists/oss-security/2024/03/29/4

```yara
// Rule headers and the first rule's condition are missing from this page: the rule names
// and the "1 of them" clauses are placeholders so the fragments load in YARA; everything else is verbatim.

rule XZ_Backdoor_Injected_Script_PLACEHOLDER_NAME {
   meta:
      date = "2024-03-30"
      score = 80
   strings:
      $x1 = "/bad-3-corrupt_lzma2.xz | tr " ascii
      $x2 = "/tests/files/good-large_compressed.lzma|eval $i|tail -c +31265|" ascii
      $x3 = "eval $zrKcKQ" ascii
   condition:
      1 of them  // assumed; not on the page
}

rule XZ_Backdoor_ELF_PLACEHOLDER_NAME {
   meta:
      date = "2024-03-30"
      score = 75
      hash1 = "319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae"
      hash2 = "605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4"
      hash3 = "8fa641c454c3e0f76de73b7cc3446096b9c8b9d33d406d38b8ac76090b0344fd"
      hash4 = "b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963"
      hash5 = "cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537"
   strings:
      $op1 = { 48 8d 7c 24 08 f3 ab 48 8d 44 24 08 48 89 d1 4c 89 c7 48 89 c2 e8 ?? ?? ?? ?? 89 c2 }
      $op2 = { 31 c0 49 89 ff b9 16 00 00 00 4d 89 c5 48 8d 7c 24 48 4d 89 ce f3 ab 48 8d 44 24 48 }
      $op3 = { 4d 8b 6c 24 08 45 8b 3c 24 4c 8b 63 10 89 85 78 f1 ff ff 31 c0 83 bd 78 f1 ff ff 00 f3 ab 79 07 }
      $xc1 = { 30 F1 EF A5 54 88 9F 54 C8 9C E5 38 9F B8 1E 70 00 00 08 04 88 3E C2 84 88 95 42 41 84 88 94 C2 41 00 }
   condition:
      uint16(0) == 0x457f and 1 of them  // "and 1 of them" is assumed
}
```
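To show how these two signatures actually evaluate, here is an added Python mirror of them (my own example, not the rule file and not code from the signature-base project). It turns the hex strings, including the `??` single-byte wildcards in `$op1`, into byte regexes, applies the ELF-magic gate `uint16(0) == 0x457f` (YARA reads it little-endian, so it is the bytes `7f 45`), and runs both checks over constructed sample data. The `1 of them` conditions, the function names and the sample bytes are my assumptions; the strings and hashes come from the page.

```python
import re
import sys
from typing import Dict, List

# Signatures copied verbatim from the rule fragments on this page.
SCRIPT_STRINGS = {
    "x1": b"/bad-3-corrupt_lzma2.xz | tr ",
    "x2": b"/tests/files/good-large_compressed.lzma|eval $i|tail -c +31265|",
    "x3": b"eval $zrKcKQ",
}
ELF_HEX_PATTERNS = {
    "op1": "48 8d 7c 24 08 f3 ab 48 8d 44 24 08 48 89 d1 4c 89 c7 48 89 c2 e8 ?? ?? ?? ?? 89 c2",
    "op2": "31 c0 49 89 ff b9 16 00 00 00 4d 89 c5 48 8d 7c 24 48 4d 89 ce f3 ab 48 8d 44 24 48",
    "op3": "4d 8b 6c 24 08 45 8b 3c 24 4c 8b 63 10 89 85 78 f1 ff ff 31 c0 83 bd 78 f1 ff ff 00 f3 ab 79 07",
    "xc1": "30 F1 EF A5 54 88 9F 54 C8 9C E5 38 9F B8 1E 70 00 00 08 04 88 3E C2 84 88 95 42 41 84 88 94 C2 41 00",
}


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string (hex bytes plus '??' single-byte wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        # '.' with DOTALL matches any single byte, which is exactly what '??' means in YARA.
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


ELF_REGEXES = {name: hex_pattern_to_regex(p) for name, p in ELF_HEX_PATTERNS.items()}


def has_elf_magic(data: bytes) -> bool:
    """YARA's uint16(0) is little-endian, so 0x457f means the file starts with bytes 7f 45 ('\\x7fE')."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x457F


def match_script_rule(data: bytes) -> List[str]:
    """First rule (score 80): names of the injected-script strings present; assumed '1 of them'."""
    return [name for name, s in SCRIPT_STRINGS.items() if s in data]


def match_elf_rule(data: bytes) -> List[str]:
    """Second rule (score 75): ELF-magic gate first, then the opcode/constant patterns; assumed '1 of them'."""
    if not has_elf_magic(data):
        return []
    return [name for name, rx in ELF_REGEXES.items() if rx.search(data)]


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Evaluate both rules on an in-memory buffer; an empty list means no hit for that rule."""
    return {"script_rule": match_script_rule(data), "elf_rule": match_elf_rule(data)}


def scan_file(path: str) -> Dict[str, List[str]]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed inputs for a self-check; they are NOT the real backdoor artifacts.
SAMPLE_SCRIPT = b"#!/bin/sh\n# constructed: carries only the $x3 marker\neval $zrKcKQ\n"
SAMPLE_ELF = (
    b"\x7fELF" + b"\x00" * 60  # fake ELF magic plus padding
    # $op1 with its four wildcard bytes filled with arbitrary values (de ad be ef)
    + bytes.fromhex("488d7c2408f3ab488d4424084889d14c89c74889c2e8deadbeef89c2")
    + b"\x90" * 8
    # $op2 verbatim
    + bytes.fromhex("31c04989ffb9160000004d89c5488d7c24484d89cef3ab488d442448")
)

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, scan_file(p))
    print("self-check:", scan_bytes(SAMPLE_SCRIPT), scan_bytes(SAMPLE_ELF))
```

Run it with file paths as arguments to scan them, or with none to see the self-check. Note that the same `$op2` bytes placed in a buffer without the `7f 45` prefix produce no hit, which is the point of the `uint16(0)` gate: it keeps the opcode patterns from firing on arbitrary non-ELF data. For real triage, use the actual rule with `yara -r rule.yar <dir>`; this mirror only illustrates the matching logic.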


[https://github.com/Neo23x0/signature-base/commit/ceee785df7f86adb259a6c94b1a16c7a5370f2f6](https://github.com/Neo23x0/signature-base/commit/ceee785df7f86adb259a6c94b1a16c7a5370f2f6)