
YARA rules from the Symantec Waterbug report (Symantec Security Response, rules dated 22.01.2015), as transcribed from the published document. Several patterns contain spaced underscores (" _ _ ", "fa _ 2009") that look like extraction artifacts of the original text; they are reproduced as published and should be verified against the report before use.

  // The "pe" module is needed by WaterBug_turla_dll (pe.exports) and
  // WaterBug_sav_dropper (pe.number_of_sections); the other rules do not use it.
  import "pe"
  2.  
  // Wipbot "core" carried inside a PDF. The rule anchors on the PDF signature
  // at offset 0 and then requires two regex fragments to recur many times
  // (match counts, not mere presence). The rule name says 2013 while the
  // description says 2014; both are reproduced as published.
  // NOTE(review): the spaces around the underscores in both regexes look like
  // a PDF-extraction artifact of "__" / "_" -- confirm against the original
  // report before relying on the count thresholds.
  rule WaterBug_wipbot_2013_core_PDF {
      meta:
          description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // PDF magic; the condition pins it to offset 0.
          $pdf_magic = "%PDF-"
          // The published rule wrote [A-Za-z]{1}, which is just a single [A-Za-z].
          $frag_a = /\+[A-Za-z]\. _ _ \$\+[A-Za-z]\. _ \$ _ \+/
          $frag_b = /\+[A-Za-z]\.\$\$\$ _ \+/
      condition:
          $pdf_magic at 0 and #frag_a > 150 and #frag_b > 200
  }
  16.  
  // Wipbot Down.dll component: four literal strings, any two of which are
  // enough to fire.
  rule WaterBug_wipbot_2013_dll {
      meta:
          description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // Format string with a "rank" query parameter.
          $s1 = "/%s?rank=%s"
          // Three NUL-separated names laid out back to back.
          $s2 = "ModuleStart\x00ModuleStop\x00start"
          // Fixed GUID-like token.
          $s3 = "1156fd22-3443-4344-c4ffff"
          // "read file... error" followed by two NUL bytes. Written with plain
          // characters instead of the \x20 / \x2E escapes of the published
          // rule; the bytes are identical.
          $s4 = "read file... error\x00\x00"
      condition:
          2 of ($s*)
  }
  32.  
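  // Wipbot core executable (per the description this also covers samples with
  // appended PDF-exploit leftovers, the dropper, and a fake AdobeRd32 error).
  //
  // Changes vs. the published rule: the 2-byte "MZ" string is replaced by the
  // equivalent uint16(0) check (a 2-byte atom forces YARA to test every file
  // position and triggers a "slowing down scanning" warning), $code3/$code4
  // are split onto separate lines, and the redundant parentheses in the
  // condition are dropped. Match semantics are unchanged.
  rule WaterBug_wipbot_2013_core {
      meta:
          description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // Run of mov dword [edi+N], imm32 stores whose immediates are themselves
          // x86 opcodes (90 nop, C2 ret imm16, 60 pushad, 68 push imm32,
          // 61 popad, FF D0 call eax): code that assembles a small stub in memory.
          $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00 }
          // Byte-XOR loop keyed by a linear congruential generator:
          // imul edx, edi, 0x19660D / lea edi, [edx+0x3C6EF35F] / shr esi, 16 /
          // xor [ecx+eax], dl / inc eax / cmp eax, [ebx+4] / jb.
          $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4 }
          // Three nops, one wildcard byte, then B9 00 followed by the bytes
          // 4D 5A 90 00 03 00 00 00 that open a typical DOS header. Whether this
          // is an embedded image or instruction immediates is not established here.
          $code3 = { 90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04 }
          // Empty function (push ebp / mov ebp,esp / pop ebp / ret) followed by a
          // prologue using the 89 E5 encoding of mov ebp,esp (the encoding GCC
          // emits; MSVC uses 8B EC).
          $code4 = { 55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0 }
      condition:
          // 0x5A4D is "MZ" read little-endian at offset 0.
          uint16(0) == 0x5A4D and ($code1 or $code2 or ($code3 and $code4))
  }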
  47.  
  // Turla dropper: both hex sequences must be present.
  rule WaterBug_turla_dropper {
      meta:
          description = "Symantec Waterbug Attack - Trojan Turla Dropper"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // A run of increasing 16-bit little-endian values (0x310F, 0x3114,
          // 0x3120, ...). Presumably a fixed table copied from the dropper
          // binary; its meaning is not established here.
          $value_table = { 0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34 }
          // "HAL.dll\0ntdll\0\0\0" followed by kernel-mode code that clears the
          // write-protect bit of CR0: mov esi, cr0 (0F 20 C6) / mov eax, esi /
          // and eax, 0xFFFEFFFF (bit 16 = CR0.WP) / mov cr0, eax (0F 22 C0) / call.
          $cr0_wp_clear = { 48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8 }
      condition:
          $value_table and $cr0_wp_clear
  }
  60.  
  // Turla DLL: a PE that exports a function named "ee" and carries a
  // "...Win32.dll" module name.
  rule WaterBug_turla_dll {
      meta:
          description = "Symantec Waterbug Attack - Trojan Turla DLL"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // Module name of the form [prefix_][prefix_]Win32.dll plus a terminating
          // NUL; {0,2} is the same bound the published rule wrote as {,2}.
          $module_name = /([A-Za-z0-9]{2,10}_){0,2}Win32\.dll\x00/
      condition:
          $module_name and pe.exports("ee")
  }
  72.  
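  // "FA" malware variant: any one of six literal artefacts in a file that
  // starts with "MZ".
  //
  // Change vs. the published rule: the 2-byte "MZ" string is replaced by the
  // equivalent uint16(0) check (a 2-byte atom slows scanning and makes YARA
  // warn). Match semantics are unchanged.
  rule WaterBug_fa_malware {
      meta:
          description = "Symantec Waterbug Attack - FA malware variant"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // Debug (PDB) path. NOTE(review): the " _ " in "fa _ 2009" looks like
          // an extraction artifact of "fa_2009"; the bytes are kept exactly as
          // published -- verify against the original report.
          $string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
          // Build directory prefix.
          $string2 = "d:\\proj\\cn\\fa64\\"
          // Driver file name with terminating NUL.
          $string3 = "sengoku_Win32.sys\x00"
          // Source file name.
          $string4 = "rk_ntsystem.c"
          // Directory name fragment.
          $string5 = "\\uroboros\\"
          // Shell namespace CLSID string.
          $string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
      condition:
          // 0x5A4D is "MZ" read little-endian at offset 0.
          uint16(0) == 0x5A4D and any of ($string*)
  }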
  90.  
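  // SAV dropper.
  //
  // Changes vs. the published rule: the 2-byte "MZ" string is replaced by the
  // equivalent uint16(0) check, and the unescaped "." in "_x64.sys" -- which
  // matched ANY byte, not just a dot -- is escaped so the regex requires the
  // literal extension. The only matches this removes are ones where that byte
  // was something other than 0x2E.
  rule WaterBug_sav_dropper {
      meta:
          description = "Symantec Waterbug Attack - SAV Dropper"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // Driver name "<up to 10 lowercase letters>_x64.sys" + NUL, directly
          // followed by "hMZ" + NUL (meaning of the trailing bytes not
          // established here).
          $driver_name = /[a-z]{,10}_x64\.sys\x00hMZ\x00/
      condition:
          // "MZ" at offset 0; a 0xC3 (ret) byte followed by three zero bytes at
          // file offset 0x400; exactly six PE sections; and the driver name.
          uint16(0) == 0x5A4D and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $driver_name
  }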
  103.  
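  // SAV malware: one of three compiler variants of the same decoding routine,
  // plus a second code sequence, in a file that starts with "MZ".
  //
  // Change vs. the published rule: the 2-byte "MZ" string is replaced by the
  // equivalent uint16(0) check (a 2-byte atom slows scanning and makes YARA
  // warn). Match semantics are unchanged.
  rule WaterBug_sav {
      meta:
          description = "Symantec Waterbug Attack - SAV Malware"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // Variant A: dword XOR loop with the key from [ebp+0x18]
          // (xor [ecx+eax*4], esi / inc eax / cmp eax, edx / jb), then a byte
          // copy loop that divides the index by 15 (push 0xF / pop ebx / div ebx)
          // and branches on the remainder.
          $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
          // Variant B: the same routine in an unoptimised build -- loop counters
          // live in [ebp-8]/[ebp-0x14], the XOR key comes from [ebp+0x20], and the
          // divide-by-15 is push 0xF / pop ecx / div ecx.
          $code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73
                      17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B
                      55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E
                      8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC
                      3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC
                      8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75
                      07 }
          // Variant C: variant A with the copy loop and the XOR loop in the
          // other order.
          $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2
                      75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08
                      00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31
                      14 81 40 3B C6 72 F5 }
          // Consistent with an LZMA-style range decoder: compare against
          // 0x01000000 (1<<24), renormalise with shl 8 of the range and
          // (code << 8) | next input byte (movzx / shl ecx, 8 / or ecx, edi),
          // probability table indexed at +0x300, and shr edi, 11 for the
          // 11 probability-model bits. Not confirmed against the sample here.
          $code2 =  { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00
                      00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17
                      8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08
                      FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B }
      condition:
          // 0x5A4D is "MZ" read little-endian at offset 0.
          uint16(0) == 0x5A4D and ($code1a or $code1b or $code1c) and $code2
  }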
  131.  
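  // ComRat trojan. Unlike the other rules this one relies on the COUNT of
  // very short, low-specificity code patterns rather than on unique bytes.
  //
  // Changes vs. the published rule: the 2-byte "MZ" string is replaced by the
  // equivalent uint16(0) check, and the condition is parenthesised to make
  // YARA's actual grouping explicit ("and" binds tighter than "or", so the
  // published text already meant exactly this). Match semantics are unchanged.
  // YARA will still warn that $b, $c and $d slow down scanning: they begin with
  // only two fixed bytes. That is inherent to the count-based design here;
  // tightening them would change what the rule detects.
  rule WaterBug_ComRat {
      meta:
          description = "Symantec Waterbug Attack - ComRat Trojan"
          author = "Symantec Security Response"
          date = "22.01.2015"
          reference = "http://t.co/rF35OaAXrl"
      strings:
          // mov byte [ebp+disp8], imm8 -- byte-at-a-time stores to the stack
          // frame, consistent with strings being built on the stack.
          $b = { C6 45 ?? ?? }
          // mov byte [ebp-0x1xx..-0x2xx], imm8 -- the same idiom with a 32-bit
          // negative displacement (a larger stack buffer).
          $c = { C6 85 ?? FE FF FF ?? }
          // jmp dword [eax+disp32] with a displacement below 0x1000.
          $d = { FF A0 ?? 0? 00 00 }
          // mov [eax+disp32], ebp / push imm32 (< 0x100) / push esi / call edi / mov ...
          $e = { 89 A8 ?? 00 00 00 68 ?? 00 00 00 56 FF D7 8B }
          // 64-bit variant: REX.W mov store (48 89) with a ~0x3xx displacement
          // followed by a REX.W mov load (48 8B).
          $f = { 00 00 48 89 ?? ?? 03 00 00 48 8B }
      condition:
          // 0x5A4D is "MZ" read little-endian at offset 0.
          uint16(0) == 0x5A4D and
          ( (#c > 200 and #b > 200) or (#d > 40 and (#e > 15 or #f > 30)) )
  }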