16 lines
1.3 KiB
Plaintext
16 lines
1.3 KiB
Plaintext
|
|
rule Backdoor_Win32_Htbot_C{
|
|
meta:
|
|
description = "Backdoor:Win32/Htbot.C,SIGNATURE_TYPE_PEHSTR,04 00 04 00 06 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {3f 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 3d 00 67 00 65 00 74 00 62 00 61 00 63 00 6b 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 } //1 ?command=getbackconnect
|
|
$a_01_1 = {5c 00 4d 00 6e 00 74 00 6f 00 32 00 } //1 \Mnto2
|
|
$a_01_2 = {66 00 69 00 72 00 65 00 77 00 61 00 6c 00 6c 00 20 00 61 00 64 00 64 00 20 00 61 00 6c 00 6c 00 6f 00 77 00 65 00 64 00 70 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 22 00 25 00 73 00 22 00 20 00 22 00 25 00 73 00 22 00 20 00 45 00 4e 00 41 00 42 00 4c 00 45 00 } //1 firewall add allowedprogram "%s" "%s" ENABLE
|
|
$a_01_3 = {25 00 73 00 3f 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 3d 00 75 00 70 00 64 00 61 00 74 00 65 00 26 00 69 00 64 00 3d 00 25 00 73 00 26 00 69 00 70 00 3d 00 25 00 73 00 26 00 70 00 6f 00 72 00 74 00 3d 00 25 00 64 00 } //1 %s?command=update&id=%s&ip=%s&port=%d
|
|
$a_01_4 = {25 00 73 00 3f 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 3d 00 67 00 68 00 6c 00 26 00 69 00 64 00 3d 00 25 00 73 00 } //1 %s?command=ghl&id=%s
|
|
$a_01_5 = {5c 00 66 00 61 00 72 00 63 00 6c 00 65 00 6e 00 2e 00 65 00 78 00 65 00 } //1 \farclen.exe
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1) >=4
|
|
|
|
} |