I had a guest diary entry about my XORSearch tool using shellcode detection rules from Frank Boldewin's OfficeMalScanner. To detect malicious documents, Frank coded rules to detect shellcode and other indicators of executable code inside documents.
I also translated Frank's detection rules to YARA rules. You can find them here (the file is maldoc.yara).
This is an example:
rule maldoc_API_hashing
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // lodsb / test al,al / jz / ror edi,0Dh / add edi,eax / jmp back / cmp edi,imm32
        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
        // same loop with ror edi,07h
        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
    condition:
        any of them
}
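As an added example (not code from the post, from XORSearch or from OfficeMalScanner), here is a small Python scanner that applies the two byte patterns of this rule the way XORSearch does: once against the raw bytes and once under every single-byte XOR key. The sample buffer is constructed; the function and variable names are my own.

```python
# Hex strings copied from the maldoc_API_hashing rule above. They decode to
# the classic API-hashing loop: lodsb / test al,al / jz +7 / ror edi,13 (or 7)
# / add edi,eax / jmp -12 / cmp edi,imm32
API_HASHING_PATTERNS = {
    "ror13_hash_loop": "AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF",
    "ror7_hash_loop":  "AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF",
}

def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Convert a wildcard-free YARA hex string into raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))

def find_patterns(data: bytes, patterns=API_HASHING_PATTERNS):
    """Return [(name, offset), ...] for every occurrence in data."""
    hits = []
    for name, pattern in patterns.items():
        needle = hex_pattern_to_bytes(pattern)
        start = 0
        while (idx := data.find(needle, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return hits

def xorsearch(data: bytes, patterns=API_HASHING_PATTERNS):
    """XORSearch-style scan: decode data with every single-byte key 0..255
    and run the patterns on each result (key 0 is the unencoded case).
    Returns [(key, name, offset), ...]."""
    results = []
    for key in range(256):
        table = bytes(b ^ key for b in range(256))  # XOR translation table
        for name, offset in find_patterns(data.translate(table), patterns):
            results.append((key, name, offset))
    return results

# Constructed sample (not a real document): 32 filler bytes, the ROR-13 loop
# XOR-encoded with key 0x41, then 16 more filler bytes.
SAMPLE_KEY = 0x41
SAMPLE = (b"\x00" * 32
          + bytes(b ^ SAMPLE_KEY for b in
                  hex_pattern_to_bytes(API_HASHING_PATTERNS["ror13_hash_loop"]))
          + b"\x00" * 16)

if __name__ == "__main__":
    print("plain scan:", find_patterns(SAMPLE))  # [] because it is encoded
    for key, name, offset in xorsearch(SAMPLE):
        print(f"key 0x{key:02X}: {name} at offset 0x{offset:X}")
```

A plain scan of the sample finds nothing; the XOR sweep reports key 0x41 at offset 32, which is why XORSearch pairs these rules with key brute-forcing.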