X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_malware_rcl.txt;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_malware_rcl.txt;h=03ed59446ac5697440e67be0f225205a7e69c3e1;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/var/ossec/etc/shared/win_malware_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/win_malware_rcl.txt
new file mode 100644
index 0000000..03ed594
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/etc/shared/win_malware_rcl.txt
@@ -0,0 +1,122 @@
+# OSSEC Windows Malware list - (C) 2018 OSSEC Project
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Malware name] [any or all] [reference]
+# type:;
+#
+# Type can be:
+# - f (for file or directory)
+# - r (registry entry)
+# - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# # Values can be preceded by: =: (for equal) - default
+# r: (for ossec regexes)
+# >: (for strcmp greater)
+# <: (for strcmp lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# http://www.iss.net/threats/ginwui.html
+[Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html]
+f:%WINDIR%\System32\zsyhide.dll;
+f:%WINDIR%\System32\zsydll.dll;
+r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
+r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
+
+# http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
+[Wargbot Backdoor {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\wgareg.exe;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
+
+# http://www.f-prot.com/virusinfo/descriptions/sober_j.html
+[Sober Worm {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\nonzipsr.noz;
+f:%WINDIR%\System32\clonzips.ssc;
+f:%WINDIR%\System32\clsobern.isc;
+f:%WINDIR%\System32\sb2run.dii;
+f:%WINDIR%\System32\winsend32.dal;
+f:%WINDIR%\System32\winroot64.dal;
+f:%WINDIR%\System32\zippedsr.piz;
+f:%WINDIR%\System32\winexerun.dal;
+f:%WINDIR%\System32\winmprot.dal;
+f:%WINDIR%\System32\dgssxy.yoi;
+f:%WINDIR%\System32\cvqaikxt.apk;
+f:%WINDIR%\System32\sysmms32.lla;
+f:%WINDIR%\System32\Odin-Anon.Ger;
+
+# http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
+[Hotword Trojan {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\_;
+f:%WINDIR%\System32\explore.exe;
+f:%WINDIR%\System32\ svchost.exe;
+f:%WINDIR%\System32\mmsystem.dlx;
+f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;
+f:%WINDIR%\System32\CFXP.DRV;
+f:%WINDIR%\System32\CHJO.DRV;
+f:%WINDIR%\System32\MMSYSTEM.DLX;
+f:%WINDIR%\System32\OLECLI.DL;
+
+[Beagle worm {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\winxp.exe;
+f:%WINDIR%\System32\winxp.exeopen;
+f:%WINDIR%\System32\winxp.exeopenopen;
+f:%WINDIR%\System32\winxp.exeopenopenopen;
+f:%WINDIR%\System32\winxp.exeopenopenopenopen;
+
+# http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
+[Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
+f:%WINDIR%\System32\ntos.exe;
+f:%WINDIR%\System32\wsnpoem;
+f:%WINDIR%\System32\wsnpoem\audio.dll;
+f:%WINDIR%\System32\wsnpoem\video.dll;
+r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
+
+# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
+[Looked.BK Worm {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\uninstall\rundl132.exe;
+f:%WINDIR%\Logo1_.exe;
+f:%Windir%\RichDll.dll;
+r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
+
+[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
+p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
+f:!%WINDIR%\SysWOW64;
+
+[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
+p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
+f:!%WINDIR%\SysWOW64;
+
+[Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] []
+f:%Windir%\System32\rdriv.sys;
+f:%Windir%\lsass.exe;
+
+[Possible Malware File {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\utorrent.exe;
+f:%WINDIR%\System32\utorrent.exe;
+f:%WINDIR%\System32\Files32.vxd;
+
+# Modified /etc/hosts entries
+# Idea taken from:
+# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
+# http://www.sophos.com/security/analyses/trojbagledll.html
+# http://www.f-secure.com/v-descs/fantibag_b.shtml
+[Anti-virus site on the hosts file] [any] []
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
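Review bot: The Looked.BK entry leaves its reference bracket empty while the Symantec URL sits in the comment above it with a stray leading `[`, unlike the Ginwui and Gpcoder entries that carry the URL in the third field; suggest `# http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2` followed by `[Looked.BK Worm {PCI_DSS: 11.4}] [any] [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2]`. The `f:!%WINDIR%\SysWOW64;` line in the two `[all]` "running outside system32" checks carries no comment, so a reader cannot tell that it appears to be there to skip the whole check on hosts where SysWOW64 exists; a comment along the lines of `# Skip this check when SysWOW64 exists (64-bit Windows)` on each would make the intent explicit, after confirming it with upstream. The same entries mix `%Windir%` and `%WINDIR%` (RichDll.dll, rdriv.sys, lsass.exe); using one spelling throughout avoids relying on case-insensitive variable expansion. Separately, the file lands under `debian/ossec-hids/var/...`, which looks like the dh staging tree that a package build regenerates; if so, it probably belongs in the source tree or an install list rather than in version control.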