Initial commit

2026-06-08 17:57:13 +00:00 · 2020-06-26 15:52:52 +02:00
commit 0e38277d9e
130 changed files with 15371 additions and 0 deletions
@@ -0,0 +1,28 @@
+import "elf"
+
+rule Linux_Virus_Vit : tc_detection malicious
+{
+    meta:
+
+        author              = "ReversingLabs"
+        tc_detection_type   = "Virus"
+        tc_detection_name   = "Vit"
+        tc_detection_factor = 5
+
+    strings:
+
+      $vit_entry_point = {
+        55 89 E5 81 EC 40 31 00 00 57 56 50 53 51 52 C7 85 D8 CE FF FF 00 00 00 00 C7 85 D4
+        CE FF FF 00 00 00 00 C7 85 FC CF FF FF CA 08 00 00 C7 85 F8 CF FF FF B8 06 00 00 C7
+        85 F4 CF FF FF AD 08 00 00 C7 85 F0 CF FF FF 50 06 00 00 6A 00 6A 00 8B 45 08 50 E8
+        18 FA FF FF 89 C6 83 C4 0C 85 F6 0F 8C E6 01 00 00 6A 00 68 ?? ?? ?? ?? 56 E8 2E FA
+        FF FF 83 C4 0C 85 C0 0F 8C C4 01 00 00 8B 85 FC CF FF FF 50 8D 85 00 D0 FF FF 50 56
+        E8 2A FA FF FF 89 C2 8B 85 FC CF FF FF 83 C4 0C 39 C2 0F 85 9D 01 00 00 56 E8 E1 F9
+        FF FF BE FF FF FF FF 6A 00 6A 00 E9
+      }
+
+      $vit_str = "vi324.tmp"
+
+    condition:
+        uint32(0) == 0x464C457F and $vit_entry_point at elf.entry_point and $vit_str
+}