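rule Fake_AdobeReader_EXE
{
    meta:
        description = "Detects a fake AdobeReader executable (AcroRd32.exe) that lacks the vendor strings a genuine build carries: 'Adobe Systems' in the last 2500 bytes of the file and 'Adobe Reader' anywhere in the file"
        date = "2014-09-11"
        author = "Florian Roth"
        score = 50
    strings:
        // Expected near the end of a genuine binary (presumably inside the
        // Authenticode certificate block appended to the file - confirm
        // against a known-good sample before tightening the window).
        $s1 = "Adobe Systems" ascii
        // Expected anywhere in a genuine binary, in either encoding.
        $s2 = "Adobe Reader" ascii wide
    condition:
        // PE magic "MZ" - restricts the rule to executables.
        uint16(0) == 0x5a4d and
        // 'filename' is an EXTERNAL variable: it must be supplied at scan time
        // (e.g. `yara -d filename=AcroRd32.exe ...`), otherwise the rule does
        // not compile. The regex is unanchored and case-insensitive, so any
        // filename (or path) containing "AcroRd32.exe" matches. The dot is
        // escaped so "AcroRd32Xexe" does not match.
        filename matches /AcroRd32\.exe/i and
        // NOTE(review): there is no lower bound on filesize; for a file
        // smaller than 2500 bytes the range start goes negative - confirm
        // that is the intended behaviour or add `filesize > 2500`.
        not $s1 in (filesize-2500..filesize) and
        not $s2
}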
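rule Fake_FlashPlayerUpdaterService_EXE
{
    meta:
        description = "Detects a fake FlashPlayerUpdateService executable that lacks the vendor string 'Adobe Systems Incorporated' a genuine build carries"
        date = "2014-09-11"
        author = "Florian Roth"
        score = 50
    strings:
        // Expected anywhere in a genuine binary, in either encoding.
        $s1 = "Adobe Systems Incorporated" ascii wide
    condition:
        // PE magic "MZ" - restricts the rule to executables.
        uint16(0) == 0x5a4d and
        // 'filename' is an EXTERNAL variable: it must be supplied at scan time
        // (e.g. `yara -d filename=FlashPlayerUpdateService.exe ...`), otherwise
        // the rule does not compile. The regex is unanchored and
        // case-insensitive, so any filename (or path) containing
        // "FlashPlayerUpdateService.exe" matches. The dot is escaped so that
        // it only matches a literal '.'. Note the rule name says
        // "Updater" while the on-disk name checked here is "UpdateService";
        // the name is kept for compatibility with existing references.
        filename matches /FlashPlayerUpdateService\.exe/i and
        // A binary with this name but without the vendor string is flagged.
        not $s1
}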