[
  {
    "path": "README.md",
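    "content": "# Statement on Discontinuing Updates\nThis tool has recently been reported on through several channels.  \nIt was originally developed to give security researchers an easy-to-use tool for carrying out network security research and for thinking about the security problems of the IoT era.  \nI did not expect it to have such a serious impact. To help security vendors research and detect it more effectively, I hereby state that the tool will no longer be updated and that the download options for this project are being removed.\n\n# About Detection\nI am attaching detection rules here ([check.yara](https://github.com/rootkiter/Binary-files/blob/master/check.yara)). Thanks to [Chris Doman](https://www.alienvault.com/blogs/labs-research/internet-of-termites) for the warning and for providing the rules. If new variants appear in the future, everyone is welcome to submit detection rules here; this project will be maintained long-term.\n"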
  },
  {
    "path": "check.yara",
    "content": "rule EarthWorm : LinuxMalware\n{\n    meta:\n        author = \"AlienVault Labs\"\n        copyright = \"Alienvault Inc. 2019\"\n        license = \"Apache License, Version 2.0\"\n        sha256 = \"f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd\"\n        description = \"EarthWorm Packet Relay Tool\"\n    strings:\n        // ELF magic bytes\n        $elf = {7f 45 4c 46}\n        $string_1 = \"I_AM_NEW_RC_CMD_SOCK_CLIENT\"\n        $string_2 = \"CONFIRM_YOU_ARE_SOCK_CLIENT\"\n        $string_3 = \"SOCKSv4 Not Support now!\"\n        $string_4 = \"rssocks cmd_socket OK!\"\n\n    condition:\n        // `them` also counts $elf, so the ELF magic plus one $string_* hit satisfies `2 of them`\n        $elf at 0 and 2 of them\n}\n\nrule Termite : LinuxMalware\n{\n    meta:\n        author = \"AlienVault Labs\"\n        copyright = \"Alienvault Inc. 2019\"\n        license = \"Apache License, Version 2.0\"\n        sha256 = \"6062754dbe5503d375ad0e61f6b4342654624f471203fe50eb892e0029451416\"\n        description = \"Termite Packet Relay Tool\"\n    strings:\n        // ELF magic bytes\n        $elf = {7f 45 4c 46}\n        $string_1 = \"File data send OK!\"\n        $string_2 = \"please set the target first\"\n        $string_3 = \"It support various OS or CPU.For example\"\n        $string_4 = \"xxx -l [lport] -n [name]\"\n\n    condition:\n        // `them` also counts $elf, so the ELF magic plus one $string_* hit satisfies `2 of them`\n        $elf at 0 and 2 of them\n}\n"
  }
]