Repository: rootkiter/Binary-files
Branch: master
Commit: 77674e8be201
Files: 2
Total size: 1.5 KB

Directory structure:
gitextract_fh0d6iuv/
├── README.md
└── check.yara

================================================
FILE CONTENTS
================================================

================================================
FILE: README.md
================================================
# Notice on discontinuing updates

Recently this tool has been reported on through several channels.

The original intent of developing it was to give security researchers an easy-to-use tool for carrying out network security research and for thinking about the security problems of the IoT era.

I did not expect it to have such a serious impact. To make it easier for security vendors to study, detect and remove it, I hereby declare that this tool will no longer be updated, and the download links for this project have been removed.

# About detection

I attach the detection rules here ([check.yara](https://github.com/rootkiter/Binary-files/blob/master/check.yara)); thanks to "[Chris Doman](https://www.alienvault.com/blogs/labs-research/internet-of-termites)" for the warning and for providing the rules. If new variants appear in the future, everyone is welcome to submit detection rules here; this project will be maintained long-term.

================================================
FILE: check.yara
================================================
rule EarthWorm : LinuxMalware
{
    meta:
        author = "AlienVault Labs"
        copyright = "Alienvault Inc. 2019"
        license = "Apache License, Version 2.0"
        sha256 = "f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd"
        description = "EarthWorm Packet Relay Tool"

    strings:
        $elf = {7f 45 4c 46}
        $string_1 = "I_AM_NEW_RC_CMD_SOCK_CLIENT"
        $string_2 = "CONFIRM_YOU_ARE_SOCK_CLIENT"
        $string_3 = "SOCKSv4 Not Support now!"
        $string_4 = "rssocks cmd_socket OK!"

    condition:
        $elf at 0 and 2 of them
}

rule Termite : LinuxMalware
{
    meta:
        author = "AlienVault Labs"
        copyright = "Alienvault Inc. 2019"
        license = "Apache License, Version 2.0"
        sha256 = "6062754dbe5503d375ad0e61f6b4342654624f471203fe50eb892e0029451416"
        description = "Termite Packet Relay Tool"

    strings:
        $elf = {7f 45 4c 46}
        $string_1 = "File data send OK!"
        $string_2 = "please set the target first"
        $string_3 = "It support various OS or CPU.For example"
        $string_4 = "xxx -l [lport] -n [name]"

    condition:
        $elf at 0 and 2 of them
}
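As an added illustration that is not part of this repository or of the AlienVault rules, the following hand-written Python mirrors the two conditions above so a defender can see exactly what `$elf at 0 and 2 of them` matches without yara-python installed; note that in YARA `them` covers every declared string, `$elf` included, so one text string plus the ELF magic is already enough. The sample buffers are constructed, not real binaries, and production scanning should still use yara itself.

```python
# Hand-written re-implementation of the two check.yara conditions, so the
# matching logic can be exercised offline without yara-python installed.
from typing import List

ELF_MAGIC = b"\x7fELF"  # the {7f 45 4c 46} hex string, $elf in both rules

# Text strings copied from check.yara, keyed by rule name.
RULES = {
    "EarthWorm": [
        b"I_AM_NEW_RC_CMD_SOCK_CLIENT",
        b"CONFIRM_YOU_ARE_SOCK_CLIENT",
        b"SOCKSv4 Not Support now!",
        b"rssocks cmd_socket OK!",
    ],
    "Termite": [
        b"File data send OK!",
        b"please set the target first",
        b"It support various OS or CPU.For example",
        b"xxx -l [lport] -n [name]",
    ],
}

def matching_rules(data: bytes, elf_counts_in_them: bool = True) -> List[str]:
    """Names of rules whose `$elf at 0 and 2 of them` condition holds.

    In YARA `them` means every string declared in the rule, $elf included,
    so once the magic has matched at offset 0 a single one of the four text
    strings is enough. elf_counts_in_them=False shows the stricter reading
    (two of the four text strings) that readers often assume.
    """
    if not data.startswith(ELF_MAGIC):  # `$elf at 0` is a positional test
        return []
    hits = []
    for name, needles in RULES.items():
        # `2 of them` counts distinct strings, not repeated occurrences.
        matched = sum(1 for s in needles if s in data)
        if elf_counts_in_them:
            matched += 1  # $elf is one of "them" and has already matched
        if matched >= 2:
            hits.append(name)
    return hits

def scan_file(path: str) -> List[str]:
    with open(path, "rb") as fh:  # relay binaries are small; read them whole
        return matching_rules(fh.read())

# Constructed samples (not real binaries): ELF magic, filler, rule strings.
SAMPLE_EW = ELF_MAGIC + b"\x00" * 12 + b"SOCKSv4 Not Support now!\x00rssocks cmd_socket OK!\x00"
SAMPLE_SH = b"#!/bin/sh\n" + b"SOCKSv4 Not Support now!\x00rssocks cmd_socket OK!\x00"
SAMPLE_ONE = ELF_MAGIC + b"\x00" * 12 + b"File data send OK!\x00"
```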