100 Days of YARA – Day 27: LOKI2

LOKI2 is an old backdoor released in Phrack Magazine in 1997. This tool is still somewhat novel even in 2021, providing a shell over the ICMP protocol.

A few years ago, I read an article that highlighted this tool’s use by the Turla group that piqued my interest. Due to this tool running over ICMP, I figured it would be fun to use in attack/defend CTFs because many players focus too much on TCP and UDP, and completely neglect to monitor ICMP traffic.

rule loki2
{
	meta:
		description = "http://phrack.org/issues/51/6.html"

	strings:
		$a = "lokid: inactive client <%d> expired from list [%d]"
		$b = "[SUPER fatal] control should NEVER fall here"

	condition:
		any of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 27: LOKI2

  1. Pingback: Week 03 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s