100 Days of YARA – Day 51: bdvl

bdvl is another LD_PRELOAD rootkit. This rule matched on a few samples I had available.

rule bdvl
{
	meta:
		description = "bdvl LD_PRELOAD rootkit"

	strings:
		$s1 = "Canadians are weird"
		$s2 = "ICMP backdoor up."
		$s3 = "It seems something may have went wrong installing..."
		$s4 = "Unable to evaluate total size of stolen stuff..."
		$s5 = "bdvlsuperreallygay"
		$s6 = "You're now totally visible. 'exit' when you want to return to being hidden."

	condition:
		uint32(0) == 0x464c457f   // ELF magic "\x7fELF", read little-endian
		and any of them
}
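As an added example (not from the post or the bdvl project), the following Python mirrors the rule's condition in plain code, so you can see why the little-endian `uint32(0)` check equals the ELF magic and that the rule only fires when an ELF file carries at least one of the strings. It also parses `/etc/ld.so.preload`, the usual persistence point for LD_PRELOAD rootkits, and runs the check over each library listed there; the parsing assumes glibc's format (entries separated by whitespace or `:`, `#` starting a comment).

```python
import re
from pathlib import Path

# Strings from the bdvl rule above, keyed by their YARA identifier.
BDVL_STRINGS = {
    "$s1": b"Canadians are weird",
    "$s2": b"ICMP backdoor up.",
    "$s3": b"It seems something may have went wrong installing...",
    "$s4": b"Unable to evaluate total size of stolen stuff...",
    "$s5": b"bdvlsuperreallygay",
    "$s6": b"You're now totally visible. 'exit' when you want to return to being hidden.",
}
ELF_MAGIC = 0x464C457F  # YARA's uint32(0) reads little-endian, so this is b"\x7fELF"


def is_elf(data: bytes) -> bool:
    """Mirror `uint32(0) == 0x464c457f` from the rule's condition."""
    return len(data) >= 4 and int.from_bytes(data[:4], "little") == ELF_MAGIC


def match_bdvl(data: bytes) -> list[str]:
    """Identifiers of rule strings present; [] means the rule would not fire."""
    if not is_elf(data):  # both halves of the 'and' are required
        return []
    return [name for name, s in BDVL_STRINGS.items() if s in data]


def preload_entries(preload_path="/etc/ld.so.preload") -> list[str]:
    """Parse ld.so.preload as glibc does (assumed format): entries split on
    whitespace or ':', '#' starts a comment. Missing file -> no entries."""
    try:
        text = Path(preload_path).read_text(errors="replace")
    except OSError:
        return []
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [p for p in re.split(r"[\s:]+", no_comments) if p]


def scan_preload(preload_path="/etc/ld.so.preload") -> dict[str, list[str]]:
    """Run the bdvl check over every library listed in ld.so.preload."""
    results = {}
    for lib in preload_entries(preload_path):
        try:
            hits = match_bdvl(Path(lib).read_bytes())
        except OSError:  # unreadable or dangling entry: skip, keep scanning
            continue
        if hits:
            results[lib] = hits
    return results
```

Call `scan_preload()` with no argument on a live host; an empty result means nothing in `/etc/ld.so.preload` matched the rule, not that the file is absent (check `preload_entries()` for that).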
