I wrote this rule to detect and match Pushdo samples. I ran this against few binaries of the same family and they all returned the same FTPs.
And that’s a lot of FTPs. Interesting.
rule detects_pushdo
{
meta:
author = "Denice"
description = "Checks and detects if the strings match this Pushdo sample"
hash = "891823DE9B05E17DEF459E04FB574F94"
strings:
$str1 = "http://cgi-bim.ru/panel/gate.php"
$str2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
$str3 = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
$str4 = "Software\\Far\\Plugins\\FTP\\Hosts"
$str5 = "Software\\Far2\\Plugins\\FTP\\Hosts"
$str6 = "Software\\Far Manager\\Plugins\\FTP\\Hosts"
$str7 = "Software\\Far\\SavedDialogHistory\\FTPHost"
$str8 = "Software\\Far2\\SavedDialogHistory\\FTPHost"
$str9 = "Software\\Far Manager\\SavedDialogHistory\\FTPHost"
$str10 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"
$str11 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
$ftp1 = "CuteFTP"
$ftp2 = "FTPVoyager.ftp"
$ftp3 = "Leechftp"
$ftp4 = "DeluxeFTP"
$ftp5 = "TurboFTP"
$ftp6 = "novaftp"
$ftp7 = "bitkinex"
condition:
uint16be(0) == 0x4D5A and
4 of ($str*) and
3 of ($ftp*)
}
