Corrected Yara rule for the Wiper malware

Ars Technica has recently published an article about the “wiper” malware. In that article they published a Yara  rule provided by FBI. However, the rule does not work due to a syntax error. Following rule corrects the syntax error and can be used with Yara 3.2.0.
Happy hunting!

rule unknown_wiper_error_strings
{    
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"

    strings:
        $IP1 = "203.131.222.102" fullword nocase
        $IP2 = "217.96.33.164" fullword nocase
        $IP3 = "88.53.215.64" fullword nocase
        $MZ = "MZ"

    condition:
        $MZ at 0 and all of them

}

Leave a Reply

Your email address will not be published. Required fields are marked *