Ars Technica recently published an article about the “wiper” malware. In that article they reproduced a Yara rule provided by the FBI. However, that rule does not work as published because of a syntax error. The following rule corrects the syntax error and can be used with Yara 3.2.0.
Happy hunting!
```yara
rule unknown_wiper_error_strings
{
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"
    strings:
        $IP1 = "203.131.222.102" fullword nocase
        $IP2 = "217.96.33.164" fullword nocase
        $IP3 = "88.53.215.64" fullword nocase
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}
```
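As an added example (not part of the article or the FBI rule), the Python below re-implements this rule's matching semantics without the yara library, so you can see what `fullword nocase` and `$MZ at 0` actually require; it assumes Yara's definition of `fullword` (the string is not adjacent to an alphanumeric character) and runs on constructed byte buffers, not real samples.

```python
import re

# The three address strings from the corrected rule above. Each is matched
# "fullword nocase": case-insensitive, and not immediately preceded or
# followed by an alphanumeric character (Yara's fullword definition).
IP_STRINGS = ["203.131.222.102", "217.96.33.164", "88.53.215.64"]


def fullword_nocase_present(data: bytes, needle: str) -> bool:
    """Emulate a Yara `fullword nocase` string match on a byte buffer."""
    pattern = (rb"(?<![A-Za-z0-9])" + re.escape(needle.encode("ascii"))
               + rb"(?![A-Za-z0-9])")
    return re.search(pattern, data, re.IGNORECASE) is not None


def matches_wiper_rule(data: bytes) -> bool:
    """Emulate the condition `$MZ at 0 and all of them`.

    `all of them` includes $MZ itself, which is satisfied by the `at 0`
    check, so the remaining requirement is that every IP string matches.
    """
    if not data.startswith(b"MZ"):
        return False
    return all(fullword_nocase_present(data, s) for s in IP_STRINGS)


# Constructed buffers (not real malware): an MZ-prefixed blob carrying all
# three addresses, the same blob without the MZ header, and a variant where
# one address is embedded inside a longer digit run and so fails `fullword`.
SAMPLE_MATCH = (b"MZ\x90\x00" + b"\x00" * 16
                + b"203.131.222.102\x00217.96.33.164\x00 88.53.215.64\r\n")
SAMPLE_NO_MZ = b"PK\x03\x04" + SAMPLE_MATCH[4:]
SAMPLE_PARTIAL_IP = SAMPLE_MATCH.replace(b"217.96.33.164\x00",
                                         b"217.96.33.1640\x00")

if __name__ == "__main__":
    for name, buf in [("match", SAMPLE_MATCH), ("no_mz", SAMPLE_NO_MZ),
                      ("partial_ip", SAMPLE_PARTIAL_IP)]:
        print(f"{name}: {matches_wiper_rule(buf)}")
```

The `partial_ip` case is the reason `fullword` matters here: without it, any longer digit string containing one of the addresses would satisfy that term.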