Funny Stuff #1



JayL1212
2010-01-03, 00:51
I've collected detection rules for the following funny stuff:


Malware.Fraud.MalwareDefense
Trojan.Dwarf
Trojan.Virtumode
Trojan.Dropper/Win-NV

Yodama
2010-01-05, 07:23
Hello,

your rules look good for starters but I have some remarks:

AutoRun: The AutoRun command is a combined command that will detect the registry entry for the autorun and the first file, with its full path, that is called during the autorun.
For instance:



AutoRun:"settdebugx.exe","<$LOCALSETTINGS>\Temp\settdebugx.exe","flagifnofile=1"

will also cover the following 2 rules:



RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","settdebugx.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\settdebugx.exe"

The editor puts them out by default since they can be useful. For instance, if a dll file is called via autorun, it is not called directly but with rundll32.exe, and if rundll32.exe were given the full path, rundll32.exe would be targeted by the AutoRun command, while the RegyValue command and File command would leave rundll32.exe out.

File: The File command is usually good for targeting a file; however, advanced file parameters should be used whenever possible. If the file path and file name are unique, advanced file parameters might not be necessary, but in a case such as:


File:"<$FILE_EXE>","<$SYSDIR>\install\server.exe"

This could cause false positives in the future. At first glance this rule does not look like it would provoke a false positive right away, but unfortunately software vendors tend to name their files and put them in various locations while disregarding many conventions.
In this case the AutoRun command should suffice, since it has one additional parameter which is very unlikely to be used by a legit software vendor.



AutoRun:"HKCU","<$SYSDIR>\install\server.exe","flagifnofile=1"


I hope this helps you with creating future rules :rockon:
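An added example, not from the thread or from Spybot's own tooling: a small parser for rule lines of the form shown above that expands an AutoRun rule into the RegyValue/File pair it covers, so a rule set can be checked for that redundancy. It assumes the autorun location is the HKCU Run key shown in the thread, that hive names are written unquoted as in the RegyValue line, and that quoted arguments contain no escaped quotes.

```python
import re
from typing import List, Tuple

# Rule lines copied from the thread (used as sample input).
AUTORUN_RULE = 'AutoRun:"settdebugx.exe","<$LOCALSETTINGS>\\Temp\\settdebugx.exe","flagifnofile=1"'
REGY_RULE = ('RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,'
             '"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\","settdebugx.exe"')
FILE_RULE = 'File:"<$FILE_EXE>","<$LOCALSETTINGS>\\Temp\\settdebugx.exe"'

# Either a double-quoted argument (group 1) or a bare one such as a hive name (group 2).
_ARG_RE = re.compile(r'"([^"]*)"|([^,"]+)')


def parse_rule(line: str) -> Tuple[str, List[str]]:
    """Split 'Command:"a",b,"c"' into ('Command', ['a', 'b', 'c']).
    Only the first ':' separates the command, so paths with drive letters are safe."""
    command, sep, rest = line.partition(':')
    if not sep or not command.strip():
        raise ValueError(f"not a rule line: {line!r}")
    args = [m.group(1) if m.group(1) is not None else m.group(2).strip()
            for m in _ARG_RE.finditer(rest)]
    return command.strip(), args


def format_rule(command: str, args: List[str]) -> str:
    """Rebuild a rule line; hive names stay unquoted (assumption based on the thread)."""
    return command + ':' + ','.join(a if a.startswith('HKEY_') else f'"{a}"' for a in args)


def expand_autorun(line: str, hive: str = 'HKEY_CURRENT_USER',
                   run_key: str = '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\') -> List[str]:
    """Return the RegyValue and File rules that this AutoRun rule already covers.
    The flag argument (e.g. flagifnofile=1) has no counterpart in the two-rule form."""
    command, args = parse_rule(line)
    if command != 'AutoRun' or len(args) < 2:
        raise ValueError(f"not an AutoRun rule with value name and path: {line!r}")
    value_name, full_path = args[0], args[1]
    return [format_rule('RegyValue', ['<$REG_AUTORUN>', hive, run_key, value_name]),
            format_rule('File', ['<$FILE_EXE>', full_path])]


def redundant_rules(rules: List[str]) -> List[str]:
    """Lines in a rule set that an AutoRun line in the same set already covers."""
    covered = set()
    for rule in rules:
        if parse_rule(rule)[0] == 'AutoRun':
            covered.update(expand_autorun(rule))
    return [rule for rule in rules if rule in covered]
```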