The rule detects potential ELF.DDosTf infection by identifying suspicious file artifacts and process behavior indicative of a known malware family. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement or data exfiltration occurs.
YARA Rule
rule DDosTf
{
    meta:
        author = "benkow_ - MalwareMustDie"
        reference = "http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html"
        description = "Rule to detect ELF.DDosTf infection"
    strings:
        $st0 = "ddos.tf"
        /* UTF-8 bytes for the Chinese error string 设置TCP_KEEPINTVL错误： ("set TCP_KEEPINTVL error:"), NUL-terminated */
        $st1 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 49 4E 54 56 4C E9 94 99 E8 AF AF EF BC 9A 00}
        /* UTF-8 bytes for 设置TCP_KEEPCNT错误： ("set TCP_KEEPCNT error:"), NUL-terminated */
        $st2 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 43 4E 54 E9 94 99 E8 AF AF EF BC 9A 00}
        $st3 = "Accept-Language: zh"
        $st4 = "%d Kb/bps|%d%%"
    condition:
        all of them
}
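The following added example (not part of the original page or of the MalwareMustDie rule) re-implements the rule's matching logic in Python so the five indicators and the "all of them" condition can be exercised against constructed buffers. It decodes the two hex patterns to show what text they actually carry, and demonstrates that a buffer containing only some of the strings does not fire the rule. The sample buffers are constructed for illustration and are not real malware.

```python
# Re-implementation of the DDosTf YARA rule's string logic (added example).
# The byte patterns below are copied from the rule; everything else is illustrative.

RULE_STRINGS = {
    "$st0": b"ddos.tf",
    # hex pattern from the rule: UTF-8 text followed by a NUL terminator
    "$st1": bytes.fromhex("E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00"),
    "$st2": bytes.fromhex("E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00"),
    "$st3": b"Accept-Language: zh",
    "$st4": b"%d Kb/bps|%d%%",
}


def decode_hex_string(pattern: bytes) -> str:
    """Show the human-readable text inside a hex pattern (drops the trailing NUL)."""
    return pattern.rstrip(b"\x00").decode("utf-8")


def match_strings(data: bytes) -> dict:
    """Return the offset of each rule string in `data`, or -1 when absent."""
    return {name: data.find(needle) for name, needle in RULE_STRINGS.items()}


def rule_ddostf(data: bytes) -> bool:
    """Equivalent of the YARA condition `all of them`: every string must be present."""
    return all(offset >= 0 for offset in match_strings(data).values())


def matched_names(data: bytes) -> list:
    """Names of the strings that did match, useful when triaging partial hits."""
    return [name for name, offset in match_strings(data).items() if offset >= 0]


# Constructed sample: a fake ELF-like blob carrying all five indicators.
SAMPLE_INFECTED = (
    b"\x7fELF" + b"\x00" * 12
    + b"connect to ddos.tf\x00"
    + RULE_STRINGS["$st1"]
    + RULE_STRINGS["$st2"]
    + b"Accept-Language: zh\x00"
    + b"%d Kb/bps|%d%%\x00"
)

# Constructed sample: a benign-looking blob that only shares two of the strings,
# e.g. an HTTP client with a Chinese locale. `all of them` keeps this from firing.
SAMPLE_PARTIAL = b"\x7fELF" + b"\x00" * 12 + b"Accept-Language: zh\x00" + b"%d Kb/bps|%d%%\x00"


if __name__ == "__main__":
    print("$st1 decodes to:", decode_hex_string(RULE_STRINGS["$st1"]))
    print("$st2 decodes to:", decode_hex_string(RULE_STRINGS["$st2"]))
    for label, blob in (("infected", SAMPLE_INFECTED), ("partial", SAMPLE_PARTIAL)):
        print(label, "->", rule_ddostf(blob), matched_names(blob))
```

The decoded strings are the malware's own Chinese-language error messages for failed socket option calls, which is why they are good indicators: a generic HTTP client would not carry them, while `Accept-Language: zh` and the format string alone are common enough that the rule requires all five.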
This rule contains 5 string patterns in its detection logic. The scenarios below describe benign activity that can resemble the process behavior this detection looks for, together with suggested filters and exclusions for tuning it.
Scenario: System update or package installation using apt or yum
  Filter/Exclusion: Check whether the parent process (ppid) is init (PID 1) or a system update tool such as apt (PID 1234) or yum (PID 1235)
  Example Filter: process.parent_process == "apt" or process.parent_process == "yum"

Scenario: Scheduled job running a legitimate script using cron or systemd
  Filter/Exclusion: Filter by process name matching known cron or systemd processes (cron, systemd, crond), or check for script paths in known system directories such as /etc/cron.d/ or /usr/lib/systemd/
  Example Filter: process.name == "cron" or process.name == "systemd"

Scenario: Admin task using rsync or scp for data transfer
  Filter/Exclusion: Check for process arguments containing known transfer tools such as rsync or scp, and verify that the destination is a legitimate server or an internal network IP
  Example Filter: process.args contains "rsync" or process.args contains "scp"

Scenario: Security tool or EDR agent performing a scan or integrity check
  Filter/Exclusion: Check for process names such as clamscan, clamav, bitdefender, or mcafee and verify that the process belongs to a known security tool
  Example Filter: process.name == "clamscan" or process.name == "bitdefender"

Scenario: Legitimate container orchestration task using docker or k8s
  Filter/Exclusion: Filter by process names like docker, kubelet, or `kubeadm
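As an added example (not part of the original page), the exclusion filters above can be expressed as a small allowlist evaluated over process events before an alert is raised. The event fields (`name`, `parent_process`, `args`) mirror the field names used in the example filters; the events are constructed for illustration. One design choice worth making explicit: the exclusions only suppress the behavioral part of the detection, so an event that also carries a positive file-artifact match (for example a YARA hit on the binary) still alerts even when its parent is cron or apt.

```python
# Exclusion filters for the DDosTf behavioral detection (added example).
# Field names follow the page's example filters; events and thresholds are constructed.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    name: str              # process.name
    parent_process: str    # process.parent_process
    args: str              # process.args
    artifact_match: bool   # True when the file-artifact (YARA) check matched the binary


# Each exclusion maps to one "Example Filter" line on the page.
def package_manager_child(ev: ProcessEvent) -> bool:
    return ev.parent_process in ("apt", "yum")


def scheduler_process(ev: ProcessEvent) -> bool:
    return ev.name in ("cron", "crond", "systemd")


def transfer_tool(ev: ProcessEvent) -> bool:
    return "rsync" in ev.args or "scp" in ev.args


def security_tool(ev: ProcessEvent) -> bool:
    return ev.name in ("clamscan", "clamav", "bitdefender", "mcafee")


def container_runtime(ev: ProcessEvent) -> bool:
    return ev.name in ("docker", "kubelet", "kubeadm")


EXCLUSIONS = [
    ("package-manager", package_manager_child),
    ("scheduler", scheduler_process),
    ("transfer-tool", transfer_tool),
    ("security-tool", security_tool),
    ("container-runtime", container_runtime),
]


def matching_exclusion(ev: ProcessEvent):
    """Name of the first exclusion that applies to the event, or None."""
    for label, predicate in EXCLUSIONS:
        if predicate(ev):
            return label
    return None


def should_alert(ev: ProcessEvent) -> bool:
    """Alert unless a benign-scenario exclusion applies.

    A positive artifact match is never suppressed: the exclusions describe
    benign process lineage, not proof that the executed binary is clean.
    """
    if ev.artifact_match:
        return True
    return matching_exclusion(ev) is None


# Constructed sample events.
EVENTS = {
    "apt-child":        ProcessEvent("dpkg", "apt", "dpkg -i pkg.deb", False),
    "cron-job":         ProcessEvent("cron", "init", "/etc/cron.d/backup.sh", False),
    "admin-rsync":      ProcessEvent("bash", "sshd", "rsync -a /srv/ 10.0.0.5:/srv/", False),
    "av-scan":          ProcessEvent("clamscan", "systemd", "clamscan -r /home", False),
    "k8s":              ProcessEvent("kubelet", "systemd", "kubelet --config=/var/lib/kubelet", False),
    "unknown-process":  ProcessEvent("xmr", "bash", "./xmr", False),
    "cron-with-artifact": ProcessEvent("cron", "init", "/tmp/.x", True),
}


if __name__ == "__main__":
    for label, ev in EVENTS.items():
        print(f"{label:20} alert={should_alert(ev)} excluded_by={matching_exclusion(ev)}")
```

Running the block shows the five benign scenarios suppressed, the unrecognized process alerting, and the cron-launched binary alerting anyway because the artifact check matched.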