The hypothesis is that a match identifies the initial deployment of the first version of the "drive" DDoS malware (the rule below is named DirtJumper_drive, and its description reads "Identify first version of drive DDoS malware"), which could indicate the start of a coordinated attack using compromised systems. SOC teams should proactively hunt for this behaviour so that early-stage infections are detected and contained before they escalate into large-scale DDoS operations.
YARA Rule
rule DirtJumper_drive
{
    meta:
        author = "Jason Jones <[email protected]>"
        date = "2013-08-26"
        description = "Identify first version of drive DDoS malware"
        source = "https://github.com/arbor/yara/blob/master/drive.yara"

    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-ip" fullword
        $cmd3 = "-ip2" fullword
        $cmd4 = "-post1" fullword
        $cmd5 = "-post2" fullword
        $cmd6 = "-udp" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "-timeout" fullword
        $str3 = "-thread" fullword
        $str4 = " Local; ru) Presto/2.10.289 Version/"
        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
        $newver1 = "-icmp"
        $newver2 = "<xmp>"

    condition:
        4 of ($cmd*) and all of ($str*) and not any of ($newver*)
}
This rule contains 13 string patterns in its detection logic.
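To show how the condition above behaves at the two boundaries that matter in practice (the fullword modifier on the $cmd strings and the $newver exclusion that drops newer variants), here is an added Python re-implementation of this rule's string matching and condition. It is not part of the original rule or the arbor/yara repository, and the three sample buffers are constructed, not real binaries.

```python
import re

# String definitions copied from the DirtJumper_drive rule above.
CMD = {
    "$cmd1": b"-get", "$cmd2": b"-ip", "$cmd3": b"-ip2",
    "$cmd4": b"-post1", "$cmd5": b"-post2", "$cmd6": b"-udp",
}
STR = {
    "$str1": b"login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]"
             b"&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]",
    "$str2": b"-timeout", "$str3": b"-thread",
    "$str4": b" Local; ru) Presto/2.10.289 Version/",
    "$str5": b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT",
}
NEWVER = {"$newver1": b"-icmp", "$newver2": b"<xmp>"}
FULLWORD = set(CMD) | {"$str2", "$str3"}   # strings carrying the fullword modifier

def matches(name, pattern, data):
    """True if pattern occurs in data; for fullword strings the occurrence
    must not be bordered by an alphanumeric byte, as YARA requires."""
    for m in re.finditer(re.escape(pattern), data):
        if name not in FULLWORD:
            return True
        before = data[m.start() - 1:m.start()]   # b"" at start of buffer
        after = data[m.end():m.end() + 1]        # b"" at end of buffer
        if not before.isalnum() and not after.isalnum():
            return True
    return False

def matched_strings(data):
    """Set of rule string identifiers that match somewhere in data."""
    return {n for n, p in {**CMD, **STR, **NEWVER}.items() if matches(n, p, data)}

def evaluate(data):
    """The rule's condition: 4 of ($cmd*) and all of ($str*) and not any of ($newver*)."""
    hits = matched_strings(data)
    return len(hits & set(CMD)) >= 4 and set(STR) <= hits and not hits & set(NEWVER)

# Constructed samples (not real binaries): NUL-separated string tables.
OLD_SAMPLE = b"\x00".join([b"-get", b"-ip", b"-ip2", b"-post1", b"-timeout", b"-thread",
                           STR["$str1"], STR["$str4"], STR["$str5"]])
# Same strings plus "-icmp": the $newver guard suppresses the match (newer variant).
NEW_SAMPLE = OLD_SAMPLE + b"\x00-icmp"
# "-get" and "-ip" glued to alphanumerics fail fullword, leaving only 2 $cmd hits.
GLUED_SAMPLE = OLD_SAMPLE.replace(b"-get\x00", b"-getdata\x00").replace(b"\x00-ip\x00", b"\x00-ipx\x00")

if __name__ == "__main__":
    for label, buf in [("old", OLD_SAMPLE), ("new", NEW_SAMPLE), ("glued", GLUED_SAMPLE)]:
        print(label, evaluate(buf), sorted(matched_strings(buf)))
```

Only the first buffer fires; the second is dropped by the $newver exclusion and the third falls short of "4 of ($cmd*)" because "-ip2" does not satisfy the fullword "-ip".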
Scenario: A system administrator is performing a scheduled disk cleanup using cleanmgr.exe or dism.exe to free up space on the drive.
Filter/Exclusion: Check for process.name containing cleanmgr.exe or dism.exe and exclude these processes from the alert.
Scenario: A backup job is running using wbadmin.exe to back up the system drive, which temporarily increases disk I/O.
Filter/Exclusion: Include process.name matching wbadmin.exe or check for process.command_line containing backup-related flags.
Scenario: An IT admin is using diskpart.exe to manage disk partitions or perform disk maintenance tasks.
Filter/Exclusion: Filter out processes with process.name equal to diskpart.exe or check for known admin user accounts (e.g., Administrator, SysAdmin).
Scenario: A legitimate PowerShell script is running to monitor disk usage or perform disk defragmentation, using defrag.exe or Get-PSDrive.
Filter/Exclusion: Check for process.name containing powershell.exe and filter out known admin scripts or processes with process.command_line containing defrag.exe.
Scenario: A system update or patching task is executed via wuauclt.exe or msiexec.exe, which may cause temporary spikes in disk activity.
Filter/Exclusion: Exclude processes with process.name matching wuauclt.exe or msiexec.exe, or check for a process.parent.name associated with system update services.