Compromised websites may be used to host and spread versions of Drive DDoS malware, leveraging their traffic to launch distributed denial-of-service attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential large-scale network attacks before they cause significant disruption.
YARA Rule
rule DirtJumper_drive3
{
    meta:
        author = "Jason Jones <[email protected]>"
        date = "2014-03-17"
        description = "Identify version of Drive DDoS malware using compromised sites"
        source = "https://github.com/arbor/yara/blob/master/drive3.yara"
    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-ip" fullword
        $cmd3 = "-ip2" fullword
        $cmd4 = "-post1" fullword
        $cmd5 = "-post2" fullword
        $cmd6 = "-udp" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "-timeout" fullword
        $str3 = "-thread" fullword
        $str4 = " Local; ru) Presto/2.10.289 Version/"
        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
        $newver1 = "-icmp"
        $newver2 = "-byte"
        $newver3 = "-long"
        $drive3 = "99=1"
    condition:
        4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
}
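To see how the condition above evaluates, the following is an added Python re-implementation of the rule's string matching and condition (example code, not the rule author's and not a replacement for the yara engine). The byte buffers it scans are constructed here to mimic NUL-separated strings in a binary's data section; they are not real samples.

```python
import re

# $-string definitions copied from the DirtJumper_drive3 rule above.
# True marks the 'fullword' modifier.
LOGIN_FMT = ("login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]"
             "&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]")
CMD = {"-get": True, "-ip": True, "-ip2": True,
       "-post1": True, "-post2": True, "-udp": True}
STR = {LOGIN_FMT: False, "-timeout": True, "-thread": True,
       " Local; ru) Presto/2.10.289 Version/": False,
       "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT": False}
NEWVER = {"-icmp": False, "-byte": False, "-long": False}
DRIVE3 = {"99=1": False}


def matches(data: bytes, s: str, fullword: bool) -> bool:
    """Emulate one YARA text string: plain substring search, or, with
    'fullword', a hit that is not adjacent to an alphanumeric byte on
    either side (so "-ip" does not fire inside "-ip2")."""
    pat = re.escape(s.encode())
    if fullword:
        pat = rb"(?<![0-9A-Za-z])" + pat + rb"(?![0-9A-Za-z])"
    return re.search(pat, data) is not None


def hits(data: bytes, group: dict) -> int:
    """Number of strings in a $-group that match the buffer."""
    return sum(matches(data, s, fw) for s, fw in group.items())


def drive3_condition(data: bytes) -> bool:
    """4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3"""
    return (hits(data, CMD) >= 4
            and hits(data, STR) == len(STR)
            and hits(data, NEWVER) == len(NEWVER)
            and hits(data, DRIVE3) == 1)


# Constructed buffers (not real malware). COMMON satisfies every $str and $newver string.
COMMON = (b"\x00-timeout\x00-thread\x00-icmp\x00-byte\x00-long\x00" + LOGIN_FMT.encode()
          + b"\x00Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Local; ru) "
          + b"Presto/2.10.289 Version/11.10\x00")
SAMPLE_DRIVE3 = COMMON + b"-get\x00-ip\x00-post1\x00-udp\x00" + b"99=1\x00"   # matches
SAMPLE_OLDER = COMMON + b"-get\x00-ip\x00-post1\x00-udp\x00"                  # no "99=1" marker
SAMPLE_3CMDS = COMMON + b"-get\x00-ip2\x00-post1\x00" + b"99=1\x00"           # "-ip" only inside "-ip2"

if __name__ == "__main__":
    for name, buf in [("drive3", SAMPLE_DRIVE3), ("older", SAMPLE_OLDER), ("3cmds", SAMPLE_3CMDS)]:
        print(name, drive3_condition(buf))
```

The third buffer shows why the fullword modifier matters: it carries "-ip2" but not a standalone "-ip", so only three $cmd strings hit and the rule stays silent.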
This YARA rule can be deployed in the following contexts:
This rule contains 15 string patterns in its detection logic.
Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication and the backup process is accessing external URLs to download configuration files.
Filter/Exclusion: Exclude traffic initiated by the Veeam Backup Service or processes with the Veeam executable path.
Scenario: A developer is using Git to pull updates from a remote repository, and the pull command includes a URL that matches a known compromised site.
Filter/Exclusion: Exclude Git operations initiated by the git executable or processes associated with GitHub Actions or GitLab CI/CD.
Scenario: A database administrator is using SQL Server Agent to run a maintenance job that connects to an external monitoring service, which is flagged as a compromised site.
Filter/Exclusion: Exclude connections made by the SQL Server Agent service or processes with the sqlservr.exe executable.
Scenario: A system is running a Windows Task Scheduler job that periodically fetches updates from a legitimate update server, which is mistakenly flagged as a compromised site.
Filter/Exclusion: Exclude tasks scheduled by the Task Scheduler or processes with the schtasks.exe executable.
Scenario: A security analyst is using Wireshark to capture and analyze network traffic, and the capture includes traffic to a compromised site for analysis purposes.
Filter/Exclusion: Exclude traffic initiated by Wireshark or processes with the wireshark.exe executable.