16,432 Free Yara rules created by
Latest commit 649ac61 Oct 3, 2018
h26d4 minor additions of clusters with well detected samples. All of these Oct 2, 2018
h3ed added 1800 hex based signatures Nov 20, 2017
i2319 another thousand baseline cluster signatures Oct 3, 2018
i2320 another thousand baseline cluster signatures Oct 3, 2018
i2321 another 4000 signatures Nov 25, 2017
i2329 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
i232c minor additions of clusters with well detected samples. All of these Oct 2, 2018
i233f 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
i26bb another thousand baseline cluster signatures Oct 3, 2018
i26c0 baseline signatures Oct 2, 2018
i26e2 another thousand baseline cluster signatures Oct 3, 2018
i3e9 another 4000 signatures Nov 25, 2017
i3ec another 4000 signatures Nov 25, 2017
i3ed another 4000 signatures Nov 25, 2017
i3f4 may the gods be merciful Nov 24, 2017
i3f7 another 4000 signatures Nov 25, 2017
i403 added 1800 hex based signatures Nov 20, 2017
i445 another 4000 signatures Nov 25, 2017
j2318 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
j2319 another thousand baseline cluster signatures Oct 3, 2018
j231b baseline signatures Oct 2, 2018
j2320 baseline signatures Oct 2, 2018
j2321 another 4000 signatures Nov 25, 2017
j2322 may the gods be merciful Nov 24, 2017
j2328 another thousand baseline cluster signatures Oct 3, 2018
j233f 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
j2341 added 1800 hex based signatures Nov 20, 2017
j2377 another 4000 signatures Nov 25, 2017
j26bb another thousand baseline cluster signatures Oct 3, 2018
j26bf another thousand baseline cluster signatures Oct 3, 2018
j26c0 baseline signatures Oct 2, 2018
j26c1 another thousand baseline cluster signatures Oct 3, 2018
j26c9 baseline signatures Oct 2, 2018
j26d4 baseline signatures Oct 2, 2018
j26df another thousand baseline cluster signatures Oct 3, 2018
j26f3 baseline signatures Oct 2, 2018
j2706 another thousand baseline cluster signatures Oct 3, 2018
j3e7 another 4000 signatures Nov 25, 2017
j3e9 another 4000 signatures Nov 25, 2017
j3eb another 4000 signatures Nov 25, 2017
j3ec another 4000 signatures Nov 25, 2017
j3ed may the gods be merciful Nov 24, 2017
j3ef may the gods be merciful Nov 24, 2017
j3f0 another 4000 signatures Nov 25, 2017
j3f4 another 4000 signatures Nov 25, 2017
j3f6 may the gods be merciful Nov 24, 2017
j3f7 another 4000 signatures Nov 25, 2017
j3f8 baseline signatures Oct 2, 2018
j3f9 another 4000 signatures Nov 25, 2017
j3fd another 4000 signatures Nov 25, 2017
j4b1 may the gods be merciful Nov 24, 2017
k2318 another thousand baseline cluster signatures Oct 3, 2018
k2319 another thousand baseline cluster signatures Oct 3, 2018
k231b another thousand baseline cluster signatures Oct 3, 2018
k231f may the gods be merciful Nov 24, 2017
k2321 added just one more Nov 26, 2017
k2322 may the gods be merciful Nov 24, 2017
k2328 another thousand baseline cluster signatures Oct 3, 2018
k232f another thousand baseline cluster signatures Oct 3, 2018
k234c may the gods be merciful Nov 24, 2017
k2377 another 4000 signatures Nov 25, 2017
k24c1 another 4000 signatures Nov 25, 2017
k26bb another thousand baseline cluster signatures Oct 3, 2018
k26bf baseline signatures Oct 2, 2018
k26c0 baseline signatures Oct 2, 2018
k26c3 baseline signatures Oct 2, 2018
k26c9 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
k26d4 another thousand baseline cluster signatures Oct 3, 2018
k26d7 another thousand baseline cluster signatures Oct 3, 2018
k26dd another thousand baseline cluster signatures Oct 3, 2018
k26df another thousand baseline cluster signatures Oct 3, 2018
k26ef 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
k2726 another thousand baseline cluster signatures Oct 3, 2018
k3e7 another 4000 signatures Nov 25, 2017
k3e9 another 4000 signatures Nov 25, 2017
k3ec another 4000 signatures Nov 25, 2017
k3ed another 4000 signatures Nov 25, 2017
k3ee added 1500 new signatures, including hex sigs Nov 12, 2017
k3ef another 4000 signatures Nov 25, 2017
k3f0 may the gods be merciful Nov 24, 2017
k3f1 another 4000 signatures Nov 25, 2017
k3f4 another 4000 signatures Nov 25, 2017
k3f6 added 1800 hex based signatures Nov 20, 2017
k3f7 another 4000 signatures Nov 25, 2017
k3f8 baseline signatures Oct 2, 2018
k3f9 another 4000 signatures Nov 25, 2017
k3fe may the gods be merciful Nov 24, 2017
k400 another 4000 signatures Nov 25, 2017
k403 another 4000 signatures Nov 25, 2017
k407 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
k41a another 4000 signatures Nov 25, 2017
k44a another 4000 signatures Nov 25, 2017
k932 another thousand baseline cluster signatures Oct 3, 2018
kfc8 baseline signatures Oct 2, 2018
m2318 another 4000 signatures Nov 25, 2017
m2319 another thousand baseline cluster signatures Oct 3, 2018
m231b another thousand baseline cluster signatures Oct 3, 2018
m231d baseline signatures Oct 2, 2018
m231f another 4000 signatures Nov 25, 2017
m2320 another thousand baseline cluster signatures Oct 3, 2018
m2321 another 4000 signatures Nov 25, 2017
m2322 another 4000 signatures Nov 25, 2017
m2377 another 4000 signatures Nov 25, 2017
m24c1 may the gods be merciful Nov 24, 2017
m24c4 another 4000 signatures Nov 25, 2017
m26bb another thousand baseline cluster signatures Oct 3, 2018
m26bf baseline signatures Oct 2, 2018
m26c0 another thousand baseline cluster signatures Oct 3, 2018
m26c1 another thousand baseline cluster signatures Oct 3, 2018
m26c9 baseline signatures Oct 2, 2018
m26cd baseline signatures Oct 2, 2018
m26d4 another thousand baseline cluster signatures Oct 3, 2018
m26d7 another thousand baseline cluster signatures Oct 3, 2018
m26df minor additions of clusters with well detected samples. All of these Oct 2, 2018
m26e5 baseline signatures Oct 2, 2018
m26ef 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
m2726 baseline signatures Oct 2, 2018
m3e7 minor additions of clusters with well detected samples. All of these Oct 2, 2018
m3e9 another 4000 signatures Nov 25, 2017
m3ea another 4000 signatures Nov 25, 2017
m3eb added 1800 hex based signatures Nov 20, 2017
m3ec another 4000 signatures Nov 25, 2017
m3ed another 4000 signatures Nov 25, 2017
m3ee another 4000 signatures Nov 25, 2017
m3ef added 1500 new signatures, including hex sigs Nov 12, 2017
m3f0 another 4000 signatures Nov 25, 2017
m3f1 another 4000 signatures Nov 25, 2017
m3f2 added 1500 new signatures, including hex sigs Nov 12, 2017
m3f4 another 4000 signatures Nov 25, 2017
m3f7 another 4000 signatures Nov 25, 2017
m3f8 another thousand baseline cluster signatures Oct 3, 2018
m3f9 another 4000 signatures Nov 25, 2017
m3fa added 503 additional signatures Aug 25, 2017
m3fe Added another 1200 signatures Oct 17, 2017
m400 added 1500 new signatures, including hex sigs Nov 12, 2017
m41a baseline signatures Oct 2, 2018
m923 another 4000 signatures Nov 25, 2017
m926 minor additions of clusters with well detected samples. All of these Oct 2, 2018
mfc8 another thousand baseline cluster signatures Oct 3, 2018
n2319 another thousand baseline cluster signatures Oct 3, 2018
n231a minor additions of clusters with well detected samples. All of these Oct 2, 2018
n231b another thousand baseline cluster signatures Oct 3, 2018
n231d another thousand baseline cluster signatures Oct 3, 2018
n231e 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
n2321 may the gods be merciful Nov 24, 2017
n2326 baseline signatures Oct 2, 2018
n26bb another thousand baseline cluster signatures Oct 3, 2018
n26bf another thousand baseline cluster signatures Oct 3, 2018
n26c0 another thousand baseline cluster signatures Oct 3, 2018
n26c1 baseline signatures Oct 2, 2018
n26c9 another thousand baseline cluster signatures Oct 3, 2018
n26cb another thousand baseline cluster signatures Oct 3, 2018
n26d4 another thousand baseline cluster signatures Oct 3, 2018
n26d5 another thousand baseline cluster signatures Oct 3, 2018
n26d7 another thousand baseline cluster signatures Oct 3, 2018
n26df minor additions of clusters with well detected samples. All of these Oct 2, 2018
n26e5 another thousand baseline cluster signatures Oct 3, 2018
n26ef another thousand baseline cluster signatures Oct 3, 2018
n2706 another thousand baseline cluster signatures Oct 3, 2018
n2726 another thousand baseline cluster signatures Oct 3, 2018
n2800 baseline signatures Oct 2, 2018
n3e7 another 4000 signatures Nov 25, 2017
n3e9 another 4000 signatures Nov 25, 2017
n3ea another 4000 signatures Nov 25, 2017
n3eb Added another 1200 signatures Oct 17, 2017
n3ec may the gods be merciful Nov 24, 2017
n3ed another 4000 signatures Nov 25, 2017
n3ee may the gods be merciful Nov 24, 2017
n3ef another 4000 signatures Nov 25, 2017
n3f0 another 4000 signatures Nov 25, 2017
n3f1 another 4000 signatures Nov 25, 2017
n3f4 another 4000 signatures Nov 25, 2017
n3f6 may the gods be merciful Nov 24, 2017
n3f7 another 4000 signatures Nov 25, 2017
n3f8 another thousand baseline cluster signatures Oct 3, 2018
n3f9 may the gods be merciful Nov 24, 2017
n3fa may the gods be merciful Nov 24, 2017
n3fd another 4000 signatures Nov 25, 2017
n3fe added 503 additional signatures Aug 25, 2017
n403 Added another 1200 signatures Oct 17, 2017
n414 baseline signatures Oct 2, 2018
n94d another thousand baseline cluster signatures Oct 3, 2018
nfc8 another thousand baseline cluster signatures Oct 3, 2018
o2319 another thousand baseline cluster signatures Oct 3, 2018
o231b baseline signatures Oct 2, 2018
o231d another thousand baseline cluster signatures Oct 3, 2018
o2321 may the gods be merciful Nov 24, 2017
o26bb another thousand baseline cluster signatures Oct 3, 2018
o26bf another thousand baseline cluster signatures Oct 3, 2018
o26c0 another thousand baseline cluster signatures Oct 3, 2018
o26c9 baseline signatures Oct 2, 2018
o26d4 another thousand baseline cluster signatures Oct 3, 2018
o26d5 another thousand baseline cluster signatures Oct 3, 2018
o26d7 another thousand baseline cluster signatures Oct 3, 2018
o26ef another thousand baseline cluster signatures Oct 3, 2018
o2706 another thousand baseline cluster signatures Oct 3, 2018
o3e7 another 4000 signatures Nov 25, 2017
o3e9 another 4000 signatures Nov 25, 2017
o3ea another 4000 signatures Nov 25, 2017
o3ec may the gods be merciful Nov 24, 2017
o3ed another 4000 signatures Nov 25, 2017
o3f0 another 4000 signatures Nov 25, 2017
o3f1 another 4000 signatures Nov 25, 2017
o3f4 another 4000 signatures Nov 25, 2017
o3f7 another 4000 signatures Nov 25, 2017
o3f8 baseline signatures Oct 2, 2018
o3f9 may the gods be merciful Nov 24, 2017
o3fd may the gods be merciful Nov 24, 2017
o3fe may the gods be merciful Nov 24, 2017
o422 another thousand baseline cluster signatures Oct 3, 2018
o42d another 4000 signatures Nov 25, 2017
o443 added 503 additional signatures Aug 25, 2017
o468 another thousand baseline cluster signatures Oct 3, 2018
ofc8 another thousand baseline cluster signatures Oct 3, 2018
p231d 400+ new signatures, most are of well detected clusters. considered Oct 2, 2018
p2321 may the gods be merciful Nov 24, 2017
p26bb another thousand baseline cluster signatures Oct 3, 2018
p26c9 minor additions of clusters with well detected samples. All of these Oct 2, 2018
p26d4 another thousand baseline cluster signatures Oct 3, 2018
p26d7 another thousand baseline cluster signatures Oct 3, 2018
p26e5 baseline signatures Oct 2, 2018
p26ef another thousand baseline cluster signatures Oct 3, 2018
p3e9 another 4000 signatures Nov 25, 2017
p3ec Added another 1200 signatures Oct 17, 2017
p3ed another 4000 signatures Nov 25, 2017
p3f0 may the gods be merciful Nov 24, 2017
p3f1 another 4000 signatures Nov 25, 2017
p3f4 Added another 1200 signatures Oct 17, 2017
p3f7 may the gods be merciful Nov 24, 2017
pfc8 another thousand baseline cluster signatures Oct 3, 2018
qfc8 minor additions of clusters with well detected samples. All of these Oct 2, 2018
LICENSE Update LICENSE Aug 11, 2017
README.md spelling corrections Dec 12, 2017

README.md

Project Icewater

This project provides open-source YARA rules for the detection of malware and malicious files. The anti-virus industry prefers names for a threat; this is my attempt to publish signatures as numbers. Since I find the naming of threats confusing and misleading, I am attempting to locate threats in a phase space so that their relationships can be measured, visualized and scientifically described.

Each YARA signature in this archive is organized by a prefix and a 64-bit integer. The prefix is an index into file size and file type, while the suffix is a 64-bit coordinate in a multi-dimensional hyperspace. Within a prefix, edit distance may be used to understand how two clusters relate to each other.
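As an added illustration of the naming scheme above (example code, not part of the Icewater project), the following Python splits identifiers into a prefix and a 64-bit coordinate and computes edit distance between coordinates only when the prefix matches. The `<prefix>_<16 hex digits>` layout and the coordinate values are assumptions of this example; the prefix strings reuse directory names from this archive.

```python
from itertools import combinations

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_id(rule_id: str):
    """Split '<prefix>_<16 hex digits>' into (prefix, coordinate as lowercase hex).

    The underscore layout is this example's assumption; the README only says a
    prefix (a file size/type bucket) precedes a 64-bit integer.
    """
    prefix, _, coord = rule_id.rpartition("_")
    if not prefix or len(coord) != 16:
        raise ValueError(f"unexpected id layout: {rule_id}")
    int(coord, 16)  # raises ValueError if the coordinate is not hex
    return prefix, coord.lower()

def cluster_distances(rule_ids):
    """Pairwise edit distance between coordinates, restricted to a shared prefix."""
    out = {}
    for x, y in combinations(rule_ids, 2):
        (px, cx), (py, cy) = split_id(x), split_id(y)
        if px != py:
            continue  # different size/type bucket: the README gives no meaning to this distance
        out[(x, y)] = levenshtein(cx, cy)
    return out

# Constructed identifiers: the prefixes are directory names from the archive,
# the 64-bit coordinates are made up for this example.
IDS = [
    "k3f4_09bba2c6b6c49e8c",
    "k3f4_09bba2c6b6c49e8d",
    "k3f4_ffff0000aaaa5555",
    "m3f4_09bba2c6b6c49e8c",
]

if __name__ == "__main__":
    for pair, d in sorted(cluster_distances(IDS).items(), key=lambda kv: kv[1]):
        print(d, *pair)
```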

The Starting Problem

The basis of this research and this contribution to internet security is the idea of the Starting Problem, which derives from the halting problem for Turing-complete machines documented by Alan Turing in 1936. I define the starting problem thus: knowing whether a program should be allowed to run without running the program. My solution is to run about 4% of programs and, by running them, infer whether the other 96% should be allowed to run.

Icewater is the project that clusters and sorts things on the internet. Icewater writes these rules in the hope that they are a compact form of transmitting knowledge regarding programs that should have their evil bit set :)

How these rules get written

Icewater clusters malicious objects on the internet and, when it has enough information about these objects, publishes a YARA rule that can be used to detect the threat. Since I am generally annoyed with the state of internet security, I am publishing many of the rules Icewater writes.

Each rule leverages the hash module of the YARA tools. I provide an offset into a file, the amount of data that you should hash from that offset, and the hash algorithm. I choose MD5 because it is fast; most folks dislike it because of the possibility of collision. If you think I should choose a different hashing algorithm, please explain over beers.
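As an added example (not code from the Icewater project), the following Python emulates what a rule built on YARA's hash module does: it hashes a window of a constructed sample with MD5, emits a rule in the offset/length/digest style described above using `hash.md5(offset, size)`, and then evaluates candidate files against that condition. The sample bytes, rule name and window are assumptions; treating a file too short to hold the whole window as a non-match is this example's own conservative choice, not a statement about YARA's handling of that case.

```python
import hashlib

# Constructed sample standing in for a clustered file (not a real binary).
SAMPLE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4

def window_md5(data: bytes, offset: int, length: int):
    """MD5 of data[offset:offset+length], or None if the window is not fully present.

    Returning None for a short file is this example's choice so that a truncated
    file never matches; it is not a claim about YARA's own hash module semantics.
    """
    if offset < 0 or length <= 0 or offset + length > len(data):
        return None
    return hashlib.md5(data[offset:offset + length]).hexdigest()

def make_rule(name: str, data: bytes, offset: int, length: int) -> str:
    """Emit a rule in the README's style: an offset, a byte count and an MD5.

    YARA's hash module provides hash.md5(offset, size), which yields a lowercase
    hex string; the rule name used here is an assumption of this example.
    """
    digest = window_md5(data, offset, length)
    if digest is None:
        raise ValueError("window lies outside the sample")
    return (
        'import "hash"\n'
        f"rule {name}\n"
        "{\n"
        "    condition:\n"
        f'        hash.md5({offset}, {length}) == "{digest}"\n'
        "}\n"
    )

def matches(rule_offset: int, rule_length: int, rule_digest: str, candidate: bytes) -> bool:
    """Evaluate a candidate file the way the generated condition would."""
    return window_md5(candidate, rule_offset, rule_length) == rule_digest

OFFSET, LENGTH = 64, 256  # assumed window: the bytes right after the stub
DIGEST = window_md5(SAMPLE, OFFSET, LENGTH)
RULE_TEXT = make_rule("example_cluster_0000", SAMPLE, OFFSET, LENGTH)

if __name__ == "__main__":
    print(RULE_TEXT)
    # Bytes appended outside the window still match; one changed byte inside does not.
    print(matches(OFFSET, LENGTH, DIGEST, SAMPLE + b"\x00" * 16))
    print(matches(OFFSET, LENGTH, DIGEST, SAMPLE[:OFFSET] + b"X" + SAMPLE[OFFSET + 1:]))
```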

QA

Each rule is tested against the cluster it is written from and against part of our larger data set. The rule should fire only for its cluster or for a neighbor cluster that shares the same "family." Rules that pass these qualifications are published in this archive. Rules that fail these tests are used to inform the process and to debug the systems that generate the rules. If you find a rule that is missing its target, please let me know; contact details are below.

Is Icewater a form of Artificial Intelligence?

Yes, if you are a VC -- Icewater is based on a kind of mathematics that is used to describe the physical world, much like the math that we use for training AI. Icewater uses the same algorithms all eukaryotes (any cell that has a nucleus) use to organize their DNA. If you don't think binaries, either in PE or COFF format, are like DNA... well, they are. You are a robot -- get used to it.

Remember Icewater writes the rules, I just write the part that writes Icewater, but I didn't write the algorithm -- nature did.

Goals

My goal for this project is to place such a large quantity of YARA rules into the network security community that it measurably affects global cybersecurity. Please let me know when you think I'm getting close to my goal.

License

Pay close attention to the RIL (Rick's Internet License). It is similar to the BSD license, with a third clause that requires that, if you use these rules and know me in physical space, you may need to acknowledge that you use these rules. I do enforce the license at public and private events.

Contact

webpage: http://icewater.io
blog: http://cyberwarhead.com
Twitter: @wessorh