"Linux hack tools - file screen" match on OSX FP? #35

Closed
BrianCrosby34 opened this issue Apr 1, 2016 · 6 comments

Comments

@BrianCrosby34

|20160401T09:02:06Z,s-MacBook-Pro.local,WARNING,Yara Rule MATCH: LinuxHacktool_eyes_screen TYPE: UNKNOWN DESCRIPTION: Linux hack tools - file screen FILE: /usr/bin/screen FIRST_BYTES: cffaedfe07000001030000800200000011000000 / MD5: add6935225e31b5d6672cd2fa3a238bf SHA1: 827dcbe3f792bcb099af63e2a2c9c5f8edcbcf40 SHA256: 7294dbfec928009ac30646fa2d18c8525a35aff172d4ebc81035032525c8394c MATCHES: Str1: or: %s -r [host.tty] Str2: %s: process: character, ^x, or (octal) \032 expected. Str3: Type "screen [-d] -r [pid.]tty.host" to resum ... (truncated)

Any thoughts?

@Neo23x0
Owner

Neo23x0 commented Apr 1, 2016

Interesting - these are the strings and all of them have to match to trigger the rule.
The utility was bundled with a hack tool set.
Looking at the strings I guessed that it is malicious too. I have no idea if I should mark this as false positive or not. I'll start a run on a goodware set to see if the tool is benign.

    rule LinuxHacktool_eyes_screen {
        meta:
            description = "Linux hack tools - file screen"
        strings:
            $s0 = "or: %s -r [host.tty]" fullword ascii
            $s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii
            $s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." fullword ascii
            $s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii
            $s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii
            $s11 = "command from %s: %s %s" fullword ascii
            $s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii
            $s19 = "[ Passwords don't match - checking turned off ]" fullword ascii
        condition:
            all of them
    }

@Neo23x0
Owner

Neo23x0 commented Apr 1, 2016

Could you run the tool and see what it does?
Should be a hack tool / port scanner if the signature matches.

My research shows unambiguous results:


@Neo23x0
Owner

Neo23x0 commented Apr 2, 2016

OK, I replaced the rule with better ones.
You could scan again with an updated signature-base.

Neo23x0/signature-base@dd4cb5d

@BrianCrosby34
Author

OK, I have run a scan on /usr with 15.2 and the new sig base. That match is gone; these, though, have shown up instead.

,Scanning /usr ...
20160403T07:30:34Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP DESCRIPTION: Detects a cloaked file as JPG FILE: /usr/share/cups/ipptool/color.jpg FIRST_BYTES: 1f8b08008aad11510203ecb87554d4cffff8fb5a / QuTZ MD5: c1009419741729cd00ef3a5ecc0adbcc SHA1: d2197fe6f11c418aa712b96524aa632081ec020e SHA256: 8bfb6cc965792621615907afc7372410a021e91d0c829d863ba20f55dfa58839 MATCHES:
20160403T07:30:39Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP DESCRIPTION: Detects a cloaked file as JPG FILE: /usr/share/cups/ipptool/gray.jpg FIRST_BYTES: 1f8b0800a62f714e02039cba073cd5efff37fe36 / /qN<76 MD5: 0c1332067154dd6dd8a17bb9a4fd8161 SHA1: 10c15a8c16c9712991c9e0396172578ff5cc034d SHA256: 995089ff7e5e3c03430910e66251074f1615ccf164307feee03f2959f14cb506 MATCHES:
20160403T07:30:40Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP DESCRIPTION: Detects a cloaked file as JPG FILE: /usr/share/cups/ipptool/testfile.jpg FIRST_BYTES: 1f8b0800cf5265480203ecba55505c41d7363ab8 / ReHUP\A6: MD5: cf45166223e626d143d9b2113aff7e65 SHA1: 19254ce0a3cc984ee4f2cf10dadf8f0568187a11 SHA256: b99adc3de6526722974c17a2f28c6e5b52232acf34b79ac0d93d890ace8b660c MATCHES:
20160403T07:40:13Z,s-MacBook-Pro.local,RESULT,SYSTEM SEEMS TO BE CLEAN.

@Neo23x0
Owner

Neo23x0 commented Apr 5, 2016

That's good news.
The "Notice" level messages are false positives but I don't want to change the signature. It's true that those JPG files are in fact GZIP files. We often found that attackers used JPG cloaking to hide their EXE, ZIP, RAR files.
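
A small triage helper, added here as an example and not Loki's or signature-base's own code: it parses the match lines quoted in this thread, identifies the file type from FIRST_BYTES, and flags an extension/magic mismatch, showing why the cups .jpg files trip Cloaked_as_JPG (gzip header 1f8b08) while the /usr/bin/screen hit is a native Mach-O binary with no extension to contradict. The magic table and the extension map are my own assumptions, not the rule set's.

```python
import os
import re

# Constructed sample: three lines copied from the Loki output quoted in this thread.
SAMPLE_LOG = """\
20160401T09:02:06Z,s-MacBook-Pro.local,WARNING,Yara Rule MATCH: LinuxHacktool_eyes_screen TYPE: UNKNOWN DESCRIPTION: Linux hack tools - file screen FILE: /usr/bin/screen FIRST_BYTES: cffaedfe07000001030000800200000011000000 / MD5: add6935225e31b5d6672cd2fa3a238bf
20160403T07:30:34Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP DESCRIPTION: Detects a cloaked file as JPG FILE: /usr/share/cups/ipptool/color.jpg FIRST_BYTES: 1f8b08008aad11510203ecb87554d4cffff8fb5a / QuTZ MD5: c1009419741729cd00ef3a5ecc0adbcc
20160403T07:40:13Z,s-MacBook-Pro.local,RESULT,SYSTEM SEEMS TO BE CLEAN.
"""

# Magic-byte prefixes for the types seen in the thread plus the EXE/ZIP/RAR
# containers the maintainer says are commonly cloaked as JPG (assumed table).
MAGIC = [
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x1f\x8b\x08", "gzip"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit"),
    (b"PK\x03\x04", "ZIP"),
    (b"Rar!\x1a\x07", "RAR"),
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF"),
]
# What a file with this extension should start with; anything else counts as "cloaked".
EXPECTED = {".jpg": "JPEG", ".jpeg": "JPEG", ".gz": "gzip", ".zip": "ZIP", ".rar": "RAR"}

# Pulls rule name, path and hex FIRST_BYTES out of one Loki match line.
LINE_RE = re.compile(r"Yara Rule MATCH: (?P<rule>\S+).*?FILE: (?P<path>.+?) FIRST_BYTES: (?P<fb>[0-9a-fA-F]+)")

def identify_magic(first_bytes: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC:
        if first_bytes.startswith(prefix):
            return kind
    return "unknown"

def triage(log_text: str) -> list:
    """Parse Loki-style match lines and flag extension/magic mismatches."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # RESULT and other non-match lines carry no FIRST_BYTES
        kind = identify_magic(bytes.fromhex(m["fb"]))
        ext = os.path.splitext(m["path"])[1].lower()
        expected = EXPECTED.get(ext)
        findings.append({"rule": m["rule"], "path": m["path"], "kind": kind,
                         "cloaked": expected is not None and kind != expected})
    return findings
```

A path with no extension (like /usr/bin/screen) is never reported as cloaked; the helper only says what the magic bytes claim the file is, which is the first thing to check on a string-only hit like the one that opened this issue.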

@BrianCrosby34
Author

Excellent, I'll close this then.
