rule Nosedive_custom_dropper {
	meta:
		author = "Lumen Technologies - Black Lotus Labs"
	strings:
		$r1 = "#!/bin/sh" ascii fullword
		$s1 = "/tmp"
		$s2 = "/var/tmp"
		$s3 = "wget http://"
		$s4 = "rm -rf $0" ascii fullword
		$s5 = "kill -9 `pidof"
		$s6 = "sleep 1" ascii fullword
		$s7 = "while true" ascii fullword
	condition:
		filesize < 3KB and $r1 at 0 and 6 of ($s*)
}