rule linux_mal_hcrootkit_2 {
	meta:
		description = "Detects Linux HCRootkit Wide, unpacked"
		hash1 = "2daa5503b7f068ac471330869ccfb1ae617538fecaea69fd6c488d57929f8279"
		hash2 = "10c7e04d12647107e7abf29ae612c1d0e76a79447e03393fa8a44f8a164b723d"
		author = "Lacework Labs"
		ref = "https://posts.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/"
	strings:
		$s1 = "s_hide_pids"
		$s2 = "handler_kallsyms_lookup_name"
		$s3 = "s_proc_ino"
		$s4 = "n_filldir"
		$s5 = "s_is_proc_ino"
		$s6 = "n_tcp4_seq_show"
		$s7 = "r_tcp4_seq_show"
		$s8 = "s_hide_tcp4_ports"
		$s9 = "s_proc_open"
		$s10 = "s_proc_show"
		$s11 = "s_passwd_buf"
		$s12 = "s_passwd_buf_len"
		$s13 = "r_sys_write"
		$s14 = "r_sys_mmap"
		$s15 = "r_sys_munmap"
		$s16 = "s_hide_strs"
		$s17 = "s_proc_write"
		$s18 = "s_proc_inl_operations"
		$s19 = "s_inl_entry"
		$s20 = "kp_kallsyms_lookup_name"
		$s21 = "s_sys_call_table"
		$s22 = "kp_do_exit"
		$s23 = "r_sys_getdents"
		$s24 = "s_hook_remote_ip"
		$s25 = "s_hook_remote_port"
		$s26 = "s_hook_local_port"
		$s27 = "s_hook_local_ip"
		$s28 = "nf_hook_pre_routing"
	condition:
		uint32(0) == 0x464c457f and 10 of them
}