[Community-sigs] new sig Linux.Backdoor.Turla
andreisaygo at live.ie
Tue Dec 9 08:57:08 EST 2014
Signature:
Linux.Backdoor.Turla;Target:6;(0|1|2|3)>2;5f5f77655f6172655f68617070795f5f;772b002f746d702f2e*00722b00;446573637c*46696c656e616d65*73697a65*7c73746174657c;80C305329A??????08889A??????084283FA0876E9
Hashes:
MD5: 19fbd8cbfb12482e8020a887d6427315
SHA1: 7f043eb95d74d051ac780aee52ebf1c497c43060
SHA256: 8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667
Sig3:
//08048372 80C305 add bl, 0x5
//08048375 329A??????08 xor bl, byte [ds:edx+0x80cd6cb]
//0804837b 889A??????08 mov byte [ds:edx+__xored__buffer__], bl
//08048381 42 inc edx
//08048382 83FA08 cmp edx, 0x8
//08048385 76E9 jbe 0x8048370
Regards,
Andrei Saygo
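
Added example, not part of the original post or of ClamAV's code: a Python script that splits the logical signature above into its fields, decodes the hex subsignatures to readable text for review, and compiles each one into a byte regex that can be checked against a buffer. The function names are assumptions of this example, and it handles only the `??` and `*` wildcards that this signature uses.

```python
import re

# Signature line as posted in the message above (ClamAV logical signature).
SIG = ("Linux.Backdoor.Turla;Target:6;(0|1|2|3)>2;"
       "5f5f77655f6172655f68617070795f5f;"
       "772b002f746d702f2e*00722b00;"
       "446573637c*46696c656e616d65*73697a65*7c73746174657c;"
       "80C305329A??????08889A??????084283FA0876E9")

def parse_ldb(line):
    """Split into name, target description block, expression, subsignatures."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))  # Target:6 = ELF
    return {"name": name, "target": target, "expr": expr, "subsigs": subsigs}

def tokens(fragment):
    """Yield None for a '??' byte wildcard, else the byte value."""
    for pair in re.findall("..", fragment):
        if pair == "??":
            yield None
        elif "?" in pair:
            raise ValueError("nibble wildcards are not handled here")
        else:
            yield int(pair, 16)

def describe(subsig):
    """Render each '*'-separated fragment as text for human review."""
    return ["".join("<??>" if b is None
                    else chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}"
                    for b in tokens(frag))
            for frag in subsig.split("*")]

def to_regex(subsig):
    """Bytes regex: '??' matches one byte, '*' matches any number of bytes."""
    frags = [b"".join(b"." if b is None else re.escape(bytes([b]))
                      for b in tokens(frag))
             for frag in subsig.split("*")]
    return re.compile(b".*?".join(frags), re.DOTALL)

if __name__ == "__main__":
    sig = parse_ldb(SIG)
    print(sig["name"], sig["target"], sig["expr"])
    for i, sub in enumerate(sig["subsigs"]):
        print(i, describe(sub))
```

Subsignatures 0 to 2 decode to plain strings, while subsignature 3 is the byte pattern of the instruction sequence listed under Sig3, with the two address operands wildcarded.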