[Community-sigs] new sig Linux.Trojan.Xorddos

Tue Apr 7 09:15:59 EDT 2015

Signature:
Linux.Trojan.Xorddos;Target:6;(0|1|2|3|4)>3,3;89C8C1F8??C1E8??8D140183E2??29C20FB682????????30041983C10139F175DF;C744240880070000C744240440000000C70424168771ADE8????0100;2F6574632F63726F6E746162202626206563686F;2F63726F6E2E686F75726C792F756465762E7368;557365722d4167656e743a204d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e5420352e323b205356313b2054656e63656e7454726176656c6572203b202e4e455420434c5220312e312e3433323229

Hashes:
MD5 854f9f0fd26d823d0b678b7228154138
SHA1 ebaed77107d5ba6ff3d45155232d3c3e9fe34373
SHA256 42629d9d813e59c3d2b7aac0da644ddb1824a8b286b39393ad50a945d51ab363


Signatures:
Sig0 (string decryption loop):
89 C8                                   mov     eax, ecx
C1 F8 ??                                sar     eax, 1Fh
C1 E8 ??                                shr     eax, 1Ch
8D 14 01                                lea     edx, [ecx+eax]
83 E2 ??                                and     edx, 0Fh
29 C2                                   sub     edx, eax
0F B6 82 ?? ?? ?? ??                    movzx   eax, byte ptr xorkeys[edx] ; "BB2FA36AAA9541F0"
30 04 19                                xor     [ecx+ebx], al
83 C1 01                                add     ecx, 1
39 F1                                   cmp     ecx, esi
75 DF                                   jnz     short loc_80490A1

Sig1:
C7 44 24 08 80 07 00 00                 mov     dword ptr [esp+8], 780h ; flag
C7 44 24 04 40 00 00 00                 mov     dword ptr [esp+4], 40h ; size
C7 04 24 16 87 71 AD                    mov     dword ptr [esp], 0AD718716h ; key
E8 ?? ?? 01 00                          call    shmget

Sig2:
/etc/crontab && echo

Sig3:
/cron.hourly/udev.sh

Sig4:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)


Regards,
Andrei Saygo