[Community-sigs] new sig Linux.Backdoor.Concbak
Alain Zidouemba
azidouemba at sourcefire.com
Wed Mar 18 10:52:23 EDT 2015
If you know and are interested in providing Snort rules for malware
samples, we will add your rules (again, after testing and tweaking if
necessary) to the community ruleset:
http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html
You'll of course be given credit for your Snort rules, just as you are
given credit for your ClamAV signatures.
Thank you very much for your contribution,
- Alain
On Wed, Mar 18, 2015 at 10:42 AM, <andreisaygo at live.ie> wrote:
> Hi Ben,
> Sounds great, thanks. I'll make sure to include similar info (if possible)
> from now on.
>
> Regards,
> Andrei Saygo
> > Date: Wed, 18 Mar 2015 10:39:20 -0400
> > From: bbaker at sourcefire.com
> > To: community-sigs at lists.clamav.net
> > Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> >
> > Thanks Andrei! Your sig passed FP check and has been published. Since you
> > included really unique network info, I'll make a Snort rule for that as
> > well.
> >
> > On Mon, Mar 16, 2015 at 7:52 PM, <andreisaygo at live.ie> wrote:
> >
> > > Signature:
> > >
> > > Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700
> > >
> > > Hashes:
> > > MD5: 88119dc700357d2d486efb2d1369b105
> > > SHA1: 36361d6472d3c675182a2ca01ceed968d6c8e46b
> > > SHA256: 6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1
> > >
> > > Sig0:
> > > /gate.php
> > >
> > > Sig1:
> > > &pcname=
> > >
> > > Sig2:
> > > &hwid=
> > >
> > > Sig3:
> > > udpflood
> > > Sig4:
> > > backconnect
> > > Sig5:
> > > /etc/shadow
> > >
> > > Additional details:
> > > Full link:
> > > hxxp://webcrawl.marketplay.be:80//platforms/linux_v6//gate.php
> > >
> > > HTTP header:
> > > User-Agent: Firefox.3.5
> > > Referer: http://google.com/
> > > Accept-Encoding: identity
> > >
> > >
> > > Regards,
> > > Andrei Saygo
> > > _______________________________________________
> > > Community-sigs mailing list
> > > Community-sigs at lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
>
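Added example, not part of the original thread: a small Python decoder for the logical signature quoted above. It decodes the hex subsignatures and evaluates (0&1&2)&(3|4|5) against two constructed buffers. The function names and test buffers are assumptions made for illustration, and only plain hex subsignatures are handled.

```python
# Signature exactly as posted in the thread (ClamAV .ldb logical signature).
SIG = ("Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);"
       "2F676174652E706870;2670636E616D653D00;26687769643D00;"
       "756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700")

def parse_ldb(sig):
    """Split an .ldb line into name, target block, expression, subsig bytes."""
    name, target, expr, *subsigs = sig.split(";")
    # Plain hex subsignatures only (no wildcards, offsets or PCRE).
    return name, target, expr, [bytes.fromhex(s) for s in subsigs]

def evaluate(expr, hits):
    """Evaluate indices, '&', '|' and parentheses, left to right."""
    pos = 0
    def term():
        nonlocal pos
        if expr[pos] == "(":
            pos += 1
            val = chain()
            pos += 1  # step over ")"
            return val
        start = pos
        while pos < len(expr) and expr[pos].isdigit():
            pos += 1
        return hits[int(expr[start:pos])]
    def chain():
        nonlocal pos
        val = term()
        while pos < len(expr) and expr[pos] in "&|":
            op = expr[pos]
            pos += 1
            rhs = term()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return chain()

def matches(sig, data):
    """True if the buffer satisfies the signature's logical expression."""
    _name, _target, expr, subsigs = parse_ldb(sig)
    # Target:6 restricts ClamAV to ELF files; file typing is not modelled here.
    return evaluate(expr, [s in data for s in subsigs])

# Constructed test buffers, not taken from the real sample.
WITH_NULS = b"\x7fELF/gate.php\x00&pcname=\x00&hwid=\x00backconnect\x00"
NO_NULS = b"\x7fELF/gate.php?&pcname=host&hwid=abc&cmd=backconnect"

if __name__ == "__main__":
    for label, raw in zip(("Sig0", "Sig1", "Sig2", "Sig3", "Sig4", "Sig5"), parse_ldb(SIG)[3]):
        print(label, raw)
    print(matches(SIG, WITH_NULS), matches(SIG, NO_NULS))
```

Decoding shows that subsignatures 1 to 5 each end in a 00 byte, so a buffer holding the same strings without the trailing NUL does not match.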