[Community-sigs] linux backdoor program received
Shaun Hurley
shahurle at sourcefire.com
Mon Mar 30 11:02:18 EDT 2015
Janos,
While we appreciate the submissions, we are trying to scale down on the
number of signatures created using hashes.
Is it possible for you to create either an NDB or an LDB signature based on
the malicious code within the binaries?
The documentation for creating these types of signatures can be located
here:
https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf
Please let me know if you have any questions.
Thank you,
Shaun Hurley
ClamAV Team
On Tue, Mar 24, 2015 at 7:48 AM, Janos Cservenak <hawk at hwk.hu> wrote:
> Filename: Systee32
> Original source: http://222.186.56.69:9987/Systee32
> Architecture: x86
> Detected actions:
> - copies itself as freeBSD in the same directory,
>   starts running like this: "/tmp/freeBSD /tmp/freeBSD 1",
>   and after that deletes itself
> - copies itself as Systee32a in the same directory
>   and starts itself like this: "/tmp/Systee32a /tmp/Systee32"
> - after 10 minutes of running, no network traffic detected
>
> External virus scanner results:
> https://www.virustotal.com/en/file/479d8822fdf34a9daed8cd1ead77e77f0d3808f65b9c26098ea6ee3359a47246/analysis/1427194212/
>
> Signatures:
> md5: 440a60df19dcc800ce00f36de5397801:1128808:Linux.Trojan.Agent.5TAP9C
> sha1: 91bc3fa241bf4ca3d01267eb58b8c0dd40d45f7a:1128808:Linux.Trojan.Agent.5TAP9C
> sha256: 479d8822fdf34a9daed8cd1ead77e77f0d3808f65b9c26098ea6ee3359a47246:1128808:Linux.Trojan.Agent.5TAP9C
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
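The NDB and LDB formats Shaun asks for, as an added example that is not part of this thread and not code from the ClamAV project: a small Python script that turns the strings Janos reported ("/tmp/freeBSD", "Systee32a") into .ndb and .ldb lines, builds the .hdb hash line for comparison, and runs a toy matcher to show why the body signatures still fire on a one-byte variant of the file while the MD5 line does not. The signature syntax follows the ClamAV signature documentation; the sample bytes are constructed, not the real Systee32 binary; it is an assumption that those strings appear literally in the binary; and the matcher implements only a subset of ClamAV's wildcard and logical-expression grammar.

```python
"""
Build ClamAV body signatures (.ndb / .ldb) from strings observed in a sample
and compare them with the .hdb hash style used in the original report.

Added example, not ClamAV project code. Syntax per the ClamAV signature docs:
  .hdb  MD5:FileSize:MalwareName
  .ndb  MalwareName:TargetType:Offset:HexSignature
  .ldb  SigName;Target:n;LogicalExpression;Subsig0;Subsig1;...
Sample bytes below are constructed, not the real Systee32 binary.
"""
import hashlib
import re

# Strings reported in the thread. Assumption: they are literal bytes in the binary.
OBSERVED_STRINGS = [b"/tmp/freeBSD", b"Systee32a"]

TARGET_ANY = 0   # match any file type
TARGET_ELF = 6   # ClamAV target type for ELF executables


def hdb_signature(name, data):
    """MD5:FileSize:MalwareName, the hash style the report used."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def ndb_signature(name, pattern, target=TARGET_ELF, offset="*"):
    """MalwareName:TargetType:Offset:HexSignature ('*' = any offset)."""
    return "%s:%d:%s:%s" % (name, target, offset, pattern.hex())


def ldb_signature(name, patterns, target=TARGET_ELF):
    """Logical signature whose expression requires every subsignature (0&1&...)."""
    expr = "&".join(str(i) for i in range(len(patterns)))
    return "%s;Target:%d;%s;%s" % (name, target, expr, ";".join(p.hex() for p in patterns))


def hex_to_regex(sig):
    """Translate a hex body with ??, * and {n-m} wildcards into a compiled bytes regex."""
    out, i = [], 0
    while i < len(sig):
        if sig.startswith("??", i):          # any single byte
            out.append(b"."); i += 2
        elif sig[i] == "*":                  # any number of bytes
            out.append(b".*"); i += 1
        elif sig[i] == "{":                  # {n}, {n-}, {-m} or {n-m} bytes
            j = sig.index("}", i)
            body = sig[i + 1:j]
            if "-" in body:
                lo, hi = body.split("-")
                out.append(b".{" + (lo or "0").encode() + b"," + hi.encode() + b"}")
            else:
                out.append(b".{" + body.encode() + b"}")
            i = j + 1
        else:                                # literal byte, escaped for re
            out.append(re.escape(bytes.fromhex(sig[i:i + 2]))); i += 2
    return re.compile(b"".join(out), re.DOTALL)


def ndb_matches(sig_line, data):
    """Apply an .ndb line; offsets handled here: '*' or an absolute integer."""
    _name, _target, offset, hexsig = sig_line.split(":")[:4]
    rx = hex_to_regex(hexsig)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None


def ldb_matches(sig_line, data):
    """Apply an .ldb line: run each subsignature, then evaluate the expression.
    Grammar handled: subsig numbers, &, |, parentheses (& binds tighter than |)."""
    parts = sig_line.split(";")
    expr, subsigs = parts[2], parts[3:]
    hits = [hex_to_regex(s).search(data) is not None for s in subsigs]
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            pos += 1                          # consume ')'
            return value
        return hits[int(tok)]

    return parse_or()


def compare_signature_styles(name="Linux.Trojan.Agent.5TAP9C"):
    """Constructed stand-in for the sample, plus a variant with one filler byte changed."""
    sample = (b"\x7fELF" + b"\x00" * 28 + b"/tmp/freeBSD\x00"
              + b"\x00" * 16 + b"Systee32a\x00")
    variant = sample[:8] + b"\x01" + sample[9:]
    hdb = hdb_signature(name, sample)
    ndb = ndb_signature(name, OBSERVED_STRINGS[0])
    ldb = ldb_signature(name, OBSERVED_STRINGS)
    return {
        "hdb": hdb, "ndb": ndb, "ldb": ldb,
        "hdb_hits_variant": hdb.split(":")[0] == hashlib.md5(variant).hexdigest(),
        "ndb_hits_variant": ndb_matches(ndb, variant),
        "ldb_hits_variant": ldb_matches(ldb, variant),
    }


if __name__ == "__main__":
    for key, value in compare_signature_styles().items():
        print(key, value)
```

On a real sample you would take the hex from `sigtool --hex-dump` on a carved chunk of the binary rather than from the run-time strings, and pick bytes that are specific to the malicious code (Shaun's point) instead of generic paths. Target type 6 restricts the match to ELF files; use 0 only when the bytes are distinctive enough to be safe in any file type.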