24 lines
780 B
Text
24 lines
780 B
Text
|
import "elf"
|
||
|
|
||
|
rule Kaiten
|
||
|
{
|
||
|
meta:
|
||
|
description = "Linux IRC DDoS Malware"
|
||
|
family = "Linux.Backdoor.Kaiten"
|
||
|
filetype = "ELF"
|
||
|
hash = "6b5386d96b90a4cb811c5ddd6f35f6b0d4c65c69c8160216077e7a0f43a8888d"
|
||
|
hash = "965a9594ef80e7134e1a9e5a4cce0a3dce98636107d1f6410224386dfccb9d5b"
|
||
|
hash = "2c772242de272bff1bb940b0687445739ec544aceec1bc5591a374a57cd652b5"
|
||
|
|
||
|
strings:
|
||
|
$irc = /(PING)|(PONG)|(NOTICE)|(PRIVMSG)/
|
||
|
$kill = "Killing pid %d" nocase
|
||
|
$subnet = "What kind of subnet address is that" nocase
|
||
|
$version = /(Helel mod)|(Kaiten wa goraku)/
|
||
|
$flood = "UDP <target> <port> <secs>" nocase
|
||
|
|
||
|
condition:
|
||
|
elf.type == elf.ET_EXEC and $irc and
|
||
|
2 of ($kill, $subnet, $version, $flood)
|
||
|
}
|