rule torlus_20150112: malware linux { meta: author = "@h3x2b " description = "Detects Torlus/LizKebab/GayFgt/Bashdoor samples - 20150112" //Check also: //http://tracker.h3x.eu/corpus/690 //http://tracker.h3x.eu/info/690 //Samples: //https://github.com/gh0std4ncer/lizkebab/blob/master/client.c strings: $cmd_00 = "PING" $cmd_01 = "GETLOCALIP" $cmd_02 = "SCANNER" $cmd_03 = "HOLD" $cmd_04 = "JUNK" $cmd_05 = "UDP" $cmd_06 = "TCP" $cmd_07 = "KILLATTK" $cmd_08 = "LOLNOGTFO" $cmd_09 = "EMAIL" $msg_01 = "MAC: %02X:%02X:%02X:%02X:%02X:%02X\n" $msg_02 = "Failed to connect...\n" $msg_03 = "Link closed by server.\n" $msg_04 = "REPORT %s:%s:" $msg_05 = "Failed opening raw socket." $msg_06 = "Failed setting raw headers mode." $msg_07 = "Invalid flag \"%s\"" $msg_08 = "My IP: %s" $msg_09 = "EMAIL " $msg_10 = "HOLD