[Emerging-Sigs] A request for ELF "Linux/BillGates" DDoS'er ET Signature

Hendrik Adrian 1 at 1rik.com
Sun Sep 21 04:27:46 EDT 2014


Hello Will,

Cc: Matt, ET List

Allow me to request a blocking scheme for the ELF DDoS'er
"Linux/BillGates", as rapidly spotted in hacked servers and
routers; below is the PoC of the threat:
https://twitter.com/unixfreaxjp/status/513599384286531584
https://twitter.com/unixfreaxjp/status/513586918127173632
https://twitter.com/unixfreaxjp/status/513160603494391808
https://twitter.com/unixfreaxjp/status/512820029037879297
https://twitter.com/unixfreaxjp/status/512686082048004096
(these are only the data I gained from Sept 19th until now; there are
many more of these that I did not tweet)

We are in an effort to stop the CNC; so far we nuked more than 35 of
their panels, but there is still much more activity spotted according
to some netflow data I received.

The initial communication pattern during the callback could finally
be captured completely during one specific analysis of a case, which
will be useful for signature building, as per the attached pictures.
<attached 2 PNG image files>
Hopefully the ET detection signature can be published, accordingly.
Please kindly support.
The PCAP is a private possession, so it will be shared via direct
email, off-list.

Looking forward, with many thanks in advance.

Regards/Rick of MalwareMustDie

-- 
PGP/MIT.EDU: RSA 2048/0xEC61AB9
http://about.me/unixfreaxjp

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie
