[Emerging-Sigs] Request #2 - ET signature for Linux/AES.DDoS

Hendrik Adrian 1 at 1rik.com
Sun Sep 21 08:25:35 EDT 2014


Hello ET friends,

Here is another request, for a blocking signature for a different
ELF DDoS malware I investigated, called Linux/AES.DDoS.
I made a dedicated repo for this threat too, here; feel free to
use it as reference:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483

The complete initial connection to the CNC was successfully recorded;
please see the attached images.
<attached 2 PNG files>

I will send the PCAP to the email addresses noted in the Cc.

"VERSONEX", "Hacke\nr" and "INFO" are strings hard-coded in the
binary and can be used for sig purposes.
"Mbps" is also usable, but I recommend not to, since I saw versions
not using it (the PPC or MIPS versions).
Please help to generate the signature accordingly, and feel free to
email me directly for more requests or questions.

Best regards

Rick of MalwareMustDie
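Added example (not from the post above or from ET): a small Python checker that applies the string-based detection logic the post describes to raw TCP payloads, matching only on the three hard-coded markers so the PPC/MIPS builds without "Mbps" are still caught, and renders those markers as Suricata content keywords. It assumes "Hacke\nr" contains a literal newline, as written in the post; the sample payloads, rule layout and sid are constructed placeholders, not the real check-in format.

```python
REQUIRED = [b"VERSONEX", b"Hacke\nr", b"INFO"]  # hard-coded in every sample
OPTIONAL = [b"Mbps"]                            # absent in the PPC/MIPS builds

def classify_payload(payload: bytes) -> dict:
    """Match a check-in payload on the required markers only, so that
    variants without "Mbps" are still detected; also report which markers
    were present so an analyst can tell the variants apart."""
    present = [m for m in REQUIRED + OPTIONAL if m in payload]
    return {
        "match": all(m in payload for m in REQUIRED),
        "present": present,
        "has_mbps": OPTIONAL[0] in payload,
    }

def suricata_content(marker: bytes) -> str:
    """Render bytes as a Suricata/Snort content: value, escaping
    non-printable or special characters (e.g. the newline in "Hacke\\nr")
    as |hex| blocks."""
    parts, hexrun = [], []
    for b in marker:
        if 0x20 <= b < 0x7F and chr(b) not in '";|\\':
            if hexrun:
                parts.append("|%s|" % " ".join(hexrun))
                hexrun = []
            parts.append(chr(b))
        else:
            hexrun.append("%02X" % b)
    if hexrun:
        parts.append("|%s|" % " ".join(hexrun))
    return 'content:"%s";' % "".join(parts)

def draft_rule(sid: int) -> str:
    """Draft a rule body from the required markers only ("Mbps" is left
    out on purpose). The sid is a placeholder chosen by the caller."""
    contents = " ".join(suricata_content(m) for m in REQUIRED)
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN '
            'Linux/AES.DDoS CnC checkin"; flow:established,to_server; %s '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (contents, sid))

# Constructed sample payloads (illustrative layout, not the real format).
SAMPLE_X86 = b"VERSONEX:Linux|1 core|100 Mbps|Hacke\nr|INFO\n"
SAMPLE_MIPS = b"VERSONEX:Linux|1 core|Hacke\nr|INFO\n"
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for p in (SAMPLE_X86, SAMPLE_MIPS, SAMPLE_BENIGN):
        print(classify_payload(p))
    print(draft_rule(9000000))  # placeholder sid in the local-rule range
```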