[Emerging-Sigs] Request #2 - ET signature for Linux/AES.DDoS

Will Metcalf wmetcalf at emergingthreatspro.com
Sun Sep 21 08:55:05 EDT 2014


Awesome! Thank you Rick!

Regards,

Will

On Sun, Sep 21, 2014 at 7:25 AM, Hendrik Adrian <1 at 1rik.com> wrote:

> Hello ET friends,
>
> Here is another request, for a blocking signature for a different
> ELF DDoS malware I investigated, called Linux/AES.DDoS.
> I also made a dedicated repo for this threat, here; feel free to
> use it as a reference:
> http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
>
> The complete initial connection to the CNC was successfully recorded;
> please see the attached images.
> <attached 2 PNG files>
>
> I will send the PCAP to the email addresses noted in the Cc.
>
> The strings "VERSONEX", "Hacke\nr" and "INFO" are hard coded in the
> binary and can be used for sig purposes.
> "Mbps" is also usable, but I recommend not using it, since I saw
> versions that do not use it (the PPC or MIPS versions).
> Please help generate the signature accordingly, and feel free to
> email me directly with more requests or questions.
>
> Best regards
>
> Rick of MalwareMustDie
>
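As an added example (not from the original mail, the ET ruleset, or the malware itself), the check below turns the hard-coded strings Rick lists into detection logic, treats "Mbps" as optional evidence because the PPC/MIPS builds lack it, and renders the newline-bearing marker as a Suricata/Snort content clause; the sample payloads are constructed, not captured traffic.

```python
# Added example: detection logic built from the strings in the report;
# the sample payloads are constructed, not the real C2 exchange.

# Markers the report says are hard coded in the binary. "Hacke\nr" holds a
# literal newline, so matching is done on bytes, not on a printable word.
REQUIRED_MARKERS = [b"VERSONEX", b"Hacke\nr", b"INFO"]
# "Mbps" is missing from some builds (PPC/MIPS), so it is extra evidence only.
OPTIONAL_MARKERS = [b"Mbps"]

# Constructed samples: a build with "Mbps", a PPC/MIPS-style build without
# it, and an unrelated HTTP request that must not match.
SAMPLE_FULL = b"VERSONEX:x86:Hacke\nr:INFO:100 Mbps"
SAMPLE_PPC = b"VERSONEX:ppc:Hacke\nr:INFO"
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def match_markers(payload: bytes) -> dict:
    """Report which markers occur in payload and whether all required ones do."""
    required = {m.decode("latin-1"): m in payload for m in REQUIRED_MARKERS}
    optional = {m.decode("latin-1"): m in payload for m in OPTIONAL_MARKERS}
    return {"required": required, "optional": optional,
            "hit": all(required.values())}


def suricata_content(marker: bytes) -> str:
    """Render a marker as a Suricata/Snort content string: printable bytes
    as-is, the newline and content-special bytes (| " ; \\) as a |xx| run."""
    out, hexrun = [], []
    for b in marker:
        if 0x20 <= b < 0x7F and chr(b) not in '|";\\':
            if hexrun:
                out.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02x}")
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)


def rule_contents() -> list:
    """Content clauses for the required markers, as a starting point for a rule."""
    return [f'content:"{suricata_content(m)}";' for m in REQUIRED_MARKERS]
```

The `rule_contents()` output is only the content-match part of a rule; the header, flow direction and sid still have to be chosen by whoever writes the ET signature.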

