Signatures For The Masses

Today I found the time and energy, despite how tedious it was, to go over the last two weeks' worth of malware submissions and the edge IPS data I missed while I was away. This resulted in a total of 126 new signatures (67 MD5 / 59 HEX), which brings LMD to a total of 2,471 signatures (894 MD5 / 1577 HEX). This now also gives the project a unique distinction among anti-virus and malware detection offerings, as the single largest project, commercial or open source, detecting Linux malware.

To further illustrate the lapse in coverage by other vendors, we can turn to the CYMRU analysis of the MD5 hashes in LMD, as discussed on the LMD home page. CYMRU provides malware data to vendors such as Trend Micro, Symantec, Kaspersky, Microsoft, Google and more.

KNOWN MALWARE:       301
% AV DETECT (AVG):   57
% AV DETECT (LOW):   58
% AV DETECT (HIGH):  71
UNKNOWN MALWARE:     593

In short, this shows that of all the vendors CYMRU provides data for, only 301 of LMD's 894 MD5 signatures are detected by competing solutions, and of those threats that are detected, on average only 57% of vendors detect each one. This information really has no other significance than to reinforce the validity of this project and the time I am investing into it; chalk one up for stroking my own ego!

New signatures in this update are classified into the following groups; you will notice A LOT of command shells in this update, including an interesting addition, a JSP command shell!

base64.inject.unclassed     exp.linux.unclassed
jsp.cmdshell.zerocnbct      perl.cmdshell.n0va
perl.ircbot.Arabhack        perl.ircbot.BaMbY
perl.ircbot.devil           perl.ircbot.genol
perl.ircbot.karawan         perl.ircbot.rafflesia
perl.ircbot.UberCracker     perl.md5browser.avi
php.cmdshell.antichat       php.cmdshell.avi
php.cmdshell.aZRaiL         php.cmdshell.DxShell
php.cmdshell.h4ntu          php.cmdshell.hackru
php.cmdshell.KAdot          php.cmdshell.lama
php.cmdshell.Macker         php.cmdshell.myshell
php.cmdshell.NCC            php.cmdshell.r3v3ng4ns
php.cmdshell.s72            php.cmdshell.Safe0ver
php.cmdshell.SimShell       php.cmdshell.SRCrew
php.cmdshell.unclassed      php.cmdshell.winx
php.cmdshell.wls            php.cmdshell.xakep
php.cmdshell.ZaCo           php.include.remote
php.mailer.DALLAS           php.rshell.0wned

I am Back: Signature Updates

I am back, fresh off a trip home to Montreal, which I must say was an absolutely amazing time. It has left me reflecting on a lot of things, most importantly that there really is no place like home — I miss Montreal more than I can even describe. That said though, time to get back into the mix of things — there is a mountain of malware submissions to review, 91 to be exact. Today I really could not find the energy or time to go through them all, but I did process the edge IPS data to extract some in-the-wild signature data, which generated 8 new signatures that are now live. In the coming days, I will work through the malware submissions and get those signatures out as soon as possible.