Signature Updates: Month In Review

Since I will be busy this coming week with other priorities, I am posting an early month in review blog on signature updates.

In the last 3 weeks we have not seen a whole lot of action on in-the-wild malware, most of what is propagating at the moment are variants of already detected content. That is however not to say there has not been new signatures extracted, allot of this months signatures have come from account level compromises on vulnerable e107, wordpress and joomla installations along with user submissions. There is not a whole lot of ground breaking malware threats, it is more of the usual such as mass mailers, perl/php command shells, irc bots and php socket flooding tools.

In total, the 3 weeks ending Sat July 24th, there has been 128 new signatures in 54 classifications with 65 signatures being added in the last 7 days. This brings us to a total of 2,588 (1002 MD5 / 1586 HEX) signatures, an increase of 117 signatures over the last blog post on signature updates. For those paying attention, there is a discrepancy of -11 signatures between the 128 new signatures and the +117 change since the last update, this is because there has also been 11 signatures removed for poor performance/false positives.

As always new signatures are automatically updated daily or can be manually updated with the -u|–update command line options. The 128 new signatures fall into the following classification groups:

base64.inject.unclassed    exp.linux.unclassed
perl.cmdshell.n0va         perl.ircbot.Arabhack
perl.ircbot.BaMbY          perl.ircbot.devil
perl.ircbot.fx29           perl.ircbot.genol
perl.ircbot.karawan        perl.ircbot.oldwolf
perl.ircbot.plasa          perl.ircbot.putr4XtReme
perl.ircbot.rafflesia      perl.ircbot.UberCracker
perl.md5browser.avi        perl.shell.cgitelnet
php.cmdshell.antichat      php.cmdshell.avi
php.cmdshell.aZRaiL        php.cmdshell.c100
php.cmdshell.DxShell       php.cmdshell.h4ntu
php.cmdshell.hackru        php.cmdshell.KAdot
php.cmdshell.lama          php.cmdshell.Macker
php.cmdshell.mic22         php.cmdshell.myshell
php.cmdshell.NCC           php.cmdshell.r3v3ng4ns
php.cmdshell.r57           php.cmdshell.s72
php.cmdshell.Safe0ver      php.cmdshell.SimShell
php.cmdshell.SRCrew        php.cmdshell.Storm7
php.cmdshell.unclassed     php.cmdshell.winx
php.cmdshell.wls           php.cmdshell.xakep
php.cmdshell.ZaCo          php.cpcrack.Aria
php.exe.globals            php.include.remote
php.ircbot.NewLive         php.mailer.DALLAS
php.mailer.unclassed       php.mailer.YoUngEST
php.nested.base64          php.pktflood.unclassed
php.rshell.0wned           web.malware.unclassed

lmd, malware, projects

Print article

This entry was posted by Ryan M. on July 24, 2010 at 3:15 pm, and is filed under Development, My Blog. Follow any responses to this post through RSS 2.0. You can skip to the end and leave a response. Pinging is currently not allowed.

Related Posts
Comments (2)

#1 written by Ryan M.
about 1 year ago

Reply Quote

I do retain all the malware in an archive for purposes just such as these, though I would rather not change the maldet signature format at the moment too contain file sizes, I can publish the file sizes with the API data so that the API can be used to extract clamav compatible MD5 signatures.

The API can be found at:
http://www.rfxn.com/api/lmd?id=recent
http://www.rfxn.com/api/lmd?id=all
http://www.rfxn.com/api/lmd?id=ID#

I will simply add a filesize field for the md5 entries.
#2 written by Mike
about 1 year ago

Reply Quote

Can you publish the file sizes with your MD5 malware signatures? They would work great in clamav, but clamav now requires filesizes for md5 sigs (so yours dont work). But your hex sigs seem to work with clam great!

LMD 1.4.1: Delivering on your requests

about 2 months ago - 1 comment

The release of LMD 1.4.1 is now live and with it comes a few new features. In this small update, I have tried to deliver on on a couple of common feature requests from users which were in-line with my development goals. That said, right to it… The biggest change has come in the form More >

Linux Malware Detect: 2 Years Strong

about 4 months ago - 7 comments

As cliche as it sounds, where has the time gone? Today we celebrate two years of Linux Malware Detect, open-source (web) malware detection. The project has seen allot of change since the first release. What was initially started as an internal project to deal with a large increase in malware activity at my job, a More >

LMD 1.4: Little Something For Everyone!

about 9 months ago - 2 comments

The much awaited for 1.4 release of Linux Malware Detect is here! In this release there is quite literally something for everyone, from massive performance gains to FreeBSD support and everything in between . For those who wish to dive straight into it, you can run the -d or –update-ver option to update your install More >

LMD 1.3.9r1: Hexdepth Bug

about 10 months ago - No comments

I have put up a revision to the 1.3.9 release of LMD that fixes a hexdepth bug in which malware greater than 65Kbytes would cause an error in the internal hexstring.pl script and be considered clean on the stage2 hex scanning of malware. This would mean that unless malware had a MD5 signature for it More >

LMD 1.3.9: Quietly Awesome

about 10 months ago - No comments

It has been a busy couple of weeks for the LMD project, lots of late nights and sleepless days behind me and I can say I am a ‘little’ happier with where things are in the project now This release has no major feature changes or additions other than a modification in the default hexdepth More >

LMD 1.3.7: Milestones, Fixes & Signature Updates

about 1 year ago - 1 comment

Today marks the release of LMD 1.3.7, which is a minor release update that fixes a few bugs and is also the final 1.x release before version 2.0 as described in the LMD: one year later blog post. The bug list for LMD has remained very small over the last 6 months and this release More >

LMD: One Year Later

about 1 year ago - 7 comments

With my move back to Canada behind me and adjusting to some new routines with life, its about time to get back into the mix with the projects. Though things have been slow the last couple of months, it has not stopped me from making sure regular and prompt malware updates are released. Today, we More >

Signature Updates & Threat Database

about 1 year ago - No comments

It has been a very active month for those that pay attention to the signatures as they are released, you might have noticed a sudden spike about two weeks ago in signatures from 2,500′ish to the now 4,425 mark. The vast majority of these signatures were put up in MD5 format as a great many More >

Tracking & Killing Bot Networks

about 1 year ago - 1 comment

In a previous blog I discussed how one of the more enjoyable parts of my day-to-day malware rituals also involves the tracking and killing of command and control bot networks. Recently I have begun automating this process a bit; I have created a series of scripts that extract irc servers, port numbers and channels from More >

Understanding Signatures

about 1 year ago - 2 comments

The signature naming scheme for LMD is a little confusing and something I’ve received more than a few questions about, more so about what the *.unclassed signatures mean. The naming scheme (to me) is straight forward and breaks down as follows: {SIG_FORMAT}lang/vector.type.name.ID# The ‘SIG_FORMAT’ is either HEX or MD5 reflecting the internal format of the More >