Signature Updates: Month In Review

Since I will be busy this coming week with other priorities, I am posting an early month in review blog on signature updates.

In the last 3 weeks we have not seen a whole lot of action in in-the-wild malware; most of what is propagating at the moment is variants of already detected content. That is not to say, however, that no new signatures have been extracted: a lot of this month's signatures have come from account-level compromises of vulnerable e107, WordPress and Joomla installations, along with user submissions. There are not a whole lot of groundbreaking malware threats; it is more of the usual, such as mass mailers, Perl/PHP command shells, IRC bots and PHP socket flooding tools.

In total, in the 3 weeks ending Sat July 24th, there have been 128 new signatures in 54 classifications, with 65 signatures added in the last 7 days. This brings us to a total of 2,588 (1002 MD5 / 1586 HEX) signatures, an increase of 117 signatures over the last blog post on signature updates. For those paying attention, there is a discrepancy of -11 signatures between the 128 new signatures and the +117 change since the last update; this is because 11 signatures have also been removed for poor performance/false positives.

As always, new signatures are automatically updated daily, or can be manually updated with the -u|--update command line options. The 128 new signatures fall into the following classification groups:

base64.inject.unclassed    exp.linux.unclassed
perl.cmdshell.n0va         perl.ircbot.Arabhack
perl.ircbot.BaMbY          perl.ircbot.devil
perl.ircbot.fx29           perl.ircbot.genol
perl.ircbot.karawan        perl.ircbot.oldwolf
perl.ircbot.plasa          perl.ircbot.putr4XtReme
perl.ircbot.rafflesia      perl.ircbot.UberCracker
php.cmdshell.antichat      php.cmdshell.avi
php.cmdshell.aZRaiL        php.cmdshell.c100
php.cmdshell.DxShell       php.cmdshell.h4ntu
php.cmdshell.hackru        php.cmdshell.KAdot
php.cmdshell.lama          php.cmdshell.Macker
php.cmdshell.mic22         php.cmdshell.myshell
php.cmdshell.NCC           php.cmdshell.r3v3ng4ns
php.cmdshell.r57           php.cmdshell.s72
php.cmdshell.Safe0ver      php.cmdshell.SimShell
php.cmdshell.SRCrew        php.cmdshell.Storm7
php.cmdshell.unclassed     php.cmdshell.winx
php.cmdshell.wls           php.cmdshell.xakep
php.cmdshell.ZaCo          php.cpcrack.Aria
php.exe.globals            php.include.remote
php.ircbot.NewLive         php.mailer.DALLAS
php.mailer.unclassed       php.mailer.YoUngEST
php.nested.base64          php.pktflood.unclassed
php.rshell.0wned           web.malware.unclassed
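As an added illustration of how the two signature kinds counted above (MD5 and HEX) detect content and its variants under the type.category.name scheme used in the list, here is example code written for this post; it is not LMD's own scanner or signature database format, and the sample files, digests and hex patterns are constructed for the example:

```python
import hashlib
from collections import Counter

# Constructed sample files standing in for scanned web content (not real samples).
SAMPLES = {
    "/var/www/html/uploads/a.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
    "/var/www/html/uploads/b.php": b"<?php eval(base64_decode($_POST['x'])); ?>",  # variant
    "/var/www/html/index.php": b"<?php echo 'hello world'; ?>",
    "/tmp/bot.pl": b"#!/usr/bin/perl\nuse IO::Socket;\nmy $srv='irc.example.test';\n",
    "/tmp/bot2.pl": b"#!/usr/bin/perl\nuse IO::Socket;\nmy $srv='irc2.example.test';\n",  # variant
}

# Two signature kinds, both keyed to a type.category.name classification as on this page.
# MD5 signatures match a whole file by digest; hex signatures match a byte sequence
# anywhere in the file. Signature values here are constructed for the example.
MD5_SIGS = {
    hashlib.md5(SAMPLES["/tmp/bot.pl"]).hexdigest(): "perl.ircbot.unclassed",
}
HEX_SIGS = {
    # hex encoding of b"eval(base64_decode("
    "php.cmdshell.unclassed": bytes.fromhex("6576616c286261736536345f6465636f646528"),
}


def scan(files, md5_sigs, hex_sigs):
    """Return {path: [classification, ...]} for every file that hits a signature."""
    hits = {}
    for path, data in files.items():
        found = []
        name = md5_sigs.get(hashlib.md5(data).hexdigest())
        if name:
            found.append(name)
        found.extend(n for n, pattern in hex_sigs.items() if pattern in data)
        if found:
            hits[path] = found
    return hits


def summarize(hits):
    """Count hits per type.category group (e.g. php.cmdshell), the grouping used above."""
    return Counter(".".join(n.split(".")[:2]) for names in hits.values() for n in names)


if __name__ == "__main__":
    results = scan(SAMPLES, MD5_SIGS, HEX_SIGS)
    for path, names in results.items():
        print(f"{path}: {', '.join(names)}")
    # bot2.pl is a one-byte variant of bot.pl: the MD5 signature misses it, which is why
    # hex signatures are what keep catching "variants of already detected content".
    print(dict(summarize(results)))
```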

The other side: who uses projects?

In one of my usual A.D.D. moments I decided to aggregate some data on project downloads and daily update queries to the server, to get a picture of who exactly is using the projects. Although this information is not terribly important, I do find it interesting. I need to stress that none of the listed organizations, agencies or businesses in any way endorse, sponsor or represent the opinions expressed on this site; they are simply users of my projects. That said, let's have a look at who uses the projects.

The basics:
1,808 Unique Networks across 117 Countries

Top 10 Usage Networks:
GNAX – Global Net Access
Hetzner Online
Waveform Technology
SoftLayer Technologies
MZIMA – Mzima Networks
CORPCOLO – Corporate Colocation
ThePlanet Internet Services

Top 10 Institutions of Higher Learning:
Columbia University
University of California at Berkeley
University of Maryland
Stanford University
York University
Washington University
University of Iowa
University of Puerto Rico
University of Alaska
University of Western Australia

Top Federal & Governmental Agencies:
State of Minnesota
Lafayette Consolidated Government
United States Coast Guard
Federal Aviation Administration

Top Corporations:
Yahoo (Bangalore Network Monitoring Center)
Yahoo (China Datacenter)
Microsoft Corp
Sun Microsystems
Google Inc
Cisco Systems
Bell Canada
Internap Network Services
IBM New Zealand

Top 15 Countries:
United States
United Kingdom
Russian Federation

Projects: The personal costs

When you do open source development, especially as an independent developer, there is a constant struggle that must be balanced between that of work and personal obligations. As any open source developer will tell you, 99% of the time, the projects we develop fall strictly into the realm of personal time, no matter how much they may apply to our work field. It is difficult to justify the time that is required in maintaining one let alone a series of active projects when you also work a full-time job while trying to have some semblance of a life.

So, when you are faced with something you are truly passionate about, that constantly rubs up against a barrier that is your job and ever limited personal time, you start to question or more importantly look for change, in how you manage that passion. That is what I am currently faced with, the projects at the moment consume an increasing amount of my personal time on evenings and weekends — which has been that way for a long time — but recently, priorities and life have changed such that I can no longer allow that to be the case. I have managed these projects for almost 8 years, which I would not change for anything, I have and still do love working on them. However, the time has come that I need to start setting measurable, tangible, goals on the cost of maintaining these projects which will allow me, permitting donations or sponsors, to create dedicated time within my work week to manage the projects with focus strictly on them.

That said, I am seeking about $1,000 USD per month in donations or month-to-month sponsorships (which all sponsors will be duly pimped out on the site with a widget and on each project page); at the moment donations only average about $50-200 per month, and it varies widely month-to-month towards the lower end. How did I come up with this amount? Well, it is simply a goal, a target, that reflects the amount of time I spend on the projects per month (about 60hrs) and what I believe would allow me to take time out of other areas of my life to dedicate consistently that amount of time every month. This would make continuing to work on the projects much easier on me personally, easier on those in my life and easier on me occupationally/financially.

There is a donation tracker widget now on the right sidebar of the site; it simply uses PayPal as the checkout process, and the tracker will reset every 30 days. If you are interested in becoming a regular contributor or sponsor, please email me at ryan at to discuss it. Thank you in advance for your understanding.

Bot Networks: Jacking the Jackers

One of the more interesting parts of my malware hunting routine is when I notice new command & control hubs for bot networks in the source of ircbot malware content. I am not the type to just look and not play, I always dive into these networks and poke around. When it gets really fun is when the attackers get lazy thinking they are untouchable and leave open their irc networks with a series of simple administrator nick names that can be used to control the bots on the network.

So, what I sometimes do is sign into these IRC networks, monitor & log them for a little while for abuse reporting purposes to the network hosting them, then I literally jack the network from under the attacker and make every single bot exit by telling all the bots to run, e.g., “killall -9 perl”, which terminates the bot program. Some of the rage from these little kiddies is obscenely retarded, but at the same time it is incredibly fun to watch prepubescent teens get mad over shit they should rightly be tossed into jail for.

Now, on occasion, this does backfire on me; I have had my home internet DDoSed to death more than a few times, to the point where I had to unplug my cable modem for hours to let the DHCP IP release and renew as a new one. It is still worth it and incredibly fun to ruin these kiddies' week or month, with all the hard work they put into these bot networks amassing hundreds upon hundreds of zombies. Just as fun is when the kiddies think they've got you all figured out and have locked the bot network down, and you get a reply from a network administrator over at the company you sent an abuse email to telling you they are looking into the matter; then, minutes later, the network goes tits up because the server hosting it was shut down 🙂

Yup, that was my story time for the day. I will try to post some of the funnier bits from network takedowns shortly, and I will also be putting up some C&C stats in the soon-to-be-released threat statistics section. That's it for now, kthxbye!