Since I will be busy this coming week with other priorities, I am posting an early month-in-review blog on signature updates.
In the last 3 weeks we have not seen a whole lot of action on in-the-wild malware; most of what is propagating at the moment is variants of already detected content. That is not to say, however, that no new signatures have been extracted: a lot of this month's signatures have come from account-level compromises of vulnerable e107, WordPress and Joomla installations, along with user submissions. There are not many ground-breaking malware threats; it is more of the usual, such as mass mailers, Perl/PHP command shells, IRC bots and PHP socket flooding tools.
In total, in the 3 weeks ending Sat July 24th, there have been 128 new signatures in 54 classifications, with 65 signatures added in the last 7 days. This brings us to a total of 2,588 (1002 MD5 / 1586 HEX) signatures, an increase of 117 over the last blog post on signature updates. For those paying attention, the discrepancy of -11 between the 128 new signatures and the +117 net change since the last update is because 11 signatures have also been removed for poor performance/false positives.
As always, new signatures are automatically updated daily, or can be manually updated with the -u|--update command line option. The 128 new signatures fall into the following classification groups:
base64.inject.unclassed
exp.linux.unclassed
perl.cmdshell.n0va
perl.ircbot.Arabhack
perl.ircbot.BaMbY
perl.ircbot.devil
perl.ircbot.fx29
perl.ircbot.genol
perl.ircbot.karawan
perl.ircbot.oldwolf
perl.ircbot.plasa
perl.ircbot.putr4XtReme
perl.ircbot.rafflesia
perl.ircbot.UberCracker
perl.md5browser.avi
perl.shell.cgitelnet
php.cmdshell.antichat
php.cmdshell.avi
php.cmdshell.aZRaiL
php.cmdshell.c100
php.cmdshell.DxShell
php.cmdshell.h4ntu
php.cmdshell.hackru
php.cmdshell.KAdot
php.cmdshell.lama
php.cmdshell.Macker
php.cmdshell.mic22
php.cmdshell.myshell
php.cmdshell.NCC
php.cmdshell.r3v3ng4ns
php.cmdshell.r57
php.cmdshell.s72
php.cmdshell.Safe0ver
php.cmdshell.SimShell
php.cmdshell.SRCrew
php.cmdshell.Storm7
php.cmdshell.unclassed
php.cmdshell.winx
php.cmdshell.wls
php.cmdshell.xakep
php.cmdshell.ZaCo
php.cpcrack.Aria
php.exe.globals
php.include.remote
php.ircbot.NewLive
php.mailer.DALLAS
php.mailer.unclassed
php.mailer.YoUngEST
php.nested.base64
php.pktflood.unclassed
php.rshell.0wned
web.malware.unclassed