[Snort-sigs] Sig for Linux Trojan

tom at ...2394...
Thu Apr 15 06:38:28 EDT 2004


snort-sigs at lists.sourceforge.net

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  alert tcp any any -> any any (msg:"Possible trojan executable";
content:"XEgypT"; content:"password:"; content:"GLIBC_";
flow:established; reference:tom,81; classtype:bad-unknown;)

--
Sid:

--
Summary:  Trojans have lately been encrypted with cryptelf.  The default version of cryptelf signs each encrypted binary with the author of the cryptelf program: EgypT.  Additionally, trojans need to be statically linked to work reliably.  The cryptelf program also prompts the user for a password before executing the program.  So we are looking for encrypted executables which are statically linked and calling them suspicious.

--
Impact:

--
Detailed Information:  The cryptelf program also has a distinct piece of code at
the start of the .text portion which prompts the user for a password.

--
Affected Systems:  Linux ELF format executables only.

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:

--
Corrective Action:

--
Contributors:  Tom Currie  tom at ...2395...

--
Additional References:


-------------------------------------------------
Park University http://www.park.edu
Changing the world, one degree at a time.
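As an added example that is not part of the original post or of Snort itself: a small Python checker that parses the submitted rule's content options (also expanding Snort's |hex| notation, which this rule does not use) and applies them to constructed byte payloads, the way one would sanity-check the signature's AND-logic against sample data before deploying it.

```python
import re

# Constructed for this example (not from the post): the three content options
# exactly as the submitted rule lists them.
RULE_OPTIONS = 'content:"XEgypT"; content:"password:"; content:"GLIBC_";'

def parse_contents(options: str) -> list[bytes]:
    """Pull every content:"..." value out of a rule option string.

    Snort writes raw bytes as |hex| sections inside the quotes, e.g.
    content:"|7f|ELF"; this expands them.  Escaped pipes are not handled.
    """
    patterns = []
    for raw in re.findall(r'content:"([^"]*)"', options):
        out = bytearray()
        for i, piece in enumerate(raw.split("|")):
            if i % 2:                        # odd pieces sit between pipes: hex
                out += bytes.fromhex(piece)
            else:                            # even pieces are literal text
                out += piece.encode("latin-1")
        patterns.append(bytes(out))
    return patterns

def content_hits(payload: bytes, patterns: list[bytes]) -> dict[bytes, bool]:
    """Plain content keywords (no distance/within) are each searched
    independently over the whole payload, so each only has to occur somewhere."""
    return {p: (p in payload) for p in patterns}

def is_suspicious(payload: bytes, options: str = RULE_OPTIONS) -> bool:
    """The rule fires only when every content keyword matches (they are ANDed)."""
    return all(content_hits(payload, parse_contents(options)).values())

# Constructed sample payloads, not real binaries: an ELF-looking blob carrying
# all three markers, and a benign statically linked binary that only has GLIBC_.
SAMPLE_HIT = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9
              + b"XEgypT\x00password:\x00" + b"GLIBC_2.2.5\x00")
SAMPLE_MISS = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"GLIBC_2.2.5\x00printf\x00"

if __name__ == "__main__":
    for name, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        hits = content_hits(blob, parse_contents(RULE_OPTIONS))
        print(name, "fires" if all(hits.values()) else "quiet", hits)
```

The per-pattern dictionary from content_hits shows which of the three markers a benign file trips, which is the information needed to fill in the False Positives section above.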