[Snort-sigs] Sig for Linux Trojan

tom at ...2394...
Thu Apr 15 06:38:28 EDT 2004

snort-sigs at lists.sourceforge.net

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  alert tcp any any -> any any (msg:"Possible trojan executable"; \
       content:"XEgypT"; content:"password:"; content:"GLIBC_"; \
       flow:established; reference:tom,81; classtype:bad-unknown;)


Summary:  Trojans have lately been encrypted with cryptelf.  The default version
of cryptelf signs each encrypted binary with the author of the cryptelf program:
EgypT.  Trojans need to be statically linked to work reliably.  The cryptelf
program also prompts the user for a password before executing the program.  So
we are looking for executables which are statically linked and calling them
suspicious.


Detailed Information:  The cryptelf program also has a distinct piece of code at
the start of the .text portion which prompts the user for a password.

Affected Systems:  Linux ELF format executables only.

Attack Scenarios:

Ease of Attack:

False Positives:

False Negatives:

Corrective Action:

Contributors:  Tom Currie  tom at ...2395...

Additional References:

Park University http://www.park.edu
Changing the world, one degree at a time.
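The three content: options in the rule above are ANDed by Snort and, with no distance/within modifiers, may appear at any offset and in any order. The following Python is an added example (not from the post or the Snort project) that decodes Snort content strings (including |hex| blocks and backslash escapes) and evaluates the rule's content conditions over two constructed payloads: one carrying the cryptelf markers and one ordinary static binary that contains "password:" and "GLIBC_" but not "XEgypT". The flow:established condition is stream state and is not modelled here.

```python
"""Evaluate the content: options of a Snort rule against raw payloads.

Added example; not code from the snort-sigs post or from Snort itself.
Only the content: matches are modelled; flow:established is a stream-state
condition that a per-payload check cannot reproduce.
"""
import re

# The rule from the post, joined onto one line.
RULE = ('alert tcp any any -> any any (msg:"Possible trojan executable"; '
        'content:"XEgypT"; content:"password:"; content:"GLIBC_"; '
        'flow:established; reference:tom,81; classtype:bad-unknown;)')

# content:"..." with an optional leading ! for negated matches.
_CONTENT_RE = re.compile(r'content:\s*(!?)"((?:[^"\\]|\\.)*)"')

def decode_content(text):
    """Turn a Snort content string into bytes: |7f 45| hex blocks and the
    backslash escapes (\\" \\; \\| \\\\) allowed inside quoted content."""
    out = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == '|':                      # hex block up to the closing |
            end = text.index('|', i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        elif c == '\\':                   # escaped literal character
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

def rule_contents(rule):
    """Return [(negated, needle_bytes), ...] for every content: option."""
    return [(neg == '!', decode_content(body))
            for neg, body in _CONTENT_RE.findall(rule)]

def payload_matches(rule, payload):
    """Snort ANDs content options; each needle must be present (or absent,
    when negated) somewhere in the payload, in any order."""
    return all((needle not in payload) if neg else (needle in payload)
               for neg, needle in rule_contents(rule))

# Constructed sample payloads (not real binaries, just the marker strings).
CRYPTELF_LIKE = b'\x7fELF' + b'\x00' * 8 + b'XEgypT\x00password:\x00GLIBC_2.0\x00'
STATIC_BINARY = b'\x7fELF' + b'\x00' * 8 + b'Enter password:\x00GLIBC_2.2.5\x00'

if __name__ == '__main__':
    for name, data in (('cryptelf-like', CRYPTELF_LIKE), ('static-binary', STATIC_BINARY)):
        print(name, 'alert' if payload_matches(RULE, data) else 'no alert')
```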
