rule Trojan_Linux_CVE-2012-0056_A_MTB {
    // Microsoft Defender signature export (ELF host-string type, per the
    // SIGNATURE_TYPE_ELFHSTR_EXT tag in the description). The hex byte
    // sequences of the original export are written below as the ASCII text
    // they encode; the match semantics are unchanged (exact, case-sensitive).
    meta:
        description = "Trojan:Linux/CVE-2012-0056.A!MTB,SIGNATURE_TYPE_ELFHSTR_EXT,05 00 05 00 04 00 00 "

    strings:
        // The weight each string carries in the condition is given after it.
        $sockpuppet_path = "/tmp/.sockpuppet"                                 // weight 2
        $exit_plt_manual = "Specify the exit@plt function address manually"   // weight 1
        $exit_plt_grep   = "grep 'exit@plt'"                                  // weight 1
        $parent_fd_wait  = "Waiting for transferred fd in parent"             // weight 1

    condition:
        // Weighted sum must reach 5 (= 2 + 1 + 1 + 1), so every string has to
        // contribute. `& 1` takes the parity of the match count, as in the
        // original export: a string seen an even number of times scores 0.
        (#sockpuppet_path & 1) * 2 +
        (#exit_plt_manual & 1) * 1 +
        (#exit_plt_grep   & 1) * 1 +
        (#parent_fd_wait  & 1) * 1 >= 5
}