20 lines
993 B
Plaintext
20 lines
993 B
Plaintext
|
|
rule Backdoor_Linux_Kitmos_A{
|
|
meta:
|
|
description = "Backdoor:Linux/Kitmos.A,SIGNATURE_TYPE_MACHOHSTR_EXT,10 00 10 00 09 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {2f 75 73 72 2f 73 62 69 6e 2f 73 63 72 65 65 6e 63 61 70 74 75 72 65 } //02 00 /usr/sbin/screencapture
|
|
$a_01_1 = {2f 62 69 6e 2f 73 68 } //02 00 /bin/sh
|
|
$a_01_2 = {2f 75 73 72 2f 62 69 6e 2f 63 75 72 6c } //02 00 /usr/bin/curl
|
|
$a_01_3 = {58 2d 41 53 49 48 54 54 50 52 65 71 75 65 73 74 2d 45 78 70 69 72 65 73 } //02 00 X-ASIHTTPRequest-Expires
|
|
$a_01_4 = {6d 5f 46 6f 6c 64 65 72 4c 69 73 74 } //02 00 m_FolderList
|
|
$a_01_5 = {6d 5f 7a 69 70 55 70 6c 6f 61 64 } //02 00 m_zipUpload
|
|
$a_01_6 = {6d 5f 43 6f 6d 70 75 74 65 72 4e 61 6d 65 5f 55 73 65 72 4e 61 6d 65 } //02 00 m_ComputerName_UserName
|
|
$a_01_7 = {6d 5f 75 70 6c 6f 61 64 55 52 4c } //02 00 m_uploadURL
|
|
$a_01_8 = {2f 6c 61 6e 67 2e 70 68 70 } //00 00 /lang.php
|
|
$a_00_9 = {5d 04 00 00 5d 05 03 80 5c 28 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |