Actor(s): Winnti Umbrella
There is no description at this point.
rule elf_winnti_w0 {
    meta:
        desc = "Detection of Linux variant of Winnti (main backdoor)"
        author = "Silas Cutler (havex [@], Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23"
        malpedia_reference = ""
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $uuid_lookup = "/usr/sbin/dmidecode | grep -i 'UUID' |cut -d' ' -f2 2>/dev/null"
        $dbg_msg = "[advNetSrv] can not create a PF_INET socket"
        $rtti_name1 = "CNetBase"
        $rtti_name2 = "CMyEngineNetEvent"
        $rtti_name3 = "CBufferCache"
        $rtti_name4 = "CSocks5Base"
        $rtti_name5 = "CDataEngine"
        $rtti_name6 = "CSocks5Mgr"
        $rtti_name7 = "CRemoteMsg"
    condition:
        ($dbg_msg and 1 of ($rtti*)) or
        (5 of ($rtti*)) or
        ($uuid_lookup and 2 of ($rtti*))
}

rule elf_winnti_w1 {
    meta:
        desc = "Detection of Linux variant of Winnti (azazel_fork)"
        author = "Silas Cutler (havex [@], Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a"
        malpedia_reference = ""
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $config_decr = {
            48 89 45 F0 C7 45 EC 08 01 00 00 C7 45 FC 28 00
            00 00 EB 31 8B 45 FC 48 63 D0 48 8B 45 F0 48 01
            C2 8B 45 FC 48 63 C8 48 8B 45 F0 48 01 C8 0F B6
            00 89 C1 8B 45 F8 89 C6 8B 45 FC 01 F0 31 C8 88
            02 83 45 FC 01
        }
        $export1 = "our_sockets"
        $export2 = "get_our_pids"
    condition:
        all of them
}