Today I found the time and energy, despite how tedious it was, to go over the last two weeks' worth of malware submissions and the edge IPS data I missed while I was away. This resulted in a total of 126 new signatures (67 MD5 / 59 HEX), which brings LMD to a total of 2,471 signatures (894 MD5 / 1577 HEX). This now also gives the project a unique distinction among anti-virus and malware detection offerings: it is the single largest project, commercial or open source, detecting Linux malware.
To further illustrate the lapse in coverage by other vendors, we can turn to the CYMRU analysis of the MD5 hashes in LMD. As discussed on the LMD home page, CYMRU provides malware data to vendors such as trendmicro, symantec, kaspersky, microsoft, google and more.
KNOWN MALWARE: 301
% AV DETECT (AVG): 57
% AV DETECT (LOW): 58
% AV DETECT (HIGH): 71
UNKNOWN MALWARE: 593
In short, this shows that across all the vendors CYMRU provides data for, only 301 of LMD's 894 MD5 signatures are detected by competing solutions, and of those threats that are detected, on average only 57% of vendors detect each threat. This information really has no other significance than to reinforce the validity of this project and the time I am investing into it, chalk one up for stroking own ego!
New signatures in this update are classified into the following groups. You will notice a lot of command shells in this update, including an interesting addition, a JSP command shell!
base64.inject.unclassed
exp.linux.unclassed
jsp.cmdshell.zerocnbct
perl.cmdshell.n0va
perl.ircbot.Arabhack
perl.ircbot.BaMbY
perl.ircbot.devil
perl.ircbot.genol
perl.ircbot.karawan
perl.ircbot.rafflesia
perl.ircbot.UberCracker
perl.md5browser.avi
php.cmdshell.antichat
php.cmdshell.avi
php.cmdshell.aZRaiL
php.cmdshell.DxShell
php.cmdshell.h4ntu
php.cmdshell.hackru
php.cmdshell.KAdot
php.cmdshell.lama
php.cmdshell.Macker
php.cmdshell.myshell
php.cmdshell.NCC
php.cmdshell.r3v3ng4ns
php.cmdshell.s72
php.cmdshell.Safe0ver
php.cmdshell.SimShell
php.cmdshell.SRCrew
php.cmdshell.unclassed
php.cmdshell.winx
php.cmdshell.wls
php.cmdshell.xakep
php.cmdshell.ZaCo
php.include.remote
php.mailer.DALLAS
php.rshell.0wned