ClamWin Free Antivirus Support and Discussion Forums
Signatures For Chinese Iron Tiger Group Linux Malware
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Below are some HDB and MDB signatures for the Chinese Iron Tiger APT group’s Linux version of their cyber espionage malware tool. There are probably no computers using ClamWin that would be infected with it, but who knows. Clam AV doesn’t have any signatures for it, and it is supposed to protect Linux email servers.

Copy mdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.mdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.mdb and nothing else.

Copy hdb signatures to a new Notepad or similar text writer file and save it in the ClamWin database folder as a file named Sigfile.hdb, with a file type of “All Files”. Do not save the file as a text file. The file name should be Sigfile.hdb and nothing else.

For multiple signatures, put each signature on a separate line in a Notepad or similar file. Put mdb and hdb signatures in separate files. You can add multiple signatures to the top of an existing mdb or hdb signature file. Copy the signatures, add one blank line to the top of the file and paste the signatures there—any additional lines needed will be added. Do not add signatures to the bottom of existing hdb and mdb signature files or you will get a ClamWin scanning error. Delete any blank lines between signatures in a file before saving the file.

After you save a signature file (.hdb, .mdb or .yar) in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only those signatures that you just posted to an existing mdb or hdb file and re-save it after first removing any blank lines in the signature file. For multiple signature files, run a scan after you save each file to help you locate a file that could cause a scan error.

After 4 weeks, the malware will probably be updated, so you can delete mdb and hdb signatures then. The date (USA) and time (24 hr) are the last two items in each mdb and hdb signature. Yara signatures can be kept permanently if they are not for a specific malware—keep nonspecific sigs for two or three months.

Thanks to Trend Micro by way of Bleeping Computer!

HDB Signatures
35a03722fc3938763495cbe893febe8d:82528:Linux.Trojan.Agent-030123.1951
a4f702e862fff5b71cb0941f39843437:175688:Linux.Trojan.LuckyMouse-030123.1953
6fdae1ac4cd875ad05f72dca3f51ac6c:72240:Linux.Trojan.LuckyMouse-030123.1955
67e692af4eb50b7c095e0294cba31a18:289860:Linux.Trojan.Spy-030123.2002
4438db676a7bf532e1c1c6ee11bb6690:289685:Linux.Trojan.Spy-030123.2004
ba9879386b6809a5040cc4e80261de55:549216:Linux.Trojan.Spy-030123.2006

MDB Signatures
41984:0b55554748417bb2db50fdb0f9799591:Linux.Trojan.LuckyMouse-030123.1958
19456:4c17cec20da52f38704dca7128571d35:Linux.Trojan.LuckyMouse-030123.2001
440832:d9562d856343a2f61a60bd22c7563aad:Linux.Trojan.Spy-030123.2009
440832:7fbd1e561b224d5223dcdb989b59bc6a:Linux.Trojan.Spy-030123.2011
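As an added example (not code from the post or from the ClamAV/ClamWin projects), below is a small Python script that checks a Sigfile.hdb or Sigfile.mdb for the formatting problems the instructions above warn about (wrong number of colon-separated fields, a hash that is not 32 hex digits, blank lines) before the file goes into the ClamWin database folder, builds a whole-file .hdb line from the bytes of a sample, and merges new signatures in at the top of an existing file body without leaving blank lines. The field layouts are the documented ClamAV ones (.hdb is MD5:FileSize:MalwareName, .mdb is PESectionSize:MD5:MalwareName); the sample inputs embedded in the script are two HDB lines and one MDB line taken from this post plus a constructed bad file, and the file names Sigfile.hdb/Sigfile.mdb and the dated MalwareName suffix are the poster's own conventions, treated here as opaque strings.

```python
"""Validator and helper for ClamAV hash signature files (.hdb / .mdb).

Added example; not code from the forum post or from the ClamAV/ClamWin projects.
Field layouts follow the ClamAV signature documentation:
  .hdb  MD5:FileSize:MalwareName         (MD5 of the whole file)
  .mdb  PESectionSize:MD5:MalwareName    (MD5 of one PE section)
Only the plain numeric size form used in the post is accepted; the wildcard
size that newer ClamAV versions allow is deliberately rejected here.
"""
import hashlib
import re
import sys

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def _check_fields(hash_field, size_field, name):
    """Shared field checks for both formats; raise ValueError on a problem."""
    if not HEX32.match(hash_field):
        raise ValueError(f"hash field {hash_field!r} is not 32 hex digits")
    if not size_field.isdigit():
        raise ValueError(f"size field {size_field!r} is not a decimal number")
    if not name or any(c.isspace() for c in name):
        raise ValueError(f"malware name {name!r} is empty or contains whitespace")


def parse_hdb_line(line):
    """Return (md5, size, name) for one .hdb line, or raise ValueError."""
    parts = line.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected 3 colon-separated fields, found {len(parts)}")
    md5, size, name = parts
    _check_fields(md5, size, name)
    return md5.lower(), int(size), name


def parse_mdb_line(line):
    """Return (section_size, md5, name) for one .mdb line, or raise ValueError."""
    parts = line.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected 3 colon-separated fields, found {len(parts)}")
    size, md5, name = parts
    _check_fields(md5, size, name)
    return int(size), md5.lower(), name


PARSERS = {"hdb": parse_hdb_line, "mdb": parse_mdb_line}


def validate_sigfile(text, kind):
    """Return a list of 'line N: problem' strings; an empty list means clean.

    A blank line is reported as an error because it is the cause of the
    scan error the post warns about."""
    errors = []
    parser = PARSERS[kind]
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            errors.append(f"line {lineno}: blank line")
            continue
        try:
            parser(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return errors


def hdb_signature(data, name):
    """Build a whole-file .hdb line (MD5:size:name) from the bytes of a sample."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def prepend_signatures(existing_text, new_lines):
    """Put new signatures at the top of an existing file body, dropping blank
    lines and exact duplicates so the merged file loads cleanly."""
    seen = set()
    merged = []
    for line in list(new_lines) + existing_text.splitlines():
        line = line.strip()
        if line and line not in seen:
            seen.add(line)
            merged.append(line)
    return "\n".join(merged) + "\n"


# Constructed sample inputs: the .hdb and .mdb lines below are copied from the
# post; the "bad" file is made up to show the two failure modes (the colon
# between hash and size dropped, and a blank line between signatures).
SAMPLE_HDB = (
    "35a03722fc3938763495cbe893febe8d:82528:Linux.Trojan.Agent-030123.1951\n"
    "a4f702e862fff5b71cb0941f39843437:175688:Linux.Trojan.LuckyMouse-030123.1953\n"
)
SAMPLE_MDB = "41984:0b55554748417bb2db50fdb0f9799591:Linux.Trojan.LuckyMouse-030123.1958\n"
SAMPLE_HDB_BAD = (
    "d41d8cd98f00b204e9800998ecf8427e0:Test.DroppedColon\n"
    "\n"
    "900150983cd24fb0d6963f7d28e17f72:3:Test.Ok\n"
)

if __name__ == "__main__":
    # Usage: python sigcheck.py Sigfile.hdb   (the kind is taken from the extension)
    if len(sys.argv) == 2:
        path = sys.argv[1]
        kind = path.rsplit(".", 1)[-1].lower()
        with open(path, encoding="utf-8") as fh:
            problems = validate_sigfile(fh.read(), kind)
        print("\n".join(problems) or f"{path}: OK")
        sys.exit(1 if problems else 0)
    for kind, text in (("hdb", SAMPLE_HDB), ("mdb", SAMPLE_MDB), ("hdb", SAMPLE_HDB_BAD)):
        print(kind, validate_sigfile(text, kind) or "OK")
    print(hdb_signature(b"abc", "Test.Sample"))
```

Run it with no arguments to see the embedded samples checked (the bad file reports two problems), or pass the path of a Sigfile.hdb or Sigfile.mdb to check it before running the ClamWin scan the post recommends. Checking the field count and hex hash up front catches a dropped colon or a truncated hash, the kind of copy-and-paste damage that otherwise only shows up as a database load error.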