rule Ebury_SSHD_Malware_Linux {
    meta:
        description = "Ebury Malware"
        author = "Florian Roth"
        hash = "4a332ea231df95ba813a5914660979a2"
    strings:
        $s0 = "keyctl_set_reqkey_keyring" fullword
        $s1 = "recursive_session_key_scan" fullword
        $s2 = "keyctl_session_to_parent" fullword
        $s3 = "keyctl_assume_authority" fullword
        $s4 = "keyctl_get_security_alloc" fullword
        $s5 = "keyctl_instantiate_iov" fullword
        $s6 = "keyutils_version_string" fullword
        $s7 = "keyctl_join_session_keyring" fullword
        $a1 = "%[^;];%d;%d;%x;"
    condition:
        all of them
}
If you do not want to use Yara, you can fall back on this workaround.
find /lib -type f -size -50k -exec strings -f {} \; | grep '%\[^;\];%d;%d;%x;'
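The one-liner only greps for the format string, while the Yara rule also requires every keyctl symbol name as a fullword match. The following Python script re-implements the rule's matching logic for hosts without Yara; it is an added example, not code from the page's author or from CERT-Bund, and the sample files it scans are constructed stand-ins, not real Ebury samples.

```python
"""Re-implementation of the Ebury_SSHD_Malware_Linux Yara rule in plain Python.
Added example; the sample buffers below are constructed, not real malware."""
import re
import tempfile
from pathlib import Path

# $s0..$s7 from the rule. In Yara, "fullword" means the string must not be
# immediately preceded or followed by an alphanumeric character.
FULLWORD_STRINGS = [
    b"keyctl_set_reqkey_keyring", b"recursive_session_key_scan",
    b"keyctl_session_to_parent", b"keyctl_assume_authority",
    b"keyctl_get_security_alloc", b"keyctl_instantiate_iov",
    b"keyutils_version_string", b"keyctl_join_session_keyring",
]
FORMAT_STRING = b"%[^;];%d;%d;%x;"  # $a1, no fullword modifier

_FULLWORD_PATTERNS = [
    re.compile(rb"(?<![0-9A-Za-z])" + re.escape(s) + rb"(?![0-9A-Za-z])")
    for s in FULLWORD_STRINGS
]


def matches_workaround(data: bytes) -> bool:
    """What the find/strings/grep one-liner checks: only the format string."""
    return FORMAT_STRING in data


def matches_ebury_rule(data: bytes) -> bool:
    """The full rule condition "all of them", including fullword semantics."""
    if FORMAT_STRING not in data:
        return False
    return all(p.search(data) for p in _FULLWORD_PATTERNS)


def scan_directory(root: str, max_size: int = 50 * 1024) -> list:
    """Walk root like the one-liner (regular files under ~50 KiB) and return
    the paths of files that satisfy the rule."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file() or path.stat().st_size >= max_size:
                continue
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if matches_ebury_rule(data):
            hits.append(str(path))
    return sorted(hits)


def scan_sample_tree() -> list:
    """Constructed demo tree: one file with all strings (hit) and one that only
    contains the format string plus a glued-on symbol name (workaround-only hit)."""
    root = Path(tempfile.mkdtemp())
    (root / "libfake_hit.so").write_bytes(b"\x00".join(FULLWORD_STRINGS) + b"\x00" + FORMAT_STRING)
    (root / "libfake_miss.so").write_bytes(b"x" + FULLWORD_STRINGS[0] + b"\x00" + FORMAT_STRING)
    return [Path(p).name for p in scan_directory(str(root))]
```

Run `scan_directory("/lib")` for the same coverage as the one-liner, but with the complete rule condition applied.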
Further information on detecting Ebury: CERT Bund.