Top 5 Malware Signatures – Week 27-28

We keep fighting malware! Over the past weeks we added hundreds of malware signatures to the database; below you can find the Top 5 from the past two weeks. Don’t forget that you can create your own malware signatures too! We have found that this crowdsourcing method across several thousand servers works fantastically in our IP reputation system, so let’s keep making the internet a safer place together! Thanks to your contributions we already have more than 15 000 malware signatures in our database.

#5 PHP Backdoor Hexa Botnet Variant 2

Possible variant of the Hexa Botnet. It uses a different hex string (high nibble first) than Variants 0 and 1.

Source code:

#4 PHP Backdoor Eval Obfuscated Are You Ok

The malware downloads the source code to be executed from domainnamespace.top/lf.txt; the script also checks this file and updates itself from it, so the backdoor owner can change its behaviour by changing the file. At the time the SA signature was created, this source contained a complete hacker toolset. Access is protected with a password for the hacker.

Source code:

#3 PHP Backdoor Eval Obfuscated Agent Webshell

A simple backdoor. It gets the command via COOKIE. If the message is e, it runs the base64-encoded code with eval. If the message is i, it returns the phpinfo() output. The script is obfuscated with gzinflate and base64_encode. On VirusTotal it goes by the name Trojan.Agent.
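Added example, not BitNinja's signature and not the malware's source: a static check for the gzinflate/base64 wrapping described above, which inflates each layer without executing anything and reports the traits the description names. The function names, the trait list, the size cap and the harmless sample built by `make_sample` are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# The wrapper shape described above: gzinflate(base64_decode('...')), usually inside eval().
LAYER = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE)
# Traits taken from the description: cookie-supplied command, eval, phpinfo().
TRAITS = {
    "cookie_input": re.compile(r"\$_COOKIE\b"),
    "eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    "phpinfo": re.compile(r"\bphpinfo\s*\(", re.IGNORECASE),
}
MAX_OUT = 1 << 20  # cap on inflated bytes per layer (guards against decompression bombs)

def inflate(b64_text):
    """Static equivalent of PHP gzinflate(base64_decode(x)); nothing is executed."""
    raw = base64.b64decode(b64_text)
    out = zlib.decompressobj(-15).decompress(raw, MAX_OUT)  # -15 selects raw DEFLATE
    return out.decode("utf-8", errors="replace")

def unwrap(source, max_layers=10):
    """Return every layer, outermost first, peeling gzinflate/base64 wrappers."""
    layers = [source]
    while len(layers) <= max_layers:
        m = LAYER.search(layers[-1])
        if not m:
            break
        try:
            layers.append(inflate(m.group(2)))
        except (ValueError, zlib.error):
            break  # not valid base64 or DEFLATE: keep the layers recovered so far
    return layers

def scan(source):
    """Report wrapper depth, traits seen in any layer, and the innermost text."""
    layers = unwrap(source)
    found = sorted(k for k, rx in TRAITS.items() if any(rx.search(l) for l in layers))
    return {"wrapped_layers": len(layers) - 1, "traits": found, "inner": layers[-1]}

def make_sample(php, depth=2):
    """Constructed test input: wrap harmless PHP text in the described layering."""
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        blob = base64.b64encode(c.compress(php.encode()) + c.flush()).decode()
        php = "eval(gzinflate(base64_decode('%s')));" % blob
    return php
```

The traits are heuristics for triage: a hit means the file deserves manual review of the recovered inner layer, not that it is this exact backdoor.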

Source code:

#2 PHP Backdoor Hexa Botnet Variant 0

It is a possible variant of the Hexa botnet that uses a hex string (high nibble first). The backdoor’s file name is always 8 random characters, and the content is heavily obfuscated.

Source code:

#1 PHP Backdoor Hexa Botnet Variant 1

It is a possible variant of the Hexa botnet. It uses a different hex string (high nibble first) than Variant 0.

Source code:

If you haven’t tried BitNinja yet, don’t forget to register for the 7-day free trial! No credit card needed!


For our subscribers we also provide valuable information about malware and the most recent news from the cybersecurity world.