bdvl
is another LD_PRELOAD rootkit. This rule matched on a few samples I had available.
rule bdvl
{
    meta:
        description = "bdvl LD_PRELOAD rootkit"
    strings:
        $s1 = "Canadians are weird"
        $s2 = "ICMP backdoor up."
        $s3 = "It seems something may have went wrong installing..."
        $s4 = "Unable to evaluate total size of stolen stuff..."
        $s5 = "bdvlsuperreallygay"
        $s6 = "You're now totally visible. 'exit' when you want to return to being hidden."
    condition:
        uint32(0) == 0x464c457f
        and any of them
}
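To make the rule's condition concrete, here is an added Python example (not from the original post, and not a YARA engine) that re-implements its two checks by hand: `uint32(0)` is a little-endian 32-bit read, so `0x464c457f` is the ELF magic `\x7fELF`, and `any of them` is satisfied by at least one of the listed strings. The sample buffers are constructed for illustration, not real bdvl binaries; the function and file names are assumptions for this example.

```python
import struct
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Marker strings copied from the bdvl rule above, as raw bytes.
# YARA text strings are case-sensitive ASCII unless given a modifier.
BDVL_STRINGS: List[bytes] = [
    b"Canadians are weird",
    b"ICMP backdoor up.",
    b"It seems something may have went wrong installing...",
    b"Unable to evaluate total size of stolen stuff...",
    b"bdvlsuperreallygay",
    b"You're now totally visible. 'exit' when you want to return to being hidden.",
]

# YARA evaluates uint32(0) little-endian, so 0x464c457f is the byte
# sequence 7f 45 4c 46, i.e. the ELF header magic b"\x7fELF".
ELF_MAGIC = 0x464C457F


def uint32_le(data: bytes, offset: int = 0) -> Optional[int]:
    """Mimic YARA's uint32(offset): little-endian read, None if the buffer is too short
    (YARA treats an out-of-bounds read as undefined, which makes the comparison false)."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def matches_bdvl(data: bytes) -> List[str]:
    """Return the identifiers of the rule strings present in `data`, or [] when the
    rule does not match. Mirrors the condition: ELF magic AND any of the strings."""
    if uint32_le(data, 0) != ELF_MAGIC:
        # Not an ELF file (or too short): the rule cannot match regardless of strings.
        return []
    return [f"$s{i}" for i, s in enumerate(BDVL_STRINGS, start=1) if s in data]


def scan_files(paths: Iterable[Path]) -> Dict[str, List[str]]:
    """Apply the check to each path and return only the files that matched."""
    results: Dict[str, List[str]] = {}
    for path in paths:
        try:
            hits = matches_bdvl(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample buffers (hypothetical, not real malware):
#   fake_bdvl.so - ELF magic plus one marker string  -> should match on $s2
#   clean.so     - ELF magic, no marker strings       -> no match
#   notes.txt    - marker string but no ELF magic     -> no match (magic check fails)
SAMPLES: Dict[str, bytes] = {
    "fake_bdvl.so": b"\x7fELF" + b"\x00" * 60 + b"ICMP backdoor up." + b"\x00" * 8,
    "clean.so": b"\x7fELF" + b"\x00" * 64,
    "notes.txt": b"The log said: ICMP backdoor up.\n",
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the rule logic over the constructed in-memory samples."""
    return {name: matches_bdvl(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {'MATCH ' + ', '.join(hits) if hits else 'no match'}")
```

The text file case is the one worth noting: a copy of a marker string in a log or a shell history does not trigger this rule, because the ELF magic check fails first. That is by design, so the rule points at the rootkit's shared object rather than every file that happens to mention it; `scan_files` can be pointed at, for example, the paths listed in `/etc/ld.so.preload` on a suspect host.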