Detecting Linux/Cdorked.A with Halo

According to a very detailed ESET blog post, the Linux/Cdorked.A Apache webserver backdoor variant is one of the most sophisticated that they have encountered. Difficult to detect, Linux/Cdorked.A was designed to drive traffic to malicious websites. "All of the information related to the backdoor is stored in shared memory," according to ESET. "The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system."

The backdoor leaves no traces on the hard drive of a compromised host other than its modified httpd binary. This is where CloudPassage Halo's File Integrity Monitoring (FIM) capabilities help ensure that critical system binaries, among other files, remain unchanged and in full working order. Should any person or entity change your web server binary or its associated configuration files, or modify file metadata, Halo will automatically report the change because the file no longer matches the approved and expected baseline.

[Image: FIM Alert cdorked]

If for some reason you do not have an up-to-date baseline of your system, or you suspect that your only baselines already include the malicious file in question, you may find value in using VicRail.

The script, named in honor of Victory ('Vic') Rail, who died of the first known reported case of the Hendra virus, makes it easy to send the cryptographic checksum of a suspected compromised file to Virus Total, Shadowserver, and Team Cymru for comparison with other reported cases of known malware.

VicRail can be downloaded from the CloudPassage GitHub page at https://github.com/cloudpassage/VicRail. To use the tool, the uirusu Ruby gem is required, and you also need a free public API key from virustotal.com that allows you to compare the hash values of your suspect files against the Virus Total database.

Usage

# ruby vicrail.rb /path/to/file1 /path/to/file2 /path/to/file3 ... /path/to/file234

e.g.

$ ruby vicrail.rb apache2 eicar.com
==== VirusTotal - www.virustotal.com ====
apache2 - sha1
Hash identified in the database...
91e70da15f5d08793d2ab8258eece06331232959: Scanner: TotalDefense Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: MicroWorld-eScan Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: nProtect Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: CAT-QuickHeal Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: McAfee Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Malwarebytes Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: K7AntiVirus Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: K7GW Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: TheHacker Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: NANO-Antivirus Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: F-Prot Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Symantec Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Norman Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: ByteHero Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: TrendMicro-HouseCall Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Avast Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: eSafe Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: ClamAV Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Kaspersky Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: BitDefender Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Agnitum Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: ViRobot Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Sophos Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Comodo Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: F-Secure Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: DrWeb Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: VIPRE Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: AntiVir Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: TrendMicro Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: McAfee-GW-Edition Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Emsisoft Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Jiangmin Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Antiy-AVL Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Kingsoft Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Microsoft Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: SUPERAntiSpyware Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: GData Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Commtouch Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: AhnLab-V3 Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: VBA32 Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: PCTools Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: ESET-NOD32 Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Ikarus Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Fortinet Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: AVG Result: Nothing detected
91e70da15f5d08793d2ab8258eece06331232959: Scanner: Panda Result: Nothing detected

eicar.com - sha1
Hash identified in the database...
3395856ce81f2b7382dee72602f798b642f14140: Scanner: TotalDefense Result: the EICAR test string
3395856ce81f2b7382dee72602f798b642f14140: Scanner: MicroWorld-eScan Result: EICAR-Test-File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: nProtect Result: EICAR-Test-File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: CAT-QuickHeal Result: EICAR Test File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: McAfee Result: EICAR test file
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Malwarebytes Result: Nothing detected
3395856ce81f2b7382dee72602f798b642f14140: Scanner: K7AntiVirus Result: EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: K7GW Result: EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: TheHacker Result: EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: NANO-Antivirus Result: Marker.Dos.EICAR-Test-File.dyb
3395856ce81f2b7382dee72602f798b642f14140: Scanner: F-Prot Result: EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Symantec Result: EICAR Test String
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Norman Result: EICAR_Test_file_not_a_virus!
3395856ce81f2b7382dee72602f798b642f14140: Scanner: ByteHero Result: Nothing detected
3395856ce81f2b7382dee72602f798b642f14140: Scanner: TrendMicro-HouseCall Result: Eicar_test_file
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Avast Result: EICAR Test-NOT virus!!!
3395856ce81f2b7382dee72602f798b642f14140: Scanner: eSafe Result: EICAR Test File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: ClamAV Result: Eicar-Test-Signature
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Kaspersky Result: EICAR-Test-File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: BitDefender Result: EICAR-Test-File (not a virus)
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Agnitum Result: EICAR_test_file
3395856ce81f2b7382dee72602f798b642f14140: Scanner: ViRobot Result: EICAR-test
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Sophos Result: EICAR-AV-Test
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Comodo Result: Application.EICAR-Test-File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: F-Secure Result: EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: DrWeb Result: EICAR Test File (NOT a Virus!)
3395856ce81f2b7382dee72602f798b642f14140: Scanner: VIPRE Result: EICAR (v)
3395856ce81f2b7382dee72602f798b642f14140: Scanner: AntiVir Result: Eicar-Test-Signature
3395856ce81f2b7382dee72602f798b642f14140: Scanner: TrendMicro Result: Eicar_test_file
3395856ce81f2b7382dee72602f798b642f14140: Scanner: McAfee-GW-Edition Result: EICAR test file
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Emsisoft Result: EICAR-Test-File (not a virus) (B)
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Jiangmin Result: EICAR-Test-File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Antiy-AVL Result: AVTEST/EICAR.ETF
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Kingsoft Result: Test.eicar.aa
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Microsoft Result: Virus:DOS/EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: SUPERAntiSpyware Result: NotAThreat.EICAR[TestFile]
3395856ce81f2b7382dee72602f798b642f14140: Scanner: GData Result: EICAR-Test-File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Commtouch Result: EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: AhnLab-V3 Result: EICAR_Test_File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: VBA32 Result: EICAR-Test-File
3395856ce81f2b7382dee72602f798b642f14140: Scanner: PCTools Result: Virus.DOS.EICAR_test_file
3395856ce81f2b7382dee72602f798b642f14140: Scanner: ESET-NOD32 Result: Eicar test file
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Ikarus Result: EICAR-ANTIVIRUS-TESTFILE
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Fortinet Result: EICAR_TEST_FILE
3395856ce81f2b7382dee72602f798b642f14140: Scanner: AVG Result: EICAR_Test
3395856ce81f2b7382dee72602f798b642f14140: Scanner: Panda Result: EICAR-AV-TEST-FILE

apache2 - sha256
Hash identified in the database...
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: TotalDefense Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: MicroWorld-eScan Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: nProtect Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: CAT-QuickHeal Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: McAfee Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Malwarebytes Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: K7AntiVirus Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: K7GW Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: TheHacker Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: NANO-Antivirus Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: F-Prot Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Symantec Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Norman Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: ByteHero Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: TrendMicro-HouseCall Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Avast Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: eSafe Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: ClamAV Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Kaspersky Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: BitDefender Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Agnitum Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: ViRobot Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Sophos Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Comodo Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: F-Secure Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: DrWeb Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: VIPRE Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: AntiVir Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: TrendMicro Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: McAfee-GW-Edition Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Emsisoft Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Jiangmin Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Antiy-AVL Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Kingsoft Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Microsoft Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: SUPERAntiSpyware Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: GData Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Commtouch Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: AhnLab-V3 Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: VBA32 Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: PCTools Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: ESET-NOD32 Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Ikarus Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Fortinet Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: AVG Result: Nothing detected
e8d08e7a00b0b3d635f8bb75a542a9daa873008d99f2aa377ec301dd48a71e1f: Scanner: Panda Result: Nothing detected

eicar.com - sha256
Hash identified in the database...
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: TotalDefense Result: the EICAR test string
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: MicroWorld-eScan Result: EICAR-Test-File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: nProtect Result: EICAR-Test-File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: CAT-QuickHeal Result: EICAR Test File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: McAfee Result: EICAR test file
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Malwarebytes Result: Nothing detected
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: K7AntiVirus Result: EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: K7GW Result: EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: TheHacker Result: EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: NANO-Antivirus Result: Marker.Dos.EICAR-Test-File.dyb
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: F-Prot Result: EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Symantec Result: EICAR Test String
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Norman Result: EICAR_Test_file_not_a_virus!
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: ByteHero Result: Nothing detected
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: TrendMicro-HouseCall Result: Eicar_test_file
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Avast Result: EICAR Test-NOT virus!!!
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: eSafe Result: EICAR Test File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: ClamAV Result: Eicar-Test-Signature
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Kaspersky Result: EICAR-Test-File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: BitDefender Result: EICAR-Test-File (not a virus)
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Agnitum Result: EICAR_test_file
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: ViRobot Result: EICAR-test
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Sophos Result: EICAR-AV-Test
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Comodo Result: Application.EICAR-Test-File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: F-Secure Result: EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: DrWeb Result: EICAR Test File (NOT a Virus!)
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: VIPRE Result: EICAR (v)
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: AntiVir Result: Eicar-Test-Signature
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: TrendMicro Result: Eicar_test_file
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: McAfee-GW-Edition Result: EICAR test file
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Emsisoft Result: EICAR-Test-File (not a virus) (B)
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Jiangmin Result: EICAR-Test-File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Antiy-AVL Result: AVTEST/EICAR.ETF
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Kingsoft Result: Test.eicar.aa
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Microsoft Result: Virus:DOS/EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: SUPERAntiSpyware Result: NotAThreat.EICAR[TestFile]
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: GData Result: EICAR-Test-File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Commtouch Result: EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: AhnLab-V3 Result: EICAR_Test_File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: VBA32 Result: EICAR-Test-File
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: PCTools Result: Virus.DOS.EICAR_test_file
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: ESET-NOD32 Result: Eicar test file
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Ikarus Result: EICAR-ANTIVIRUS-TESTFILE
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Fortinet Result: EICAR_TEST_FILE
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: AVG Result: EICAR_Test
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f: Scanner: Panda Result: EICAR-AV-TEST-FILE

==== Shadowserver - http://bin-test.shadowserver.org/ ====
apache2 - sha1
The hash was not found in the database...

eicar.com - sha1
Hash identified in the database...
3395856ce81f2b7382dee72602f798b642f14140 {"source": "NIST", "filename": "eicar.com.txt", "crc32": "6851CF3C", "product_name": "Linux Format", "mfg_name": "Linux Format", "os_name": "Linux", "language": "English", "source_version": "$version", "product_version": "April 2005", "os_version": "Generic", "application_type": "Software", "filesize": "68", "os_mfg": "Linux"}

==== Team Cymru Malware Hash Registry - http://www.team-cymru.org/Services/MHR/ ====
apache2 - sha1
The hash was not found in the database...

eicar.com - sha1
Hash identified in the database...
3395856ce81f2b7382dee72602f798b642f14140 1259633424 83
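The core of the workflow above is: hash the suspect file, look the hash up in the registries, and decide what the combined answers mean. The following Ruby is an added example written for this post, not VicRail's own code: it computes the SHA-1/SHA-256 that VicRail submits, parses the Shadowserver bin-test and Team Cymru MHR answer lines in the formats visible in the output above (the bare-hash "not found" form and the NO_DATA form are assumptions), and produces a triage verdict. The sample responses are constructed from the EICAR and apache2 hashes shown on this page; the Virus Total lookup, which needs an API key, is left out.

```ruby
require 'digest'
require 'json'

# Constructed sample responses, modelled on the Cymru and Shadowserver output
# shown above (the EICAR and apache2 hashes come from that output).
SAMPLE_CYMRU = <<~TXT
  # Bulk mode; whois.hashes.cymru.com [constructed banner line]
  3395856ce81f2b7382dee72602f798b642f14140 1259633424 83
  91e70da15f5d08793d2ab8258eece06331232959 1367409600 NO_DATA
TXT
SAMPLE_SHADOWSERVER = <<~TXT
  91e70da15f5d08793d2ab8258eece06331232959
  3395856ce81f2b7382dee72602f798b642f14140 {"source": "NIST", "filename": "eicar.com.txt", "filesize": "68"}
TXT

# The two checksums VicRail submits, streamed so a large httpd binary
# does not have to be read into memory at once.
def file_hashes(path)
  sha1, sha256 = Digest::SHA1.new, Digest::SHA256.new
  File.open(path, 'rb') do |f|
    while (chunk = f.read(65_536))
      sha1 << chunk
      sha256 << chunk
    end
  end
  { sha1: sha1.hexdigest, sha256: sha256.hexdigest }
end

# Team Cymru MHR: one "<hash> <unix_ts> <percent|NO_DATA>" line per hash
# (assumed from the "3395856... 1259633424 83" line above); '#' lines are banners.
def parse_cymru(text)
  text.each_line.with_object({}) do |line, out|
    next if line.start_with?('#') || line.strip.empty?
    hash, ts, rate = line.split
    out[hash.downcase] = { last_seen: Time.at(ts.to_i).utc,
                           detection_rate: rate == 'NO_DATA' ? nil : rate.to_i }
  end
end

# Shadowserver bin-test: "<hash> <json>" for a known-good file, a bare
# "<hash>" when unknown (assumed from the output above).
def parse_shadowserver(text)
  text.each_line.with_object({}) do |line, out|
    hash, json = line.strip.split(' ', 2)
    next if hash.nil? || hash.empty?
    out[hash.downcase] = json ? JSON.parse(json) : nil
  end
end

# Triage one hash: an MHR detection outranks an NSRL match (EICAR is in both),
# and a file in neither registry is unknown, not clean.
def triage(hash, cymru, shadowserver)
  h = hash.downcase
  mhr = cymru[h]
  nsrl = shadowserver[h]
  if mhr && mhr[:detection_rate]
    { verdict: :known_malicious,
      detail: "#{mhr[:detection_rate]}% of AV engines, last seen #{mhr[:last_seen]}" }
  elsif nsrl
    { verdict: :known_good, detail: "#{nsrl['source']} #{nsrl['filename']}" }
  else
    { verdict: :unknown, detail: 'in neither registry; compare against your FIM baseline' }
  end
end
```

Feed a real file through `triage(file_hashes(path)[:sha1], parse_cymru(...), parse_shadowserver(...))` with live responses in place of the constructed samples; an `:unknown` verdict for a modified httpd is exactly the case where the Halo FIM baseline, not the public registries, is the source of truth.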

Using VicRail and CloudPassage Halo together, you can investigate potentially malicious files quickly and effectively: Halo reports on changed files, and VicRail generates the hash and sends it off for comparison. Just another tool to add to your incident responder tool belt from your friends at CloudPassage.

Photo Credit: blakespot via Compfight cc