This seems to get stuck for me after a few minutes (grep stops taking up CPU cycles). I thought maybe it was getting stuck trying to read something it shouldn't, but lsof gives no clues.
I can't confirm that it works but I was going off this:
> Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. Admins can also build a signature using a tool called YARA that detects the strings "TREX_PID=%u" and "Remote VS is empty !"
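A small scanner illustrating the string-signature approach quoted above, written for this thread as an added example (it is not from the quoted article, from Kaspersky, or from any Turla tooling). It looks for the two strings named in the quote, reads only regular files so it cannot block on a FIFO, socket or device node the way a recursive grep over the whole filesystem can, skips files above a size cap, and does not follow symlinks. The size limit, chunk size and the sample directory it builds are constructed for the demonstration; the "suspect" file is just bytes containing those strings, not real malware.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Indicator strings quoted in the thread from the Turla Linux write-up.
TURLA_STRINGS = (b"TREX_PID=%u", b"Remote VS is empty !")

# Limits chosen for this example (assumptions, not from the article):
# skip very large files and read in fixed-size chunks.
MAX_FILE_SIZE = 64 * 1024 * 1024
CHUNK_SIZE = 1024 * 1024


def file_contains_strings(path, needles=TURLA_STRINGS):
    """Return the set of needles found in the file at path.

    Only regular files are read; pipes, sockets and device nodes are skipped
    so the scan cannot block on them. Chunks overlap by len(longest needle)-1
    bytes so a match straddling a chunk boundary is still found.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow symlinks
    except OSError:
        return set()
    if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_FILE_SIZE:
        return set()
    found = set()
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(CHUNK_SIZE)
                if not chunk:
                    break
                window = tail + chunk
                for needle in needles:
                    if needle not in found and needle in window:
                        found.add(needle)
                if len(found) == len(needles):
                    break
                tail = window[-overlap:]
    except OSError:
        pass  # unreadable file: report nothing rather than abort the scan
    return found


def scan_tree(root, needles=TURLA_STRINGS):
    """Walk root without following symlinks; return {path: matched strings}."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = os.path.join(dirpath, name)
            matched = file_contains_strings(p, needles)
            if matched:
                hits[p] = matched
    return hits


def build_demo_tree():
    """Create a constructed sample directory (no real malware) for the demo."""
    root = tempfile.mkdtemp(prefix="turla_demo_")
    Path(root, "benign.bin").write_bytes(b"\x7fELF" + b"hello world" * 10)
    Path(root, "suspect.bin").write_bytes(
        b"\x7fELF" + b"\x00" * 100 + b"TREX_PID=%u\x00" + b"Remote VS is empty !\x00"
    )
    Path(root, "partial.txt").write_bytes(b"log: TREX_PID=%u seen")
    try:
        # A FIFO: a naive reader would block here forever; this scanner skips it.
        os.mkfifo(os.path.join(root, "pipe"))
    except (AttributeError, OSError):
        pass  # platform without mkfifo; the demo still works
    return root


def demo_scan():
    """Build the sample tree, scan it, and return {basename: [matched strings]}."""
    root = build_demo_tree()
    try:
        hits = scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {
        os.path.basename(p): sorted(s.decode() for s in strs)
        for p, strs in hits.items()
    }


if __name__ == "__main__":
    for name, strings in demo_scan().items():
        print(f"{name}: {strings}")
```

To scan a real host, call `scan_tree("/")` (or a narrower root such as `/tmp`, `/var/tmp` or `/home`) and review the returned paths; a hit on one string alone is weaker evidence than both, and either should be confirmed against the network indicators quoted above rather than treated as a verdict.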
Being able to provide a simple, easily verified command on a public forum to detect the most stealthy malware is testament to the brilliant design of unix-style systems. If someone offered a Windows utility to do the same thing on a forum, only fools would run it.
The search box in explorer searches binaries these days? Honest question, I haven't used it in years.
That seems like it would be pretty counterintuitive for users though. Someone tries to search for the string 'program' and it returns all binaries that have 'This program cannot be run in DOS mode' in them. (Which I think is pretty much all PE binaries)
I recall "search all files" only searching indexed folders, which by default leaves a lot of room for the virus to install itself somewhere that is not being searched without even trying.