[Emerging-Sigs] New UAS seen in Zlob

Darren Spruell phatbuckett at gmail.com
Fri Jan 16 12:49:56 EST 2009


On Thu, Jan 15, 2009 at 9:34 PM, dxp <dxp2532 at gmail.com> wrote:
> Connects to 92.241.163.63 on tcp/80.
>
> GET /image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;1312;1801 HTTP/1.1
> User-Agent: securityinternet

Confirming from our side as well; couple of scripts at that site:

Sat Jan 10 15:42:56 2009 x.x.8.55 securityinternet GET
hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;666;1855
Sat Jan 10 15:43:15 2009 x.x.8.55 securityinternet GET
hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
Sat Jan 10 15:43:23 2009 x.x.8.55 securityinternet GET
hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
Sat Jan 10 15:43:42 2009 x.x.8.55 securityinternet GET
hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
Sat Jan 10 15:44:07 2009 x.x.8.55 securityinternet GET
hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
Sat Jan 10 15:44:13 2009 x.x.8.55 securityinternet GET
hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;

# mod of 2003632
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent\: securityinternet"; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com


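An added example, not part of the thread: it mirrors the rule's content match over a raw request, then parses proxy log lines in the format shown above (constructed sample lines) and reports only entries whose User-Agent is exactly the Zlob string; the function names and the assumed log layout (timestamp, client, user agent, method, URL) are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log in the format of the post's proxy log:
# timestamp, client, user agent, method, URL (hXXp is the list's defanging).
# Last line is a benign request so the scan has something to ignore.
ZLOB_UA = "securityinternet"
RULE_CONTENT = b"User-Agent: securityinternet"          # what the Snort rule looks for
LOG_HEAD = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (\S+) (.+)$")

SAMPLE_LOG = """\
Sat Jan 10 15:42:56 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;666;1855
Sat Jan 10 15:43:23 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
Sat Jan 10 15:50:00 2009 x.x.8.56 Mozilla/5.0 (Windows) GET hXXp://example.invalid/index.html
"""

def rule_content_match(request: bytes) -> bool:
    """Same test the rule's content option performs: a case-sensitive substring search."""
    return RULE_CONTENT in request

def request_user_agent(request: bytes) -> str:
    """Exact header parse, so the string is only a hit when it is the whole UA value."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""

def parse_log_line(line: str) -> dict:
    """Split one log line; the UA may contain spaces, so peel method/URL off the end first."""
    head, method, url = line.rsplit(" ", 2)
    ts, client, ua = LOG_HEAD.match(head).groups()
    u = urlsplit(url.replace("hXXp://", "http://", 1))      # refang for parsing only
    params = dict(kv.partition("=")[::2] for kv in u.query.split("&"))
    return {"ts": ts, "client": client, "ua": ua, "method": method, "host": u.hostname,
            "script": u.path.rsplit("/", 1)[-1], "fields": params.get("param", "").split(";")}

def scan_log(text: str) -> list:
    """Return parsed entries whose user agent is exactly the Zlob string."""
    return [e for e in (parse_log_line(l) for l in text.splitlines() if l)
            if e["ua"] == ZLOB_UA]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], hit["script"], hit["fields"])
```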