[Emerging-Sigs] New UAS seen in Zlob

Matt Jonkman jonkman at jonkmans.com
Fri Jan 16 23:34:22 EST 2009


Committed. Thanks all!!

Matt

Darren Spruell wrote:
> On Thu, Jan 15, 2009 at 9:34 PM, dxp <dxp2532 at gmail.com> wrote:
>> Connects to 92.241.163.63 on tcp/80.
>>
>> GET /image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;1312;1801 HTTP/1.1
>> User-Agent: securityinternet
> 
> Confirming from our side as well; couple of scripts at that site:
> 
> Sat Jan 10 15:42:56 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;666;1855
> Sat Jan 10 15:43:15 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
> Sat Jan 10 15:43:23 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
> Sat Jan 10 15:43:42 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
> Sat Jan 10 15:44:07 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
> Sat Jan 10 15:44:13 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;
> 
> # mod of 2003632
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent\: securityinternet"; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
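Added example (not part of the thread, and not Emerging Threats' or Snort's code): a small Python approximation of the quoted rule's content: test, run over constructed HTTP requests, plus a parser for proxy-log lines in the layout Darren posted, with the Zlob param= value split into its ';'-separated fields. Everything in it is constructed for illustration: the request bodies, the log lines (rejoined onto one line each, with the same hXXp defanging), and the assumption that the user-agent field of that log format is a single token. The meaning of the param fields is not established by the thread, so the parser keeps them as strings.

```python
"""Added example: approximate the quoted ET Zlob user-agent rule and run it
over constructed requests and proxy-log lines. Illustrative code written for
this page, not Emerging Threats' or Snort's own code."""
import re
from typing import Dict, List, Optional

# The literal the quoted rule looks for. Snort's content: is a case-sensitive
# byte substring search anywhere in the payload unless nocase is added.
UA_CONTENT = b"User-Agent: securityinternet"

# Constructed client->server requests (not captured traffic). The first is
# modelled on dxp's sample; the others probe the rule's edge cases.
SAMPLE_REQUESTS = [
    b"GET /image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;1312;1801 HTTP/1.1\r\n"
    b"Host: 92.241.163.63\r\nUser-Agent: securityinternet\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    # Same agent, different casing of header name and value: a plain content:
    # match misses it (HTTP header names are case-insensitive, content: is not).
    b"GET /x HTTP/1.1\r\nHost: example.invalid\r\n"
    b"user-agent: SecurityInternet\r\n\r\n",
    # A hypothetical product whose UA merely starts with the string: still fires.
    b"GET /y HTTP/1.1\r\nHost: example.invalid\r\n"
    b"User-Agent: securityinternet-updater\r\n\r\n",
]


def rule_matches(payload: bytes) -> bool:
    """Approximates the content: test of the quoted rule on one request.

    flow:established,to_server is assumed satisfied (only client requests are
    fed in). Nothing anchors the match to the User-Agent header line; it is a
    raw substring test, which is what an unmodified content: does.
    """
    return UA_CONTENT in payload


def ua_is_exactly(payload: bytes, wanted: bytes = b"securityinternet") -> bool:
    """Stricter check: header name compared case-insensitively, value compared
    exactly. Used here to show what the substring rule over- and under-matches."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip() == wanted
    return False


# Constructed log lines in the posted layout, one record per line:
# timestamp, client, user-agent token, method, URL (hXXp defanging kept).
SAMPLE_LOG = """\
Sat Jan 10 15:42:56 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=0;666;1855
Sat Jan 10 15:43:15 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php?param=59248452;666;1855
Sat Jan 10 15:43:23 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;2:1:1|6:1:1|34:1:1
Sat Jan 10 15:44:13 2009 x.x.8.55 securityinternet GET hXXp://92.241.163.63/image/qsdyuioff/pubenmgfuy/spjhsmrt.php?param=59248452;
Sat Jan 10 15:44:20 2009 x.x.8.55 Mozilla/5.0 GET hXXp://www.example.invalid/index.html
""".splitlines()

# Assumed layout: the user-agent field is a single whitespace-free token.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<client>\S+) (?P<ua>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def parse_zlob_param(url: str) -> Optional[Dict[str, object]]:
    """Split the ';'-separated param= value structurally: first field, then
    the rest as strings (their semantics are not known from the thread)."""
    m = re.search(r"[?&]param=([^&#]*)", url)
    if not m:
        return None
    first, *rest = m.group(1).split(";")
    return {"id": first, "fields": [f for f in rest if f]}


def zlob_hits(lines: List[str]) -> List[Dict[str, object]]:
    """Return parsed records whose user-agent token is exactly securityinternet."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ua") != "securityinternet":
            continue
        rec: Dict[str, object] = dict(m.groupdict())
        rec["param"] = parse_zlob_param(m.group("url"))
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(rule_matches(req), ua_is_exactly(req), req.split(b"\r\n")[0])
    for h in zlob_hits(SAMPLE_LOG):
        print(h["ts"], h["client"], str(h["url"]).split("/")[-1], h["param"])
```

The two request checks side by side show the trade-off in the quoted rule as written: an unmodified content: is a case-sensitive, unanchored substring test, so it fires on any user-agent that merely begins with the string and misses the same agent if the header name or value changes case. Whether to tighten it (for example with a header-anchored, case-insensitive match) is a judgement about false positives versus evasion that the thread does not settle; the log-side check only needs the exact token and the param= structure to pick the beaconing out of a proxy log.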



