[Emerging-Sigs] Zeus? Virut? Krap? FakeAV?

Packet Hack inurbitz at yahoo.com
Wed Jan 27 00:16:54 EST 2010

Or even bredolab...

As I mentioned before, we have some Snort rules that watch for traffic to known Zeus hosts.

Lately we've been getting hits to muza-flowers.biz that look like this:

    POST /blog.php?a8ea17ad031bf763b98b32690f49973c HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Referer: http://muza-flowers.biz/
    Content-Type: application/x-www-form-urlencoded
    Content-Encoding: gzip
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    Host: muza-flowers.biz
    Content-Length: 250
    Connection: Close
    Cache-Control: no-cache

    <binary data>

This looked similar to POSTs to Zeus drop sites, but there are more headers than the typical Zeus.

The remote IPs included these:

none of which mapped to the IP of muza-flowers.biz ( Eventually I discovered these
were Tor nodes:


Other examples of POSTs include these:

    POST /blog.php?afe7f1106cc20f7cd26c9abac312ae34 HTTP/1.1
    POST /download.php?file=74af7000e8ec44f21e002097bead52d8 HTTP/1.1
    POST /entry.php?d61ed78b2f894e820c508ef954715e75 HTTP/1.1
    POST /forums.php?fid=10 HTTP/1.1
    POST /index.php?topic=127.175 HTTP/1.1
    POST /login.php?user=982bf7a19e789c32ac98ce3783d5adf8 HTTP/1.1
    POST /logout.php?sessid=99fe0fb08230bb2cb1838c1d249d0943 HTTP/1.1
    POST /memberlist.php?mode=viewprofile&u=43 HTTP/1.1
    POST /newpost.php?sub=newthread&fid=21 HTTP/1.1
    POST /redirect.php?url=e687fc40e4032d6e8ca8f219ea2a3d72 HTTP/1.1
    POST /viewforum.php?f=81 HTTP/1.1
    POST /YaBB.pl?num=222 HTTP/1.1

This seemed like it could be a software package (YaBB?), but a google search of the links brought me to
this page:


Instead of go-thailand-now.com my hosts were hitting muza-flowers.biz ( I eventually
did see a hit to go-thailand-now.com). Searching for that domain I ran across this:


Since multiple hosts on my networks were using Tor to access muza-flowers.biz, it seemed like 
a clear case of Zbot now using Tor, so I began notifying based on these incidents.

However, further investigation shows the same URLs in other ThreatExpert reports (google
search for 'go-thailand-now.com'): 


So this could be anything. Has anyone seen this kind of traffic and done any kind of forensics
on it to determine exactly what it is? My organization is fairly spread out so I can't always get
my hands on the actual infected machine. 

Coming up with sigs for these shouldn't be too difficult, but I want to make sure I am at least
in the ballpark when giving the sig a name. 


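As an added illustration of the signature work the post is asking about (this is not code from the post, the list, or any Emerging Threats rule), the following Python classifier pulls out the features visible in the captured traffic: a POST to a forum-style PHP/Perl path, a 32-character lowercase hex token in the query string (the size of an MD5 digest), a gzip-compressed request body, and the unusual UA-CPU request header. The sample requests are the ones from the post; the "benign" login POST and the scoring rule (gzip body plus either a forum path or a hex token) are constructed assumptions, chosen so that an ordinary forum login alone does not fire.

```python
import re
from collections import Counter
from typing import Dict, List

# 32 lowercase hex chars standing alone in the query or as a parameter value.
HEX32 = re.compile(r"(?:^|[?&=])[0-9a-f]{32}(?:$|&)")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")

# Paths taken from the POST examples in the message above.
FORUM_LIKE_PATHS = {
    "/blog.php", "/download.php", "/entry.php", "/forums.php", "/index.php",
    "/login.php", "/logout.php", "/memberlist.php", "/newpost.php",
    "/redirect.php", "/viewforum.php", "/YaBB.pl",
}

# Request head quoted in the post (body omitted; it was binary).
SAMPLE_FULL_POST = """POST /blog.php?a8ea17ad031bf763b98b32690f49973c HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://muza-flowers.biz/
Content-Type: application/x-www-form-urlencoded
Content-Encoding: gzip
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: muza-flowers.biz
Content-Length: 250
Connection: Close
Cache-Control: no-cache
"""

# Request lines listed in the post (no headers were given for these).
SAMPLE_REQUEST_LINES = [
    "POST /blog.php?afe7f1106cc20f7cd26c9abac312ae34 HTTP/1.1",
    "POST /download.php?file=74af7000e8ec44f21e002097bead52d8 HTTP/1.1",
    "POST /entry.php?d61ed78b2f894e820c508ef954715e75 HTTP/1.1",
    "POST /forums.php?fid=10 HTTP/1.1",
    "POST /index.php?topic=127.175 HTTP/1.1",
    "POST /login.php?user=982bf7a19e789c32ac98ce3783d5adf8 HTTP/1.1",
    "POST /logout.php?sessid=99fe0fb08230bb2cb1838c1d249d0943 HTTP/1.1",
    "POST /memberlist.php?mode=viewprofile&u=43 HTTP/1.1",
    "POST /newpost.php?sub=newthread&fid=21 HTTP/1.1",
    "POST /redirect.php?url=e687fc40e4032d6e8ca8f219ea2a3d72 HTTP/1.1",
    "POST /viewforum.php?f=81 HTTP/1.1",
    "POST /YaBB.pl?num=222 HTTP/1.1",
]

# Constructed: a plain browser login to a real forum, used as a false-positive check.
BENIGN_LOGIN_POST = """POST /login.php?user=alice HTTP/1.1
Host: forum.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
"""


def parse_request(raw: str) -> Dict[str, object]:
    """Split the head of a raw HTTP request into method, path, query and headers."""
    head = raw.replace("\r\n", "\n").strip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    path, _, query = m.group("target").partition("?")
    return {"method": m.group("method"), "path": path, "query": query, "headers": headers}


def indicators(req: Dict[str, object]) -> List[str]:
    """Name each feature of the captured traffic that this request shares."""
    hits = []
    if req["method"] == "POST" and req["path"] in FORUM_LIKE_PATHS:
        hits.append("post-to-forum-path")
    if HEX32.search(req["query"]):
        hits.append("hex32-token-in-query")
    headers = req["headers"]
    if headers.get("content-encoding", "").lower() == "gzip":
        hits.append("gzip-request-body")          # browsers do not gzip form posts
    if "ua-cpu" in headers:
        hits.append("ua-cpu-header")
    return hits


def is_suspect(raw: str) -> bool:
    """Assumed scoring rule: gzip body plus either a forum path or a hex token."""
    hits = indicators(parse_request(raw))
    return "gzip-request-body" in hits and (
        "post-to-forum-path" in hits or "hex32-token-in-query" in hits)


def summarize(raws: List[str]) -> Dict[str, int]:
    """Count how often each indicator appears across a batch of requests."""
    return dict(Counter(h for raw in raws for h in indicators(parse_request(raw))))


if __name__ == "__main__":
    print("captured POST suspect:", is_suspect(SAMPLE_FULL_POST))
    print("benign login suspect:", is_suspect(BENIGN_LOGIN_POST))
    print(summarize(SAMPLE_REQUEST_LINES))
```

Only six of the twelve listed request lines carry a 32-hex token, so a rule keyed on that token alone misses half of them, while the forum-style paths alone would also match legitimate phpBB or YaBB traffic; the header anomalies (a gzip-encoded request body, UA-CPU) are what separate the two in this capture. The equivalent Snort content/pcre match for the token would be something like `pcre:"/\.(?:php|pl)\?(?:[a-z]+=)?[0-9a-f]{32}(?:\s|&)/"` alongside `content:"Content-Encoding|3a| gzip"`; that is a sketch, not a tested rule.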