[Emerging-Sigs] Zeus? Virut? Krap? FakeAV?
Packet Hack
inurbitz at yahoo.com
Wed Jan 27 00:16:54 EST 2010
Or even bredolab...
As I mentioned before, we have some Snort rules that watch for traffic to known Zeus hosts.
Lately we've been getting hits to muza-flowers.biz that look like this:
POST /blog.php?a8ea17ad031bf763b98b32690f49973c HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://muza-flowers.biz/
Content-Type: application/x-www-form-urlencoded
Content-Encoding: gzip
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: muza-flowers.biz
Content-Length: 250
Connection: Close
Cache-Control: no-cache
<binary data>
This looked similar to POSTs to Zeus drop sites, but there are more headers than the typical Zeus
communication.
The remote IPs included these:
96.0.203.114
66.96.224.213
204.12.231.186
none of which mapped to the IP of muza-flowers.biz (166.128.170.186). Eventually I discovered these
were Tor nodes:
https://www.dan.me.uk/tornodes
Other examples of POSTs include these:
POST /blog.php?afe7f1106cc20f7cd26c9abac312ae34 HTTP/1.1
POST /download.php?file=74af7000e8ec44f21e002097bead52d8 HTTP/1.1
POST /entry.php?d61ed78b2f894e820c508ef954715e75 HTTP/1.1
POST /forums.php?fid=10 HTTP/1.1
POST /index.php?topic=127.175 HTTP/1.1
POST /login.php?user=982bf7a19e789c32ac98ce3783d5adf8 HTTP/1.1
POST /logout.php?sessid=99fe0fb08230bb2cb1838c1d249d0943 HTTP/1.1
POST /memberlist.php?mode=viewprofile&u=43 HTTP/1.1
POST /newpost.php?sub=newthread&fid=21 HTTP/1.1
POST /redirect.php?url=e687fc40e4032d6e8ca8f219ea2a3d72 HTTP/1.1
POST /viewforum.php?f=81 HTTP/1.1
POST /YaBB.pl?num=222 HTTP/1.1
This seemed like it could be a software package (YaBB?), but a Google search of the links brought me to
this page:
http://www.threatexpert.com/report.aspx?md5=9c3a859ac9088b237fd48f28cfb4cd90
Instead of go-thailand-now.com my hosts were hitting muza-flowers.biz (I eventually
did see a hit to go-thailand-now.com). Searching for that domain I ran across this:
http://superuser.com/questions/88788/how-do-i-un-gzip-data-captured-by-wireshark
Since multiple hosts on my networks were using Tor to access muza-flowers.biz, it seemed like
a clear case of Zbot now using Tor, so I began notifying based on these incidents.
However, further investigation shows the same URLs in other ThreatExpert reports (Google
search for 'go-thailand-now.com'):
http://www.threatexpert.com/report.aspx?md5=7f275041f3019908400ec48789069d61
http://www.threatexpert.com/report.aspx?md5=f46a6e78cadc4a7f8457b97bbd8ce2f3
http://www.threatexpert.com/report.aspx?md5=448dc5c8de3418869a328e76ca4a5750
So this could be anything. Has anyone seen this kind of traffic and done any kind of forensics
on it to determine exactly what it is? My organization is fairly spread out so I can't always get
my hands on the actual infected machine.
Coming up with sigs for these shouldn't be too difficult, but I want to make sure I am at least
in the ballpark when giving the sig a name.
Thanks,
--pkthck
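A detection sketch prompted by the request pattern quoted above, added here as example code and not something from the post or from Emerging Threats: it scores request lines by the 32-hex-character token the post points out and checks the quoted header block for traits (a gzip-compressed request body, a Referer equal to the bare host root) that ordinary browser form submissions do not produce. The sample lines and the header block are constructed copies of what the post shows; the "strong"/"weak" labels and the trait names are this example's own.

```python
import re

# Constructed sample input: request lines quoted in the post plus a GET
# for contrast (a GET to the same scripts should not be flagged).
SAMPLE_LINES = [
    "POST /blog.php?a8ea17ad031bf763b98b32690f49973c HTTP/1.1",
    "POST /download.php?file=74af7000e8ec44f21e002097bead52d8 HTTP/1.1",
    "POST /forums.php?fid=10 HTTP/1.1",
    "POST /YaBB.pl?num=222 HTTP/1.1",
    "GET /index.php?topic=127.175 HTTP/1.1",
]

# Constructed copy of the header block shown in the post (body omitted).
SAMPLE_REQUEST = (
    "POST /blog.php?a8ea17ad031bf763b98b32690f49973c HTTP/1.1\r\n"
    "Referer: http://muza-flowers.biz/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Encoding: gzip\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    "Host: muza-flowers.biz\r\n"
    "Content-Length: 250\r\n\r\n"
)

HEX32 = re.compile(r"^[0-9a-f]{32}$")             # md5-sized hex token
SCRIPT = re.compile(r"^/[A-Za-z]+\.(?:php|pl)$")  # blog/forum-style script

def classify_request_line(line):
    """'strong' = POST to a script with a 32-hex token; 'weak' = other query."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "POST":
        return None
    path, _, query = parts[1].partition("?")
    if not SCRIPT.match(path) or not query:
        return None
    # The token may be a bare query (blog.php?<hex>) or a value (file=<hex>).
    if any(HEX32.match(p.split("=", 1)[-1]) for p in query.split("&")):
        return "strong"
    return "weak"

def header_reasons(raw_request):
    """Return header traits a browser form POST would not normally show."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (h.partition(":") for h in head[1:])}
    reasons = []
    if hdrs.get("content-encoding", "").lower() == "gzip":
        reasons.append("gzip-compressed request body")
    if hdrs.get("referer") == "http://%s/" % hdrs.get("host"):
        reasons.append("referer is exactly the host root")
    return reasons
```

In a Snort rule the token test would be carried as a pcre option on the URI, while the header traits are the kind of detail worth confirming in the pcap before naming the sig, as the post asks.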