[Emerging-Sigs] kazakaza.php trojan communications
eoin.miller at trojanedbinaries.com
Fri Oct 1 15:30:17 EDT 2010
On 10/1/2010 7:12 PM, John Dyson wrote:
> We have run into some malware located on a server in Ukraine -
> 188.8.131.52 and 184.108.40.206. One set of IDS calls it Zeus, but Snort
> and ET are not flagging anything. A quick and dirty rule for it looks
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Unknown Ukraine
> Malware - possibly Zeus related"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"kazakaza.php"; fast_pattern;
> http_uri; sid: 3000012;)
> but I am sure there is much better. Part of the packet is:
> 2010-10-01 12:50:41.543280 IP x.x.x.x.36425> 220.127.116.11.80: P
> 1:576(575) ack 1 win 65535
> 0x0000: 0066 0800 4500 0267 a46a 4000 7e06 1c02 .f..E..g.j at .~...
> 0x0010: 8f38 c348 c129 267a 8e49 0050 2fb8 ea12 .8.H.)&z.I.P/...
> 0x0020: 19e1 4663 5018 ffff 3fd2 0000 504f 5354 ..FcP...?...POST
> 0x0030: 202f 6b61 7a61 6b61 7a61 2e70 6870 2048 ./kazakaza.php.H
> 0x0040: 5454 502f 312e 310d 0a41 6363 6570 743a TTP/1.1..Accept:
> It is eating up some of our systems though (and on a Friday no less...).
> If anyone recognizes this as part of a Snort rule that could just use some
> tweaking, I would appreciate it!
> Thanks -
Definitely ZeuS, these IPs are listed on zeustracker:
Definitely a shame this isn't being picked up though. Looks like some
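As an added illustration (not code from the list thread or from Emerging Threats), the following reconstructs the HTTP request from the hex dump quoted above and applies the same match the proposed rule expresses with http_method/http_uri: method POST, case-insensitive, and "kazakaza.php" in the URI. It assumes the dump's first 4 bytes are a link-layer prefix ahead of the IPv4 header (0x45), which is what the offsets in the dump suggest.

```python
from typing import Optional, Tuple

# Hex columns copied from the quoted dump (ASCII column dropped).
HEXDUMP = """\
0x0000: 0066 0800 4500 0267 a46a 4000 7e06 1c02
0x0010: 8f38 c348 c129 267a 8e49 0050 2fb8 ea12
0x0020: 19e1 4663 5018 ffff 3fd2 0000 504f 5354
0x0030: 202f 6b61 7a61 6b61 7a61 2e70 6870 2048
0x0040: 5454 502f 312e 310d 0a41 6363 6570 743a
"""

LINK_HDR_LEN = 4  # assumption: 4-byte pseudo link header precedes the IPv4 header


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: xxxx xxxx ...' lines into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        body = line.split(":", 1)[1]          # drop the '0x0000:' offset column
        out += bytes.fromhex(body.replace(" ", ""))
    return bytes(out)


def tcp_payload(pkt: bytes, link_len: int = LINK_HDR_LEN) -> bytes:
    """Walk IPv4 (IHL) and TCP (data offset) headers to reach the application data."""
    ip = pkt[link_len:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    tcp = ip[ihl:]
    doff = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return tcp[doff:]


def http_request_line(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Split the first line into (method, uri, version); None if it is not a request line."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def matches_kazakaza_rule(payload: bytes) -> bool:
    """Same condition as the quoted Snort rule: POST (nocase) to a URI containing kazakaza.php."""
    req = http_request_line(payload)
    if req is None:
        return False
    method, uri, _ = req
    return method.upper() == "POST" and "kazakaza.php" in uri
```

Running `matches_kazakaza_rule(tcp_payload(hexdump_to_bytes(HEXDUMP)))` on the quoted packet returns True, while a GET for the same path or a POST to another script does not match, which is the behaviour the http_method/http_uri modifiers give the rule.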