[Emerging-Sigs] kazakaza.php trojan communications

Eoin Miller eoin.miller at trojanedbinaries.com
Fri Oct 1 15:30:17 EDT 2010


  On 10/1/2010 7:12 PM, John Dyson wrote:
> We have run into some malware located on a server in Ukraine -
> 193.41.38.121 and 193.41.38.122.  One set of IDS calls it Zeus, but Snort
> and ET are not flagging anything.  A quick and dirty rule for it looks
> like:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Unknown Ukraine
> Malware - possibly Zeus related"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"kazakaza.php"; fast_pattern;
> http_uri; sid:3000012; rev:1;)
>
>
> but I am sure there is much better.  Part of the packet is:
>
> 2010-10-01 12:50:41.543280 IP x.x.x.x.36425>  193.41.38.122.80: P
> 1:576(575) ack 1 win 65535
>          0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02  .f..E..g.j@.~...
>          0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12  .8.H.)&z.I.P/...
>          0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354  ..FcP...?...POST
>          0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048  ./kazakaza.php.H
>          0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:
>
> It is eating up some of our systems though (and on a Friday no less...).
> If anyone recognizes this as part of a Snort rule that could just use some
> tweaking, I would appreciate it!
>
> Thanks -
> John
Definitely ZeuS, these IPs are listed on zeustracker:

https://zeustracker.abuse.ch/monitor.php?search=193.41.38.121
https://zeustracker.abuse.ch/monitor.php?search=193.41.38.122

Definitely a shame this isn't being picked up though. Looks like some 
new variant?

-- Eoin

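As an added worked example (not part of either mail above, and not ET or Snort code), the following Python decodes the tcpdump -x dump John posted, walks the IPv4 and TCP headers by their declared lengths, and applies the same logic as his quick-and-dirty rule to the recovered HTTP request line: destination port in $HTTP_PORTS, method POST matched case-insensitively, and "kazakaza.php" in the request URI. The HTTP_PORTS set and the four-byte link-layer prefix before the IP header are assumptions made here (0x0800 in the dump is the IPv4 ethertype, and 4500 follows it); flow:established cannot be judged from a single packet and is left out. Only the 64 posted bytes of the 615-byte packet are available, so the request body is absent.

```python
import struct

# Constructed from the tcpdump -x output quoted in John's mail: only the
# first 64 bytes of the 615-byte packet were posted, so the HTTP body is
# absent. The first four bytes (0066 0800) are link-layer residue; 0x0800
# is the IPv4 ethertype and the IP header (4500 ...) starts right after it.
POSTED_HEXDUMP = """
0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02
0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12
0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354
0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048
0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a
"""

# Stand-in for Snort's $HTTP_PORTS variable (assumed value, not from the post).
HTTP_PORTS = {80, 8080}


def hexdump_to_bytes(dump):
    """Turn 'offset: eight hex words [ascii]' lines into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        raw += bytes.fromhex("".join(rest.split()[:8]))  # ASCII column ignored
    return bytes(raw)


def parse_ipv4_tcp(pkt, link_prefix=4):
    """Walk IPv4 and TCP headers using IHL and the TCP data offset rather
    than fixed offsets; return endpoints, PSH/ACK state and the payload."""
    ip = pkt[link_prefix:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ip[9] != 6:          # protocol 6 = TCP
        raise ValueError("expected IPv4/TCP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": (src_ip, src_port),
        "dst": (dst_ip, dst_port),
        "psh_ack": tcp[13] & 0x18 == 0x18,
        "payload": tcp[data_off:],
    }


def rule_matches(dst_port, payload, uri_content=b"kazakaza.php"):
    """Single-packet approximation of the posted rule: $HTTP_PORTS, POST
    (nocase, http_method) and uri_content inside the request URI (http_uri).
    Matching on the request line only mirrors Snort's http_uri buffer, so
    the same string in a header or body does not fire."""
    if dst_port not in HTTP_PORTS:
        return False
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3 or not parts[2].startswith(b"HTTP/"):
        return False                        # not an HTTP request line
    method, uri = parts[0], parts[1]
    return method.upper() == b"POST" and uri_content in uri


def analyse_posted_packet():
    """Decode the posted dump and evaluate the rule against it."""
    info = parse_ipv4_tcp(hexdump_to_bytes(POSTED_HEXDUMP))
    info["match"] = rule_matches(info["dst"][1], info["payload"])
    return info


if __name__ == "__main__":
    info = analyse_posted_packet()
    print(info["src"], "->", info["dst"], "PSH/ACK:", info["psh_ack"])
    print(info["payload"])
    print("rule fires:", info["match"])
    # Constructed counter-example: same URI over GET does not satisfy the rule.
    print("GET variant fires:",
          rule_matches(80, b"GET /kazakaza.php HTTP/1.1\r\nHost: x\r\n\r\n"))
```

Running it prints the 193.41.38.122:80 destination, the recovered request line "POST /kazakaza.php HTTP/1.1" followed by the start of the Accept header, and a positive match, while the GET counter-example does not fire, which is the behaviour one expects from the http_method/http_uri pairing in the rule.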
