[Emerging-Sigs] kazakaza.php trojan communications

John Dyson
Fri Oct 1 15:43:26 EDT 2010


We just pick up the standard set of ET rules:
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz

I ended up sending the entire capture thread to evil for him to take a
look at, though it looks like it may not be needed.

John


-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of waldo kitty
Sent: Friday, October 01, 2010 3:39 PM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] kazakaza.php trojan communications

On 10/1/2010 15:12, John Dyson wrote:
> We have run into some malware located on a server in Ukraine -
> 193.41.38.121 and 193.41.38.122.  One set of IDS calls it Zeus, but Snort
> and ET are not flagging anything.  A quick and dirty rule for it looks
> like:
>
> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"Unknown Ukraine
> Malware - possibly Zeus related"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"kazakaza.php"; fast_pattern;
> http_uri; sid: 3000012;)
>
>
> but I am sure there is much better.  Part of the packet is:
>
> 2010-10-01 12:50:41.543280 IP x.x.x.x.36425>  193.41.38.122.80: P
> 1:576(575) ack 1 win 65535
>          0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02  .f..E..g.j@.~...
>          0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12  .8.H.)&z.I.P/...
>          0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354  ..FcP...?...POST
>          0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048  ./kazakaza.php.H
>          0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:
>
> It is eating up some of our systems though (and on a Friday no less...).
> If anyone recognizes this as part of a Snort rule that could just use some
> tweaking, I would appreciate it!

do you use ET's compromised ruleset, emerging-compromised??

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
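An added example, not code from the thread: it decodes the tcpdump -X style hex dump John posted, walks the IPv4 and TCP headers to the payload, and checks the request line against the two content matches of his rule (http_method "POST" with nocase, http_uri containing "kazakaza.php"). It assumes the four bytes ahead of the 0x45 IP version byte are a link-layer prefix, and it only has the truncated request line to work with.

```python
import re

# Constructed from the five dump lines in the post (offset column kept,
# ASCII column omitted); the dump is truncated after "Accept:".
DUMP = """\
0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02
0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12
0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354
0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048
0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a
"""
LINK_PREFIX = 4  # assumed: link-layer bytes preceding the IPv4 header


def dump_to_bytes(dump: str) -> bytes:
    """Drop the offset column (and any trailing ASCII), return raw frame bytes."""
    words = []
    for line in dump.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("0x"):
            words.extend(p for p in parts[1:] if re.fullmatch(r"[0-9a-fA-F]{4}", p))
    return bytes.fromhex("".join(words))


def parse_frame(frame: bytes, link_prefix: int = LINK_PREFIX) -> dict:
    """Use the IHL and TCP data-offset fields to locate the HTTP payload."""
    ip = frame[link_prefix:]
    if ip[0] >> 4 != 4:
        raise ValueError("no IPv4 header at the assumed offset")
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4
    return {
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": tcp[13],            # 0x18 = PSH+ACK, the "P" in the dump line
        "payload": tcp[data_off:],
    }


def rule_matches(payload: bytes) -> bool:
    """Mirror the rule: method POST (case-insensitive) and kazakaza.php in the URI."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        return False
    method, uri = parts[0], parts[1]
    return method.upper() == b"POST" and b"kazakaza.php" in uri
```

Because the dump only carries the first 80 bytes, the check stops at the request line; a full capture would let you confirm the rest of the POST body before tuning the rule further.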
