[Emerging-Sigs] kazakaza.php trojan communications
Fri Oct 1 15:43:26 EDT 2010
We just pick up the standard set of ET rules:
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
I ended up sending the entire capture thread to evil for him to take a
look at, though it looks like it may not be needed.
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of waldo
Sent: Friday, October 01, 2010 3:39 PM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] kazakaza.php trojan communications
On 10/1/2010 15:12, John Dyson wrote:
> We have run into some malware located on a server in Ukraine -
> 126.96.36.199 and 188.8.131.52. One set of IDS calls it Zeus, but
> ET is not flagging anything. A quick and dirty rule for it looks like:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Unknown
> Malware - possibly Zeus related"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"kazakaza.php";
> http_uri; sid: 3000012;)
> but I am sure there is much better. Part of the packet is:
> 2010-10-01 12:50:41.543280 IP x.x.x.x.36425> 184.108.40.206.80: P
> 1:576(575) ack 1 win 65535
> 0x0000: 0066 0800 4500 0267 a46a 4000 7e06 1c02 .f..E..g.j@.~...
> 0x0010: 8f38 c348 c129 267a 8e49 0050 2fb8 ea12
> 0x0020: 19e1 4663 5018 ffff 3fd2 0000 504f 5354
> 0x0030: 202f 6b61 7a61 6b61 7a61 2e70 6870 2048
> 0x0040: 5454 502f 312e 310d 0a41 6363 6570 743a
> It is eating up some of our systems though (and on a Friday no less...).
> If anyone recognizes this as part of a Snort rule that could just use
> tweaking, I would appreciate it!
do you use ET's compromised ruleset, emerging-compromised??
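Added example, not part of the thread: a small stdlib-only Python script that re-reads the hex dump quoted above, locates the IPv4/TCP headers, pulls out the HTTP payload and then applies the same checks the quick-and-dirty rule makes (request to an HTTP port, POST method, "kazakaza.php" in the URI), so you can confirm the rule would fire on this capture before deploying it. The dump lines are copied from the post with the ASCII column dropped; the HTTP_PORTS set standing in for $HTTP_PORTS and the link-layer handling (the IP header is found by scanning for a version-4 header whose protocol byte is TCP rather than by assuming a fixed Ethernet offset) are assumptions of this example.

```python
import re
import struct

# Constructed from the quoted post: the five tcpdump -xx lines, ASCII column removed.
HEXDUMP = """
0x0000: 0066 0800 4500 0267 a46a 4000 7e06 1c02
0x0010: 8f38 c348 c129 267a 8e49 0050 2fb8 ea12
0x0020: 19e1 4663 5018 ffff 3fd2 0000 504f 5354
0x0030: 202f 6b61 7a61 6b61 7a61 2e70 6870 2048
0x0040: 5454 502f 312e 310d 0a41 6363 6570 743a
"""

# Assumption: a stand-in for the Snort $HTTP_PORTS variable.
HTTP_PORTS = {80, 8080, 8000}


def parse_hexdump(text):
    """Turn 'offset: xxxx xxxx ...' lines into raw bytes, ignoring any ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        m = re.match(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4}\b\s*)+)", line)
        if not m:
            continue
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def find_ipv4_offset(pkt):
    """Scan for an IPv4 header (version 4, IHL >= 5) whose protocol field is TCP (6).
    The dump shows only a short link-layer prefix, so a fixed 14-byte Ethernet
    offset would be wrong; scanning avoids guessing the link type."""
    for i in range(len(pkt) - 20):
        if pkt[i] >> 4 == 4 and (pkt[i] & 0x0F) >= 5 and pkt[i + 9] == 6:
            return i
    raise ValueError("no IPv4/TCP header found in dump")


def decode(pkt):
    """Decode IP and TCP headers and return the fields the rule cares about."""
    off = find_ipv4_offset(pkt)
    ihl = (pkt[off] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[off + 2:off + 4])[0]
    src = ".".join(str(b) for b in pkt[off + 12:off + 16])
    dst = ".".join(str(b) for b in pkt[off + 16:off + 20])
    tcp = off + ihl
    sport, dport = struct.unpack("!HH", pkt[tcp:tcp + 4])
    doff = (pkt[tcp + 12] >> 4) * 4          # TCP data offset in bytes
    flags = pkt[tcp + 13]
    return {
        "src": src,
        "dst": dst,
        "sport": sport,
        "dport": dport,
        "ip_total_len": total_len,           # 615 here: 20 IP + 20 TCP + 575 payload
        "psh": bool(flags & 0x08),
        "ack": bool(flags & 0x10),
        "payload": pkt[tcp + doff:],
    }


def rule_matches(info):
    """Mirror the quoted rule: to an HTTP port, http_method POST, 'kazakaza.php' in http_uri."""
    if info["dport"] not in HTTP_PORTS:
        return False
    request_line = info["payload"].split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False                          # not an HTTP request line at all
    method, uri = parts[0], parts[1]
    return method.upper() == b"POST" and b"kazakaza.php" in uri


if __name__ == "__main__":
    info = decode(parse_hexdump(HEXDUMP))
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}")
    print("request line:", info["payload"].split(b"\r\n", 1)[0])
    print("rule would fire:", rule_matches(info))
```

The payload in the dump decodes to "POST /kazakaza.php HTTP/1.1", so the rule fires on it; changing the method or path in the payload makes rule_matches() return False, which is the cheap sanity check worth doing on a pcap before trusting a hand-written signature.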
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net