[Emerging-Sigs] kazakaza.php trojan communications

John Dyson
Fri Oct 1 15:43:26 EDT 2010

We just pick up the standard set of ET rules:
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz

I ended up sending the entire capture thread to evil for him to take a
look at, though it looks like it may not be needed.


-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of waldo
Sent: Friday, October 01, 2010 3:39 PM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] kazakaza.php trojan communications

On 10/1/2010 15:12, John Dyson wrote:
> We have run into some malware located on a server in Ukraine - and one
> set of IDS calls it Zeus, but ET is not flagging anything. A quick and
> dirty rule for it looks
> like:
> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"Unknown
> Malware - possibly Zeus related"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"kazakaza.php";
> http_uri; sid: 3000012;)
> but I am sure there is much better.  Part of the packet is:
> 2010-10-01 12:50:41.543280 IP x.x.x.x.36425> P
> 1:576(575) ack 1 win 65535
>          0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02  .f..E..g.j@.~...
>          0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12
>          0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354
>          0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048
>          0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a
> It is eating up some of our systems though (and on a Friday no less...).
> If anyone recognizes this as part of a Snort rule that could just use
> tweaking, I would appreciate it!

do you use ET's compromised ruleset, emerging-compromised?
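As an added illustration (not code from either poster), the following decodes the hex dump quoted above and checks the recovered request against the logic of the quick-and-dirty rule. It assumes `HTTP_PORTS` as a stand-in for Snort's `$HTTP_PORTS` variable and that the IP header begins at the first `45 00` pair, since the posted dump is cut off before the full link-layer header.

```python
import re
import struct

# tcpdump -x lines as posted in the thread; the dump is truncated after 0x40.
# "0066 0800" is the tail of the link-layer header; the IP header starts at 4500.
CAPTURE = """
0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02  .f..E..g.j@.~...
0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12
0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354
0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048
0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a
"""

HTTP_PORTS = {80, 8080}  # assumed stand-in for Snort's $HTTP_PORTS variable

# offset, then one or more 4-hex-digit words; a trailing ASCII column is ignored
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4}\s?)+)", re.I)


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x/-X style output."""
    words = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            words.append(m.group(1))
    return bytes.fromhex("".join(words))


def tcp_payload(pkt: bytes) -> tuple[int, int, bytes]:
    """Walk the IPv4 and TCP headers by their length fields; return ports and payload."""
    ip = pkt.index(b"\x45\x00")          # heuristic: first IPv4 version/IHL byte
    ihl = (pkt[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[ip + 2:ip + 4])[0]
    if pkt[ip + 9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip + ihl
    sport, dport = struct.unpack("!HH", pkt[tcp:tcp + 4])
    doff = (pkt[tcp + 12] >> 4) * 4
    return sport, dport, pkt[tcp + doff:ip + total_len]


def rule_matches(dport: int, payload: bytes) -> bool:
    """Emulate the posted rule: request to $HTTP_PORTS, http_method POST (nocase)
    and 'kazakaza.php' somewhere in the request URI."""
    if dport not in HTTP_PORTS:
        return False
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and parts[0].upper() == b"POST" and b"kazakaza.php" in parts[1]


if __name__ == "__main__":
    sport, dport, payload = tcp_payload(parse_hexdump(CAPTURE))
    print(sport, dport, payload, rule_matches(dport, payload))
```

Source port 36425 and destination port 80 fall out of the TCP header, matching the `x.x.x.x.36425` in the tcpdump summary line, and the payload begins with the request line the rule keys on.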

Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
