[Emerging-Sigs] kazakaza.php trojan communications

waldo kitty wkitty42 at windstream.net
Fri Oct 1 15:54:09 EDT 2010


On 10/1/2010 15:12, John Dyson wrote:
> We have run into some malware located on a server in Ukraine -
> 193.41.38.121 and 193.41.38.122.  One set of IDS calls it Zeus, but Snort
> and ET is not flagging anything.  A quick and dirty rule for it looks
> like:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>     msg:"Unknown Ukraine Malware - possibly Zeus related"; \
>     flow:to_server,established; \
>     content:"POST"; nocase; http_method; \
>     content:"kazakaza.php"; fast_pattern; http_uri; \
>     sid:3000012; )
>
>
> but I am sure there is much better.  Part of the packet is:
>
> 2010-10-01 12:50:41.543280 IP x.x.x.x.36425>  193.41.38.122.80: P

FWIW: that IP is known to the zeustracker project at 
https://zeustracker.abuse.ch/ ... they use a self-signed certificate and there 
does not appear to be a connection on http... only https...

also, 193.41.38.* has numerous entries in emerging-compromised.rules but 122 
doesn't seem to be listed yet...
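As an added illustration that is not part of the thread (my own code, not from Emerging Threats or the Snort project), the Python below emulates what the quick-and-dirty rule above does and does not match, run over a few constructed HTTP request records. The HTTP port set is an assumed subset of a default $HTTP_PORTS, the record layout is hypothetical, and the URI normalization is a simplification of Snort's HTTP inspector (it percent-decodes, which is why `http_uri` still catches `kaza%6baza.php`). The fourth record models the point raised in the reply: when the host only talks HTTPS, the request line never appears in cleartext and an `http_uri` rule is blind to it.

```python
"""Emulate the match logic of the kazakaza.php Snort rule over constructed
HTTP request records (added example; records and port list are made up)."""
import urllib.parse
from dataclasses import dataclass

# Assumed subset of Snort's $HTTP_PORTS variable; the real list is longer.
HTTP_PORTS = {80, 8000, 8080, 3128}
RULE_SID = 3000012
RULE_MSG = "Unknown Ukraine Malware - possibly Zeus related"


@dataclass
class Request:
    src: str
    dst: str
    dport: int
    tls: bool       # True if the request travelled inside TLS (ciphertext on the wire)
    payload: bytes  # request line + headers as seen on the wire (cleartext only)


def parse_request_line(payload: bytes):
    """Return (method, uri) from the first line, or None if it is not HTTP."""
    first = payload.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) < 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def normalize_uri(uri: bytes) -> str:
    """Approximate Snort's normalized http_uri buffer: percent-decoding only."""
    return urllib.parse.unquote(uri.decode("latin-1"))


def rule_matches(req: Request) -> bool:
    # flow:to_server,established -> approximated as "destination is an HTTP port".
    if req.dport not in HTTP_PORTS:
        return False
    # Inside TLS the HTTP inspector never sees the request line; the rule cannot fire.
    if req.tls:
        return False
    parsed = parse_request_line(req.payload)
    if parsed is None:
        return False
    method, uri = parsed
    # content:"POST"; nocase; http_method  -> case-insensitive substring of the method
    if b"post" not in method.lower():
        return False
    # content:"kazakaza.php"; http_uri  -> case-sensitive substring of the normalized URI
    return "kazakaza.php" in normalize_uri(uri)


def run(requests):
    """Return one alert string per matching request, in input order."""
    alerts = []
    for r in requests:
        if rule_matches(r):
            alerts.append(f"[1:{RULE_SID}] {RULE_MSG} {r.src} -> {r.dst}:{r.dport}")
    return alerts


# Constructed sample records (not captured traffic).
SAMPLE = [
    Request("10.0.0.5", "193.41.38.122", 80, False,
            b"POST /kazakaza.php HTTP/1.1\r\nHost: 193.41.38.122\r\n\r\n"),
    Request("10.0.0.5", "193.41.38.122", 80, False,
            b"GET /kazakaza.php HTTP/1.1\r\nHost: 193.41.38.122\r\n\r\n"),
    Request("10.0.0.6", "193.41.38.121", 8080, False,
            b"post /kaza%6baza.php HTTP/1.0\r\nHost: 193.41.38.121\r\n\r\n"),
    Request("10.0.0.7", "193.41.38.122", 443, True,
            b"POST /kazakaza.php HTTP/1.1\r\nHost: 193.41.38.122\r\n\r\n"),
    Request("10.0.0.8", "193.41.38.122", 80, False,
            b"POST /index.php HTTP/1.1\r\nHost: 193.41.38.122\r\n\r\n"),
]

if __name__ == "__main__":
    for line in run(SAMPLE):
        print(line)
```

Only the first and third records fire: the GET is excluded by `http_method`, the TLS-wrapped POST is invisible to the inspector, and the percent-encoded path is caught because `http_uri` (unlike `http_raw_uri`) is matched after normalization.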


More information about the Emerging-sigs mailing list