[Emerging-Sigs] kazakaza.php trojan communications

evilghost at packetmail.net
Fri Oct 1 16:05:07 EDT 2010


On 10/01/2010 02:52 PM, L0rd Ch0de1m0rt wrote:
> Hello. Don't we have a rule to detect an IP address in a HTTP Host
> header? I know it is not specific to this threat but it should alert
> on the pcap Eoin sent.
> 
> -L0rd Ch0de1m0rt

We had SID 2010348 but Matt had disabled it due to a few
false-positives.  It may be wise to revisit it perhaps; it was intended
as a ZeuS catch-all.

We also have SID 2010861; we may want to adjust the UA here.  Actually
2010861 is a really good match for this one.  We probably just need to
relax the User-Agent a bit.

How about (quickly modified, untested, double-check me)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
  msg:"ET TROJAN Zeus Bot Request to CnC"; \
  flow:established,to_server; \
  uricontent:".bin"; \
  content:"GET /"; depth:5; \
  content:".bin HTTP/1.1|0d 0a|Accept\: */*|0d 0a|Connection\: Close|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE "; \
  content:"|0d 0a|Host\: "; distance:0; \
  content:!"|0d 0a|Referer|3a|"; nocase; \
  classtype:trojan-activity; \
  reference:url,doc.emergingthreats.net/2010861; \
  reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; \
  sid:2010861; rev:5; \
)

-evilghost
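Added here as an illustration, not part of the thread or of the ET ruleset: a Python check that replays the ordered content matches of the rule above, plus the bare-IP Host header catch-all L0rd asks about, over two constructed requests. The uricontent match is approximated on the raw request line (no URI normalization), and both sample requests are made up for the example.

```python
import re
import ipaddress

# Constructed sample requests (not captured traffic): one shaped like the
# ZeuS config fetch the rule targets, one benign .bin download with a Referer.
SAMPLE_MATCH = (
    b"GET /cfg/config.bin HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Connection: Close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 192.0.2.10\r\n\r\n"
)
SAMPLE_BENIGN = (
    b"GET /download/setup.bin HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Connection: Close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.example.com/\r\n\r\n"
)

def matches_sid_2010861(req: bytes) -> bool:
    """Mirror the content matches of the rule, in order, on one raw request."""
    if not req.startswith(b"GET /"):            # content:"GET /"; depth:5
        return False
    if b".bin" not in req.split(b"\r\n", 1)[0]: # uricontent:".bin", approximated on the request line
        return False
    fixed = (b".bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE ")
    pos = req.find(fixed)
    if pos < 0:
        return False
    # content:"|0d 0a|Host\: "; distance:0 -> must follow the previous match
    if req.find(b"\r\nHost: ", pos + len(fixed)) < 0:
        return False
    # content:!"|0d 0a|Referer|3a|"; nocase -> any Referer header kills the match
    return b"\r\nreferer:" not in req.lower()

def host_header_is_ip(req: bytes) -> bool:
    """The catch-all idea from the thread: a Host header that is a bare IP."""
    m = re.search(rb"\r\nHost: ([^\r\n:]+)(?::\d+)?\r\n", req)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group(1).decode("ascii"))
        return True
    except ValueError:
        return False
```

The second check is the kind of broad match the thread says drew false positives on SID 2010348, so it is worth tuning on your own traffic before alerting on it alone.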