[Emerging-Sigs] kazakaza.php trojan communications

Eoin Miller eoin.miller at trojanedbinaries.com
Fri Oct 1 17:25:12 EDT 2010


  On 10/1/2010 8:58 PM, Matthew Jonkman wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Request to CnC"; flow:established,to_server; uricontent:".bin"; content:"GET /"; depth:5; content:".bin HTTP/1.1|0d 0a|Accept\: */*|0d 0a|Connection\: Close|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE "; content:"|0d 0a|Host\: "; distance:0; content:!"|0d 0a|Referer|3a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010861; rev:5;)
>>
>> --evilghost
Wrote and ran a newer-school style one and it has already picked us up
some infected systems (didn't post until testing was completed):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN ZeuS CnC request for .bin"; content:".bin"; http_uri; pcre:"/\.bin(\x3F|$)/Ui"; content:"GET"; http_method; content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header; classtype:trojan-activity; sid:5600168; rev:1;)

Could probably get rid of the content:"GET"; http_method; in this
honestly. I'll also work on creating one to track the POSTs later on.
Zero FPs so far, so evilghost's one should be pretty good to go.

-- Eoin

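The two signatures in this thread make different trade-offs, and the easiest way to see them is to run their match logic over a handful of requests. The Python below is an added example for this archive page, not code from Eoin, evilghost or the Emerging Threats project: it re-implements the match conditions of both rules in plain Python (buffer-specific matches for sid:5600168, raw-payload matches plus the negative Referer check for sid:2010861) and runs them over constructed HTTP request heads. The sample requests, the hostname example.invalid, the `curl/7.0` User-Agent and the helper names (`parse_request`, `matches_new_rule`, `matches_old_rule`, `evaluate_all`) are all assumptions made for the example; URI normalisation (the `U` pcre modifier) is not modelled, the raw URI is matched directly.

```python
import re
from dataclasses import dataclass

# http_header content from sid:5600168 with |0D 0A| expanded to CRLF.
NEW_RULE_HEADER = "Accept: */*\r\nConnection: Close\r\nUser-Agent: "
# pcre:"/\.bin(\x3F|$)/Ui": \x3F is '?', so ".bin" must end the path or be
# followed directly by a query string.
NEW_RULE_URI = re.compile(r"\.bin(\?|$)", re.IGNORECASE)
# The long raw-payload content match from sid:2010861, |0d 0a| expanded.
OLD_RULE_CONTENT = (b".bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
                    b"User-Agent: Mozilla/4.0 (compatible; MSIE ")


@dataclass
class HttpRequest:
    method: str    # stands in for Snort's http_method buffer
    uri: str       # stands in for http_uri (raw URI, no normalisation here)
    headers: str   # stands in for http_header (everything after the request line)
    raw: bytes     # full payload that the older rule's plain content matches run on


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request-head parser: request line plus header block."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    return HttpRequest(method, uri, header_block.decode("latin-1"), raw)


def matches_new_rule(req: HttpRequest) -> bool:
    """Match logic of sid:5600168 (buffer-specific content matches)."""
    if ".bin" not in req.uri:                 # content:".bin"; http_uri;
        return False
    if not NEW_RULE_URI.search(req.uri):      # pcre:"/\.bin(\x3F|$)/Ui";
        return False
    if "GET" not in req.method:               # content:"GET"; http_method;
        return False
    return NEW_RULE_HEADER in req.headers     # content:"Accept: ..."; http_header;


def matches_old_rule(req: HttpRequest) -> bool:
    """Match logic of sid:2010861 rev:5 (raw payload plus negative Referer)."""
    if ".bin" not in req.uri:                 # uricontent:".bin";
        return False
    if req.raw[:5] != b"GET /":               # content:"GET /"; depth:5;
        return False
    pos = req.raw.find(OLD_RULE_CONTENT)      # MSIE-specific content match
    if pos < 0:
        return False
    # content:"|0d 0a|Host\: "; distance:0; -> must occur after the previous match
    if req.raw.find(b"\r\nHost: ", pos + len(OLD_RULE_CONTENT)) < 0:
        return False
    # content:!"|0d 0a|Referer|3a|"; nocase; -> any Referer header defeats the match
    return b"\r\nreferer:" not in req.raw.lower()


# Constructed sample requests (not captured traffic); example.invalid is a
# reserved placeholder hostname.
SAMPLES = {
    "zeus_style_get": (b"GET /cfg/config.bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
                       b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
                       b"Host: example.invalid\r\n\r\n"),
    "query_string": (b"GET /cfg/config.bin?id=1 HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
                     b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
                     b"Host: example.invalid\r\n\r\n"),
    "browser_download": (b"GET /downloads/firmware.bin HTTP/1.1\r\nHost: example.invalid\r\n"
                         b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n"
                         b"Referer: http://example.invalid/downloads/\r\n"
                         b"Connection: keep-alive\r\n\r\n"),
    "bin_substring": (b"GET /archive.binary HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
                      b"User-Agent: curl/7.0\r\nHost: example.invalid\r\n\r\n"),
}


def evaluate_all() -> dict:
    """Return {sample name: (new_rule_hit, old_rule_hit)} for every sample."""
    return {name: (matches_new_rule(parse_request(raw)),
                   matches_old_rule(parse_request(raw)))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (new_hit, old_hit) in evaluate_all().items():
        print(f"{name:18s} new_rule={new_hit!s:5s} old_rule={old_hit}")
```

Running it shows the practical difference: the newer rule still fires when a query string follows `.bin` and does not depend on an MSIE User-Agent, while the `\.bin(\?|$)` pcre stops `.bin` matching inside a longer extension such as `.binary`. What the newer rule gives up is the older rule's negative Referer check, which is one reason a typical browser download of a `.bin` file (headers in browser order, Referer present) is not matched by either, but a non-browser client sending exactly `Accept: */*`, `Connection: Close`, `User-Agent:` in that order to a `.bin` URI would be.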