[Emerging-Sigs] kazakaza.php trojan communications

Eoin Miller eoin.miller at trojanedbinaries.com
Mon Oct 4 11:59:30 EDT 2010

  On 10/4/2010 3:17 PM, Kevin Ross wrote:
> They look fine but a nocase is needed on the uricontent requests so it 
> cannot be evaded by case and also the colon in User-Agent needs a |3A| 
> or escaped. Thanks again for your great research. Kind Regards, Kevin
Well, not really. The http client library in its current form is not 
randomizing the cases of the headers in the requests it is creating and 
the http_inspect preprocessor normalizes traffic so you do not need to 
use rawbyte or escape for that matter any colons in a content:"foo"; 
http_header;. The signature has been actively tested and is actively 
firing on requests from infected systems within our network.

-- Eoin
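For readers following the nocase/colon discussion, here is a constructed pair of Snort 2.x rules (added here; not the signature Eoin posted, and not Emerging Threats' own rule) that shows the two forms being debated. The URI string kazakaza.php comes from the thread subject; the User-Agent value, the SID numbers and the hex-escaped colon are assumptions for illustration only.

```snort
# Form 1: URI match without nocase, as Kevin warns could be evaded by a case
# change in the request path (uricontent is shorthand for content + http_uri).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE kazakaza.php request - no nocase"; \
    flow:established,to_server; \
    uricontent:"/kazakaza.php"; \
    classtype:trojan-activity; sid:9000001; rev:1;)

# Form 2: the same match written in http_* buffer style with nocase, plus a
# header match whose colon is written as |3A| as suggested in the thread.
# The User-Agent token "ExampleUA" is a placeholder, not the real trojan's UA.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE kazakaza.php request - nocase"; \
    flow:established,to_server; \
    content:"/kazakaza.php"; http_uri; nocase; \
    content:"User-Agent|3A| ExampleUA"; http_header; \
    classtype:trojan-activity; sid:9000002; rev:1;)
```

Both rules are matched against the buffers produced by the http_inspect preprocessor, so when checking which form fires in your own sensor, replay a capture of the real request rather than relying on raw-byte assumptions about header case or punctuation.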
