[Emerging-Sigs] kazakaza.php trojan communications

Eoin Miller eoin.miller at trojanedbinaries.com
Mon Oct 4 11:59:30 EDT 2010


  On 10/4/2010 3:17 PM, Kevin Ross wrote:
> They look fine but a nocase is needed on the uricontent requests so it 
> cannot be evaded by case and also the colon in User-Agent needs a |3A| 
> or escaped. Thanks again for your great research. Kind Regards, Kevin
>
Well, not really. The http client library in its current form is not 
randomizing the cases of the headers in the requests it is creating and 
the http_inspect preprocessor normalizes traffic so you do not need to 
use rawbyte or escape for that matter any colons in a content:"foo"; 
http_header;. The signature has been actively tested and is actively 
firing on requests from infected systems within our network.

-- Eoin
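As an added illustration of the two points argued in this thread (not the signature Eoin posted, and not Emerging Threats' own rule), here is a hypothetical Snort 2 rule for a request to kazakaza.php in the case-sensitive form Kevin objected to, beside the form with `nocase` on the URI match and the User-Agent colon written as `|3A|`. The User-Agent value and the sid are placeholders.

```snort
# Hypothetical example only: the real kazakaza.php signature is not on this page.
# PLACEHOLDER-UA stands in for whatever User-Agent the trojan actually sends.

# Form 1: uricontent with no nocase. The match is case-sensitive, so a request
# for /KaZaKaZa.PHP (which most web servers serve the same way) would not fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"kazakaza.php checkin (case-sensitive form)"; flow:established,to_server; uricontent:"/kazakaza.php"; content:"User-Agent: PLACEHOLDER-UA"; http_header; classtype:trojan-activity; sid:9000001; rev:1;)

# Form 2: nocase on the URI match, and the header colon written as hex |3A|
# as Kevin suggested. The http_header buffer is the normalized buffer produced
# by http_inspect, which is why Eoin's reply notes that rawbyte is not needed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"kazakaza.php checkin (nocase form)"; flow:established,to_server; uricontent:"/kazakaza.php"; nocase; content:"User-Agent|3A| PLACEHOLDER-UA"; http_header; classtype:trojan-activity; sid:9000002; rev:1;)
```

Both rules keep the `flow:established,to_server` direction Eoin describes (infected hosts inside $HOME_NET making outbound requests); only the case handling and colon encoding differ.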

