[Emerging-Sigs] kazakaza.php trojan communications

evilghost@packetmail.net evilghost at packetmail.net
Mon Oct 4 12:06:08 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 10/04/2010 10:59 AM, Eoin Miller wrote:
>   On 10/4/2010 3:17 PM, Kevin Ross wrote:
>> They look fine but a nocase is needed on the uricontent requests so it 
>> cannot be evaded by case and also the colon in User-Agent needs a |3A| 
>> or escaped. Thanks again for your great research. Kind Regards, Kevin
>>
> Well, not really. The http client library in its current form is not 
> randomizing the cases of the headers in the requests it is creating and 
> the http_inspect preprocessor normalizes traffic so you do not need to 
> use rawbyte or escape for that matter any colons in a content:"foo"; 
> http_header;. The signature has been actively tested and is actively 
> firing on requests from infected systems within our network.

+1, the last thing we need is more superfluous nocase when not needed.
Nice signature Eoin, thanks.

Infected systems for this ZeuS infection will pull kazkkkkaz.bin,
kakakakz.bin, kazakakzka.bin, kazkakakzkk1.bin, and/or kazkkkkaz.bin
from 193.41.38.222, webhqadmin.com, webdealport.com, and wordborn.com.

Looks like the injection script is also coming from aeheix.ru

> -- Eoin

-evilghost
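The back-and-forth above is about whether a case-sensitive match on the request URI can be evaded. The script below is an added illustration, not code from the list post or from the signature Eoin wrote: it parses constructed HTTP requests, checks them against the filenames and hosts listed in the mail, and runs the filename comparison both with and without case folding, the way a Snort content match behaves with and without the nocase modifier. It only shows the matching semantics; it says nothing about what the http_inspect preprocessor does or does not normalize, which is the point the two posters disagree on. The request samples are constructed for this example.

```python
"""Match HTTP requests against the ZeuS IOCs quoted in the thread.

Added example, not from the mailing-list post. The request bytes below
are constructed; the filenames, IP and domains are those named in the
mail. matches_ioc(nocase=False) behaves like a case-sensitive content
match on the URI, matches_ioc(nocase=True) like one with nocase set.
"""

from dataclasses import dataclass

# IOCs as posted in the thread (filenames and hosts the infected systems pull from).
IOC_FILES = {"kazkkkkaz.bin", "kakakakz.bin", "kazakakzka.bin", "kazkakakzkk1.bin"}
IOC_HOSTS = {"193.41.38.222", "webhqadmin.com", "webdealport.com", "wordborn.com"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names stored lower-cased, as most HTTP parsers do


def parse_request(raw: bytes) -> Request:
    """Minimal parser for the request line and header block of one HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


def matches_ioc(req: Request, nocase: bool) -> bool:
    """True if the request fetches one of the listed .bin files from a listed host.

    With nocase=False the filename comparison is exact, so an upper-cased
    path slips past; with nocase=True the path is folded before comparing.
    Host names are always folded: DNS names are case-insensitive anyway.
    """
    filename = req.path.rsplit("/", 1)[-1].split("?", 1)[0]
    if nocase:
        filename = filename.lower()
    host = req.headers.get("host", "").split(":", 1)[0].lower()
    return filename in IOC_FILES and host in IOC_HOSTS


# Constructed samples: one as an infected host would send it, one with the
# filename upper-cased to probe the evasion Kevin raises, one benign.
SAMPLE_PLAIN = (b"GET /kazkkkkaz.bin HTTP/1.1\r\n"
                b"Host: webhqadmin.com\r\n"
                b"User-Agent: Mozilla/4.0\r\n\r\n")
SAMPLE_UPPER = (b"GET /KAZKKKKAZ.BIN HTTP/1.1\r\n"
                b"Host: WEBHQADMIN.COM\r\n\r\n")
SAMPLE_BENIGN = (b"GET /index.html HTTP/1.1\r\n"
                 b"Host: example.org\r\n\r\n")


def run_samples() -> dict:
    """Return {label: (case_sensitive_hit, nocase_hit)} for the three samples."""
    out = {}
    for label, raw in (("plain", SAMPLE_PLAIN), ("upper", SAMPLE_UPPER),
                       ("benign", SAMPLE_BENIGN)):
        req = parse_request(raw)
        out[label] = (matches_ioc(req, nocase=False), matches_ioc(req, nocase=True))
    return out


if __name__ == "__main__":
    for label, (strict, folded) in run_samples().items():
        print(f"{label:7s} case-sensitive={strict} nocase={folded}")
```

The upper-cased request is the only one where the two modes differ. Whether that evasion is real in practice depends on the far end as well: a web server on a case-sensitive filesystem will not serve /KAZKKKKAZ.BIN for kazkkkkaz.bin, so the bot has to request the exact name the operator deployed, which is the argument for matching the observed traffic rather than adding nocase everywhere.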