[Emerging-Sigs] kazakaza.php trojan communications

Kevin Ross kevross33 at googlemail.com
Mon Oct 4 15:23:13 EDT 2010


I was referring to this:

> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN
> ZeuS CnC request for .bin"; content:".bin"; http_uri;
> pcre:"/\.bin(\x3F|$)/Ui"; content:"GET"; http_method; content:"Accept:
> */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header;
> classtype:trojan-activity; sid:5600168; rev:1;)

The .bin in the http_uri has no nocase and yet the pcre has an /i. Now I
don't believe that nocase has absolutely no effect on performance, I just
think it is that tiny that it won't be noticeable for a while. I actually
wonder if in a test environment you removed nocase from all sigs if there
would be a noticeable cumulative improvement.

However, I do believe in cases where it is not case sensitive (i.e. the URI
and other things) that nocase should always be used to avoid simple
evasions. I am also all for putting it on the http_method (i.e. GET and POST
etc.) not because it doesn't match the large percentage of the time but just
to avoid evasions there. Really I would be interested to see cumulative
performance tests where common yet possibly unneeded keywords like nocase
were removed and run to see.

On 4 October 2010 17:06, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:

> On 10/04/2010 10:59 AM, Eoin Miller wrote:
> >   On 10/4/2010 3:17 PM, Kevin Ross wrote:
> >> They look fine but a nocase is needed on the uricontent requests so it
> >> cannot be evaded by case and also the colon in User-Agent needs a |3A|
> >> or escaped. Thanks again for your great research. Kind Regards, Kevin
> >>
> > Well, not really. The http client library in its current form is not
> > randomizing the cases of the headers in the requests it is creating and
> > the http_inspect preprocessor normalizes traffic so you do not need to
> > use rawbyte or escape for that matter any colons in a content:"foo";
> > http_header;. The signature has been actively tested and is actively
> > firing on requests from infected systems within our network.
>
> +1, the last thing we need is more superfluous nocase when not needed.
> Nice signature Eoin, thanks.
>
> Infected systems for this ZeuS infection will pull kazkkkkaz.bin,
> kakakakz.bin, kazakakzka.bin, kazkakakzkk1.bin, and/or kazkkkkaz.bin
> from 193.41.38.222, webhqadmin.com, webdealport.com, and wordborn.com.
>
> Looks like the injection script is also coming from aeheix.ru
>
> > -- Eoin
>
> -evilghost
>
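A small model of how the options in the quoted rule combine, added here as an illustration and not code from Kevin, Eoin, or Emerging Threats: because Snort requires every option to match, the /i on the pcre cannot compensate for a missing nocase on the content:".bin"; http_uri; check, so a request for ".BIN" slips past the rule as posted but not past the variant with nocase. The sample requests are constructed, and http_inspect normalization (which does not change URI case anyway) is left out of the model.

```python
import re

# Constructed sample requests (not captured traffic), shaped like the
# .bin config fetch the quoted ZeuS rule is looking for.
SAMPLE_REQUESTS = {
    "lowercase": (
        "GET /kazkkkkaz.bin HTTP/1.1\r\n"
        "Accept: */*\r\nConnection: Close\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    ),
    "uppercase_ext": (
        "GET /kazkkkkaz.BIN?x=1 HTTP/1.1\r\n"
        "Accept: */*\r\nConnection: Close\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    ),
    "unrelated": (
        "GET /index.html HTTP/1.1\r\n"
        "Accept: */*\r\nConnection: Close\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    ),
}


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, header_block)."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    return method, uri, header_block


def rule_matches(raw, uri_nocase=False):
    """Model of the quoted rule: all options must match (logical AND).

    uri_nocase=False is the rule as posted; True adds nocase to the
    content:".bin"; http_uri; option, as suggested in the thread.
    """
    method, uri, headers = parse_request(raw)
    # content:".bin"; http_uri;  (nocase only when requested)
    if ".bin" not in (uri.lower() if uri_nocase else uri):
        return False
    # pcre:"/\.bin(\x3F|$)/Ui"  -- the /i makes this one case-insensitive
    if not re.search(r"\.bin(\?|$)", uri, re.IGNORECASE):
        return False
    # content:"GET"; http_method;  (case-sensitive as written)
    if method != "GET":
        return False
    # content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header;
    return "Accept: */*\r\nConnection: Close\r\nUser-Agent: " in headers


def compare_variants():
    """Return {sample: (matches as posted, matches with nocase)}."""
    return {name: (rule_matches(r), rule_matches(r, uri_nocase=True))
            for name, r in SAMPLE_REQUESTS.items()}
```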