[Emerging-Sigs] kazakaza.php trojan communications
kevross33 at googlemail.com
Mon Oct 4 15:23:13 EDT 2010
I was referring to this:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN
> ZeuS CnC request for .bin"; content:".bin"; http_uri;
> pcre:"/\.bin(\x3F|$)/Ui"; content:"GET"; http_method; content:"Accept:
> */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header;
> classtype:trojan-activity; sid:5600168; rev:1;)
The .bin in the http_uri has no nocase and yet the pcre has an /i. Now I
don't believe that nocase has absolutely no effect on performance, I just
think it is that tiny that it won't be noticeable for a while. I actually
wonder if in a test environment you removed nocase from all sigs if there
would be a noticeable cumulative improvement.
However, I do believe in cases where it is not case sensitive (i.e. the URI
and other things) that nocase should always be used to avoid simple
evasions. I am also all for putting it on the http_method (i.e. GET and POST
etc.) not because it doesn't match the large percentage of the time but just
to avoid evasions there. Really I would be interested to see cumulative
performance tests where common yet possibly unneeded keywords like nocase
were removed and run to see.
On 4 October 2010 17:06, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
> On 10/04/2010 10:59 AM, Eoin Miller wrote:
> > On 10/4/2010 3:17 PM, Kevin Ross wrote:
> >> They look fine but a nocase is needed on the uricontent requests so it
> >> cannot be evaded by case and also the colon in User-Agent needs a |3A|
> >> or escaped. Thanks again for your great research. Kind Regards, Kevin
> > Well, not really. The http client library in its current form is not
> > randomizing the cases of the headers in the requests it is creating and
> > the http_inspect preprocessor normalizes traffic so you do not need to
> > use rawbyte or escape, for that matter, any colons in a content:"foo";
> > http_header;. The signature has been actively tested and is actively
> > firing on requests from infected systems within our network.
> +1, the last thing we need is more superfluous nocase when not needed.
> Nice signature Eoin, thanks.
> Infected systems for this ZeuS infection will pull kazkkkkaz.bin,
> kakakakz.bin, kazakakzka.bin, kazkakakzkk1.bin, and/or kazkkkkaz.bin
> from 184.108.40.206, webhqadmin.com, webdealport.com, and wordborn.com.
> Looks like the injection script is also coming from aeheix.ru
> > -- Eoin
> - -evilghost
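As an added illustration (not code from the thread, Snort, or Emerging Threats), a toy evaluator for the sid:5600168 options quoted above, run over two constructed requests that differ only in URI case. Because every rule option must match, the case-sensitive content:".bin" check alone defeats the rule on an upper-case URI even though the pcre carries /i, and nocase closes that gap; the request samples and helper names are assumptions.

```python
import re

# Constructed sample requests (not captures from the thread); only the URI case differs.
REQ_LOWER = (b"GET /kazkkkkaz.bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
             b"User-Agent: Mozilla/4.0\r\nHost: example.invalid\r\n\r\n")
REQ_UPPER = REQ_LOWER.replace(b".bin", b".BIN")


def snort_content_bytes(spec: str) -> bytes:
    """Decode a Snort content string: literal text with |XX XX| hex escapes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_match(buf: bytes, spec: str, nocase: bool = False) -> bool:
    """Emulate content:"spec"; with an optional nocase modifier."""
    pat = snort_content_bytes(spec)
    return pat.lower() in buf.lower() if nocase else pat in buf


def split_request(raw: bytes):
    """Return (method, uri, headers) buffers, roughly as http_inspect exposes them."""
    head = raw.partition(b"\r\n\r\n")[0]
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, headers + b"\r\n"


def rule_sid5600168(raw: bytes, uri_nocase: bool = False) -> bool:
    """Evaluate the rule's options; all of them must match for an alert (AND)."""
    method, uri, headers = split_request(raw)
    return (content_match(method, "GET")
            and content_match(uri, ".bin", nocase=uri_nocase)        # the disputed option
            and re.search(rb"\.bin(\x3F|$)", uri, re.I) is not None  # pcre with /Ui
            and content_match(headers,
                              "Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "))


if __name__ == "__main__":
    print(rule_sid5600168(REQ_LOWER))                   # True
    print(rule_sid5600168(REQ_UPPER))                   # False: content fails, pcre never consulted
    print(rule_sid5600168(REQ_UPPER, uri_nocase=True))  # True
```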