[Emerging-Sigs] kazakaza.php trojan communications

evilghost@packetmail.net evilghost at packetmail.net
Wed Oct 6 12:15:35 EDT 2010



Ok, what about this one, top-posting for giggles.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET_CURRENT ZeuS-like http client library detected downloading file"; content:"GET"; nocase; http_method; content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header; pcre:"/\.[a-z]{3}$/Ui"; classtype:trojan-activity; sid:2010xxx; rev:2;)

HTTP GET method isolated, PCRE constrained to URI to ensure a
3-character extension is downloaded from this HTTP library.

I think this will leverage the power of the "catch-all" signature by
reducing false positives.  We'll test here since the ET ruleset is frozen
for a few days, then update.  Eoin, I'd like your thoughts too.

-evilghost
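To see what the three constraints in the rule above actually admit and reject, here is an added example (not code from the list thread, and not Snort itself) that emulates the rule's logic in Python and runs it over constructed HTTP requests. It approximates Snort's http_method, http_header and URI buffers with a simple request splitter and does not model header normalization; the sample requests, host name and User-Agent string are made up for the example.

```python
import re

# Byte patterns taken from the rule: the http_header content match and the
# URI-constrained PCRE (U = URI buffer, i = case-insensitive).
HEADER_CONTENT = b"Accept: */*\r\nConnection: Close\r\nUser-Agent: "
URI_RE = re.compile(rb"\.[a-z]{3}$", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, request_uri, header_block).

    header_block is everything after the request line up to the blank line,
    an approximation of Snort's http_header buffer. Header normalization
    (folding, whitespace collapsing) is not modelled here.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], header_block + b"\r\n"


def rule_matches(raw: bytes) -> bool:
    """Apply the three tests of the rule in order and return True on a hit."""
    method, uri, headers = parse_request(raw)
    # content:"GET"; nocase; http_method
    if method.upper() != b"GET":
        return False
    # content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header
    # This is a literal byte sequence: the three headers must be adjacent
    # and in exactly this order.
    if HEADER_CONTENT not in headers:
        return False
    # pcre:"/\.[a-z]{3}$/Ui" -- anchored to the end of the whole request-URI,
    # so a query string after the extension defeats the match.
    return URI_RE.search(uri) is not None


def build_request(method: bytes, uri: bytes, header_lines) -> bytes:
    """Assemble a raw request from constructed parts (sample data, not a capture)."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            + b"".join(h + b"\r\n" for h in header_lines) + b"\r\n")


# Constructed header set mimicking the client library the rule describes.
ZEUS_LIKE_HEADERS = [b"Accept: */*", b"Connection: Close",
                     b"User-Agent: Mozilla/4.0", b"Host: example.invalid"]

# Constructed samples; the names say what each one exercises.
SAMPLES = {
    "zeus_like_cfg":   build_request(b"GET",  b"/update/config.cfg", ZEUS_LIKE_HEADERS),
    "zeus_like_bin":   build_request(b"GET",  b"/update/config.bin", ZEUS_LIKE_HEADERS),
    "uppercase_ext":   build_request(b"GET",  b"/update/CONFIG.JPG", ZEUS_LIKE_HEADERS),
    "post_not_get":    build_request(b"POST", b"/update/config.cfg", ZEUS_LIKE_HEADERS),
    "query_after_ext": build_request(b"GET",  b"/update/config.cfg?id=1", ZEUS_LIKE_HEADERS),
    "four_char_ext":   build_request(b"GET",  b"/images/logo.jpeg", ZEUS_LIKE_HEADERS),
    "reordered_hdrs":  build_request(b"GET",  b"/update/config.cfg",
                                     [b"Connection: Close", b"Accept: */*",
                                      b"User-Agent: Mozilla/4.0"]),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule emulation."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} {'ALERT' if hit else 'no match'}")
```

Two of the misses are worth keeping in mind when tuning: the http_header content is an ordered byte sequence, so a client that emits the same three headers in a different order slips past, and the `$` anchor applies to the end of the entire request-URI, so a config fetch with a trailing query string is not caught by this revision.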

On 10/06/2010 11:07 AM, evilghost at packetmail.net wrote:
> 
> 
> On 10/06/2010 10:28 AM, Eoin Miller wrote:
>> Matt,
> 
>> you guys will probably want to go with this version of the signature 
>> when you get around to pushing the updates:
> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS http client library detected"; content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header; classtype:trojan-activity; sid:5600169; rev:1;)
> 
> +1, it's common for ZeuS to use configuration files without a ".bin"
> extension; for example, it's common to see .cfg, .jpg, .gif, and many others.
> 
> If we use Eoin's signature I recommend we isolate HTTP GET as the
> http_method so that we don't false with odd HTTP POST behavior by weird
> applications.  The ZeuS configuration will be fetched via HTTP GET.
> 
> -evilghost

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs