[Emerging-Sigs] kazakaza.php trojan communications

Packet Hack pckthck at gmail.com
Wed Oct 6 14:42:03 EDT 2010

On Wed, Oct 6, 2010 at 2:00 PM, evilghost at packetmail.net <evilghost at packetmail.net> wrote:

> On 10/06/2010 12:58 PM, waldo kitty wrote:
> > why limit it to three character extensions? shirley they can bypass that by
> > going for zero, one, two, or more than three characters? they are given the
> > opportunity to name the config file anything they want IIRC what the kit does ;)
> >
> Short answer; because they don't...  All I've seen are three extension.

 We've seen ".db" extensions:

        GET /us27/usdase.db HTTP/1.1
        Accept: */*
        Connection: Close
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
        Cache-Control: no-cache

From the ZeuS tracker:

