[Emerging-Sigs] kazakaza.php trojan communications

Packet Hack pckthck at gmail.com
Wed Oct 6 14:42:03 EDT 2010


On Wed, Oct 6, 2010 at 2:00 PM, evilghost at packetmail.net <evilghost at packetmail.net> wrote:

> On 10/06/2010 12:58 PM, waldo kitty wrote:
> > why limit it to three character extensions? shirley they can bypass that by
> > going for zero, one, two, or more than three characters? they are given the
> > opportunity to name the config file anything they want IIRC what the kit does ;)
> >
>
> Short answer: because they don't...  All I've seen are three-character extensions.


 We've seen ".db" extensions:

        GET /us27/usdase.db HTTP/1.1
        Accept: */*
        Connection: Close
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)
        Host: 113.11.194.167
        Cache-Control: no-cache

From the ZeuS tracker:

  https://zeustracker.abuse.ch/monitor.php?search=.db

--pckthck
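As an added example (not code from the original post, and not the Emerging Threats rule text), here is a small Python checker that parses raw HTTP requests and flags likely config-file fetches without assuming a three-character extension: the extension is extracted at any length and an allow-list decides what counts, so adding ".db" is a one-token change. The sample requests are constructed; the first mirrors the .db request quoted above, the rest are made up. The heuristic (GET, extension in the allow-list, Host is a bare IP literal, Cache-Control: no-cache) is an assumption chosen for illustration, not a claim about how the ET signature is written.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample requests for illustration. The first mirrors the .db
# fetch quoted in the thread; the other two are made up to exercise the logic.
SAMPLE_REQUESTS = [
    "GET /us27/usdase.db HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Connection: Close\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)\r\n"
    "Host: 113.11.194.167\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    # constructed: a .bin fetch with a query string, also to a bare IP
    "GET /cfg/config.bin?id=7 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Connection: Close\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: 198.51.100.7\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    # constructed: an ordinary browser image fetch to a hostname; must not match
    "GET /images/logo.jpg HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.6\r\n"
    "Accept: image/*\r\n\r\n",
]


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


# Extension of the last path segment, 1 to 8 characters, so the allow-list
# below decides what is interesting instead of a hard-coded length.
EXT_RE = re.compile(r"/[^/?]+\.([A-Za-z0-9]{1,8})(?:\?|$)")


def path_extension(path: str):
    """Return the lower-cased extension of the request path, or None."""
    m = EXT_RE.search(path)
    return m.group(1).lower() if m else None


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4/IPv6 literal (optional :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


# Assumed allow-list for illustration; extend it as new extensions are seen.
CONFIG_EXTENSIONS = frozenset({"bin", "jpg", "db"})


def looks_like_config_fetch(req: HttpRequest, extensions=CONFIG_EXTENSIONS) -> bool:
    """Assumed heuristic: GET of an allow-listed extension from a bare-IP host
    with Cache-Control: no-cache. Not the ET rule, just an illustration."""
    if req.method != "GET":
        return False
    if path_extension(req.path) not in extensions:
        return False
    if not is_bare_ip(req.headers.get("host", "")):
        return False
    return req.headers.get("cache-control", "").lower() == "no-cache"


def flag_requests(raw_requests):
    """Return (index, path, extension) for each request the heuristic flags."""
    hits = []
    for i, raw in enumerate(raw_requests):
        req = parse_request(raw)
        if looks_like_config_fetch(req):
            hits.append((i, req.path, path_extension(req.path)))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print(hit)
```

Running it flags the .db and .bin requests and leaves the hostname-based logo.jpg fetch alone, which is the point: the extension alone is weak evidence, and the length of the extension is not evidence at all.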