[Emerging-Sigs] kazakaza.php trojan communications

evilghost@packetmail.net evilghost at packetmail.net
Tue Oct 12 19:32:31 EDT 2010



On 10/12/2010 06:17 PM, Matthew Jonkman wrote:
> Ok, going with this:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS http client library detected"; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:1;)
> 
> If we do http_header as I understand the 0d 0a's will be normalized out.

I've got some |0d 0a| in some of my local rules confined to http_header,
I'll have to double-check but AFAIK they're not removed.

> Look good to all?

Only thing that got me was |0D 0A| and then |0d 0a| in the same content
match.  I know, it doesn't affect functionality but it irked me.  :)

Do we want to pad Accept with 0d 0a?  Do we also want to detect on the
use of HTTP/1.1 as a way to eliminate potential false positives for
HTTP/1.0?

Eoin had posted some packet captures;
http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009481.html

Share your thoughts:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS http client library detected"; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:2;)

> Matt

-evilghost
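As an added example (not part of the original post or the ET ruleset), a small Python emulation of the two content matches in the rev:2 rule above: the |..| hex sections are decoded, depth:4 is honoured, and both the rev:1 and rev:2 header strings are run against constructed requests to show what the added " HTTP/1.1" prefix does for an HTTP/1.0 client sending the same headers. It models raw-payload matching only, not http_header normalization.

```python
import re

# Snort content strings mix literal text with |hex bytes| sections.
_HEX_SECTION = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string (e.g. 'Accept|3a| */*|0d 0a|') to raw bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_SECTION.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # whitespace between hex bytes is ignored
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


# First content match shared by both revisions: content:"GET "; depth:4;
GET_PREFIX = snort_content_to_bytes("GET ")

# Second content match as posted for rev:1 and rev:2 of sid 2011811.
REV1_HEADERS = snort_content_to_bytes(
    "Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| ")
REV2_HEADERS = snort_content_to_bytes(
    " HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| ")


def rule_matches(request: bytes, header_content: bytes) -> bool:
    """Emulate the rule: 'GET ' must sit in the first 4 bytes (depth:4),
    then the header sequence may appear anywhere after it."""
    if request[:4] != GET_PREFIX:
        return False
    return header_content in request[4:]


# Constructed sample requests (not real captures from the thread).
ZEUS_LIKE_11 = (b"GET /cfg.bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
                b"User-Agent: Mozilla/4.0\r\nHost: c2.example.invalid\r\n\r\n")
SAME_HEADERS_10 = (b"GET /cfg.bin HTTP/1.0\r\nAccept: */*\r\nConnection: Close\r\n"
                   b"User-Agent: Mozilla/4.0\r\n\r\n")
BROWSER = (b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n"
           b"Accept: */*\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("zeus-like/1.1", ZEUS_LIKE_11),
                      ("same-headers/1.0", SAME_HEADERS_10),
                      ("browser", BROWSER)):
        print(f"{name:18} rev1={rule_matches(req, REV1_HEADERS)} "
              f"rev2={rule_matches(req, REV2_HEADERS)}")
```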


