[Emerging-Sigs] kazakaza.php trojan communications

Joel Esler jesler at sourcefire.com
Tue Oct 12 19:40:38 EDT 2010

On Oct 12, 2010, at 7:32 PM, evilghost at packetmail.net wrote:
> On 10/12/2010 06:17 PM, Matthew Jonkman wrote:
>> Ok, going with this:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS http client library detected"; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:1;)
>> If we do http_header as I understand the 0d 0a's will be normalized out.
> I've got some |0d 0a| in some of my local rules confined to http_header,
> I'll have to double-check but AFAIK they're not removed.
>> Look good to all?
> Only thing that got me was |0D 0A| and then |0d 0a| in the same content
> match.  I know, it doesn't affect functionality but it irked me.  :)
> Do we want to pad Accept with 0d 0a?  Do we also want to detect on the
> use of HTTP/1.1 as a way to eliminate potential false positives for
> HTTP/1.0?

|0d 0a| separates http header fields.  It's there between all of them.  No biggie.  I think the main purpose in using it here is to make the string longer to match and thusly more efficient on the engine.  (Which I agree with.)

> Eoin had posted some packet captures;
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009481.html
> Share your thoughts:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> ZeuS http client library detected"; content:"GET "; depth:4;
> content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d
> 0a|User-Agent|3a| "; classtype:trojan-activity;
> sid:2011811; rev:2;)

I think the "GET" content match is superfluous.

Joel Esler
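As an added illustration (not code from the thread or from Emerging Threats), the following Python models the "content"/"depth" matching of the two rule revisions above against constructed HTTP requests. It searches the raw payload only, so it assumes no http_header normalization and no distance/within modifiers; the sample requests are made up, not the captures referenced in the thread.

```python
# Minimal model of Snort "content"/"depth" matching, used to check the two rule
# revisions from the thread against constructed HTTP requests. It searches the raw
# TCP payload only; it does not model http_header normalization or distance/within.

def decode_content(s: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside is hex (so |0D 0A| and |0d 0a| decode to the same CRLF)."""
    out = bytearray()
    for i, seg in enumerate(s.split("|")):
        out += seg.encode("latin-1") if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)

# Ordered (depth, content) pairs for each revision; depth=None means "anywhere in the payload".
RULE_REV1 = [
    (4, "GET "),
    (None, "Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "),
]
RULE_REV2 = [
    (4, "GET "),
    (None, " HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "),
]

def rule_matches(payload: bytes, rule) -> bool:
    """True when every content match is found; depth:N confines the search to the first N bytes."""
    for depth, content in rule:
        haystack = payload if depth is None else payload[:depth]
        if haystack.find(decode_content(content)) < 0:
            return False
    return True

# Constructed sample requests (assumptions for this example, not captures from the thread).
ZEUS_REQUEST = (b"GET /cfg.bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
                b"User-Agent: Mozilla/4.0\r\nHost: example.invalid\r\n\r\n")
HTTP10_REQUEST = ZEUS_REQUEST.replace(b"HTTP/1.1", b"HTTP/1.0")   # the HTTP/1.0 case raised in the thread
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n"
                   b"Accept: text/html\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("zeus", ZEUS_REQUEST), ("http/1.0", HTTP10_REQUEST), ("browser", BROWSER_REQUEST)]:
        print(f"{name:9s} rev1={rule_matches(req, RULE_REV1)} rev2={rule_matches(req, RULE_REV2)}")
```

Running it shows rev:2 fires only on the HTTP/1.1 header order the rule encodes, while rev:1 also matches the HTTP/1.0 variant, which is the false-positive trade-off discussed above.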
