[Emerging-Sigs] kazakaza.php trojan communications

Joel Esler jesler at sourcefire.com
Wed Oct 13 08:51:37 EDT 2010


I had a friend place this rule on his sensors; I figured it would either false positive like crazy, or it would help him find a ton of infected hosts, which we know exist. 

All we've had so far is false positives. I told him to let it run for a bit and see what we get, if we get anything that doesn't look normal (normal web browsers going to Google is what we are getting, amongst other alerts). 

Will report back later. 


Sent from my iPhone

On Oct 12, 2010, at 7:43 PM, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:

> 
> On Oct 12, 2010, at 7:40 PM, Joel Esler wrote:
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS http client library detected"; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:2;)
>> 
>> I think the "GET" content match is superfluous.
>> 
> 
> We need to exclude POST is why.
> 
> Thanks
> 
> Matt
> 
> 
>> --
>> Joel Esler
>> 302-223-5974
>> 
>> 
> 
> 
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
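A worked example added here, not code from the thread or from the ET ruleset: a minimal Python re-implementation of the two content matches in sid:2011811, run over constructed requests (hypothetical hosts and paths), to show that the "GET " match with depth:4 is what keeps a POST from alerting, and that any benign client emitting the same header order will still trip the rule.

```python
# Added example, not code from the thread or the ET ruleset: a minimal
# re-implementation of the two content matches in sid:2011811, run over
# constructed HTTP requests (not real captures).

# The rule's second content option with the |0d 0a| and |3a| escapes expanded.
HEADER_SEQ = b" HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\nUser-Agent: "


def content_match(payload, pattern, depth=None):
    """Snort-style content match: exact, case-sensitive byte search over the
    whole payload, or over only its first `depth` bytes when depth is set."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def sid_2011811(payload):
    """Rule fires only when both content options match: 'GET ' within the
    first 4 bytes (this is what excludes POST) and the exact header order."""
    return (content_match(payload, b"GET ", depth=4)
            and content_match(payload, HEADER_SEQ))


# Constructed sample requests (hypothetical hosts and paths).
SAMPLES = {
    # Header order the rule was written for, on a GET.
    "zeus_style_get": (b"GET /cfg.bin HTTP/1.1\r\nAccept: */*\r\n"
                       b"Connection: Close\r\nUser-Agent: Mozilla/4.0\r\n"
                       b"Host: example.invalid\r\n\r\n"),
    # Same headers on a POST: the depth:4 window is b"POST", so no alert.
    "zeus_style_post": (b"POST /gate.php HTTP/1.1\r\nAccept: */*\r\n"
                        b"Connection: Close\r\nUser-Agent: Mozilla/4.0\r\n"
                        b"Host: example.invalid\r\n\r\n"),
    # Typical browser request: different header order, no alert.
    "browser_get": (b"GET / HTTP/1.1\r\nHost: www.google.com\r\n"
                    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
                    b"Connection: keep-alive\r\n\r\n"),
    # Benign client that happens to emit the same header order: false positive.
    "benign_same_order": (b"GET /update.xml HTTP/1.1\r\nAccept: */*\r\n"
                          b"Connection: Close\r\nUser-Agent: Updater/1.0\r\n"
                          b"Host: example.invalid\r\n\r\n"),
}


def evaluate(samples=SAMPLES):
    """Return {sample name: True if the rule would alert on that request}."""
    return {name: sid_2011811(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18s} {'ALERT' if hit else 'no match'}")
```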

