[Emerging-Sigs] kazakaza.php trojan communications

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Oct 13 09:36:44 EDT 2010

  On 10/13/2010 12:51 PM, Joel Esler wrote:
> I had a friend place this rule on his sensors, I figured it would either false positive like crazy, or it would help him find a ton of infected hosts, which we know exist.
> All we've had so far is false positives. I told him to let it run for a bit and see what we get, if we get anything that looks not normal. (normal web browsers going to Google is what we are getting amongst other alerts).
> Will report back later.
> Sent from my iPhone
That is the heartbeat which has been verified by others on this list as 
well. It hits www.google.com/webhp, sometimes thousands of times before 
it reaches out to pull down the .bin or .db file from the CnC. I've got 
the alerts to prove it.

-- Eoin

More information about the Emerging-sigs mailing list