[Emerging-Sigs] kazakaza.php trojan communications
eoin.miller at trojanedbinaries.com
Wed Oct 13 09:36:44 EDT 2010
On 10/13/2010 12:51 PM, Joel Esler wrote:
> I had a friend place this rule on his sensors, I figured it would either false positive like crazy, or it would help him find a ton of infected hosts, which we know exist.
> All we've had so far is false positives. I told him to let it run for a bit and see what we get, if we get anything that looks not normal. (normal web browsers going to Google is what we are getting amongst other alerts).
> Will report back later.
> Sent from my iPhone
That is the heartbeat which has been verified by others on this list as
well. It hits www.google.com/webhp, sometimes thousands of times before
it reaches out to pull down the .bin or .db file from the CnC. I've got
the alerts to prove it.
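
Added example, not part of the original messages: one way to separate the heartbeat described above from ordinary browsers hitting Google is to alert only when a client shows a run of www.google.com/webhp requests followed by a .bin or .db download. The log format, threshold, time window, addresses and hostnames below are assumptions constructed for illustration.

```python
from collections import defaultdict

HEARTBEAT = ("www.google.com", "/webhp")  # heartbeat request named in the thread
PAYLOAD_EXTS = (".bin", ".db")            # file types pulled from the CnC per the thread
MIN_BEATS = 20   # assumed threshold; tune against your own baseline
WINDOW = 3600    # assumed: seconds of heartbeats counted before a download

def find_suspects(lines, min_beats=MIN_BEATS, window=WINDOW):
    """Return {client: [(ts, host, path, beats)]} for downloads preceded by
    at least min_beats heartbeat requests. Lines must be in time order."""
    beats = defaultdict(list)      # client -> timestamps of heartbeat hits
    suspects = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue               # skip malformed lines
        ts, client, host, path = int(parts[0]), parts[1], parts[2].lower(), parts[3]
        bare = path.split("?", 1)[0].lower()   # ignore any query string
        if (host, bare) == HEARTBEAT:
            beats[client].append(ts)
        elif bare.endswith(PAYLOAD_EXTS):
            recent = [t for t in beats[client] if 0 <= ts - t <= window]
            if len(recent) >= min_beats:
                suspects[client].append((ts, host, path, len(recent)))
    return dict(suspects)

def sample_log():
    """Constructed proxy log, 'epoch client host path' (hypothetical format)."""
    t0 = 1286976000
    log = []
    # Host with a long heartbeat run, then a .bin fetch (should be flagged).
    log += [f"{t0 + i * 30} 10.0.0.5 www.google.com /webhp" for i in range(40)]
    log.append(f"{t0 + 1200} 10.0.0.5 cnc.example.invalid /sample.bin")
    # Ordinary browser: two visits to Google, then an unrelated .bin download.
    log += [f"{t0 + 10} 10.0.0.9 www.google.com /webhp",
            f"{t0 + 20} 10.0.0.9 www.google.com /webhp",
            f"{t0 + 60} 10.0.0.9 downloads.example.invalid /firmware.bin"]
    # Many webhp hits but no payload fetch: not enough on its own.
    log += [f"{t0 + i * 30 + 5} 10.0.0.7 www.google.com /webhp" for i in range(40)]
    return sorted(log, key=lambda l: int(l.split()[0]))

if __name__ == "__main__":
    for client, hits in find_suspects(sample_log()).items():
        for ts, host, path, n in hits:
            print(f"{client}: {n} heartbeats before http://{host}{path} at {ts}")
```
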