[Emerging-Sigs] kazakaza.php trojan communications

Joel Esler jesler at sourcefire.com
Wed Oct 13 09:46:54 EDT 2010


On Oct 13, 2010, at 9:36 AM, Eoin Miller wrote:
> On 10/13/2010 12:51 PM, Joel Esler wrote:
>> I had a friend place this rule on his sensors, I figured it would either false positive like crazy, or it would help him find a ton of infected hosts, which we know exist.
>> 
>> All we've had so far is false positives. I told him to let it run for a bit and see what we get, if we get anything that looks not normal. (normal web browsers going to Google is what we are getting amongst other alerts).
>> 
>> Will report back later.
>> 
>> 
>> Sent from my iPhone
>> 
> That is the heartbeat which has been verified by others on this list as well. It hits www.google.com/webhp, sometimes thousands of times before it reaches out to pull down the .bin or .db file from the CnC. I've got the alerts to prove it.


Right.  But these hits weren't that.

Do you have sigs that watch the .bin?  or .db?  That would seem to be more reliable.

J


--
Joel Esler
302-223-5974
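To illustrate Joel's point that the .bin/.db fetch is a more reliable indicator than the Google heartbeat alone, here is an added example that is not part of the thread: it correlates the two stages over constructed proxy log lines (format "<src_ip> <method> <url>", assumed for this example, not a real log format) and only flags a host whose payload download follows a burst of GET /webhp requests.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the thread), in time order.
SAMPLE_LOGS = (
    ["10.0.0.5 GET http://www.google.com/webhp"] * 60
    + ["10.0.0.5 GET http://203.0.113.9/update/cfg.bin"]   # heartbeat burst, then payload
    + ["10.0.0.7 GET http://www.google.com/webhp"] * 3      # ordinary browsing, below threshold
    + ["10.0.0.7 GET http://www.google.com/search?q=snort"]
    + ["10.0.0.8 GET http://203.0.113.9/data/list.db"]      # payload fetch with no heartbeat burst
)

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
PAYLOAD_EXT = (".bin", ".db")

def parse_line(line):
    """Parse one constructed log line into (src, method, host, path); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = urlparse(m.group("url"))
    return m.group("src"), m.group("method"), u.netloc.lower(), u.path

def find_suspects(lines, heartbeat_threshold=50):
    """Return {src: [payload URLs]} for sources whose .bin/.db fetch from a
    non-Google host follows at least `heartbeat_threshold` GET /webhp requests.
    The heartbeat by itself is never alerted on: that is what produced the
    false positives described in the thread."""
    heartbeats = defaultdict(int)
    suspects = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, method, host, path = rec
        if method == "GET" and host == "www.google.com" and path == "/webhp":
            heartbeats[src] += 1
        elif path.lower().endswith(PAYLOAD_EXT) and not host.endswith("google.com"):
            if heartbeats[src] >= heartbeat_threshold:
                suspects[src].append(f"http://{host}{path}")
    return dict(suspects)

if __name__ == "__main__":
    for src, urls in find_suspects(SAMPLE_LOGS).items():
        print(src, urls)
```

The threshold is a tunable assumption; in the thread the heartbeat count ran into the thousands, so a real deployment would set it from observed traffic.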


