[Emerging-Sigs] kazakaza.php trojan communications

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Oct 13 10:02:09 EDT 2010


  On 10/13/2010 1:46 PM, Joel Esler wrote:
>
> Right.  But these hits weren't that.
>
> Do you have sigs that watch the .bin?  or .db?  That would seem to be more reliable.
>
> J
>
>
> --
> Joel Esler
> 302-223-5974
>
We have deployed ones that looked for the .bin and a test one using only 
the string in http_header but found that the one that didn't care about 
anything in http_uri was very accurate in our environment. Granted it's 
only like 80,000 people, but we haven't FP'd once since we deployed it. 
We aren't exactly standardized for all client configurations in this 
environment either.

Sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS http client library detected"; content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header; classtype:trojan-activity; sid:5600169; rev:1;)

Other thing is some of the infected hosts sit there and reach out to 
www.google.com/webhp over and over (like 3000 times over a weekend) 
without ever hitting the CnC for some reason (host domain probably can 
no longer be resolved via DNS I would guess). So this helps us track 
down the infected systems that can't get home and clean them up without 
looking for the .bin or .db.

-- Eoin
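Added example, not part of the list post above and not Emerging Threats or Snort code: a small Python check that mirrors what the signature's content match does, so the header-ordering test can be run against sample requests offline. The function and variable names (http_header_buffer, matches_zeus_client_library, alerting_hosts) and the sample requests are constructed for this example; the byte pattern is the one from the rule.

```python
# Added example (not from the original post). It approximates the Snort rule:
# match the exact byte sequence "Accept: */*\r\nConnection: Close\r\nUser-Agent: "
# inside the HTTP header fields only (http_header), ignoring the URI and body.
from collections import Counter

ZEUS_HEADER_PATTERN = b"Accept: */*\r\nConnection: Close\r\nUser-Agent: "


def http_header_buffer(request: bytes) -> bytes:
    """Return the header fields of a raw HTTP request: everything after the
    request line up to and including the blank line. This is roughly the
    region Snort's http_header modifier inspects; the body is excluded so a
    copy of the pattern in POST data does not trigger."""
    end = request.find(b"\r\n\r\n")
    headers = request if end == -1 else request[:end + 4]
    first_crlf = headers.find(b"\r\n")
    return headers if first_crlf == -1 else headers[first_crlf + 2:]


def matches_zeus_client_library(request: bytes) -> bool:
    """True when the ZeuS client-library header ordering appears in the
    header buffer, regardless of which URI was requested."""
    return ZEUS_HEADER_PATTERN in http_header_buffer(request)


def alerting_hosts(records, min_hits: int = 1) -> dict:
    """records: iterable of (source_ip, raw_request). Returns a dict of
    source_ip -> number of matching requests, keeping only hosts with at
    least min_hits matches. Raising min_hits helps separate the hosts that
    keep retrying (the /webhp loop described above) from a one-off match."""
    hits = Counter(src for src, req in records if matches_zeus_client_library(req))
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed sample traffic (not captured data).
SUSPECT_REQUEST = (
    b"GET /webhp HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Connection: Close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: www.google.com\r\n\r\n"
)

# A normal browser request to the same URI: different header order, no match.
BROWSER_REQUEST = (
    b"GET /webhp HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

# The pattern only in the body must not trigger (http_header scope).
BODY_ONLY_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 44\r\n\r\n"
    b"Accept: */*\r\nConnection: Close\r\nUser-Agent: "
)

SAMPLE_RECORDS = [
    ("10.0.0.5", SUSPECT_REQUEST),
    ("10.0.0.5", SUSPECT_REQUEST),
    ("10.0.0.5", SUSPECT_REQUEST),
    ("10.0.0.9", BROWSER_REQUEST),
    ("10.0.0.12", BODY_ONLY_REQUEST),
]

if __name__ == "__main__":
    for src, n in alerting_hosts(SAMPLE_RECORDS).items():
        print(f"{src}: {n} request(s) with ZeuS client-library header ordering")
```

The header-only scope matters for the false-positive rate the post reports: the distinctive part is the fixed order and exact spelling of the three header fields, so the check should look at header fields and nothing else.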

