[Emerging-Sigs] kazakaza.php trojan communications

Joel Esler jesler at sourcefire.com
Wed Oct 13 10:12:22 EDT 2010


Thanks. 


Sent from my iPhone

On Oct 13, 2010, at 10:02 AM, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:

> On 10/13/2010 1:46 PM, Joel Esler wrote:
>> 
>> Right.  But these hits weren't that.
>> 
>> Do you have sigs that watch the .bin?  or .db?  That would seem to be more reliable.
>> 
>> J
>> 
>> 
>> --
>> Joel Esler
>> 302-223-5974
>> 
> We have deployed ones that looked for the .bin and a test one using only the string in http_header but found that the one that didn't care about anything in http_uri was very accurate in our environment. Granted it's only like 80,000 people, but we haven't FP'd once since we deployed it. We aren't exactly standardized for all client configurations in this environment either.
> 
> Sig:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS http client library detected"; content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header; classtype:trojan-activity; sid:5600169; rev:1;)
> 
> Other thing is some of the infected hosts sit there and reach out to www.google.com/webhp over and over (like 3000 times over a weekend) without ever hitting the CnC for some reason (host domain probably can no longer be resolved via DNS I would guess). So this helps us track down the infected systems that can't get home and clean them up without looking for the .bin or .db.
> 
> -- Eoin


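The two detection ideas in Eoin's message, the header-only content match and the repeated www.google.com/webhp reach-outs from hosts that can no longer resolve their CnC, can be reproduced outside Snort for triage of captured traffic or proxy logs. The following is an added example, not code from the thread or from Emerging Threats: it converts the signature's content string (with its |0D 0A| hex escapes) into raw bytes, applies it to the header block of constructed HTTP requests as a simplified stand-in for Snort's http_header buffer match, and counts /webhp requests per client from constructed proxy log lines. The request samples, log format and the beacon threshold are assumptions for illustration.

```python
from collections import Counter

# Content string taken verbatim from the signature posted in the thread.
SNORT_CONTENT = 'Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: '


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text between '|' pairs is hex (spaces allowed, as in Snort);
    everything else is literal ASCII/latin-1.
    """
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2 == 0:
            out += part.encode('latin-1')
        else:
            out += bytes.fromhex(part)
    return bytes(out)


PATTERN = snort_content_to_bytes(SNORT_CONTENT)


def header_matches(raw_request: bytes, pattern: bytes = PATTERN) -> bool:
    """Simplified http_header check: look for the pattern only in the
    request header block (everything up to the blank line), not the body."""
    header_end = raw_request.find(b'\r\n\r\n')
    headers = raw_request if header_end < 0 else raw_request[:header_end + 4]
    return pattern in headers


# Constructed sample requests (assumed, not real captures).
# The first carries the exact header sequence the signature keys on.
BOT_REQUEST = (
    b'GET /cfg.bin HTTP/1.1\r\n'
    b'Host: placeholder.invalid\r\n'
    b'Accept: */*\r\n'
    b'Connection: Close\r\n'
    b'User-Agent: Mozilla/4.0\r\n'
    b'\r\n'
)
BROWSER_REQUEST = (
    b'GET /index.html HTTP/1.1\r\n'
    b'Host: placeholder.invalid\r\n'
    b'Accept: text/html,*/*;q=0.8\r\n'
    b'Connection: keep-alive\r\n'
    b'User-Agent: Mozilla/5.0\r\n'
    b'\r\n'
)

# Constructed proxy log lines (assumed format): "<client_ip> <method> <host><path>"
SAMPLE_LOG = """\
10.0.0.5 GET www.google.com/webhp
10.0.0.5 GET www.google.com/webhp
10.0.0.5 GET www.google.com/webhp
10.0.0.9 GET www.google.com/webhp
10.0.0.9 GET www.example.org/index.html
"""


def webhp_counts(log_text: str) -> Counter:
    """Count www.google.com/webhp requests per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2] == 'www.google.com/webhp':
            counts[fields[0]] += 1
    return counts


def flag_beaconing_hosts(log_text: str, threshold: int = 3) -> list:
    """Return client IPs at or above the threshold of /webhp requests.
    The threshold is an assumed value for the sample; tune it to your
    own baseline (the thread cites ~3000 hits over a weekend)."""
    return sorted(ip for ip, n in webhp_counts(log_text).items() if n >= threshold)


if __name__ == '__main__':
    print('bot request matches:', header_matches(BOT_REQUEST))
    print('browser request matches:', header_matches(BROWSER_REQUEST))
    print('hosts beaconing to /webhp:', flag_beaconing_hosts(SAMPLE_LOG))
```

The header check deliberately anchors on the exact header order and the literal "Connection: Close" capitalization, which is what makes the signature narrow enough to stay quiet on a mixed client population; any normalization Snort applies in the http_header buffer is not reproduced here.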