[Emerging-Sigs] kazakaza.php trojan communications
jesler at sourcefire.com
Wed Oct 13 11:31:13 EDT 2010
Thanks all. I really appreciate the feedback. If I take off my Sourcefire hat for a second, I'm trying to help a friend out with some infection problems he's having, so I'm having him test out different things. He's having good results with some Sourcefire sigs and a lot of custom stuff, so we are trying one or two different approaches.
On Oct 13, 2010, at 11:20 AM, Eoin Miller wrote:
> On 10/13/2010 2:12 PM, Joel Esler wrote:
>> Sent from my iPhone
> Example on why not to just look for .bin/.db only just popped up again
> this morning:
> GET /wetq.img HTTP/1.1..
> Accept: */*..
> Connection: Close..
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
> Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR
> 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)..
> Host: iwutyetitw.com..
> Cache-Control: no-cache....
> This sucker isn't even in ZeuS tracker yet.
> -- Eoin
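The point made in the quoted reply, as an added example that is not part of the original thread: an extension-only check misses the `/wetq.img` request, while a check on the request's overall shape still matches. The header-profile rule is a hypothetical heuristic built only from the fields visible in the quoted capture, not an Emerging Threats or Sourcefire signature, and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed from the request quoted in the thread; the ".." in the capture
# is the sniffer's rendering of CRLF, restored here.
RAW_REQUEST = (
    "GET /wetq.img HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Connection: Close\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; "
    "Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR "
    "3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)\r\n"
    "Host: iwutyetitw.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

def parse_request(raw):
    """Return (method, path, ordered list of (lowercased header name, value))."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, urlsplit(target).path, headers

def extension_rule(path, extensions=(".bin", ".db")):
    """The brittle approach: alert only on known file extensions."""
    return path.lower().endswith(extensions)

def header_profile_rule(method, path, headers):
    """Hypothetical heuristic: match the request's shape, not its extension."""
    names = [n for n, _ in headers]
    values = dict(headers)
    return (
        method == "GET"
        and names == ["accept", "connection", "user-agent", "host", "cache-control"]
        and values["accept"] == "*/*"
        and values["connection"].lower() == "close"
        and values["cache-control"].lower() == "no-cache"
        and re.fullmatch(r"/[a-z]{3,8}\.[a-z0-9]{2,4}", path) is not None
    )

def evaluate(raw):
    """Run both rules over one raw request and report which ones fire."""
    method, path, headers = parse_request(raw)
    return {"extension": extension_rule(path),
            "header_profile": header_profile_rule(method, path, headers)}

if __name__ == "__main__":
    print(evaluate(RAW_REQUEST))
```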