[Emerging-Sigs] kazakaza.php trojan communications

Joel Esler jesler at sourcefire.com
Wed Oct 13 11:31:13 EDT 2010


Thanks all.  I really appreciate the feedback.  If I take off my Sourcefire hat for a second, I'm trying to help a friend out with some infection problems he's having, so I'm having him test out different things.  He's having good results with some Sourcefire sigs and a lot of custom stuff, so we are trying one or two different approaches.

J

On Oct 13, 2010, at 11:20 AM, Eoin Miller wrote:

>  On 10/13/2010 2:12 PM, Joel Esler wrote:
>> Thanks.
>> 
>> 
>> Sent from my iPhone
> Example on why not to just look for .bin/.db only just popped up again 
> this morning:
> 
> GET /wetq.img HTTP/1.1..
> Accept: */*..
> Connection: Close..
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; 
> Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 
> 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)..
> Host: iwutyetitw.com..
> Cache-Control: no-cache....
> 
> This sucker isn't even in ZeuS tracker yet.
> 
> -- Eoin
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

--
Joel Esler
302-223-5974
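The request Eoin quoted makes a concrete detection point: a rule keyed on the fetched file extension (`.bin`/`.db`) misses the same bot behaviour when the config is served as `.img`, and fires on ordinary browser fetches of `.db` files. The script below is an added illustration, not code from this thread or from Emerging Threats; it parses a request head (either real CRLF text or the `..` form a packet dump prints for CRLF) and contrasts the extension-only check with one keyed on the request's shape. The first sample paraphrases the quoted request (the `iwutyetitw.com` host and `/wetq.img` path are from the thread); the other two samples, the hostnames `example.invalid`, the indicator list and the threshold of five are constructed for the example.

```python
"""Detection sketch: flag bot config fetches by request shape, not by extension."""
import re

# Constructed samples. "img_fetch" paraphrases the request quoted in the thread,
# written the way a packet dump prints it (".." standing for CRLF). The other
# two are made up for contrast and use the reserved example.invalid domain.
SAMPLES = {
    "img_fetch": (
        "GET /wetq.img HTTP/1.1..Accept: */*..Connection: Close.."
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).."
        "Host: iwutyetitw.com..Cache-Control: no-cache...."
    ),
    "bin_fetch": (
        "GET /cfg.bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
        "Host: example.invalid\r\nCache-Control: no-cache\r\n\r\n"
    ),
    "browser": (
        "GET /images/logo.db HTTP/1.1\r\nAccept: */*\r\nReferer: http://example.invalid/\r\n"
        "Accept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
        "Host: example.invalid\r\nConnection: Keep-Alive\r\n\r\n"
    ),
}


def parse_request(raw: str) -> dict:
    """Parse a request head given as CRLF text or in dotted packet-dump form.

    The dotted form is lossy: a header value containing a literal ".." would be
    split here, so treat this parser as a triage aid, not a protocol decoder.
    """
    lines = raw.replace("\r\n", "..").split("..")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


NARROW_EXTENSIONS = (".bin", ".db")


def extension_only_match(req: dict) -> bool:
    """The narrow check the thread argues against: fire only on .bin/.db fetches."""
    return req["method"] == "GET" and req["path"].lower().endswith(NARROW_EXTENSIONS)


# A single-component path with a short alphanumeric name and any extension.
SHORT_RANDOM_PATH = re.compile(r"^/[a-z0-9]{3,8}\.[a-z]{2,4}$")


def config_fetch_indicators(req: dict) -> list:
    """Traits that, taken together, characterise an unattended config/update fetch."""
    h = req["headers"]
    hits = []
    if req["method"] == "GET" and SHORT_RANDOM_PATH.match(req["path"].lower()):
        hits.append("short single-component path (any extension)")
    if h.get("accept") == "*/*":
        hits.append("Accept: */*")
    if h.get("connection", "").lower() == "close":
        hits.append("Connection: Close")
    if h.get("cache-control", "").lower() == "no-cache":
        hits.append("Cache-Control: no-cache")
    if "referer" not in h:
        hits.append("no Referer")
    # A real IE page load sends Accept-Language and Accept-Encoding; a raw
    # WinINet/WinHTTP fetch claiming to be IE usually does not.
    if ("msie" in h.get("user-agent", "").lower()
            and "accept-language" not in h and "accept-encoding" not in h):
        hits.append("MSIE User-Agent without Accept-Language/Accept-Encoding")
    return hits


def looks_like_config_fetch(req: dict, threshold: int = 5) -> bool:
    """Behavioural verdict: enough of the indicators above are present at once."""
    return len(config_fetch_indicators(req)) >= threshold


def compare(name: str) -> tuple:
    """Return (extension_only_verdict, behavioural_verdict) for a named sample."""
    req = parse_request(SAMPLES[name])
    return extension_only_match(req), looks_like_config_fetch(req)


if __name__ == "__main__":
    for name in SAMPLES:
        ext, shape = compare(name)
        print(f"{name:10s} extension-only={ext!s:5s} shape-based={shape!s:5s}")
```

Run stand-alone, the table shows the `.img` fetch slipping past the extension check while the shape-based check catches it, and the browser's `logo.db` request doing the reverse. The threshold is deliberately conservative; in a real ruleset these traits would be expressed as Snort content/pcre options and tuned against the site's own traffic before alerting.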
