[Emerging-Sigs] kazakaza.php trojan communications
eoin.miller at trojanedbinaries.com
Wed Oct 13 14:38:03 EDT 2010
Wrote this and have been running it for a little bit (after some
slight tweaks) and it seems to be *pretty* good and low on the FPs:
# NOTE: the posted rule ended after classtype and had no sid/rev or closing
# parenthesis; sid:1000001 below is a placeholder in the local rule range,
# set your own sid before loading it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS POST to CnC"; content:"POST"; http_method; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|User-Agent:"; content:!"Content-Type: "; content:"Content-Length: "; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:1000001; rev:1;)
Example CnC communication:
POST /qwe/wert.php HTTP/1.1..
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)..
Stuff that was FPing before I did some tweaking:
POST /incrediappserver.dll HTTP/1.1..
User-Agent: IncrediMail 5.0..
Accept-Encoding: gzip, deflate..
The HTTP client library seems to be pretty close to some others that
exist, however the others seem to include other entries within the
header (such as Content-Type, Accept-Language, Accept-Encoding and more).
So if we check for not those in addition to the order in which it places
the elements within the HTTP client header, we should be able to detect
this stuff with good certainty. If anyone else can load it up and give
it a shot, let me know and let me see the packets causing the FPs; that
would be awesome.
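To make the header-order and absent-header logic of the rule easy to test offline, here is an added Python example (not part of the original post) that reproduces each content check as a byte-substring test and reports which check a request fails on; the three request samples are constructed for the example and the host names are placeholders.

```python
# Checks from the posted rule as byte substrings. Snort 'content' matches
# without distance/within are order-independent substring tests, so a plain
# `in` test reproduces them; the header ORDER is enforced only by the
# multi-line contents themselves.
CHECKS = {
    "method_post": lambda req: req.startswith(b"POST "),
    "accept_then_ua_order": lambda req:
        b"HTTP/1.1\r\nAccept: */*\r\nUser-Agent:" in req,
    "no_content_type": lambda req: b"Content-Type: " not in req,
    "has_content_length": lambda req: b"Content-Length: " in req,
    "keepalive_nocache_tail": lambda req:
        b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n" in req,
}

def evaluate(request: bytes) -> dict:
    """Run every check; the per-check result shows which one a FP fails on."""
    return {name: check(request) for name, check in CHECKS.items()}

def matches_zeus_post_rule(request: bytes) -> bool:
    """True only when all checks pass, i.e. the rule would alert."""
    return all(evaluate(request).values())

# Constructed samples (not captures from the post), built with real CRLFs.
ZEUS_LIKE = (b"POST /qwe/wert.php HTTP/1.1\r\n"
             b"Accept: */*\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
             b"Host: cnc.example\r\n"
             b"Content-Length: 4\r\n"
             b"Connection: Keep-Alive\r\n"
             b"Cache-Control: no-cache\r\n\r\n"
             b"abcd")
INCREDIMAIL_LIKE = (b"POST /incrediappserver.dll HTTP/1.1\r\n"
                    b"User-Agent: IncrediMail 5.0\r\n"
                    b"Accept-Encoding: gzip, deflate\r\n"
                    b"Host: update.example\r\n"
                    b"Content-Length: 4\r\n"
                    b"Connection: Keep-Alive\r\n"
                    b"Cache-Control: no-cache\r\n\r\n"
                    b"abcd")
# Same order as ZEUS_LIKE but with the Content-Type a browser form POST sends.
BROWSER_FORM_POST = ZEUS_LIKE.replace(
    b"Content-Length: 4\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 4\r\n")

if __name__ == "__main__":
    for name, sample in [("zeus_like", ZEUS_LIKE), ("incredimail", INCREDIMAIL_LIKE),
                         ("browser_form", BROWSER_FORM_POST)]:
        failed = [k for k, ok in evaluate(sample).items() if not ok]
        print(f"{name}: alert={matches_zeus_post_rule(sample)} failed={failed}")
```

Running it shows the IncrediMail request dropping out on the Accept/User-Agent ordering check and the browser form POST on the negated Content-Type, which is the pair of conditions the tweak above relies on.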