[Emerging-Sigs] kazakaza.php trojan communications

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Oct 13 14:38:03 EDT 2010

  Wrote this and have been running it for a little bit (after some 
slight tweaks) and it seems to be *pretty* good and low on the FP's:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS 
POST to CnC"; content:"POST"; http_method; content:"HTTP/1.1|0D 
0A|Accept: */*|0D 0A|User-Agent:"; content:!"Content-Type: "; 
content:"Content-Length: "; content:"Connection: Keep-Alive|0D 
0A|Cache-Control: no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; 
sid:5600177; rev:2;)

Example CnC communication:

POST /qwe/wert.php HTTP/1.1..
Accept: */*..
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; 
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 
3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)..
Host: iejtuqutqe.com..
Content-Length: 14812..
Connection: Keep-Alive..
Cache-Control: no-cache....

Stuff that was FP'ing before I did some tweaking:

POST /incrediappserver.dll HTTP/1.1..
Accept: */*..
User-Agent: IncrediMail 5.0..
Content-Type: application/x-www-form-urlencoded..
Accept-Language: en-us..
UA-CPU: x86..
Accept-Encoding: gzip, deflate..
Host: www.incredibarvuz1.com..
Content-Length: 1466..
Connection: Keep-Alive..
Cache-Control: no-cache...

The HTTP client library seems to be pretty close to some others that 
exist, however the others seem to include other entries within the 
header (such as content-type,accept-language, accept-encoding and more). 
So if we check for not those in addition to the order in which it places 
the elements within the http client header, we should be able to detect 
this stuff with good certainty. If anyone else can load it up and give 
it a shot and let me know of and see the packets causing the FP's, that 
would be awesome.

-- Eoin

More information about the Emerging-sigs mailing list