[Emerging-Sigs] ZeuS CnC Check In's Sig

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Oct 13 14:57:06 EDT 2010


  Latest and greatest, tweaked to stop FP'ing on MSN-toolbar-generated 
POSTs:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS POST to CnC"; content:"POST"; http_method; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|User-Agent:"; content:!"Content-Type: "; content:"Content-Length: "; content:!"0"; distance:0; depth:1; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:5600177; rev:3;)

This will detect the POSTs of that binary data back to the CnCs. 
Working great on detecting the very few infections we have here.

-- Eoin
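Added illustration, not part of Eoin's post or the ET ruleset: the content tests of sid:5600177 written out as a small Python matcher and run over constructed request samples (the header values, host name and body length are made up), so the check-in shape, the Content-Type exclusion for toolbar POSTs, and the non-zero Content-Length test can each be seen firing or not. The `distance:0; depth:1` on the negated "0" is read here as "the byte right after 'Content-Length: ' must not be 0".

```python
"""Toy re-implementation of the checks in sid:5600177 (added here for
illustration; this is not Snort and not code from the original post)."""

CL = b"Content-Length: "


def matches_zeus_post_sig(req: bytes) -> bool:
    """True when a raw HTTP request satisfies every content test in the rule.
    Each content: is an independent search over the request, as in the rule;
    only the negated "0" is positioned relative to "Content-Length: "."""
    # content:"POST"; http_method;  -> request line must start with POST
    if not req.startswith(b"POST "):
        return False
    # content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|User-Agent:";
    if b"HTTP/1.1\r\nAccept: */*\r\nUser-Agent:" not in req:
        return False
    # content:!"Content-Type: ";  -> the rev:3 tweak that drops MSN toolbar POSTs
    if b"Content-Type: " in req:
        return False
    # content:"Content-Length: "; content:!"0"; distance:0; depth:1;
    # read as: the byte immediately after the header name is not "0"
    idx = req.find(CL)
    if idx == -1 or req[idx + len(CL):idx + len(CL) + 1] == b"0":
        return False
    # content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|";
    return b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n" in req


# Constructed samples, not captured traffic; header layout follows the rule.
CHECKIN = (b"POST / HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0\r\n"
           b"Host: cnc.example\r\nContent-Length: 412\r\n"
           b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")
# Same shape but carrying a Content-Type, as the toolbar-generated POSTs do
TOOLBAR = CHECKIN.replace(
    b"Host:", b"Content-Type: application/x-www-form-urlencoded\r\nHost:")
# Empty body: Content-Length begins with "0", so the negated "0" test fails
EMPTY = CHECKIN.replace(b"Content-Length: 412", b"Content-Length: 0")


def fired(samples: dict) -> list:
    """Names of the samples the matcher alerts on, in input order."""
    return [name for name, raw in samples.items() if matches_zeus_post_sig(raw)]


if __name__ == "__main__":
    print(fired({"checkin": CHECKIN, "toolbar": TOOLBAR, "empty": EMPTY}))
    # -> ['checkin']
```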
