[Emerging-Sigs] ZeuS CnC Check In's Sig

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 14 05:22:46 EDT 2010


Like so:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC"; content:"POST"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:2800825; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus GET Request to CnC"; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:2800826; rev:1;)

Matt

On Oct 13, 2010, at 2:57 PM, Eoin Miller wrote:

> Latest and greatest, tweaked to stop FP'ing on MSN toolbar generated POSTs:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS POST to CnC"; content:"POST"; http_method; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|User-Agent:"; content:!"Content-Type: "; content:"Content-Length: "; content:!"0"; distance:0; depth:1; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:5600177; rev:3;)
> 
> This will detect the POSTs of that binary data back to the CnCs. 
> Working great on detecting the very few infections we have here.
> 
> -- Eoin
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
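
The header checks encoded in Matt's two rules, replayed in plain Python over constructed HTTP requests. This is an added example, not code from the list thread or from the ET rule set; the sample requests, host names and paths are made up for illustration, not captured traffic. Each content match is applied in rule order and the verdict names the clause that decided it, which is the view you want when a rule like this starts false-positiving on legitimate software (the toolbar case Eoin mentions) and you need to see which clause let the request through.

```python
"""
Plain-Python replay of the header checks in ET sids 2800825 (POST) and
2800826 (GET) from the thread above. Added illustration only; the requests
below are constructed for the example and are not captured traffic.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Verdict(NamedTuple):
    matched: bool
    reason: str  # which rule clause decided the outcome


def split_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Return (method, header block incl. terminator, body), or None if incomplete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line = head.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return method, head + sep, body


def zeus_cnc_headers(raw: bytes, method: bytes) -> Verdict:
    """Apply the rule's content matches in order; stop at the first one that fails."""
    parsed = split_request(raw)
    if parsed is None:
        return Verdict(False, "headers not terminated")
    req_method, headers, _body = parsed

    # content:"POST"; http_method;   (b"GET" for sid 2800826)
    if req_method != method:
        return Verdict(False, "method is not %s" % method.decode())

    # content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|";
    # Accept must directly follow the request line, User-Agent must follow Accept.
    if b"HTTP/1.1\r\nAccept: */*\r\nUser-Agent:" not in headers:
        return Verdict(False, "Accept/User-Agent not in the expected position")

    # content:!"Content-Type|3a| "; http_header;
    # Eoin's FP tweak: any Content-Type header rules the request out.
    if b"Content-Type: " in headers:
        return Verdict(False, "Content-Type present")

    # content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1;
    # The single byte right after "Content-Length: " must not be "0".
    marker = b"\r\nContent-Length: "
    pos = headers.find(marker)
    if pos == -1:
        return Verdict(False, "no Content-Length header")
    first_digit = headers[pos + len(marker): pos + len(marker) + 1]
    if first_digit == b"0":
        return Verdict(False, "Content-Length begins with 0")

    # content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|";
    # These two headers must be the last ones before the blank line.
    if b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n" not in headers:
        return Verdict(False, "Connection/Cache-Control tail absent")

    return Verdict(True, "all clauses matched")


RULES: Dict[int, bytes] = {2800825: b"POST", 2800826: b"GET"}


def matching_sids(raw: bytes) -> List[int]:
    """sids (from the thread) whose header logic the request satisfies."""
    return [sid for sid, m in RULES.items() if zeus_cnc_headers(raw, m).matched]


def build(method: bytes, headers: List[bytes], body: bytes = b"") -> bytes:
    """Assemble a raw request; header order is kept because the rules depend on it."""
    return (method + b" /submit HTTP/1.1\r\n"
            + b"".join(h + b"\r\n" for h in headers) + b"\r\n" + body)


# Constructed samples (host names are placeholders, not indicators).
UA = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
TAIL = [b"Connection: Keep-Alive", b"Cache-Control: no-cache"]
SAMPLE_POST_HIT = build(b"POST", [b"Accept: */*", UA, b"Host: cnc.example",
                                  b"Content-Length: 312"] + TAIL, b"\x00" * 312)
SAMPLE_GET_HIT = build(b"GET", [b"Accept: */*", UA, b"Host: cnc.example",
                                b"Content-Length: 12"] + TAIL)
SAMPLE_WITH_CONTENT_TYPE = build(b"POST", [b"Accept: */*", UA, b"Host: update.example",
                                           b"Content-Type: application/x-www-form-urlencoded",
                                           b"Content-Length: 3"] + TAIL, b"a=1")
SAMPLE_EMPTY_BODY = build(b"POST", [b"Accept: */*", UA, b"Host: cnc.example",
                                    b"Content-Length: 0"] + TAIL)
SAMPLE_BROWSER_ORDER = build(b"POST", [b"Host: www.example", b"Accept: */*", UA,
                                       b"Content-Length: 40"] + TAIL, b"x" * 40)

if __name__ == "__main__":
    for name, req in [("POST hit", SAMPLE_POST_HIT), ("GET hit", SAMPLE_GET_HIT),
                      ("has Content-Type", SAMPLE_WITH_CONTENT_TYPE),
                      ("empty body", SAMPLE_EMPTY_BODY),
                      ("Host first", SAMPLE_BROWSER_ORDER)]:
        print(name, matching_sids(req), zeus_cnc_headers(req, b"POST").reason)
```

This works on the raw bytes rather than Snort's normalized http_method/http_header buffers, which is close enough for a header-order rule; the point is that you can feed it a pile of requests from known-good software and read off which clause each one fails, so a new exclusion (like the Content-Type one) is chosen on evidence rather than guesswork. Note that the same Content-Length clause is present in the GET rule, so a GET that carries a Content-Length header fires it just as the sample shows.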
