[Emerging-Sigs] ZeuS CnC Check In's Sig

Eoin Miller eoin.miller at trojanedbinaries.com
Mon Oct 18 16:26:32 EDT 2010


  On 10/18/2010 8:09 PM, Robert Kerr wrote:
> On Thu, 2010-10-14 at 22:54 +0000, Eoin Miller wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS POST to CnC";
>> content:"POST"; http_method; content:".php"; http_uri; nocase;
>> content:"Accept: */*|0D 0A|User-Agent:"; depth:25; http_header;
>> content:!"Content-Type: "; http_header;
>> content:"Content-Length: "; http_header; content:!"0"; distance:0; http_header;
>> content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache"; http_header;
>> content:"|0D 0A 0D 0A|"; distance:0; classtype:trojan-activity; sid:5600177; rev:4;)
>>
>> I haven't given it a shot on our sensors here yet for FP detection, but
>> if anyone else can help out, that would be awesome. It does trigger on
>> the infected sample PCAP's that we have acquired.
> Eoin,
>
> For this:
>
>   content:"Content-Length: "; http_header; content:!"0"; distance:0; http_header;
>
> Don't you mean something more like:
>
>   content:"Content-Length: "; http_header; content:!"Content-Length: 0|0d 0a|"; http_header;
>
> Because otherwise any Content-Length header with a 0 in it (eg
> Content-Length: 100) is going to slip through...
>
This is meant to get rid of some FPs we were seeing with MSN-based 
toolbars that were POSTing with a content length of zero bytes. We are 
specifically *not* alerting on requests that contain the following:

"Content-Length: 0";

But we need to keep the "Content-Length: " content match that we are 
doing in the signature to match the order in which the HTTP client 
library that the ZeuS bot is using formulates its requests.

-- Eoin
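As an added illustration, not part of the thread above, here is a small Python model of the two Content-Length fragments under discussion, run over constructed http_header buffers. It assumes the editor's reading of Snort's content modifiers: `distance:N` starts the next search N bytes past the end of the previous match, a search with no `within` runs to the end of the buffer, a negated content (`!`) succeeds only when the pattern is absent from that window, and a content with no relative modifier searches from the start of the buffer.

```python
# Added example (not from the thread): model of Snort relative content matching,
# used to compare the two Content-Length fragments debated above.
# Assumed semantics (editor's reading of Snort's content modifiers):
#   - distance:N starts the next search N bytes after the previous match ends
#   - with no `within`, the search window extends to the end of the buffer
#   - a negated content succeeds only if the pattern is absent from that window
#   - a content with no relative modifier searches from the start of the buffer


def content(buf, pattern, cursor, negated=False, distance=None):
    """One content option. Returns (matched, cursor after the match)."""
    start = cursor + distance if distance is not None else 0
    idx = buf.find(pattern, start)
    if negated:
        return idx == -1, cursor          # a negated match never moves the cursor
    return idx != -1, (idx + len(pattern) if idx != -1 else cursor)


def original_fragment(header):
    """content:"Content-Length: "; http_header; content:!"0"; distance:0; http_header;"""
    ok, cur = content(header, b"Content-Length: ", 0)
    # Window for the negated "0" is everything after "Content-Length: " to the end.
    return ok and content(header, b"0", cur, negated=True, distance=0)[0]


def suggested_fragment(header):
    """content:"Content-Length: "; http_header; content:!"Content-Length: 0|0d 0a|"; http_header;"""
    ok, _ = content(header, b"Content-Length: ", 0)
    return ok and content(header, b"Content-Length: 0\r\n", 0, negated=True)[0]


def headers(length):
    """Constructed http_header buffer in the header order the thread's sig expects."""
    return (b"Accept: */*\r\nUser-Agent: Mozilla/4.0\r\nContent-Length: %d\r\n"
            b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n" % length)


def compare(lengths=(0, 57, 100, 1024)):
    """Map each Content-Length value to (original_fragment, suggested_fragment)."""
    return {n: (original_fragment(headers(n)), suggested_fragment(headers(n)))
            for n in lengths}


if __name__ == "__main__":
    for n, (orig, sugg) in compare().items():
        print(f"Content-Length: {n:<5} original={orig!s:<5} suggested={sugg}")
```

Only the 57-byte request passes the original fragment; under this model any later "0" in the header buffer (including Content-Length: 100 or 1024) suppresses it, while the suggested fragment suppresses only the literal zero-length case.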

