[Emerging-Sigs] ZeuS CnC Check In's Sig

Robert Kerr rob at rkerr.co.uk
Mon Oct 18 16:40:30 EDT 2010

On Mon, 2010-10-18 at 20:26 +0000, Eoin Miller wrote:
> On 10/18/2010 8:09 PM, Robert Kerr wrote:

> > For this:

> >   content:"Content-Length: "; http_header; content:!"0"; distance:0; http_header;

> > Don't you mean something more like:

> >   content:"Content-Length: "; http_header; content:!"Content-Length: 0|0d 0a|"; http_header;

> > Because otherwise any Content-Length header with a 0 in it (eg
> > Content-Length: 100) is going to slip through...

> This is meant to get rid of some FP's we were seeing with MSN based 
> toolbars that were POST'ing with a content length of zero bytes. We are 
> specifically *not* alerting on requests that contain the following:

> "Content-Length: 0";

> But we need to keep the "Content-Length: " content match that we are 
> doing in the signature to match the order in which the http client 
> library that the ZeuS bot is using and how it formulates its requests.

No arguments there - my point was the content:!"0" is saying there can
be no 0s anywhere after the Content-Length header:

 "Content-Length: 10"

For example contains a 0 after the Content-Length header. If this was an
un-negated match I'd suggest within:1 - but being negated and being
http_header makes all sorts of odd rules apply.

 content:!"Content-Length: 0|0d 0a|"; http_header;

Seems more likely to work (though if you give Will a pcap I'm sure he'll
come up with some magic).

 Robert Kerr
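
The difference between the two negated matches discussed in this message, as an added example that is not part of the original post: a simplified Python model, not the IDS engine's own logic. It assumes a negated content with distance:0 is tested against everything after the first match and ignores the engine-specific http_header behaviour mentioned above; the header values are constructed.

```python
# Simplified model (assumption): a negated content with distance:0 fails the
# rule if its pattern occurs anywhere after the end of the previous match.
ANCHOR = b"Content-Length: "

def original_check(headers: bytes) -> bool:
    """content:"Content-Length: "; content:!"0"; distance:0;"""
    pos = headers.find(ANCHOR)
    if pos < 0:
        return False
    return b"0" not in headers[pos + len(ANCHOR):]

def proposed_check(headers: bytes) -> bool:
    """content:"Content-Length: "; content:!"Content-Length: 0|0d 0a|";"""
    return ANCHOR in headers and b"Content-Length: 0\r\n" not in headers

def build(length: int, trailing: bytes = b"") -> bytes:
    """Constructed header buffer; Host value and trailing headers are samples."""
    return b"Host: example.test\r\nContent-Length: %d\r\n%s\r\n" % (length, trailing)

SAMPLES = {
    "zero": build(0),                      # the toolbar false positive to exclude
    "ten": build(10),                      # non-empty body, but length contains a 0
    "128": build(128),                     # non-empty body, no 0 anywhere after
    "128+later0": build(128, b"Accept-Language: en;q=0.5\r\n"),  # 0 in a later header
}

def evaluate() -> dict:
    """Return {sample: (original still matches, proposed still matches)}."""
    return {name: (original_check(h), proposed_check(h)) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, prop) in evaluate().items():
        print(f"{name:12} original={orig!s:5} proposed={prop}")
```

Under this model the original form drops every request whose length, or any later header, contains a 0, while the proposed form drops only the exact zero-length header.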
