[Emerging-Sigs] Unknown Trojan, Possible ZeuS?
eoin.miller at trojanedbinaries.com
Wed Oct 20 15:30:42 EDT 2010
On 10/20/2010 6:34 PM, Blake Hartstein wrote:
> The message.php?.... URI looks like it's part of an exploit kit, and not
> part of the malware (or dropper) itself. Are you sure this didn't come
> from visiting a malicious URL and the exploit kit sent you there?
> That seems like the most likely scenario to me, usually requests like
> these return MZ executable files.
> On 10/20/2010 2:06 PM, Eoin Miller wrote:
>> Don't know the name/type of dropper for this though, and the reports
>> seem to have various names for it.
Box was infected previously with ZeuS based on the sigs; it could have
hit a drive-by after getting infected already or something. I am
running the sig currently and will also inspect the traffic around that
time that we saw it triggering. I don't think it was a drive-by though
necessarily, because the server it was trying to hit was a parked domain
and the client tried to do the reporting over 180 times in the space of
two minutes. Also the HTTP client library appears to be abnormal as it
only has the URI/Host/User-Agent fields. Not 100% on this though.
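The two observations in the reply above (a client that sends only Host and User-Agent, and one host reporting to a single domain more than 180 times in two minutes) can be turned into a small analysis pass over captured HTTP requests. The following is an added example and not code from the thread or from Emerging Threats; the request strings, timestamps, the query string on message.php and the domain names are all constructed, and the 180-per-2-minutes threshold is taken from the figures quoted in the message.

```python
# Added example, not from the original thread. Flags HTTP requests whose only
# headers are Host and User-Agent and measures how often one host is hit in
# any two-minute window. All sample data below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# A full browser normally sends more than these two headers.
MINIMAL_HEADERS = {"host", "user-agent"}


def parse_request(raw):
    """Parse a raw HTTP request head into (method, uri, {lowercased name: value})."""
    lines = raw.strip("\r\n").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def is_minimal_client(headers):
    """True when the request carries nothing beyond Host and User-Agent."""
    return "host" in headers and set(headers) <= MINIMAL_HEADERS


def max_requests_in_window(timestamps, window=timedelta(minutes=2)):
    """Largest number of requests falling inside any window of the given length."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1  # slide the window forward
        best = max(best, end - start + 1)
    return best


def analyse(events, threshold=180):
    """events: iterable of (datetime, raw_request). Returns a verdict per Host header."""
    per_host = defaultdict(lambda: {"timestamps": [], "minimal": 0, "paths": set()})
    for ts, raw in events:
        _method, uri, headers = parse_request(raw)
        rec = per_host[headers.get("host", "<none>")]
        rec["timestamps"].append(ts)
        rec["paths"].add(uri.split("?", 1)[0])
        if is_minimal_client(headers):
            rec["minimal"] += 1
    verdicts = {}
    for host, rec in per_host.items():
        peak = max_requests_in_window(rec["timestamps"])
        verdicts[host] = {
            "requests": len(rec["timestamps"]),
            "minimal_header_requests": rec["minimal"],
            "peak_per_2min": peak,
            "paths": sorted(rec["paths"]),
            # every request from a bare client, and beaconing above threshold
            "suspicious": rec["minimal"] == len(rec["timestamps"]) and peak > threshold,
        }
    return verdicts


# Constructed sample traffic: one ordinary browser request and a burst of
# minimal-header reports to a hypothetical parked domain.
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,*/*;q=0.8\r\n"
    "Accept-Language: en-US\r\n"
    "Connection: keep-alive\r\n\r\n"
)
BOT_REQUEST = (
    "GET /message.php?id=1 HTTP/1.1\r\n"   # query string is constructed
    "Host: parked.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
)


def constructed_events():
    """185 reports to one domain spread over 120 seconds, plus one browser hit."""
    t0 = datetime(2010, 10, 20, 14, 0, 0)
    events = [(t0 + timedelta(seconds=5), BROWSER_REQUEST)]
    for i in range(185):
        events.append((t0 + timedelta(seconds=i * 120 / 185), BOT_REQUEST))
    return events


if __name__ == "__main__":
    for host, verdict in analyse(constructed_events()).items():
        print(host, verdict)
```

The minimal-header check is the weaker of the two signals on its own (some legitimate tools send sparse headers), so the verdict requires both the bare header set and a request rate above the threshold before marking a host.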