[Emerging-Sigs] Unknown Trojan, Possible ZeuS?

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Oct 20 15:30:42 EDT 2010


  On 10/20/2010 6:34 PM, Blake Hartstein wrote:
> Eoin,
> The message.php?.... URI looks like its part of an exploit kit, and not
> part of the malware (or dropper) itself. Are you sure this didn't come
> from visiting a malicious URL and the exploit kit sent you there?
>
> That seems like the most likely scenario to me, usually requests like
> these return MZ executable files.
> Blake
>
> On 10/20/2010 2:06 PM, Eoin Miller wrote:
>> Don't know the name/type of dropper for this though, and the reports
>> seem to have various names for it.
>
Box was infected previously with ZeuS based on the sigs, could have 
hit a drive by after getting infected already or something. I am 
running the sig currently and will also inspect the traffic around that 
time that we saw it triggering. I don't think it was a drive by though 
necessarily, because the server it was trying to hit was a parked domain 
and the client tried to do the reporting over 180 times in the space of 
two minutes. Also the http client library appears to be abnormal as it 
only has the URI/Host/User-Agent fields. Not 100% on this though.

-- Eoin
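A defender-side check for the pattern described in the reply above (requests carrying only Host and User-Agent, well over a hundred of them to one host inside two minutes), added here as an example and not part of the thread; the source IPs, the parked domain name and the request path are constructed placeholders, and the thresholds are taken from the figures in the message.

```python
from collections import defaultdict, deque

# A browser request carries many more headers than this; the observation
# in the thread was a client sending only the request line, Host and User-Agent.
MINIMAL_HEADERS = {"host", "user-agent"}

def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers); names lower-cased."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def is_minimal_client(headers):
    return set(headers) == MINIMAL_HEADERS

def flag_beacons(events, threshold=180, window=120):
    """events: (ts_seconds, src_ip, raw_request) tuples in time order.
    Returns the (src, host) pairs whose minimal-header requests reached
    `threshold` inside any `window`-second span (defaults: 180 in 2 min)."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, raw in events:
        _method, _uri, headers = parse_request(raw)
        if not is_minimal_client(headers):
            continue
        key = (src, headers["host"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return flagged

def sample_events():
    """Constructed traffic (not a capture): one host retrying a placeholder
    parked domain 200 times in 100 s, plus one ordinary browser request."""
    beacon = ("GET /message.php?q=PLACEHOLDER HTTP/1.1\r\nHost: parked.example\r\n"
              "User-Agent: Mozilla/4.0\r\n\r\n")
    browser = ("GET / HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n"
               "Accept: text/html\r\nConnection: keep-alive\r\n\r\n")
    events = [(i * 0.5, "10.0.0.5", beacon) for i in range(200)]
    events.append((50.0, "10.0.0.7", browser))
    return sorted(events)
```

Running `flag_beacons(sample_events())` reports only the retrying host; the browser request is skipped because its header set is larger than the minimal one.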

