[Emerging-Sigs] Fwd: New Zeus thing?
pckthck at gmail.com
Mon Sep 15 15:04:04 EDT 2014
Meant to send this to the list.
---------- Forwarded message ----------
From: Packet Hack <pckthck at gmail.com>
Date: Mon, Sep 15, 2014 at 3:01 PM
Subject: Re: [Emerging-Sigs] New Zeus thing?
To: Jørgen Bøhnsdalen <jurg at jurg.no>
FWIW, here's the remote IP:
22.214.171.124.in-addr.arpa domain name pointer unallocated.barefruit.co.uk
This IP also appears to be the endpoint for the Zeus CnC:
POST /gate.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
At least it seems Zeusy. The Zeus hits are about 15 mins after the weird HEAD.
pigeonbase.org returns an NXDOMAIN.
On Mon, Sep 15, 2014 at 2:44 PM, Jørgen Bøhnsdalen <jurg at jurg.no> wrote:
> Isn't this just a Chrome HEAD to a non-existing domain to check for ISP
> - Jørgen
> On 15. sep. 2014 20:38, waldo kitty wrote:
> > On 9/15/2014 10:09 AM, Packet Hack wrote:
> >> HEAD / HTTP/1.1
> >> Host: tdsitmqawom
> > hunh??
> >> Connection: keep-alive
> >> Content-Length: 0
> >> User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML,
> >> like Gecko)
> >> Chrome/37.0.2062.120 Safari/537.36
> >> Accept-Encoding: gzip,deflate
> >> Seeing this in conjunction with Zeus traffic.
> > without a FQDN, could this thing be attempting to connect over some sort
> > of VPN to other machines in the VPN? would this take the term "botnet"
> > to a new level?
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> Support Emerging Threats! Subscribe to Emerging Threats Pro
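Added example, not code from the thread or from Emerging Threats: a small classifier that parses raw HTTP request headers like the two quoted above and separates a Chrome-style single-label HEAD probe (Jørgen's reading of the "tdsitmqawom" request) from a POST to gate.php, plus the inference such a probe relies on: if several random single-label names all resolve to the same address, the resolver is rewriting NXDOMAIN rather than returning it. The sample requests are constructed from the headers quoted in the thread, the gate.php Host value is a placeholder, and the 7-15 character bound on the probe hostname is an assumption about Chrome's probe, not something the thread states.

```python
"""Classify HTTP requests seen on the wire and test for NXDOMAIN rewriting.

Constructed example for the Emerging-Sigs thread; not code from the list or
from any of its participants.
"""
import re

# Constructed sample requests, modelled on the two quoted in the thread.
CHROME_PROBE = (
    "HEAD / HTTP/1.1\r\n"
    "Host: tdsitmqawom\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 0\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/37.0.2062.120 Safari/537.36\r\n"
    "Accept-Encoding: gzip,deflate\r\n\r\n"
)
GATE_POST = (
    "POST /gate.php HTTP/1.1\r\n"
    "Host: example.invalid\r\n"  # placeholder host, not the IP from the thread
    "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Assumption: Chrome's probe hostnames are random lowercase single labels of
# roughly 7 to 15 characters. A single label (no dot) is the key property.
SINGLE_LABEL = re.compile(r"^[a-z]{7,15}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, path, version, headers."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify(raw):
    """Return a coarse label for the request; heuristics only."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    ua = req["headers"].get("user-agent", "")
    # Browser NXDOMAIN-hijack probe: HEAD / to a dotless random hostname.
    if (req["method"] == "HEAD" and req["path"] == "/"
            and "Chrome/" in ua and SINGLE_LABEL.match(host)):
        return "chrome-intranet-probe"
    # The gate.php POST pattern the thread associates with Zeus check-ins.
    if req["method"] == "POST" and req["path"].endswith("/gate.php"):
        return "zeus-style-gate-post"
    return "unclassified"


def nxdomain_hijack_suspected(answers):
    """answers maps random single-label names to a resolved IP or None.

    Distinct random labels that all resolve, and all to one address, point at
    a resolver rewriting NXDOMAIN (the barefruit-style behaviour in the thread).
    Honest NXDOMAIN answers (None) or differing addresses do not trigger it.
    """
    if len(answers) < 2:
        return False
    resolved = [ip for ip in answers.values() if ip]
    if len(resolved) != len(answers):
        return False
    return len(set(resolved)) == 1


if __name__ == "__main__":
    print(classify(CHROME_PROBE))
    print(classify(GATE_POST))
    # Constructed resolver answers (documentation-range addresses).
    print(nxdomain_hijack_suspected(
        {"abcdefgh": "203.0.113.5", "ijklmnop": "203.0.113.5", "qrstuvwx": "203.0.113.5"}))
```

Run against a capture, the useful output is the probe label on its own: a dotless HEAD probe from a Chrome user agent is expected browser behaviour, and it is the later gate.php POST, not the probe, that deserves the alert.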