[Emerging-Sigs] Fwd: New Zeus thing?

Packet Hack pckthck at gmail.com
Mon Sep 15 15:04:04 EDT 2014


Meant to send this to the list.

--pckthck

---------- Forwarded message ----------
From: Packet Hack <pckthck at gmail.com>
Date: Mon, Sep 15, 2014 at 3:01 PM
Subject: Re: [Emerging-Sigs] New Zeus thing?
To: Jørgen Bøhnsdalen <jurg at jurg.no>


FWIW, here's the remote IP :

host 92.242.140.2
2.140.242.92.in-addr.arpa domain name pointer unallocated.barefruit.co.uk

This IP also appears to be the endpoint for the Zeus CnC:

POST /gate.php HTTP/1.1
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: pigeonbase.org
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache

At least it seems Zeusy. The Zeus hits are about 15mins after the weird HEAD
requests.

pigeonbase.org returns an NXDOMAIN.

??

--pckthck

On Mon, Sep 15, 2014 at 2:44 PM, Jørgen Bøhnsdalen <jurg at jurg.no> wrote:

> Isn't this just a Chrome HEAD to a non-existing domain to check for ISP
> DNS-hijacking?
>
> https://productforums.google.com/forum/#!topic/chrome/hl0Knv7p4-4
>
> - Jørgen
>
> On 15. sep. 2014 20:38, waldo kitty wrote:
> > On 9/15/2014 10:09 AM, Packet Hack wrote:
> >> HEAD / HTTP/1.1
> >> Host: tdsitmqawom
> >
> > hunh??
> >
> >> Connection: keep-alive
> >> Content-Length: 0
> >> User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML,
> >> like Gecko)
> >> Chrome/37.0.2062.120 Safari/537.36
> >> Accept-Encoding: gzip,deflate
> >>
> >> Seeing this in conjunction with Zeus traffic.
> >
> > without a FQDN, could this thing be attempting to connect over some sort
> > of VPN to other machines in the VPN? would this take the term "botnet"
> > to a new level?
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
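The two request shapes quoted in this thread are worth keeping apart in detection logic: the HEAD to a dotless random host name is the Chrome ISP-DNS-hijack probe Jørgen points at, and the POST to /gate.php is the Zeus-style check-in. The block below is an added example, not code from the list or from any of the posters. It implements a simplified Chrome-style NXDOMAIN-rewrite check with the resolver injected (so it runs offline), and a classifier that separates the probe from the gate.php POST over a constructed set of request headers modeled on the ones quoted above. Assumed, not stated on the page: the probe host names are 7 to 15 random lowercase letters with no dot (tdsitmqawom fits), and the rewrite check treats random names that all resolve to one address as evidence of rewriting.

```python
"""Added example for the Emerging-Sigs thread above; not code from the list.

Assumptions (not from the thread): Chrome's probe host names are 7-15 random
lowercase letters with no dot, and an ISP resolver that rewrites NXDOMAIN
answers every such random name with the same address.
"""
import random
import re
import string
from collections import Counter

# Dotless, all-lowercase, 7-15 letters: the assumed shape of the probe host.
PROBE_HOST_RE = re.compile(r"^[a-z]{7,15}$")


def probe_names(seed=None, count=3):
    """Generate `count` random dotless names in the assumed Chrome probe shape."""
    rng = random.Random(seed)
    names = []
    for _ in range(count):
        length = rng.randint(7, 15)
        names.append("".join(rng.choice(string.ascii_lowercase) for _ in range(length)))
    return names


def detect_nxdomain_rewrite(resolve, count=3, seed=None):
    """Chrome-style check, simplified: resolve `count` names that should not
    exist. If every one resolves to the same address, return that address
    (the rewrite endpoint); otherwise return None.

    `resolve(name)` must return an IP string, or None for NXDOMAIN, so a
    fake resolver can be injected instead of touching the network."""
    answers = {resolve(name) for name in probe_names(seed, count)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, path, _version = lines[0].strip().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        line = line.strip()
        if not line:
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw):
    """Return 'chrome_dns_probe', 'zeus_gate_post' or 'other' for one request."""
    method, path, h = parse_request(raw)
    host = h.get("host", "")
    ua = h.get("user-agent", "")
    clen = h.get("content-length", "0")
    # Benign: HEAD / to a dotless random name from a Chrome User-Agent.
    if method == "HEAD" and path == "/" and PROBE_HOST_RE.match(host) and "Chrome/" in ua:
        return "chrome_dns_probe"
    # Suspect: POST with a body to a gate.php endpoint, the shape quoted in the thread.
    if method == "POST" and path.endswith("/gate.php") and clen.isdigit() and int(clen) > 0:
        return "zeus_gate_post"
    return "other"


def summarize(requests):
    """Count requests per class; the probe should never be counted as Zeus."""
    return dict(Counter(classify(r) for r in requests))


# Constructed sample requests (not a real capture), modeled on the two quoted
# in the thread plus one ordinary browser GET.
SAMPLE_REQUESTS = [
    "HEAD / HTTP/1.1\r\nHost: tdsitmqawom\r\nConnection: keep-alive\r\n"
    "Content-Length: 0\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36\r\n"
    "Accept-Encoding: gzip,deflate\r\n\r\n",
    "POST /gate.php HTTP/1.1\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 "
    "(compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nHost: pigeonbase.org\r\n"
    "Content-Length: 256\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/37.0.2062.120\r\n\r\n",
]


if __name__ == "__main__":
    # Fake resolver standing in for an ISP that rewrites NXDOMAIN (constructed).
    rewriting = lambda name: "192.0.2.1"
    print("rewrite endpoint:", detect_nxdomain_rewrite(rewriting, seed=1))
    print("honest resolver:", detect_nxdomain_rewrite(lambda name: None, seed=1))
    for r in SAMPLE_REQUESTS:
        print(classify(r), "<-", r.split("\r\n", 1)[0])
    print(summarize(SAMPLE_REQUESTS))
```

The point of `classify` is the order of the two tests: the probe is matched first and on its own features (HEAD, root path, dotless lowercase host, Chrome User-Agent), so a signature for the gate.php POST never fires on it, and the 15-minute gap Packet Hack observed is left to correlation rather than folded into one rule. `detect_nxdomain_rewrite` takes the resolver as a parameter so the same check can be pointed at a real resolver (for example a wrapper around `socket.gethostbyname` that returns None on `socket.gaierror`) when you want to know whether your own ISP answers random names.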