ZeroAccess Rootkit C2 / Post-Install

The following network indicators will locate hosts infected with the ZeroAccess (ZA) rootkit.

HTTP Request Method = POST
HTTP URI = “/posting.php?mode=*&f=*&sid5=*”

Also look for

HTTP Request Method = GET
HTTP URI = “promos.fling.com/geo/txt/city.php”

Also look for

User Agent of “NSIS Inetc (Mozilla)”
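The three indicators above can be run over proxy logs as follows. This is an added example, not code from the original post. It assumes a tab-separated log with the fields src_ip, method, host, uri and user_agent; the sample lines, indicator names and helper names are constructed for illustration.

```python
import re

# Indicators as listed on the page; "*" is read as "any run of characters".
URI_INDICATORS = [
    ("za-c2-post", "POST", "/posting.php?mode=*&f=*&sid5=*"),
    ("za-geo-get", "GET", "promos.fling.com/geo/txt/city.php"),
]
SUSPECT_UA = "NSIS Inetc (Mozilla)"

def glob_to_regex(pattern):
    """Escape everything except '*', so the '?' and '.' in the URIs stay literal."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

COMPILED = [(name, method, glob_to_regex(pat)) for name, method, pat in URI_INDICATORS]

def match_line(line):
    """Return (src_ip, [indicator names]); assumed fields: src_ip, method, host, uri, user_agent."""
    src_ip, method, host, uri, user_agent = line.rstrip("\n").split("\t")
    hits = []
    for name, want_method, rx in COMPILED:
        # One listed URI carries a host and one does not, so test both forms.
        if method.upper() == want_method and (rx.fullmatch(uri) or rx.fullmatch(host.lower() + uri)):
            hits.append(name)
    if user_agent.strip() == SUSPECT_UA:
        hits.append("za-nsis-ua")
    return src_ip, hits

def infected_hosts(lines):
    """Map each source IP to the sorted list of indicators it triggered."""
    found = {}
    for line in lines:
        if line.strip():
            src_ip, hits = match_line(line)
            if hits:
                found.setdefault(src_ip, set()).update(hits)
    return {ip: sorted(names) for ip, names in found.items()}

# Constructed sample log (documentation IPs, made-up hosts and parameter values).
SAMPLE_LOG = [
    "192.0.2.10\tPOST\tforum.example\t/posting.php?mode=reply&f=72&sid5=a1b2c3\tMozilla/4.0",
    "192.0.2.10\tGET\tpromos.fling.com\t/geo/txt/city.php\tNSIS Inetc (Mozilla)",
    "192.0.2.22\tGET\tforum.example\t/posting.php?mode=reply&f=72&sid5=a1b2c3\tMozilla/5.0",
    "192.0.2.33\tGET\twww.example.org\t/index.html\tNSIS Inetc (Mozilla)",
    "192.0.2.44\tPOST\tforum.example\t/posting.php?mode=reply&f=72\tMozilla/5.0",
]

if __name__ == "__main__":
    print(infected_hosts(SAMPLE_LOG))
```

Grouping hits by source IP shows which hosts trigger more than one indicator, which helps order them for triage.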
