Probable ZBOT Post-Compromise Activity

Found these in a very noisy RedKit attack… not totally sure that it’s ZBOT. Corrections welcome…

POST naurg. com/xhobdogfz.db
POST naurg. com/fjgmzzllvqoycbsustahfwbsuytqzhtidcjihpgvtu.rtf
POST naurg. com/issrxrdzlpofezkwhmuhymmorkplnc.7z
POST naurg. com/ixzygseaenf.log
POST ronavo .com/npjvncroe.log
POST ronavo .com/lwtirttzxoevcaztzylqbou.7z
POST ronavo .com/kaaaaaabnqayupqau.rar
POST ronavo .com/bzmqvwtwbrejgqibfkgmjirjcpwoclitfdshtsmftyuhvtwbdsqrkvgpnozym.php3

HTTP Method = POST
Content-Type = “application/x-www-form-urlencoded”
Regex HTTP URI for ^http:\/\/[a-zA-Z0-9.-]+\/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$

http://kargid. org/c.htm?uvZA8kUIv7AwOZCMqkqhwl7jDZUOEtWFwErdgRUr
http://joshuagsilverman .com/q.htm?tVgNliikvKhhITo2QcV1ooZ6QICtS8
http://homedecorreviews. com/g.htm?Eyl5gRHaELSinXQ9fvb8k3XUOfoOTq
http://heritageclothingcompany .com/w.htm?OomDwn2fWkkW598iEtR5afe
http://solomaquetas. com/l.htm?ZQjpwNPWV1o94aEFkSdd1vYt1ZjKWC4zOr
http://gorgeoregon. com/w.htm?f9QAXSZ4vUh6qvt43YOaauWiEfSqvZKlDjI
http://compstar .us/k.htm?oyQWBuciU6G3qqIu73gpbnxia7m2m8A8baezO51
http://canadabook .ca/y.htm?qELp27uE4QF76X65tsSEitdFC63ymvKqICc16

HTTP Method = GET
Content-Type = “application/octet-stream”
User-Agent = “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
Regex HTTP URI for \/[a-z]\.htm\?

Regex HTTP URI for ^[a-zA-Z0-9:/.?_-]{57,64}$ (they all seem to be 57-64 characters long right now…)
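As an added example (not from the original post), the two patterns above turned into a small Python classifier and run over constructed proxy records. The hostnames, the record layout and the treatment of the octet-stream Content-Type as the response header are assumptions.

```python
import re

# Rule 1 (first list above): form-encoded POST to a lowercase random
# filename with one of the observed extensions. Character class fixed to [a-zA-Z0-9.-].
POST_CTYPE = "application/x-www-form-urlencoded"
POST_URI = re.compile(
    r"^http://[a-zA-Z0-9.-]+/[a-z]+\.(db|pif|log|rar|tpl|7z|rtf|tiff|php3|doc|pl|cgi)$"
)

# Rule 2 (second list above): GET to a single-letter .htm script with an opaque
# query string, the fixed IE6 User-Agent, and a whole URL of 57-64 characters.
GET_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
GET_CTYPE = "application/octet-stream"  # assumed to be the response Content-Type
GET_URI = re.compile(r"^http://[a-zA-Z0-9.-]+/[a-z]\.htm\?[a-zA-Z0-9]+$")

def classify(rec):
    """Return the name of the rule one proxy record trips, or None."""
    m, url = rec["method"], rec["url"]
    if m == "POST" and rec["content_type"] == POST_CTYPE and POST_URI.match(url):
        return "zbot_post_upload"
    if (m == "GET" and rec["user_agent"] == GET_UA and rec["content_type"] == GET_CTYPE
            and GET_URI.match(url) and 57 <= len(url) <= 64):
        return "zbot_redirect_get"
    return None

def scan(records):
    """Return [(rule, url)] for every record that matches a rule."""
    hits = []
    for rec in records:
        rule = classify(rec)
        if rule:
            hits.append((rule, rec["url"]))
    return hits

# Constructed sample records; the hostnames are placeholders, not from the post.
SAMPLE = [
    {"method": "POST", "url": "http://c2-a.example/xhobdogfz.db",
     "content_type": POST_CTYPE, "user_agent": GET_UA},
    {"method": "GET", "url": "http://redir.example/c.htm?ab12cd34ef56gh78ij90kl12mn34op56qr",
     "content_type": GET_CTYPE, "user_agent": GET_UA},
    # same URL shape but a modern browser User-Agent: not flagged
    {"method": "GET", "url": "http://redir.example/c.htm?ab12cd34ef56gh78ij90kl12mn34op56qr",
     "content_type": GET_CTYPE, "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0"},
    # ordinary form POST to a .php page: extension is not in the observed set
    {"method": "POST", "url": "http://shop.example/cart.php",
     "content_type": POST_CTYPE, "user_agent": GET_UA},
]

print(scan(SAMPLE))
```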
