Re: Are there any signatures for Asprox/Kulouz botnet?
I second this. Last year I observed an earlier variant of Asprox/Kulouz on my network which went undetected by IPS. I opened a ticket with McAfee regarding the false negative and tried to draft my own custom signature. I ran into issues due to the tunneled traffic over port 443/8080.
Last week I observed the latest variant go undetected, with the exception of the informational alert: HTTP Protocol Discovered on a Non-Standard Port.
The outbound traffic was an HTTP POST over TCP 443. The traffic was cleartext and therefore should not be difficult to detect. However, I have not observed an accurate signature in over a year.
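The detection idea described in this reply (cleartext HTTP on a port where TLS is expected, such as 443, is easy to tell apart from a TLS handshake) can be expressed as a small classifier over the first bytes of a flow's payload. The following is an added example written for this page, not code from the post's author or from any IPS vendor; the flow records and payloads are constructed here to illustrate the logic, and the `classify_flow` / `scan_flows` function names are this example's own.

```python
"""
Added example: flag cleartext HTTP requests observed on TCP ports that are
normally reserved for TLS (443) or commonly proxied (8080).

A TLS flow begins with a record header (content type 0x16 = handshake,
version major byte 0x03). A cleartext HTTP request begins with an ASCII
request line such as "POST /path HTTP/1.1". Distinguishing the two needs
only the first few bytes of the client's payload.
"""
import re
from typing import Dict, List

# Ports where a defender expects TLS, or where cleartext HTTP is worth
# a closer look because it is a non-standard HTTP port (assumed policy).
TLS_EXPECTED_PORTS = {443}
NONSTANDARD_HTTP_PORTS = {8080}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload starts with a well-formed HTTP/1.x request line."""
    if not payload.startswith(HTTP_METHODS):
        return False
    first_line = payload.split(b"\r\n", 1)[0]
    return REQUEST_LINE.fullmatch(first_line) is not None


def classify_flow(dst_port: int, payload: bytes) -> str:
    """
    Return a verdict for one client-to-server flow:
      'tls'                 - normal TLS handshake
      'http'                - cleartext HTTP on a port where that is expected
      'http-on-tls-port'    - cleartext HTTP where TLS was expected (high interest)
      'http-nonstd-port'    - cleartext HTTP on a non-standard HTTP port (informational)
      'unknown'             - neither pattern matched
    """
    if looks_like_tls(payload):
        return "tls"
    if looks_like_http_request(payload):
        if dst_port in TLS_EXPECTED_PORTS:
            return "http-on-tls-port"
        if dst_port in NONSTANDARD_HTTP_PORTS:
            return "http-nonstd-port"
        return "http"
    return "unknown"


def scan_flows(flows: List[Dict]) -> List[Dict]:
    """Attach a verdict to each flow record and return only the noteworthy ones."""
    findings = []
    for flow in flows:
        verdict = classify_flow(flow["dst_port"], flow["payload"])
        if verdict in ("http-on-tls-port", "http-nonstd-port"):
            findings.append({**flow, "verdict": verdict})
    return findings


# Constructed sample flows (not captured traffic). The first mirrors the
# case in the post: a cleartext HTTP POST sent to TCP 443.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443,
     "payload": b"POST /index.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"},
    {"src": "10.0.0.6", "dst": "203.0.113.20", "dst_port": 443,
     "payload": bytes([0x16, 0x03, 0x01, 0x00, 0xA5, 0x01, 0x00])},   # TLS ClientHello start
    {"src": "10.0.0.7", "dst": "203.0.113.30", "dst_port": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "10.0.0.8", "dst": "203.0.113.40", "dst_port": 8080,
     "payload": b"POST /gate.php HTTP/1.0\r\nHost: 203.0.113.40\r\n\r\n"},
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dst_port']} {f['verdict']}")
```

In practice the same check is what an IPS "HTTP on a non-standard port" rule performs; the point of separating `http-on-tls-port` from `http-nonstd-port` is that a plaintext POST on 443 deserves a higher severity than the informational alert mentioned above, because legitimate clients essentially never send cleartext HTTP to 443.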