Are there any signatures for Asprox/Kulouz botnet?

I have customers requesting IDS signatures for this and I don't see any available. Is there anything in the works for this?


Re: Are there any signatures for Asprox/Kulouz botnet?

I second this. Last year I observed an earlier variant of Asprox/Kulouz on my network which went undetected by IPS. I opened a ticket with McAfee regarding the false negative and tried to draft my own custom signature. I ran into issues due to the tunneled traffic over port 443/8080.

Last week I observed the latest variant go undetected, with the exception of the informational alert:  HTTP Protocol Discovered on a Non-Standard Port. 

The outbound traffic was an HTTP POST over TCP 443. The traffic was cleartext, therefore it should not be difficult to detect. However, I have not observed an accurate signature in over a year.
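The reply above describes the detection gap in general terms: cleartext HTTP sent to a TLS port produced only an informational "non-standard port" alert. The following is an added example, not code from the thread, from McAfee, or from any product, showing how an analyst can separate that case from ordinary HTTP on an odd port: the client's first bytes are checked against the TLS record header (0x16 0x03 ... 0x01 for a ClientHello), and if they are instead an HTTP/1.x request line the flow is classified by destination port. The `Flow` record, the port sets, the alert names and all sample payloads (hostnames, paths, the TLS prefix) are constructed placeholders for the example and carry no information about the actual Asprox/Kulouz traffic; the parsed headers are returned so they can feed a content signature once real samples are in hand.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed flow record (an assumption for this example): the data an IDS
# has after TCP reassembly. Only the first client-to-server bytes are used.
@dataclass
class Flow:
    name: str       # label for the sample, not a real packet field
    dport: int      # destination port
    payload: bytes  # first bytes the client sent

# Assumed port policy, to be tuned per site: on these ports the client's first
# bytes should be a TLS ClientHello, so a cleartext HTTP request is high
# severity. Port 8080 is deliberately not treated as a normal HTTP port here,
# matching the reply's concern about 443/8080.
TLS_PORTS = {443, 8443}
HTTP_PORTS = {80}

# RFC 7230 request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
# Header field: token ":" OWS value OWS
HEADER = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 0x03, a
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Return method, target and lower-cased headers if the payload starts
    with an HTTP/1.x request, else None. The body is ignored."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    req = {"method": m.group(1).decode(), "target": m.group(2).decode()}
    head = payload[m.end():].split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        h = HEADER.match(line)
        if h:
            req[h.group(1).decode().lower()] = h.group(2).decode(errors="replace")
    return req


def classify(flow: Flow) -> Optional[str]:
    """Alert name for the flow, or None if nothing is suspicious."""
    if is_tls_client_hello(flow.payload):
        return None                         # genuine TLS, not our concern
    req = parse_http_request(flow.payload)
    if req is None:
        return None                         # not HTTP at all
    if flow.dport in TLS_PORTS:
        return "CLEARTEXT_HTTP_ON_TLS_PORT"  # the case the reply describes
    if flow.dport not in HTTP_PORTS:
        return "HTTP_ON_NONSTANDARD_PORT"   # the informational case
    return None


# Constructed samples; hostnames, paths and bytes are placeholders, not
# captures of any real traffic.
SAMPLES = [
    Flow("tls_443", 443, bytes.fromhex("160301005a0100005603035a")),
    Flow("post_443", 443,
         b"POST /submit HTTP/1.1\r\nHost: c2.example.invalid\r\n"
         b"User-Agent: Mozilla/4.0\r\nContent-Length: 12\r\n\r\nid=abcdef0123"),
    Flow("get_80", 80, b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    Flow("get_8080", 8080, b"GET /proxy HTTP/1.1\r\nHost: proxy.example.invalid\r\n\r\n"),
    Flow("post_4444", 4444, b"POST /x HTTP/1.0\r\nHost: 203.0.113.5\r\n\r\n"),
    Flow("junk_443", 443, b"\x00\x01\x02garbage"),
]


def run_samples() -> List[Tuple[str, Optional[str]]]:
    """Classify every constructed sample; used by the demo and the tests."""
    return [(f.name, classify(f)) for f in SAMPLES]


if __name__ == "__main__":
    for name, verdict in run_samples():
        print(f"{name:10s} -> {verdict}")
    print(parse_http_request(SAMPLES[1].payload))
```

Only the "post_443" sample triggers the high-severity verdict; the 8080 and 4444 samples land in the informational bucket, and a real ClientHello on 443 is ignored. The header dictionary returned for the 443 POST is the starting point for a content signature (method, target, Host and User-Agent), which is the step the reply says it could not complete without vendor help.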
