
Are there any signatures for Asprox/Kulouz botnet?

I have customers requesting IDS signatures for this and I don't see any available. Is there anything in the works for this?


Re: Are there any signatures for Asprox/Kulouz botnet?

I second this. Last year I observed an earlier variant of Asprox/Kulouz on my network which went undetected by IPS. I opened a ticket with McAfee regarding the false negative and tried to draft my own custom signature. I ran into issues due to the tunneled traffic over port 443/8080.

Last week I observed the latest variant go undetected, with the exception of the informational alert:  HTTP Protocol Discovered on a Non-Standard Port. 

The outbound traffic was an HTTP POST over TCP 443. The traffic was cleartext and therefore should not be difficult to detect. However, I have not observed an accurate signature in over a year.
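
The traffic pattern described in the reply above (a cleartext HTTP POST sent to TCP 443), as an added example that is not part of the original thread and is not a McAfee signature: a Python check that classifies the first client payload of a flow as a TLS record or cleartext HTTP. The function names, the `TLS_PORTS` set and the sample payloads are assumptions constructed for illustration.

```python
"""Flag cleartext HTTP POST requests sent to a port where TLS is expected."""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")
TLS_PORTS = {443}  # assumption: ports that should carry only TLS here


def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server payload of a TCP flow."""
    if not payload:
        return "empty"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[2] <= 0x04:
        return "tls"
    for method in HTTP_METHODS:
        if payload.startswith(method):
            # Require "<METHOD> <target> HTTP/1.x" to cut false positives on
            # binary protocols that merely begin with the same ASCII bytes.
            request_line = payload.split(b"\r\n", 1)[0]
            if request_line.rsplit(b" ", 1)[-1].startswith(b"HTTP/1."):
                return "http-" + method.strip().decode().lower()
    return "other"


def should_alert(dst_port: int, payload: bytes) -> bool:
    """True for a cleartext HTTP POST whose destination is a TLS-only port."""
    return dst_port in TLS_PORTS and classify_first_payload(payload) == "http-post"


# Constructed sample payloads (not captured traffic).
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32
SAMPLE_POST = (b"POST /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
               b"Content-Length: 4\r\n\r\nabcd")
SAMPLE_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    cases = [("tls", 443, SAMPLE_TLS), ("post", 443, SAMPLE_POST),
             ("get", 443, SAMPLE_GET), ("post-80", 80, SAMPLE_POST)]
    for name, port, data in cases:
        print(name, port, classify_first_payload(data), should_alert(port, data))
```

Feed it the first reassembled client payload of each flow; a request line split across segments is classified as "other" until the full line is available.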
