Re: Are there any signatures for Asprox/Kulouz botnet?
I second this. Last year I observed an earlier variant of Asprox/Kulouz on my network which went undetected by IPS. I opened a ticket with McAfee regarding the false negative and tried to draft my own custom signature. I ran into issues due to the tunneled traffic over port 443/8080.
Last week I observed the latest variant go undetected, with the exception of the informational alert: HTTP Protocol Discovered on a Non-Standard Port.
The outbound traffic was an HTTP POST over TCP 443. The traffic was cleartext, therefore it should not be difficult to detect. However, I have not observed an accurate signature in over a year.
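The pattern the post describes, a cleartext HTTP POST sent to TCP 443 where a TLS handshake is expected, can be flagged with a small first-payload heuristic. This is an added example and not a McAfee signature or anything from the thread; the flow tuples, addresses and host names are constructed placeholders, and treating only port 443 as a TLS-expected port is an assumption.

```python
# Added example (not from the thread): flag cleartext HTTP requests sent to a
# port where TLS is expected, i.e. the HTTP POST over TCP 443 the post describes.
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
TLS_EXPECTED_PORTS = {443}  # assumption: ports where a TLS ClientHello is expected


def is_tls_record(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Return method/path/host for a well-formed HTTP/1.x request line, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        return None
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith(b"host:")), b"")
    return {"method": parts[0].decode(), "path": parts[1].decode(), "host": host.decode()}


def classify(dst_port: int, payload: bytes) -> str:
    """Label the first client-to-server payload of one TCP flow."""
    if is_tls_record(payload):
        return "tls"
    if parse_http_request(payload) is None:
        return "other"
    # Plain HTTP on a TLS port is the case the IPS missed in the post above.
    return "cleartext-http-on-tls-port" if dst_port in TLS_EXPECTED_PORTS else "http"


def find_suspicious(flows):
    """flows: (src, dst, dst_port, first_payload) tuples; returns alert tuples."""
    alerts = []
    for src, dst, port, payload in flows:
        if classify(port, payload) == "cleartext-http-on-tls-port":
            req = parse_http_request(payload)
            alerts.append((src, dst, port, req["method"], req["host"], req["path"]))
    return alerts


# Constructed sample flows (placeholder addresses and hosts, not indicators).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.7", "192.0.2.20", 443, b"POST /submit HTTP/1.1\r\nHost: example.invalid\r\n"
                                    b"Content-Length: 4\r\n\r\nabcd"),
    ("10.0.0.8", "192.0.2.30", 8080, b"GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_FLOWS):
        print("cleartext HTTP to TLS port:", alert)
```

Run against real traffic, feed it only the first data segment of each client-to-server stream; a genuine TLS session is dropped by the first check, so the HTTP parser never sees encrypted bytes.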