
Are there any signatures for Asprox/Kulouz botnet?

I have customers requesting IDS signatures for this and I don't see any available. Is there anything in the works for this?


Re: Are there any signatures for Asprox/Kulouz botnet?

I second this. Last year I observed an earlier variant of Asprox/Kulouz on my network which went undetected by IPS. I opened a ticket with McAfee regarding the false negative and tried to draft my own custom signature. I ran into issues due to the tunneled traffic over port 443/8080.

Last week I observed the latest variant go undetected, with the exception of the informational alert: HTTP Protocol Discovered on a Non-Standard Port.

The outbound traffic was an HTTP POST over TCP 443. The traffic was cleartext, therefore it should not be difficult to detect. However, I have not observed an accurate signature in over a year.
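The reply above describes the gap: the only thing that fired was the informational "HTTP on a non-standard port" alert, while a cleartext HTTP POST to TCP 443 (a port that should carry TLS) went unranked. The following is an added example written for this thread; it is not McAfee's code, not a vendor signature, and not the poster's custom rule. It shows the shape of a heuristic that distinguishes a real TLS ClientHello from a parseable cleartext HTTP request line on 443/8080 and escalates the POST case. The sample flows, addresses and URL paths are constructed placeholders, not indicators of the malware.

```python
"""Heuristic check for cleartext HTTP on ports where TLS (443) or no HTTP is expected.

Added example for this thread, not McAfee's or the poster's code. Input is a
flow's first client-to-server payload; the sample flows below are constructed.
"""
import re
from dataclasses import dataclass

# HTTP/1.x request line (RFC 7230): METHOD SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/1\.[01]\r\n")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client->server segment of the connection


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03,
    followed by a handshake message of type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def classify(flow: Flow) -> list:
    """Return (severity, alert) pairs for one flow, highest severity first."""
    alerts = []
    m = REQUEST_LINE.match(flow.payload)
    if m:
        if flow.dport != 80:
            # The informational alert the thread mentions: HTTP where it is not expected.
            alerts.append(("info", "HTTP Protocol Discovered on a Non-Standard Port"))
        if flow.dport == 443:
            # Port 443 should carry TLS; a parseable request line here is cleartext HTTP.
            if m.group(1) == b"POST":
                alerts.append(("high", "Cleartext HTTP POST on TCP 443"))
            else:
                alerts.append(("medium", "Cleartext HTTP request on TCP 443"))
    elif flow.dport == 443 and not is_tls_client_hello(flow.payload):
        # Neither TLS nor HTTP: worth a low-severity note, not a verdict.
        alerts.append(("low", "Non-TLS, non-HTTP payload on TCP 443"))
    alerts.sort(key=lambda a: SEVERITY_ORDER[a[0]])
    return alerts


# Constructed sample flows (addresses and paths are placeholders, not indicators).
SAMPLES = {
    "tls": Flow("10.0.0.5", "203.0.113.10", 443,
                b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    "post443": Flow("10.0.0.5", "203.0.113.20", 443,
                    b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"Content-Length: 5\r\n\r\nhello"),
    "get8080": Flow("10.0.0.5", "203.0.113.30", 8080,
                    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    "get80": Flow("10.0.0.5", "203.0.113.40", 80,
                  b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
}


def run_samples() -> dict:
    """Classify every constructed sample; used for the demonstration and the test."""
    return {name: classify(flow) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in run_samples().items():
        print(name, alerts or "clean")
```

This only looks at the first client segment, so it is a triage heuristic rather than a content signature: a real IDS rule would match across the reassembled stream and add the specific request attributes observed in the capture. The value of the check is that it turns the existing informational "non-standard port" event into a ranked alert when the port is 443 and the request is a POST, which is exactly the case the reply says went unnoticed.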
