1 Reply Latest reply on Jul 24, 2014 9:29 AM by dt1

    Are there any signatures for Asprox/Kulouz botnet?

    20569598

      I have customers requesting IDS signatures for this and I don't see any available. Is there anything in the works for this?

        • 1. Re: Are there any signatures for Asprox/Kulouz botnet?
          dt1

          I second this. Last year I observed an earlier variant of Asprox/Kulouz on my network which went undetected by IPS. I opened a ticket with McAfee regarding the false negative and tried to draft my own custom signature. I ran into issues due to the tunneled traffic over port 443/8080.

          Last week I observed the latest variant go undetected, with the exception of the informational alert: HTTP Protocol Discovered on a Non-Standard Port.

          The outbound traffic was an HTTP POST over TCP 443. The traffic was cleartext, therefore it should not be difficult to detect. However, I have not observed an accurate signature in over a year.
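One way to flag the pattern dt1 describes above (a cleartext HTTP request line on a port where TLS is expected, or on any port not on an allow-list of cleartext HTTP ports), as an added Python example that is not part of this thread and not a McAfee or vendor signature. The port sets and the sample flows are constructed assumptions; the TLS check only looks at the record header of a ClientHello, so it is a first-packet classifier, not a full protocol parser.

```python
import re

# Assumption: ports where cleartext HTTP is expected in this environment, and
# ports where the first client bytes should be a TLS ClientHello. Adjust locally.
HTTP_PORTS = {80}
TLS_PORTS = {443, 8443}

# HTTP/1.x request line as the very first bytes the client sends.
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,7}) (?P<target>\S+) HTTP/(?P<version>1\.[01])\r\n")


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03,
    two-byte record length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def parse_http_request(payload: bytes):
    """Return (method, target, headers) if the payload starts with an HTTP/1.x
    request, else None. Header names are lower-cased for lookup."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    header_block = payload[m.end():].split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in header_block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group("method").decode(), m.group("target").decode("latin-1"), headers


def classify_flow(dst_port: int, payload: bytes):
    """Classify the first client-to-server payload of a TCP flow.
    Returns (verdict, detail); detail is the parsed request for HTTP verdicts."""
    if looks_like_tls_client_hello(payload):
        return "tls", None
    req = parse_http_request(payload)
    if req is None:
        return "other", None
    method, target, headers = req
    detail = {"method": method, "target": target,
              "host": headers.get("host"), "user-agent": headers.get("user-agent")}
    if dst_port in TLS_PORTS:
        # The case from the thread: cleartext POST where a ClientHello was expected.
        return "cleartext-http-on-tls-port", detail
    if dst_port not in HTTP_PORTS:
        return "http-on-nonstandard-port", detail
    return "http", detail


# Constructed sample flows: (src, dst_port, first client payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    ("10.0.0.5", 443, b"POST /index.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                      b"User-Agent: Mozilla/5.0\r\nContent-Length: 3\r\n\r\nabc"),
    ("10.0.0.5", 8080, b"GET /update HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.5", 443, b"\x00\x01not http, not tls"),
]


def alerts_for(flows):
    """Return one alert string per flow that carries HTTP where it should not."""
    out = []
    for src, port, payload in flows:
        verdict, detail = classify_flow(port, payload)
        if verdict in ("cleartext-http-on-tls-port", "http-on-nonstandard-port"):
            out.append(f"{verdict}: {src} -> tcp/{port} {detail['method']} "
                       f"{detail['target']} host={detail['host']}")
    return out


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_FLOWS):
        print(line)
```

The classifier deliberately separates the two verdicts: HTTP on 443 is a stronger signal than HTTP on 8080, because a legitimate client on 443 sends a ClientHello first, whereas 8080 is a common proxy port. When deploying something like this in an IDS, scope it to outbound flows from workstation ranges and suppress known proxies, or the "nonstandard port" verdict will be noisy.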