Interesting Nulprot trojan. Its reply from an HTTP GET has a header
field called Encryption:. That's a new one:
0000  48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d   HTTP/1.0 200 OK.
0010  0a 45 6e 63 72 79 70 74 69 6f 6e 3a 20 6f 6e 0d   .Encryption: on.
0020  0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a   .Content-Length:
0030  20 34 30 0d 0a 0d 0a a4 30 30 6a a0 e0 00 20 52    40.....00j... R
0040  a8 00 b8 60 d0 f8 38 c0 e0 08 18 f0 e8 30 d0 e2   ...`..8......0..
0050  18 79 39 e0 d9 49 3a 30 30 73 7b f0 5a e8 e8      .y9..I:00s{.Z..
2007669 is out to catch this. Please let me know about false positives.

This isn't a legitimate header field, but might be in use against RFC
somewhere.
Matt
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
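The check described in the post, as an added example that is not part of the original message and is not the Bleeding Edge Threats signature itself (sid 2007669 is a Snort rule; what follows is a stand-alone Python reimplementation of the idea for offline analysis of a captured response). The 95 sample bytes are re-typed from the hex dump above; the KNOWN_HEADERS set and the non-printable-body threshold are assumptions chosen for illustration.

```python
"""Flag an HTTP/1.x response carrying the non-standard 'Encryption:' header.

Added example, not from the original post. Besides the header match it
performs the two sanity checks an analyst wants before trusting a hit:
does the declared Content-Length match the captured body (i.e. is the
capture complete), and does the body look like opaque binary data with
no Content-Type, as in the dump shown in the post.
"""
from __future__ import annotations

# Constructed sample: the 95 bytes re-typed from the post's hex dump.
SAMPLE_RESPONSE = bytes.fromhex(
    "485454502f312e3020323030204f4b0d"
    "0a456e6372797074696f6e3a206f6e0d"
    "0a436f6e74656e742d4c656e6774683a"
    "2034300d0a0d0aa430306aa0e0002052"
    "a800b860d0f838c0e00818f0e830d0e2"
    "187939e0d9493a3030737bf05ae8e8"
)

# Assumption: a small subset of standard response header names; anything
# outside this set is reported so the analyst can review it by hand.
KNOWN_HEADERS = {
    "content-length", "content-type", "content-encoding", "transfer-encoding",
    "date", "server", "connection", "cache-control", "expires", "last-modified",
    "etag", "location", "set-cookie", "vary", "pragma", "accept-ranges",
}


def parse_response(buf: bytes) -> tuple[str, list[tuple[str, str]], bytes]:
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).

    Header names come back lower-cased because HTTP treats them as
    case-insensitive; values keep their original text.
    """
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker (CRLF CRLF) found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers: list[tuple[str, str]] = []
    for raw in lines[1:]:
        name, colon, value = raw.partition(b":")
        if not colon:
            continue  # malformed header line: skip it rather than abort
        headers.append((name.strip().decode("ascii", "replace").lower(),
                        value.strip().decode("ascii", "replace")))
    return status, headers, body


def check_response(buf: bytes) -> dict:
    """Return the detection-relevant facts about one raw HTTP response."""
    status, headers, body = parse_response(buf)
    names = dict(headers)
    unknown = sorted(n for n, _ in headers if n not in KNOWN_HEADERS)

    # A Content-Length that disagrees with the body means a truncated capture
    # or a reassembly problem; the other findings are then less reliable.
    declared = names.get("content-length")
    length_ok = declared is None or (declared.isdigit() and int(declared) == len(body))

    # Body with no Content-Type and mostly non-printable bytes: a second,
    # weaker signal that matches the opaque payload in the post's dump.
    nonprintable = sum(1 for b in body if b < 0x20 or b > 0x7E)
    binary_body = bool(body) and "content-type" not in names and nonprintable / len(body) > 0.25

    return {
        "status": status,
        "encryption_header": names.get("encryption"),
        "unknown_headers": unknown,
        "content_length_ok": length_ok,
        "binary_body": binary_body,
    }


if __name__ == "__main__":
    for key, value in check_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run against the sample it reports the Encryption header, a consistent Content-Length of 40, and a binary body; against an ordinary text/html response it reports nothing. The Content-Length check is what keeps a truncated capture from being mistaken for a clean hit when tuning for false positives.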