EP_X0FF wrote:
> leeno wrote:
> > md5: 3aacd24db6804515b992147924ed3811
> > Hi,
> > A sample of Backdoor:MacOS_X/SabPab.A is attached. If anybody can help me with the pcap, as I lack a Mac VM/system.
> > SabPab.rar
What exactly are you interested in? It generates requests encrypted by something primitive (see _encode_buf_internal).
rtx556.onedumb.com is down.
Thanks, man, for the information. It tries the following HTTP header request, but I need a pcap for Snort sig generation. How did you find the rtx556.onedumb.com domain?
POST /update.aspx HTTP/1.1
Accept: */*
Referer: %s
Content-Type: multipart/form-data; boundary=---------------------------%x
Accept-Encoding: base64,gzip
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3
Host: %s
Content-Length: %d
Connection: Keep-Alive
Cache-Control: no-cache
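Until a pcap is available, the header template above is already enough to write a detection that can be tried against proxy logs or reassembled HTTP request heads. The following is an added example (not code from the thread or from the sample) that parses a raw request head and reports which features of the template it carries. The indicator values come straight from the posted template; the sample requests are constructed here with made-up host and boundary values, and the helper names (parse_request, sabpab_indicators, is_sabpab_beacon) are this example's own.

```python
"""Match raw HTTP request heads against the SabPab beacon template posted above."""
import re

# Indicator values taken verbatim from the header template in the thread.
SABPAB_PATH = "/update.aspx"
SABPAB_ACCEPT_ENCODING = "base64,gzip"
SABPAB_USER_AGENT = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) "
                     "AppleWebKit/419 (KHTML, like Gecko) Safari/419.3")
# The template's boundary is a run of dashes followed by a %x-formatted value,
# so the concrete boundary changes per request; match the shape, not a value.
BOUNDARY_RE = re.compile(r"^multipart/form-data; boundary=-{20,}[0-9a-f]+$")


def parse_request(raw: str):
    """Split a raw HTTP request head into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def sabpab_indicators(raw: str) -> list:
    """Return the names of the template features present in the request head."""
    method, path, h = parse_request(raw)
    hits = []
    if method == "POST" and path == SABPAB_PATH:
        hits.append("post_update_aspx")
    if h.get("accept-encoding") == SABPAB_ACCEPT_ENCODING:
        hits.append("accept_encoding_base64_gzip")
    if h.get("user-agent") == SABPAB_USER_AGENT:
        hits.append("safari_419_user_agent")
    if BOUNDARY_RE.match(h.get("content-type", "")):
        hits.append("dash_hex_boundary")
    return hits


def is_sabpab_beacon(raw: str) -> bool:
    """Alert only when the path, the odd Accept-Encoding and the boundary shape co-occur.

    The User-Agent alone is a real Safari string and is deliberately not required,
    since requiring it would just add false negatives without adding precision."""
    hits = sabpab_indicators(raw)
    return ("post_update_aspx" in hits
            and "accept_encoding_base64_gzip" in hits
            and "dash_hex_boundary" in hits)


# Constructed sample: the template with its %s/%x/%d slots filled with made-up
# values (example.invalid is a reserved name; this is not a real capture).
SAMPLE_BEACON = (
    "POST /update.aspx HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://example.invalid/\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------1a2b3c4d\r\n"
    "Accept-Encoding: base64,gzip\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) "
    "AppleWebKit/419 (KHTML, like Gecko) Safari/419.3\r\n"
    "Host: example.invalid\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request to the same path: shares the URI but nothing else.
SAMPLE_BENIGN = (
    "POST /update.aspx HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, sabpab_indicators(req), is_sabpab_beacon(req))
```

The strongest single feature here is `Accept-Encoding: base64,gzip`: base64 is not a registered HTTP content-coding, so no browser emits that value, whereas `/update.aspx` and the Safari/419 User-Agent both occur in legitimate traffic. A Snort rule built from this template should key on that header plus the URI and the dash-then-hex boundary shape, and treat the User-Agent as corroboration rather than as a required match.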