Gzip'd POSTS

This is an experimental signature. Many malware packages now send gzip-compressed HTTP POST bodies in order to hide parameters and other content from real-time IDS.

Gzipping is a legal POST encoding, but it's very rarely used on a POST; it's far more common on downloads (server responses). Generally the poster has little idea of what the server will accept, and thus generally doesn't compress the request. And most POSTs aren't large enough to get much benefit from gzipping.

2008045 is up to test this theory. It's been initially tested on a smaller scale. Please report false positives!
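As an added illustration of the detection logic the signature is built on (example code written here, not the Emerging Threats rule itself), the check below parses a raw HTTP/1.x request and flags a POST that either declares `Content-Encoding: gzip` or whose body starts with the gzip magic bytes even when no header declares it. The sample requests, hostnames and paths are constructed for the example.

```python
import gzip

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace")
        )
    return method, headers, body


def is_gzipped_post(raw: bytes) -> bool:
    """True for a POST that declares gzip encoding or carries a gzip body.

    Only the request direction is inspected: gzip on responses (downloads)
    is normal and must not fire this check.
    """
    method, headers, body = parse_request(raw)
    if method != "POST":
        return False
    declared = "gzip" in headers.get("content-encoding", "").lower()
    has_magic = body.startswith(GZIP_MAGIC)  # catches bodies hidden without a header
    return declared or has_magic


# Constructed sample traffic (not real captures)
_GZ_BODY = gzip.compress(b"id=1234&data=abc")
_LEN = str(len(_GZ_BODY)).encode()
DECLARED_GZIP_POST = (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                      b"Content-Encoding: gzip\r\nContent-Length: " + _LEN +
                      b"\r\n\r\n" + _GZ_BODY)
UNDECLARED_GZIP_POST = (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                        b"Content-Length: " + _LEN + b"\r\n\r\n" + _GZ_BODY)
BENIGN_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.invalid\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 10\r\n\r\nuser=alice")
GZIP_GET = b"GET /file.bin HTTP/1.1\r\nHost: www.example.invalid\r\nAccept-Encoding: gzip\r\n\r\n"
```

Run `is_gzipped_post()` over each request: the two `gate.php` POSTs are flagged, the form login and the GET are not.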

-- MattJonkman - 22 Mar 2008

Topic revision: r2 - 2009-02-16 - MattJonkman