EmergingThreats > Main Web > 2003513 (2007-03-21, MarkTombaugh)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:46 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:10;)

Added 2011-12-16 18:53:17 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:10;)

Added 2011-12-15 18:09:19 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| MOzilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:9;)

Added 2011-10-12 19:13:36 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| MOzilla/"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:9;)

Added 2011-09-14 22:26:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| MOzilla/"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003513; rev:9;)

Added 2011-02-04 17:22:31 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003513; rev:7;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003513; rev:5;)

Added 2009-02-09 21:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003513; rev:5;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:4;)

Added 2008-01-28 17:24:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:3;)

Added 2008-01-09 17:42:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:3;)

Added 2008-01-09 15:15:19 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:3;)

Added 2008-01-08 20:25:19 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003513; sid:2003513; rev:2;)

Added 2007-04-03 10:56:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003513; sid:2003513; rev:1;)

Added 2007-03-21 10:45:21 UTC

This UA appears when this adware, unknown to me, posts banner rotation data to /bc/123kah.php on the ad rotation server.

  POST /bc/123kah.php HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpe
  g, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, ap
  plication/vnd.ms-powerpoint, application/msword, */*..Accept-Language: en-u
  s..Content-Type: application/x-www-form-urlencoded..User-Agent: M0zilla/4.0
   (compatible)..---------------: ----- -------..Host: almightyads.com..Conte
  nt-Length: 230..Connection: Keep-Alive..Cache-Control: no-cache..Cookie: fl
  ashInstalled=9.0....showed=&clicked=&version=1.0.5.5&rnd=4730&id=ac30e27a18
  138d0a5d449ff4bff8cf05f3edb2d1&exceed=563,564,565,566,571,572,574,575,576,5
  78,579,580,581,582,595,596,598,599,600,601,603,604,605,623,626,627,628,629,
  638,639,640&tail=f5416643

It looks like this has been around for a while, since at least November of 2006, and, fwict, lives on several domains, including bannercpm.com, cpmadz.com, mediarevolver.com, and almightyads.com.

Another way to catch this is to look for the posts, which might change at any time. For example:

  flow:to_server, established; content:"POST"; depth:4; nocase; uricontent:"/bc/123kah.php"; nocase;

Since I'm not really sure what this is, other than pervasive adware, I don't have any refs. You can see some complaints about it on Google.

-- MarkTombaugh - 21 Mar 2007
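As an added example that is not part of this page or of the Emerging Threats rule set: the Python below emulates, as plain byte searches, the content match of the rule above (`User-Agent|3a| M|4f|zilla/`, restricted to the HTTP headers by `http_header`) and the alternative `POST` plus `uricontent` fragment from the comment, and runs both over constructed requests. The sample requests, the placeholder host name adserver.invalid, and the function names (split_request, matches_ua_rule, matches_post_rule, evaluate) are assumptions; Snort's URI normalisation and the `flow:to_server` check are not reproduced. One constructed request carries "M0zilla" with a digit zero, as the capture in the comment does, while the rule's `|4f|` is the letter O, so the run shows which form each check covers.

```python
"""Emulates the two detections discussed on this page as plain byte searches."""

# Constructed HTTP requests (not from the page's capture); CRLF line endings as on the wire.
# adserver.invalid is a placeholder host, not a real ad server.
SAMPLES = {
    "typo_letter_o": (b"POST /bc/123kah.php HTTP/1.1\r\n"
                      b"Host: adserver.invalid\r\n"
                      b"User-Agent: MOzilla/4.0 (compatible)\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n"
                      b"Content-Length: 9\r\n\r\n"
                      b"showed=&x"),
    "typo_digit_zero": (b"POST /bc/123kah.php HTTP/1.1\r\n"
                        b"Host: adserver.invalid\r\n"
                        b"User-Agent: M0zilla/4.0 (compatible)\r\n\r\n"),
    "post_only": (b"POST /BC/123KAH.PHP HTTP/1.1\r\n"
                  b"Host: adserver.invalid\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    "ua_in_body_only": (b"POST /upload HTTP/1.1\r\n"
                        b"Host: adserver.invalid\r\n"
                        b"User-Agent: Mozilla/4.0\r\n\r\n"
                        b"User-Agent: MOzilla/4.0"),
    "benign_get": (b"GET / HTTP/1.1\r\n"
                   b"Host: adserver.invalid\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
}

# content:"User-Agent|3a| M|4f|zilla/" with the |hex| escapes decoded: |3a| is ':' and |4f| is 'O'.
UA_TYPO = b"User-Agent" + bytes([0x3A]) + b" M" + bytes([0x4F]) + b"zilla/"


def split_request(raw: bytes):
    """Split a raw request into (request line, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line, headers, body


def matches_ua_rule(raw: bytes) -> bool:
    """sid:2003513 rev:11 emulation: case-sensitive match of UA_TYPO restricted to the
    header block, as http_header does (a hit in the body alone does not count)."""
    _, headers, _ = split_request(raw)
    return UA_TYPO in headers


def matches_post_rule(raw: bytes) -> bool:
    """Emulation of the fragment in the comment: content:"POST"; depth:4; nocase;
    uricontent:"/bc/123kah.php"; nocase;  depth:4 means "POST" must sit within the
    first four payload bytes; the URI is taken from the request line without the
    normalisation Snort applies (assumption of this example)."""
    request_line, _, _ = split_request(raw)
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    uri = parts[1]
    return raw[:4].lower() == b"post" and b"/bc/123kah.php" in uri.lower()


def evaluate(samples):
    """Return {name: (ua_rule_hit, post_rule_hit)} for each sample request."""
    return {name: (matches_ua_rule(r), matches_post_rule(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (ua_hit, post_hit) in evaluate(SAMPLES).items():
        print(f"{name:18s} ua_rule={str(ua_hit):5s} post_rule={post_hit}")
```

Running it prints one line per sample: only the letter-O request trips the User-Agent rule, the digit-zero request and the upper-cased URI are caught only by the POST check, and the request that carries the typo string in its body alone trips neither. Decoding a rule's content bytes and replaying them against the captured header like this is a cheap sanity check before a revision ships.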


Topic revision: r2 - 2007-03-21 - MarkTombaugh