#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:10; metadata:created_at 2010_07_30, updated_at 2017_09_13;)

Added 2017-09-13 16:26:13 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:50 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:9;)

Added 2012-09-05 00:42:37 UTC

False positives with bugsense.com

-- DavidSchweikert - 2014-09-06


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:8;)

Added 2011-10-12 19:23:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; sid:2007567; rev:8;)

Added 2011-09-14 22:36:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:8;)

Added 2011-08-20 07:22:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:8;)

Added 2011-08-19 16:53:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:6;)

Added 2011-02-04 17:26:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:4;)

Added 2009-02-13 19:47:26 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:4;)

Added 2009-02-13 19:47:26 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:4;)

Added 2009-02-13 19:46:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:4;)

Added 2009-02-13 19:46:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:4;)

Added 2009-02-13 19:45:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zlob; sid:2007567; rev:4;)

Added 2009-02-13 19:45:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; sid:2007567; rev:3;)

Added 2008-01-31 10:12:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; sid:2007567; rev:3;)

Added 2008-01-31 10:12:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; content:!".real.com|0d 0a|"; classtype:trojan-activity; sid:2007567; rev:2;)

Added 2007-10-25 02:32:19 UTC

Please test this version and report any FPs

-- MattJonkman - 25 Oct 2007


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; classtype:trojan-activity; sid:2007567; rev:1;)

Added 2007-08-29 09:46:50 UTC

http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=1

-- ShirkDog - 29 Aug 2007

Possible false alarm. It looks like this is one of my users using RealPlayer.

000 : 47 45 54 20 2F 72 68 61 70 73 65 72 76 65 72 20   GET /rhapserver 
010 : 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41   HTTP/1.1..User-A
020 : 67 65 6E 74 3A 20 75 6E 6B 6E 6F 77 6E 0D 0A 48   gent: unknown..H
030 : 6F 73 74 3A 20 72 68 61 70 2D 61 70 70 2D 34 2D   ost: rhap-app-4-
040 : 30 2E 72 65 61 6C 2E 63 6F 6D 0D 0A 43 6F 6F 6B   0.real.com..Cook
050 : 69 65 3A 20 72 68 61 70 73 6F 64 79 49 6E 73 74   ie: rhapsodyInst
060 : 61 6C 6C 65 64 3D 34 2E 30 2E 32 2E 31 37 30 3B   alled=4.0.2.170;
070 : 20 52 4E 73 69 74 65 73 3D 72 68 61 70 2D 61 70    RNsites=rhap-ap
080 : 70 30 36 38 2E 72 65 61 6C 2E 63 6F 6D 2D 31 31   p068.real.com-11
090 : 39 32 36 32 31 37 31 39 31 31 35 3A 32 39 30 3B   92621719115:290;
0a0 : 20 72 68 61 70 73 6F 64 79 5F 6C 62 3D 31 39 32    rhapsody_lb=192
0b0 : 2E 31 36 38 2E 32 34 30 2E 37 39 3A 38 30 0D 0A   .168.240.79:80..
0c0 : 0D 0A                                             ..

-- CesarDiaz - 17 Oct 2007

Interesting... I wonder whether this was a fluke, or whether that's the UA it always uses. Is anyone else seeing hits?

Matt

-- MattJonkman - 18 Oct 2007

I am seeing the same false alarms. It is hitting on this:

GET /rhapserver HTTP/1.1..User-Agent: unknown..Host: rhap-app-4-0.real .com..Cookie: rhapsodyInstalled=4.0.2.355; RNsites=home07-055WRq:297; rhapsody_lb=192 .168.224.20:80....

Jeremy

-- JeremyConway - 24 Oct 2007

I'll add a negation for .real.com. That should eliminate these; I haven't had reports of any other false positives.

Thanks for the reports!

Matt

-- MattJonkman - 25 Oct 2007



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; classtype:trojan-activity; sid:2007567; rev:1;)

Added 2007-08-15 07:02:20 UTC

