alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:15;)

Added 2017-03-28 17:13:11 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:14;)

Added 2017-03-01 16:50:34 UTC

Hello. One more FP for now: the SketchUp application is in use. Please consider a rule modification.

More about app is here: https://www.sketchup.com/products/sketchup-pro

PCAP:

GET /en/updates/su2016/supmac HTTP/1.1
Host: help.sketchup.com
Accept: /
Cookie: _ga=.......
User-Agent:
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 723
Cache-Control: public, max-age=86400
Content-Encoding: gzip
Content-Language: en
Content-Type: text/plain;charset=UTF-8
Date: Thu, 02 Mar 2017 18:26:55 GMT
Etag: "1488473631-0"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 02 Mar 2017 16:53:51 GMT
Link: </en/node/6201>; rel="shortlink",</en/updates/su2016/supmac>; rel="canonical"
Server: nginx
Vary: Cookie,Accept-Encoding
Via: 1.1 varnish
X-AH-Environment: prod
X-Cache: HIT
X-Cache-Hits: 10
X-Drupal-Cache: HIT
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 7 (http://drupal.org)
X-Request-ID: v-21438c62-ff74-11e6-95eb-22000bdde467
X-Varnish: 124145036 124048606
Content-Length: 79
Connection: keep-alive

...........DATA.........

Thank you, BR

-- MaksymParpaley - 2017-03-06

FP from yieldmo.com a mobile advertising firm.

PCAP:

Host: ads.yieldmo.com
Accept: /
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: yieldmo_id=gd12bddab47d14c20cf0%7C1490185731709%7C1646916380831188839%7C1437728892220980040
User-Agent:
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Length: 638

-- PhillipPeterson - 2017-03-25

FP for api.ping-start.com - http://www.pingstart.com/. Application monetization

yieldmo.com and pingstart.com should be excluded from the rule. Such network activity is not good and is not bad, just monetization tricks. ET, please eliminate the FP.

-- MaksymParpaley - 2017-03-28

When a user downloads an application with advertisements, Google Play warns about the presence of advertisements if it is used for free. That is why this is not malicious activity.

-- MaksymParpaley - 2017-03-28

Fixing these today, thanks!

-- DarienH - 2017-03-28
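The FP reports above all come down to the same question: does the header block contain the bytes `User-Agent: \r\n`, and is one of the negated `content:!` strings absent? The following Python is an added example, not code from Emerging Threats or this wiki, that emulates that matching against a few requests modelled on the captures posted here. It assumes that a `content:"..."; http_header;` match is a plain substring search over the request headers (it ignores Suricata's header normalization and its Cookie handling), that the `|3a 20 0d 0a|` pipe notation decodes to `: \r\n`, and the sample requests are constructed (hosts and paths are from the page, `example.invalid` is a placeholder, other headers are abbreviated).

```python
"""Emulate ET SID 2007994 ("Suspicious User-Agent (1 space)") against sample
HTTP requests, so the effect of each negated content can be checked before a
revision ships.  Assumption: a `content:"..."; http_header;` match is a plain
substring search over the request headers, and the rule fires only when the
positive content is present and every `content:!` is absent."""

import re
from typing import Dict, Sequence

# Content strings copied from rev 15 of the rule on this page.
POSITIVE = "User-Agent|3a 20 0d 0a|"
REV15_NEGATIONS = [
    ".mcafee.com", "deezer.com|0d 0a|", "googlezip.net",
    "metrics.tbliab.net|0d 0a|", "dajax.com|0d 0a|", "update.eset.com|0d 0a|",
    ".sketchup.com|0d 0a|", ".yieldmo.com|0d 0a|", "ping-start.com|0d 0a|",
]
# rev 14 lacked the last three (sketchup, yieldmo, ping-start).
REV14_NEGATIONS = REV15_NEGATIONS[:6]


def decode_content(pattern: str) -> bytes:
    """Turn a Snort/Suricata content string into the bytes it matches.

    Text outside pipes is literal (backslash escapes such as \\: are
    unescaped); text inside |...| is space-separated hex.  So
    "User-Agent|3a 20 0d 0a|" becomes b"User-Agent: \\r\\n".
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:  # literal text
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
        else:           # hex inside pipes
            out += bytes.fromhex(chunk)
    return bytes(out)


def header_block(raw_request: bytes) -> bytes:
    """Approximate the http_header buffer: the header lines after the request
    line, each with its CRLF, up to the blank line that ends the headers."""
    end = raw_request.find(b"\r\n\r\n")
    headers = raw_request if end < 0 else raw_request[:end + 2]
    first = headers.find(b"\r\n")
    return b"" if first < 0 else headers[first + 2:]


def rule_fires(raw_request: bytes,
               negations: Sequence[str] = REV15_NEGATIONS) -> bool:
    """True when the rule would alert on this request under `negations`."""
    hdr = header_block(raw_request)
    if decode_content(POSITIVE) not in hdr:
        return False
    return not any(decode_content(n) in hdr for n in negations)


# Constructed sample requests modelled on the captures posted on this page
# (hosts and paths are the page's; other headers are abbreviated).
SAMPLES: Dict[str, bytes] = {
    "sketchup": (b"GET /en/updates/su2016/supmac HTTP/1.1\r\n"
                 b"Host: help.sketchup.com\r\n"
                 b"User-Agent: \r\n"
                 b"Accept-Encoding: gzip, deflate\r\n\r\n"),
    "eset": (b"HEAD /eset_upd/v10/dll/update.ver HTTP/1.1\r\n"
             b"User-Agent: \r\n"
             b"Host: update.eset.com\r\n\r\n"),
    "deezer": (b"GET /mobile/1/ HTTP/1.1\r\n"
               b"User-Agent: \r\n"
               b"Host: e-cdn-proxy-d.deezer.com\r\n\r\n"),
    # Placeholder host, not from the page: an empty UA to an unlisted host.
    "unlisted": (b"GET /check HTTP/1.1\r\n"
                 b"Host: example.invalid\r\n"
                 b"User-Agent: \r\n\r\n"),
    # A populated UA value: the positive content never matches.
    "normal": (b"GET / HTTP/1.1\r\n"
               b"Host: example.invalid\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n"),
}


def evaluate(negations: Sequence[str] = REV15_NEGATIONS) -> Dict[str, bool]:
    """Map each sample name to whether the rule fires under `negations`."""
    return {name: rule_fires(raw, negations) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for rev, negs in (("rev 14", REV14_NEGATIONS), ("rev 15", REV15_NEGATIONS)):
        print(rev, evaluate(negs))
```

Running it shows the SketchUp request alerting under the rev 14 list and going quiet under rev 15, while the unlisted empty-UA request alerts under both, which is the behaviour each negation on this page was meant to produce. Note that a negation such as `deezer.com|0d 0a|` is anchored on the CRLF that ends the Host header line, so it only suppresses requests whose Host value ends in that domain, whereas `.mcafee.com` with no trailing bytes suppresses any header containing that substring.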


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:13;)

Added 2017-02-21 19:53:14 UTC

Hello. FP for ESET Internet Security and NOD32 Antivirus. Please consider rule modification.

Rule tripped during update of ESET Internet Security and NOD32 Antivirus.

Information about product: http://www.eset.co.uk/Beta/V10

We have no full PCAP, but some information below:

src_ip: 192.1682.xx.xx dst_ip: 91.228.166.14

Host: update.eset.com

url: http://update.eset.com/eset_upd/v10/dll/update.ver

HTTP Request:

HEAD /eset_upd/v10/dll/update.ver HTTP/1.1
Accept: /
User-Agent:
Host: update.eset.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
X-NOD32-Mode: passive
Pragma: no-cache
Cache-Control: no-cache, no-store
Eset-Spread-Control: yes; domain=production
X-ESET-UpdateID:EAV-0189989284
If-Modified-Since: Wed, 01 Mar 2017 11:12:43 GMT
If-None-Match:"58b6acab-2203"

Thank you, Best Regards

-- MaksymParpaley - 2017-03-01


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:12;)

Added 2017-01-12 17:36:21 UTC

Hello. FP for <Stocks Tracker> application. Please consider rule modification:

Information about application: https://itunes.apple.com/us/app/stocks-tracker-real-time-stock/id517166254?mt=8

Pcap:

GET /usage?cmd=ads&deviceType=iPhone&token=XXXXXXXXXXXXXX&p=StockTracker&v=7.0.2&f=0&brk=(null)&por=0 HTTP/1.1
Host: www.dajax.com
User-Agent:
Connection: keep-alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Tue, 21 Feb 2017 14:48:32 GMT

2000 {"eTradeApiURL":"http://ws2.stocktrackeralert.com/etradeApi","maxAskReview":"2","SHOW_FB_ON_LIST":"true","RequireFullVersionForTrade":"NO","MAX_CHART_PERDAY":"5","TradeItUrl":"https://ems.tradingticket.com/universalTradingTicket","chartDataUrl":.....................................................

Thank you BR Maksym

-- MaksymParpaley - 2017-02-21

We're adding a negation for dajax[.]com, however not for tbliab[.]net (looks like some sort of tracking which often falls under the 'MALWARE' category, which in our case are PUP/PUA applications)

-- DarienH - 2017-02-21


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:11;)

Added 2016-03-23 18:08:02 UTC

Hello. Can you please add an exception for metrics.tbliab.net.

Rule triggers during normal behavior of the Android game CastleStorm_-_Free_to_Siege. Please look at https://apkscan.nviso.be/report/show/c13c753c8e4f075cbf527527a88318dc (we did a scan for that game). This game needs this - http://metrics.tbliab.net/apptrak?eses

PCAP:

GET /apptrak?eses=A2B053...........................data......................... HTTP/1.1
User-Agent:
Host: metrics.tbliab.net
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 05 Jan 2017 20:40:46 GMT

{ "Result": "Success", "SessionID": "A2B0....data....." }

Thanks!

-- MaksymParpaley - 2017-01-06

Dear ET, any ideas about http://metrics.tbliab.net/apptrak?eses ? Are you planning to add a negation?

Regards

-- MaksymParpaley - 2017-01-11


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:10;)

Added 2016-02-16 22:39:50 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:10;)

Added 2016-02-16 17:47:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:8;)

Added 2012-07-23 21:19:16 UTC

False positive, it's a mobile connection from the Android App Deezer

GET /mobile/1/1d2d4646768803d040c62ac7f445d0de0d1515914afcee08e07dbf04dcf1196deb366e22ed6691d4a560e6096b7586094399bf09f2339c0a4d2f7533c8f9a8267faf245b02f937ac87e012fdeb292ffe HTTP/1.1
User-Agent:
Range: bytes=16252928-16777215
Host: e-cdn-proxy-d.deezer.com
Accept-Encoding: gzip
Cookie: sid=fr48cb80faefb5136c7f9803625a1cec9911fd12
Via: 1.1 localhost (squid/3.4.10)
X-Forwarded-For: 172.16.128.68
Cache-Control: max-age=259200
Connection: keep-alive

-- BryceSIMON - 2016-02-16


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;)

Added 2011-12-15 18:09:34 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;)

Added 2011-10-12 19:24:14 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; sid:2007994; rev:7;)

Added 2011-09-14 22:37:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:7;)

Added 2011-02-04 17:27:05 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\:|20 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)

Added 2010-07-28 16:15:58 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)

Added 2009-10-19 09:15:44 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2007994; rev:2;)

Added 2009-02-09 22:22:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; sid:2007994; rev:1;)

Added 2008-03-13 16:59:10 UTC


Topic revision: r11 - 2017-03-28 - DarienH
 