#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2010_07_30, updated_at 2017_10_12;)

Added 2017-10-13 16:25:25 UTC


#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2010_07_30, updated_at 2017_10_12;)

Added 2017-10-12 16:20:33 UTC


#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 21:01:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:trojan-activity; sid:2008489; rev:7;)

Added 2011-10-12 19:25:14 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; sid:2008489; rev:7;)

Added 2011-09-14 22:38:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008489; rev:6;)

Added 2011-02-04 17:27:40 UTC

This UAS fires for numerous requests to download.microsoft.com retrieving various installers. No indications that this particular activity is suspicious and with Microsoft's site this is likely legitimate use of this UAS by an authorized agent. We've also recently observed the following, however:

GET /vkits/dlv1/937811/youtubedownloaderToolbar.msi HTTP/1.1
Referer: http://download.mybrowserbar.com/vkits/dlv1/937811/youtubedownloaderToolbar.msi
User-Agent: dwplayer
Host: download.mybrowserbar.com
Connection: Keep-Alive
Cache-Control: no-cache

This seems less-than-desirable; e.g. an AMaDa listing for the domain: http://amada.abuse.ch/?search=download.mybrowserbar.com

Other uses of the UAS:

http://www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=c701be35969371358ed63c558c6b1f24

http://www.threatexpert.com/report.aspx?md5=02b8260bf2be0df452a75bdcf433db5a

http://www.virustotal.com/file-scan/report.html?id=31c9aa3636678f5d7790dbb1ebb82e7c9e4bf911ee8c353addc18dee82eca399-1250483040

-- DarrenSpruell - 14 Apr 2011
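The request quoted above is exactly what the current revision's header match and threshold are meant to catch. What follows is an added illustration, not Emerging Threats' code or the IDS engine itself: it emulates the content match confined to the HTTP header block and the "threshold: type limit, count 2, track by_src, seconds 300" suppression in Python. The sample requests, the 10.0.0.5 source address and the timestamps are constructed.

```python
# Constructed sample requests: the first is modelled on the one quoted in the
# comment above, the second is a benign browser request that must not match.
DWPLAYER_REQUEST = (
    b"GET /vkits/dlv1/937811/youtubedownloaderToolbar.msi HTTP/1.1\r\n"
    b"Referer: http://download.mybrowserbar.com/vkits/dlv1/937811/youtubedownloaderToolbar.msi\r\n"
    b"User-Agent: dwplayer\r\n"
    b"Host: download.mybrowserbar.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
BROWSER_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

def header_matches(raw_request: bytes, needle: bytes = b"User-Agent: dwplayer") -> bool:
    """Emulate content:"User-Agent|3a| dwplayer"; http_header; -- a literal byte
    match confined to the request header block (|3a| is the hex escape for ':')."""
    headers, _, _ = raw_request.partition(b"\r\n\r\n")
    return needle in headers

class LimitThreshold:
    """threshold: type limit, count N, track by_src, seconds W -- raise at most N
    alerts per source IP in each W-second window that starts at the first event."""
    def __init__(self, count: int = 2, seconds: int = 300) -> None:
        self.count, self.seconds = count, seconds
        self.state: dict[str, tuple[float, int]] = {}   # src -> (window_start, alerts)

    def allow(self, src: str, now: float) -> bool:
        start, n = self.state.get(src, (now, 0))
        if now - start >= self.seconds:                 # window expired: start a new one
            start, n = now, 0
        if n >= self.count:                             # limit reached for this window
            self.state[src] = (start, n)
            return False
        self.state[src] = (start, n + 1)
        return True

def evaluate(events: list[tuple[str, float, bytes]]) -> list[tuple[str, float]]:
    """Run the rule over (src_ip, timestamp, raw_request) events; return emitted alerts."""
    thr = LimitThreshold(count=2, seconds=300)
    return [(src, ts) for src, ts, raw in events
            if header_matches(raw) and thr.allow(src, ts)]

if __name__ == "__main__":
    host = "10.0.0.5"   # constructed source address
    events = [(host, t, DWPLAYER_REQUEST) for t in (0, 10, 20)] + \
             [(host, 30, BROWSER_REQUEST), (host, 400, DWPLAYER_REQUEST)]
    print(evaluate(events))   # [('10.0.0.5', 0), ('10.0.0.5', 10), ('10.0.0.5', 400)]
```

The third dwplayer request inside the 300-second window is suppressed by the limit, while the one at 400 seconds opens a new window and alerts again; a dwplayer string in the body rather than the headers does not match.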


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"|0d 0a|User-Agent\: dwplayer"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008489; rev:4;)

Added 2009-10-19 09:15:44 UTC

Anybody have any hint at what this dwplayer user agent is all about? It crops up on my network from time to time when a local host is pulling safe-looking files from trusted locations. Host, referrer, and file name being fetched all look benign. Maybe some kind of download manager?

-- KevinBranch - 08 Jan 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"|0d 0a|User-Agent\: dwplayer"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008489; rev:2;)

Added 2009-02-09 22:22:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"|0d 0a|User-Agent\: dwplayer"; classtype:trojan-activity; sid:2008489; rev:1;)

Added 2008-08-01 13:00:22 UTC


Topic revision: r3 - 2011-04-14 - DarrenSpruell