alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"ZCOM"; http_user_agent; depth:4; classtype:policy-violation; sid:2008503; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 21:01:40 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; classtype:policy-violation; sid:2008503; rev:9;)

Added 2013-04-26 00:16:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2008503; classtype:trojan-activity; sid:2008503; rev:7;)

Added 2011-10-12 19:25:15 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; threshold: type limit, count 2, track by_src, seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008503; sid:2008503; rev:7;)

Added 2011-09-14 22:38:42 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_zcom; sid:2008503; rev:6;)

Added 2011-02-04 17:27:41 UTC

Amerisource publishes an end user application called zcom. It uses the user agent string "ZCOM/3.1.1". Here is the correspondence from amerisource:

This URL allows customers of ours that are using ECHO Software to communicate with our servers (i.e. send an order, check stock status, or get updates). With ECHO on a network connection you must allow persistent connections and allow transmissions to leave and come back to the PC through the firewall \ proxy from the following sites:

Primary Communications:
URL = zcom.amerisource.com
IP = 129.33.204.148
Port 80
Secondary Communications:
URL = collector.amerisource.com
IP = 129.33.204.150
Port 80
ECHO Electronic update:
Update service site:
URL = updates.installshield.com
IP = 74.217.78.111
ECHO Receiving Module to Account Review:
URL: ftp01.amerisourcebergen.com
A snippet of the user traffic:
POST /default.asp HTTP/1.1
Host: zcom.amerisource.com
Content-Type: text/plain
User-Agent: ZCOM/3.1.1
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Cookie: Z02=0; Z03=1; Z04=1
Content-Length: 116

-- JackPepper - 12 Sep 2011
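As an added illustration, not part of the original page or of the Emerging Threats ruleset, the following Python models the three content-matching styles used across the sid:2008503 revisions above (the rev:1-4 raw-payload match on |0d 0a|User-Agent\: ZCOM, the rev:6/7/9 http_header match on User-Agent|3a| ZCOM, and the rev:8 http_user_agent match with depth:4) and runs them over requests constructed from the traffic snippet in the note. It is a simplified model, not the Snort/Suricata engine: it assumes the http_user_agent buffer holds only the header value, selected by a case-insensitive header-name lookup with surrounding whitespace trimmed, and that a content match without nocase is a case-sensitive byte search. The sample requests, including the lowercased header name, the double space and the ZCOMPAT/1.0 agent, are constructed for the example and are not captured traffic.

```python
"""Model of the sid:2008503 match styles run over constructed HTTP requests.

Added example, not code from the Emerging Threats page.  Assumptions (not
engine behaviour verified here): http_user_agent yields the header value via a
case-insensitive name lookup with whitespace trimmed; plain content matching
without nocase is a case-sensitive byte search.
"""

REQUEST_LINE = b"POST /default.asp HTTP/1.1\r\n"
# Header lines modelled on the page's snippet; the User-Agent line is inserted
# by make_request() so the variants below differ only in that line.
OTHER_HEADERS = [
    b"Host: zcom.amerisource.com",
    b"Content-Type: text/plain",
    b"Connection: Keep-Alive",
    b"Pragma: no-cache",
    b"Accept: */*",
    b"Cookie: Z02=0; Z03=1; Z04=1",
    b"Content-Length: 116",
]


def make_request(user_agent_line: bytes, body: bytes = b"A" * 116) -> bytes:
    """Build a constructed request (not captured traffic) with the given UA line
    placed where the snippet has it, after Content-Type."""
    headers = OTHER_HEADERS[:2] + [user_agent_line] + OTHER_HEADERS[2:]
    return REQUEST_LINE + b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line, header_block, body


def http_header_buffer(raw: bytes) -> bytes:
    """Model of the http_header buffer: the header lines, as sent."""
    return split_request(raw)[1]


def http_user_agent_buffer(raw: bytes) -> bytes:
    """Model of the http_user_agent buffer: the User-Agent value only.
    Assumption: name lookup is case-insensitive and the value is trimmed."""
    for line in http_header_buffer(raw).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return b""


def match_rev4(raw: bytes) -> bool:
    """rev:1-4: content:"|0d 0a|User-Agent\\: ZCOM" on the raw payload."""
    return b"\r\nUser-Agent: ZCOM" in raw


def match_rev9(raw: bytes) -> bool:
    """rev:6/7/9: content:"User-Agent|3a| ZCOM"; http_header (no nocase)."""
    return b"User-Agent: ZCOM" in http_header_buffer(raw)


def match_rev8(raw: bytes) -> bool:
    """rev:8: content:"ZCOM"; http_user_agent; depth:4.
    A 4-byte pattern with depth:4 can only sit at offset 0 of the buffer."""
    return http_user_agent_buffer(raw)[:4] == b"ZCOM"


def evaluate(raw: bytes) -> dict:
    """Run every revision's match style over one request."""
    return {
        "rev4_raw": match_rev4(raw),
        "rev9_http_header": match_rev9(raw),
        "rev8_http_user_agent": match_rev8(raw),
    }


# Constructed variants: the page's snippet plus evasions and a prefix collision.
SAMPLES = {
    "page_snippet": make_request(b"User-Agent: ZCOM/3.1.1"),
    "lowercase_name": make_request(b"user-agent: ZCOM/3.1.1"),
    "double_space": make_request(b"User-Agent:  ZCOM/3.1.1"),
    "ua_in_middle": make_request(b"User-Agent: Mozilla/4.0 (compatible; ZCOM/3.1.1)"),
    "prefix_collision": make_request(b"User-Agent: ZCOMPAT/1.0"),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} {evaluate(raw)}")
```

Running it shows that only the rev:8 http_user_agent form survives a lowercased header name or a second space after the colon, while all three forms look at the first four bytes of the agent string only, so a constructed agent such as ZCOMPAT/1.0 trips every revision as readily as ZCOM/3.1.1; a deployment that cares about that collision would extend the pattern to the full ZCOM/ prefix.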


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ZCOM"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_zcom; sid:2008503; rev:4;)

Added 2009-11-25 11:39:03 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ZCOM"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008503; rev:2;)

Added 2009-02-09 22:22:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ZCOM"; classtype:trojan-activity; sid:2008503; rev:1;)

Added 2008-08-12 12:00:22 UTC


Topic revision: r4 - 2011-09-13 - MattJonkman
Copyright © Emerging Threats