alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader User-Agent (Up)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Up|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009523; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2009523; rev:3;)

Added 2009-07-09 18:45:36 UTC

Encountered this with activity involving sbrowser.net:

GET /xml/topbrows/tbrows.php?key=%bc%d6%ba%f1%c4%a1 HTTP/1.1
User-Agent: Up
Host: sbrowser.net

Reports suggest that this site distributes adware. The above request yielded this response which would possibly confirm:

HTTP/1.1 200 OK
Content-Type: text/html
Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.7a PHP/4.4.2
Date: Fri, 30 Oct 2009 21:43:46 GMT
X-Powered-By: PHP/4.4.2
Content-Transfer-Encoding: euc-kr
Content-Length: 569

<BC><D6><BA><F1><C4><A1>***<BD><F2><BA><F1><C4><A1> <C5><D7><B6><F3><C7><C7> <BC><BC><C6><AE><B1><C7>|hXXp://rc25.overture.com/d/sr/?xargs=15KPjg15JSnZamwr
yocL%5FKReCKxFwKgszv%5F8prBpl%5FHt1b9HN7ALxyb6XAnsB%2DSexj7AfGnK%2DZ%2D6AWLPXzkPqJEwuIQ1ONHOP5yt2awIk7MqylUNFEO4UUmefrloROPH8OYGoeSJKzl4r9Edbvbj%2D7z78vvkX
a8PBpwMe%2DxeUZFrnOiQN1qQOAaI1Vv60u9cnGXekPP7Qjea%2Dbl1TkZs0TxoBCoMqkPyIWWSyk42h%2D21mWez1%2Do63TfJEAp7HyjN7MZD9LOALX35gaXOIyvQSX%2DTuHybpTJiyPjKUIx1NXFPap
JHiY3WR06sGb062He40h0XP6GI6KTyOoKUBtLQF8WrW4ZFjfMzBmsii%2DMJhAdd%5F%5FuC6%2DFuDATBBgImM4p961LpdP7gzenzdvKlao|<BD><F2><BA><F1><C4><A1> <B8><B6><B8><A3><C5>
<D7><B6><F3><C7><C7> 5<B8><C5><C0><CC><BF><EB><B1><C7>, <BE><C6><C4><ED><BE><C6><BF><F9><B5><E5><B9><AB><B7><E1><C0><CC><BF><EB> <B0><A2><C1><BE><C7><D2>
<C0><CE><C4><ED><C6><F9><C1><A6><B0><F8>.##

-- DarrenSpruell - 30 Oct 2009
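As an added example (not part of the original page or of the Emerging Threats ruleset), the Python below reproduces the content match of SID 2009523 over a few constructed HTTP requests modelled on the one quoted above. It shows that the |0d 0a| bytes on both sides of the content pin the match to a complete header line whose entire value is "Up", so agents such as "Upgrade-Checker" or a header named "X-User-Agent" do not fire it, and that nocase makes the comparison case-insensitive. The sample names and requests are constructed; the flow:established,to_server condition is handled by the IDS's stream tracking and is not modelled here.

```python
"""Replicate the content match of ET SID 2009523 on raw HTTP request bytes.

Added example, not code from the Emerging Threats page. The requests below are
constructed for illustration; only the first one mirrors the traffic quoted on
the page.
"""
import re

# content:"|0d 0a|User-Agent\: Up|0d 0a|"; nocase;
# The leading CRLF means the header name must start a line; the trailing CRLF
# means the value must end immediately after "Up". nocase -> IGNORECASE.
RULE_CONTENT = re.compile(rb"\r\nUser-Agent: Up\r\n", re.IGNORECASE)

# Constructed sample client requests (to_server direction is assumed).
SAMPLES = {
    # Modelled on the request quoted on the page.
    "observed": (
        b"GET /xml/topbrows/tbrows.php?key=%bc%d6%ba%f1%c4%a1 HTTP/1.1\r\n"
        b"User-Agent: Up\r\n"
        b"Host: sbrowser.net\r\n"
        b"\r\n"
    ),
    # Same agent string in lower case: nocase makes this match too.
    "lowercase": (
        b"GET / HTTP/1.1\r\n"
        b"user-agent: up\r\n"
        b"Host: example.invalid\r\n"
        b"\r\n"
    ),
    # "Up" is only a prefix of the value; the trailing CRLF anchor rejects it.
    "prefix_only": (
        b"GET / HTTP/1.1\r\n"
        b"User-Agent: Upgrade-Checker\r\n"
        b"Host: example.invalid\r\n"
        b"\r\n"
    ),
    # Header name is not at the start of a line; the leading CRLF anchor rejects it.
    "not_line_start": (
        b"GET / HTTP/1.1\r\n"
        b"X-User-Agent: Up\r\n"
        b"Host: example.invalid\r\n"
        b"\r\n"
    ),
    # No User-Agent header at all.
    "no_ua": (
        b"GET / HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"\r\n"
    ),
}


def rule_2009523_matches(request: bytes) -> bool:
    """Return True when the raw request carries a header line whose full
    value is "Up" (any case), i.e. when the rule's content option would hit."""
    return RULE_CONTENT.search(request) is not None


def evaluate(samples: dict = SAMPLES) -> dict:
    """Run the content match over every sample and report the verdicts."""
    return {name: rule_2009523_matches(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:15s} -> {'ALERT' if hit else 'no match'}")
```

The regex stands in for the IDS content matcher only; a real deployment also needs the established, client-to-server flow and the $HTTP_PORTS destination that the rule header specifies, which is why a bare User-Agent string in an unrelated protocol does not trigger the signature.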



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader User-Agent (Up)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Up|0d 0a|"; nocase; classtype:trojan-activity; sid:2009523; rev:2;)

Added 2009-07-09 13:37:47 UTC


Topic revision: r2 - 2009-10-30 - DarrenSpruell