alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:2;)

Added 2014-03-26 17:57:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,22d3165c0e80ba50bc6a42a2e82b2874; classtype:trojan-activity; sid:2014341; rev:1;)

Added 2013-01-08 22:33:56 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,22d3165c0e80ba50bc6a42a2e82b2874; classtype:trojan-activity; sid:2014341; rev:1;)

Added 2012-03-08 18:30:48 UTC

Hits on a legitimate Samsung application - kies - http://www.samsung.com/us/kies/

The update mechanism connects to msupdate.emodio.com using user agent toys::file

Suggest adding content:!"Host|3A|msupdate.emodio.com"; http_header; or similar

-- MattNewham - 08 Jan 2013

Thanks Matt. Looking into it. We may move the sig to policy or info as it seems more common that we hoped.

-- MattJonkman - 08 Jan 2013


Topic revision: r3 - 2013-01-08 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats