alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; content:"Windows NT 9"; nocase; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2015822; rev:3; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

Added 2017-08-07 21:09:26 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; content:"Windows NT 9"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 9/Hmi"; classtype:trojan-activity; sid:2015822; rev:1;)

Added 2012-10-19 17:25:52 UTC

This can be triggered by a Craigslist watch/search app downloaded from the Google store. I have now had two different users who, when they saw the packet contents, were able to say that that was their own activity and that they were using a smartphone app they downloaded from Google Play. In one case the user was also able to confirm that he had not rooted his phone and was running smartphone-based AV software (Lookout), so the chance that this is an infection is relatively low.

-- JohnIves - 19 Nov 2012
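Added example (not Emerging Threats' code and not part of the original page): a Python approximation of what the two revisions above match, run over constructed sample requests. It models the `http_user_agent` buffer (rev:3) as the value of the User-Agent header and the `http_header` buffer (rev:1) as the header block after the request line, with the `/Hmi` pcre applied to that block; the `flow`, port and direction keywords are ignored. The sample requests are constructed, not captured traffic, and include the case the discussion above is about: a client whose User-Agent claims a Windows NT version that never shipped.

```python
import re

# Constructed sample requests (not captured traffic) that exercise the rule.
# No released Windows reports NT 9 (Windows 7 = NT 6.1, 8 = NT 6.2,
# 8.1 = NT 6.3, 10 = NT 10.0), so a User-Agent claiming it is either a
# spoofed or sloppily written client string, as in the app case noted above.
SAMPLES = {
    "win7_browser": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36\r\n"
        b"\r\n"),
    "bogus_nt9": (
        b"GET /search HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 9.0; WOW64) AppleWebKit/537.36\r\n"
        b"\r\n"),
    "lowercase_nt9": (
        b"GET / HTTP/1.1\r\n"
        b"host: www.example.test\r\n"
        b"user-agent: mozilla/4.0 (compatible; windows nt 9)\r\n"
        b"\r\n"),
    "win10_browser": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
        b"\r\n"),
    "nt9_in_other_header": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"User-Agent: curl/7.58.0\r\n"
        b"X-Client-Note: built on Windows NT 9\r\n"
        b"\r\n"),
}


def header_block(request: bytes) -> bytes:
    """Approximate the http_header buffer: the request headers after the
    request line, up to the blank line that ends them."""
    head = request.split(b"\r\n\r\n", 1)[0]
    _, _, headers = head.partition(b"\r\n")
    return headers


def user_agent(request: bytes):
    """Approximate the http_user_agent buffer: the User-Agent value only
    (header names are case-insensitive), or None when the header is absent."""
    for line in header_block(request).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def matches_rev3(request: bytes) -> bool:
    """rev:3 logic: content:"Windows NT 9"; nocase; http_user_agent;"""
    ua = user_agent(request)
    return ua is not None and b"windows nt 9" in ua.lower()


# rev:1 pcre /^User-Agent\x3a[^\r\n]+Windows NT 9/Hmi:
# H = header buffer, m = ^ anchors at each line start, i = case-insensitive.
REV1_PCRE = re.compile(rb"^User-Agent\x3a[^\r\n]+Windows NT 9",
                       re.MULTILINE | re.IGNORECASE)


def matches_rev1(request: bytes) -> bool:
    """rev:1 logic: the cheap nocase content pre-filter over all headers,
    then the pcre that pins the string to the User-Agent line."""
    headers = header_block(request)
    if b"windows nt 9" not in headers.lower():
        return False
    return REV1_PCRE.search(headers) is not None


def evaluate(samples=SAMPLES):
    """Run both revisions over every sample; returns {name: (rev1, rev3)}."""
    return {name: (matches_rev1(req), matches_rev3(req))
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, (r1, r3) in evaluate().items():
        print(f"{name:22s} rev1={r1!s:5s} rev3={r3}")
```

Both revisions fire on "Windows NT 9.0" and on an all-lowercase variant, stay quiet on NT 6.1 and NT 10.0 (the string "Windows NT 9" is not a substring of "Windows NT 10.0"), and ignore the string when it appears in some header other than User-Agent: rev:1's content pre-filter passes there but its pcre does not, and rev:3 never looks outside the User-Agent buffer. The rule is a low-confidence "this client is lying or broken" indicator, which is why the discussion above treats a hit as something to confirm with the user rather than as proof of infection.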


Topic revision: r2 - 2012-11-19 - JohnIves
Copyright © Emerging Threats