Windows 98 User-Agent

Sig 2007695 is intended primarily to catch spyware and downloaders that are using Windows 98 user agent strings as fakes. The side benefit is that you can catch any old workstations that are still on your network. Just a reminder, Win98 hasn't been supported or patched for YEARS. If you've still got them running you're just a disaster waiting to happen.

-- MattJonkman - 13 Nov 2007

Update: I have tracked those Win98 alerts down to a piece of malware that ships (Free!) with Dell computers from 2005-2007. It is part of the Dell online support system. Dell licenced the client code from "Gteko". It may not be easily removable. It does phone home to the Dell support web site several times a day. It reports hardware configurations and some other data.

Normally we ignore the spyware from Dell machines (they have always had lots of spyware on their boxes), but in this case the GtekClient contains its own browser code that for whatever reason emulates a Win98 box.

Weird. Throw it on the pile of "Essential Dell Spyware".

13:41:01.224108 IP 10.1.1.66.4501 > 209.136.40.14.80: P 175:426(251) ack 356 win 65180
        0x0000:  4500 0123 7278 4000 8006 8283 0a01 0142  E..#rx@........B
        0x0010:  d188 280e 1195 0050 5187 6820 5ee8 5d84  ..(....PQ.h.^.].
        0x0020:  5018 fe9c 035e 0000 4745 5420 2f6e 6577  P....^..GET./new
        0x0030:  5f64 656c 6c5f 6167 656e 742f 656d 6572  _dell_agent/emer
        0x0040:  6765 6e63 795f 3031 2f75 636c 732f 7665  gency_01/ucls/ve
        0x0050:  7273 696f 6e2e 6366 673f 7261 6e64 3d35  rsion.cfg?rand=5
        0x0060:  3834 4546 3432 3026 6369 643d 3337 3561  84EF420&cid=375a
        0x0070:  3335 3762 2d62 3832 622d 3464 6630 2d38  357b-b82b-4df0-8
        0x0080:  3039 382d 3563 6538 6531 3362 3665 6631  098-5ce8e13b6ef1
        0x0090:  2673 7276 5f74 6167 3d33 504a 5758 4231  &srv_tag=3PJWXB1
        0x00a0:  2048 5454 502f 312e 310d 0a55 7365 722d  .HTTP/1.1..User-
        0x00b0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
        0x00c0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
        0x00d0:  4d53 4945 2035 2e35 3b20 5769 6e64 6f77  MSIE.5.5;.Window
        0x00e0:  7320 3938 3b20 4774 656b 436c 6965 6e74  s.98;.GtekClient
        0x00f0:  290d 0a48 6f73 743a 2064 732e 6465 6c6c  )..Host:.ds.dell
        0x0100:  6669 782e 636f 6d0d 0a43 6f6e 6e65 6374  fix.com..Connect
        0x0110:  696f 6e3a 204b 6565 702d 416c 6976 650d  ion:.Keep-Alive.

Pepper Jack

Background info:


Nathaniel Richmond Fri Nov 16 18:38:37 UTC 2007


It looks like there is a company that sells an agent that has Windows 98 coded into the User-Agent string. I have seen a couple WinXP systems going to dellfix.com (registrant is Dell) and linksysfix.com (registrant is Microsoft) with the following User-Agent string:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; GtekClient)

A little searching revealed the following about Dell's agent: http://www.dellcommunity.com/supportforums/board/message?board.id=sw_winxp&message.id=145930

It seems like this may be the company that sells the agent: http://www.gteko.co.il/newver/GTagent.html

Nate


MattJonkman
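The capture above is the whole story of this signature in one packet: an HTTP request whose User-Agent claims Windows 98 while the host is really a Dell box running the Gteko support agent. The script below is an added example (it is not code from this page, from Emerging Threats, nor the text of sig 2007695): it decodes a tcpdump -X style hex dump into bytes, strips the IPv4/TCP headers, parses the request headers, and applies the same "Windows 98 in the User-Agent" test the signature is built around, separating the known GtekClient/dellfix.com traffic from anything else claiming to be Win98 so an analyst can triage the two differently. The function names, verdict labels and the host allow-list logic are this example's own assumptions; the two domains are the ones Nate's post names, and the embedded dump is a constructed copy of the one shown above, which ends three bytes short of the payload, so the parser has to tolerate a header cut mid-CRLF.

```python
"""Decode a tcpdump -X hex dump, recover the HTTP request inside it, and run the
'Windows 98 in User-Agent' test that sig 2007695 is built around, tagging the
Dell/Gteko support agent separately from other Win98 claims.

Added example for this wiki page; not Emerging Threats code and not the rule
text. Verdict labels and the allow-list are this example's own choices.
"""
import re

# Constructed sample: the hex-dump lines of the capture shown on the page
# (IPv4 header, TCP header, then the start of the HTTP request). The dump
# stops 3 bytes short of the 251-byte payload, so the last header is cut
# right after its "\r"; the parser below must tolerate that.
SAMPLE_DUMP = """\
        0x0000:  4500 0123 7278 4000 8006 8283 0a01 0142  E..#rx@........B
        0x0010:  d188 280e 1195 0050 5187 6820 5ee8 5d84  ..(....PQ.h.^.].
        0x0020:  5018 fe9c 035e 0000 4745 5420 2f6e 6577  P....^..GET./new
        0x0030:  5f64 656c 6c5f 6167 656e 742f 656d 6572  _dell_agent/emer
        0x0040:  6765 6e63 795f 3031 2f75 636c 732f 7665  gency_01/ucls/ve
        0x0050:  7273 696f 6e2e 6366 673f 7261 6e64 3d35  rsion.cfg?rand=5
        0x0060:  3834 4546 3432 3026 6369 643d 3337 3561  84EF420&cid=375a
        0x0070:  3335 3762 2d62 3832 622d 3464 6630 2d38  357b-b82b-4df0-8
        0x0080:  3039 382d 3563 6538 6531 3362 3665 6631  098-5ce8e13b6ef1
        0x0090:  2673 7276 5f74 6167 3d33 504a 5758 4231  &srv_tag=3PJWXB1
        0x00a0:  2048 5454 502f 312e 310d 0a55 7365 722d  .HTTP/1.1..User-
        0x00b0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
        0x00c0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
        0x00d0:  4d53 4945 2035 2e35 3b20 5769 6e64 6f77  MSIE.5.5;.Window
        0x00e0:  7320 3938 3b20 4774 656b 436c 6965 6e74  s.98;.GtekClient
        0x00f0:  290d 0a48 6f73 743a 2064 732e 6465 6c6c  )..Host:.ds.dell
        0x0100:  6669 782e 636f 6d0d 0a43 6f6e 6e65 6374  fix.com..Connect
        0x0110:  696f 6e3a 204b 6565 702d 416c 6976 650d  ion:.Keep-Alive.
"""

# One dump line: indent, "0xNNNN:", hex groups, then two+ spaces and the ASCII
# column. The lazy group stops at the first double space, so hex-looking
# characters in the ASCII column are never decoded.
DUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+([0-9a-fA-F ]+?)(?:\s{2,}|$)")


def decode_hexdump(text: str) -> bytes:
    """Concatenate the hex column of every dump line into raw packet bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex ignores the group spaces
    return bytes(out)


def tcp_payload(pkt: bytes) -> bytes:
    """Strip IPv4 and TCP headers using their own length fields (options honoured)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP data offset in bytes
    return pkt[ihl + data_off:]


def parse_http_request(payload: bytes):
    """Return (request_line, headers) with lower-cased header names.
    A truncated capture that ends mid-header (missing "\\n" or CRLF) is tolerated."""
    lines = payload.decode("latin-1").split("\r\n")
    headers = {}
    for raw in lines[1:]:
        raw = raw.rstrip("\r")
        if not raw:
            break                         # blank line ends the header block
        if ":" in raw:
            name, value = raw.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


# Hosts the Gteko-built Dell agent is reported (on this page) to contact.
KNOWN_AGENT_HOSTS = ("dellfix.com", "linksysfix.com")


def classify(headers: dict) -> str:
    """Signature trigger ('Windows 98' in User-Agent) plus a triage split between
    the known support agent and anything else presenting itself as Win98."""
    ua = headers.get("user-agent", "")
    if "Windows 98" not in ua:
        return "no-match"
    host = headers.get("host", "").lower()
    known = any(host == d or host.endswith("." + d) for d in KNOWN_AGENT_HOSTS)
    if "GtekClient" in ua and known:
        return "win98-ua-known-gteko-agent"
    return "win98-ua-unknown"             # real Win98 box, or something faking one


def analyze(hexdump_text: str) -> dict:
    """Full pipeline: hex dump -> packet -> HTTP request -> verdict."""
    request_line, headers = parse_http_request(tcp_payload(decode_hexdump(hexdump_text)))
    return {
        "request_line": request_line,
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
        "verdict": classify(headers),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run on the embedded dump it reports host ds.dellfix.com, the GtekClient User-Agent and the verdict win98-ua-known-gteko-agent; the same User-Agent without the GtekClient token, or aimed at a host outside the allow-list, comes back as win98-ua-unknown, which is the case the signature was written for. The later reports on this page (Akamai destinations, a Windows 7 machine flagged) are exactly the kind of drift this allow-list would surface rather than hide, since a changed destination host falls straight into the unknown bucket.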

-- MikeHerman - 17 Aug 2012

It appears that this sig is now being triggered by Dells phoning Akamai Technologies IPs.

Specifically IPs in the 23.3.69.0/24 and 72.246.94.0/24 ranges.

The devices triggering the alerts on my network seem to all be Dells, so it may be that the software has changed to phoning Akamai.


Topic attachments (both 0.2 K, uploaded 2013-10-23 05:59 by AnshumanDeshmukh):

  • base_packet_4-1254606.pcap
  • payload_4-1254606.bin

Comment on both: This signature has incorrectly detected a Windows 7 Enterprise SP1 system as a Windows 98 machine. Please refer to the attached pcaps and the payload.
Topic revision: r7 - 2013-10-23 - AnshumanDeshmukh