EmergingThreats> Main Web>2002153 (2008-02-29, MikeSchroll) EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)

Added 2009-02-09 21:30:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)

Added 2009-02-09 21:30:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)

Added 2009-02-09 21:29:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)

Added 2009-02-09 21:29:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; sid: 2002153; rev:8;)

Added 2008-05-09 17:01:40 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; sid: 2002153; rev:8;)

Added 2008-05-09 17:01:40 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:7;)

Added 2008-02-01 14:32:22 UTC

False positives on legit software updates to: http://home.exetel.com.au/oliverburn/ AKA http://www.puppycrawl.com/ with: 

User-Agent: Java/1.6.0_03
Host: home.exetel.com.au

and Quest Software's SQL DB Products: http://www.quest.com/ with: 

User-Agent: QINS.EXE
Host: www.quest.com
and:
User-Agent: QINS.EXE
Host: check-for-update.inside.quest.com

Added exclusions: 

suppress gen_id 1, sig_id 2002153, track by_dst, ip 220.233.0.13
suppress gen_id 1, sig_id 2002153, track by_dst, ip 12.106.87.32
suppress gen_id 1, sig_id 2002153, track by_dst, ip 12.106.87.43
-- MikeSchroll - 29 Feb 2008

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:7;)

Added 2008-02-01 14:32:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:6;)

Added 2008-01-28 17:24:19 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:6;)

Added 2008-01-28 17:24:19 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EXE as User Agent - Potential Spyware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:20; nocase; classtype: trojan-activity; sid: 2002153; rev:5;)

Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2008-02-29 - MikeSchroll
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats