EmergingThreats> Main Web>2003380 (2010-06-28, RussellFulton) EditAttach

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 18:17:25 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 16:39:34 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)

Added 2017-08-07 20:56:40 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:11;)

Added 2017-05-12 14:59:42 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:10;)

Added 2012-07-16 19:40:05 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:9;)

Added 2011-10-12 19:13:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; sid:2003380; rev:9;)

Added 2011-09-14 22:26:19 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:9;)

Added 2011-02-04 17:22:26 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)

Added 2010-05-07 15:01:04 UTC

Reference: http://www.threatexpert.com/report.aspx?md5=81f97ba5517e0a2b7d1336d7233bb0ea

matches observed url exactly....

-- RussellFulton - 28 Jun 2010

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)

Added 2010-05-07 15:01:04 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)

Added 2010-05-07 14:59:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:250; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:6;)

Added 2010-05-07 14:59:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:100; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:5;)

Added 2010-03-08 23:15:50 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:100; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:5;)

Added 2010-03-08 23:15:50 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:4;)

Added 2009-02-12 18:21:15 UTC 

08:25:34.680965 IP 192.168.1.111.1260 > 195.2.253.233.80: P 3305639177:3305639395(218) ack 1394353960 win 17640
        0x0000:  4500 0102 295f 4000 8006 4d93 c0a8 016f  E...)_@...M....o
        0x0010:  c302 fde9 04ec 0050 c508 0d09 531c 2728  .......P....S.'(
        0x0020:  5018 44e8 4239 0000 4745 5420 2f70 726f  P.D.B9..GET./pro
        0x0030:  6773 2f72 6f79 796c 2f66 6370 7064 646d  gs/royyl/fcppddm
        0x0040:  612e 7068 703f 6164 763d 6164 7634 3738  a.php?adv=adv478
        0x0050:  2048 5454 502f 312e 310d 0a55 7365 722d  .HTTP/1.1..User-
        0x0060:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
        0x0070:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
        0x0080:  4d53 4945 2037 2e30 3b20 5769 6e64 6f77  MSIE.7.0;.Window
        0x0090:  7320 4e54 2035 2e31 3b20 2e4e 4554 2043  s.NT.5.1;..NET.C
        0x00a0:  4c52 2031 2e31 2e34 3332 323b 202e 4e45  LR.1.1.4322;..NE
        0x00b0:  5420 434c 5220 322e 302e 3530 3732 373b  T.CLR.2.0.50727;
        0x00c0:  202e 4e45 5420 434c 5220 332e 302e 3034  ..NET.CLR.3.0.04
        0x00d0:  3530 362e 3330 3b20 496e 666f 5061 7468  506.30;.InfoPath
        0x00e0:  2e32 2976 6572 3333 0d0a 486f 7374 3a20  .2)ver33..Host:.
        0x00f0:  6162 6b7a 6664 696c 6b6f 2e63 6f6d 0d0a  abkzfdilko.com..
        0x0100:  0d0a                                     ..

-- JackPepper - 11 May 2009 

08:25:36.676987 00:18:de:d5:29:9a > 00:17:95:14:4c:e5, ethertype IPv4 (0x0800), length 261: 192.168.1.111.1263 > 195.2.253.237.80: P 2462767555:2462767762(207) ack 1431489453 win 17640
   0x0000:  4500 00f7 2978 4000 8006 4d81 c0a8 016f  E...)x@...M....o
   0x0010:  c302 fded 04ef 0050 92ca d9c3 5552 cbad  .......P....UR..
   0x0020:  5018 44e8 ace6 0000 4745 5420 2f70 726f  P.D.....GET./pro
   0x0030:  6773 2f72 6f79 796c 2f67 6763 7171 6464  gs/royyl/ggcqqdd
   0x0040:  652e 7068 7020 4854 5450 2f31 2e31 0d0a  e.php.HTTP/1.1..
   0x0050:  5573 6572 2d41 6765 6e74 3a20 4d6f 7a69  User-Agent:.Mozi
   0x0060:  6c6c 612f 342e 3020 2863 6f6d 7061 7469  lla/4.0.(compati
   0x0070:  626c 653b 204d 5349 4520 372e 303b 2057  ble;.MSIE.7.0;.W
   0x0080:  696e 646f 7773 204e 5420 352e 313b 202e  indows.NT.5.1;..
   0x0090:  4e45 5420 434c 5220 312e 312e 3433 3232  NET.CLR.1.1.4322
   0x00a0:  3b20 2e4e 4554 2043 4c52 2032 2e30 2e35  ;..NET.CLR.2.0.5
   0x00b0:  3037 3237 3b20 2e4e 4554 2043 4c52 2033  0727;..NET.CLR.3
   0x00c0:  2e30 2e30 3435 3036 2e33 303b 2049 6e66  .0.04506.30;.Inf
   0x00d0:  6f50 6174 682e 3229 7665 7233 330d 0a48  oPath.2)ver33..H
   0x00e0:  6f73 743a 2062 6261 747a 6b76 6668 612e  ost:.bbatzkvfha.
   0x00f0:  6e65 740d 0a0d 0a                        net....
08:25:37.840344 00:18:de:d5:29:9a > 00:17:95:14:4c:e5, ethertype IPv4 (0x0800), length 258: 192.168.1.111.1264 > 195.2.253.237.80: P 2773256035:2773256239(204) ack 2866380504 win 17640
   0x0000:  4500 00f4 2987 4000 8006 4d75 c0a8 016f  E...).@...Mu...o
   0x0010:  c302 fded 04f0 0050 a54c 8763 aad9 7ed8  .......P.L.c..~.
   0x0020:  5018 44e8 210b 0000 4745 5420 2f70 726f  P.D.!...GET./pro
   0x0030:  6773 2f72 6f79 796c 2f6b 7164 646a 2e70  gs/royyl/kqddj.p
   0x0040:  6870 2048 5454 502f 312e 310d 0a55 7365  hp.HTTP/1.1..Use
   0x0050:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
   0x0060:  2f34 2e30 2028 636f 6d70 6174 6962 6c65  /4.0.(compatible
   0x0070:  3b20 4d53 4945 2037 2e30 3b20 5769 6e64  ;.MSIE.7.0;.Wind
   0x0080:  6f77 7320 4e54 2035 2e31 3b20 2e4e 4554  ows.NT.5.1;..NET
   0x0090:  2043 4c52 2031 2e31 2e34 3332 323b 202e  .CLR.1.1.4322;..
   0x00a0:  4e45 5420 434c 5220 322e 302e 3530 3732  NET.CLR.2.0.5072
   0x00b0:  373b 202e 4e45 5420 434c 5220 332e 302e  7;..NET.CLR.3.0.
   0x00c0:  3034 3530 362e 3330 3b20 496e 666f 5061  04506.30;.InfoPa
   0x00d0:  7468 2e32 2976 6572 3333 0d0a 486f 7374  th.2)ver33..Host
   0x00e0:  3a20 6262 6174 7a6b 7666 6861 2e6e 6574  :.bbatzkvfha.net
   0x00f0:  0d0a 0d0a                                ....

-- JackPepper - 11 May 2009

In each of the above cases, the victim host downloaded a packed exe.

-- JackPepper - 11 May 2009

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:4;)

Added 2009-02-12 18:21:15 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:3;)

Added 2008-01-31 10:12:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:3;)

Added 2008-01-31 10:12:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:2;)

Added 2007-05-21 09:15:26 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:1;)

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2010-06-28 - RussellFulton
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats