2003513 (2007-03-21, MarkTombaugh)
Signature history (newest first)

Added 2020-08-05 19:01:52 UTC:
<verbatim>
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
</verbatim>

Added 2019-10-09 19:08:39 UTC:
<verbatim>
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
</verbatim>

Added 2018-09-13 19:38:51 UTC:
<verbatim>
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
</verbatim>

Added 2017-10-27 16:27:01 UTC:
<verbatim>
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
</verbatim>

Added 2017-08-07 20:56:46 UTC:
<verbatim>
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
</verbatim>

Added 2011-12-16 18:53:17 UTC:
<verbatim>
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:10;)
</verbatim>

Added 2011-12-15 18:09:19 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:10;)
</verbatim>

Added 2011-10-12 19:13:36 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| MOzilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:9;)
</verbatim>

Added 2011-09-14 22:26:35 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| MOzilla/"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:9;)
</verbatim>

Added 2011-02-04 17:22:31 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| MOzilla/"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003513; rev:9;)
</verbatim>

Added 2009-10-19 09:15:43 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003513; rev:7;)
</verbatim>

Added 2009-02-09 21:30:24 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003513; rev:5;)
</verbatim>

Added 2009-02-09 21:29:25 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003513; rev:5;)
</verbatim>

Added 2008-01-28 17:24:21 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:4;)
</verbatim>

Added 2008-01-09 17:42:41 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:3;)
</verbatim>

Added 2008-01-09 15:15:19 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:3;)
</verbatim>

Added 2008-01-08 20:25:19 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; sid:2003513; rev:3;)
</verbatim>

Added 2007-04-03 10:56:11 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003513; sid:2003513; rev:2;)
</verbatim>

Added 2007-03-21 10:45:21 UTC:
<verbatim>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003513; sid:2003513; rev:1;)
</verbatim>

Documentation and comments

This UA appears when this adware, unknown to me, posts banner rotation data to /bc/123kah.php on the ad rotation server.

<verbatim>
POST /bc/123kah.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: M0zilla/4.0 (compatible)
---------------: ----- -------
Host: almightyads.com
Content-Length: 230
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: flashInstalled=9.0

showed=&clicked=&version=1.0.5.5&rnd=4730&id=ac30e27a18138d0a5d449ff4bff8cf05f3edb2d1&exceed=563,564,565,566,571,572,574,575,576,578,579,580,581,582,595,596,598,599,600,601,603,604,605,623,626,627,628,629,638,639,640&tail=f5416643
</verbatim>

It looks like this has been around for a while, since at least November of 2006, and, fwict, lives on several domains, including bannercpm.com, cpmadz.com, mediarevolver.com, and almightyads.com.

Another way to catch this is to look for the posts, which might change at any time. For example:

<verbatim>
flow:to_server, established; content:"POST"; depth:4; nocase; uricontent:"/bc/123kah.php"; nocase;
</verbatim>

Since I'm not really sure what this is, other than pervasive adware, I don't have any refs. You can see some complaints about it at [[http://www.google.com/search?q=123kah.php][google]].

-- Main.MarkTombaugh - 21 Mar 2007
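As an added example (not code from Emerging Threats or from the comment above), the Python below re-implements the two detection conditions this page discusses and runs them over constructed HTTP requests: the `content:"User-Agent|3a| M|4f|zilla/"; http_header;` match of SID 2003513, and the POST-to-/bc/123kah.php fragment suggested in the comment. Two details worth seeing in code: a `content` match without `nocase` is byte-exact and case-sensitive, and the rule's `|4f|` escape is 0x4F, the letter O, whereas the request as reproduced in the comment reads `M0zilla` with a digit zero; the samples include both spellings so the difference is visible. The Host, path, and form field names are taken from the comment; the shortened body, the `build_request` helper and the sample names are this example's own.

```python
"""Added example: the two detection conditions from the ET 2003513 page,
re-implemented in Python over constructed requests (not ET or commenter code).

Condition 1, SID 2003513:
    content:"User-Agent|3a| M|4f|zilla/"; http_header;
  |3a| is ':' and |4f| is the letter 'O'; no nocase, so the match is the exact
  bytes b"User-Agent: MOzilla/" anywhere in the HTTP header buffer.

Condition 2, the POST-based alternative from the comment:
    content:"POST"; depth:4; nocase; uricontent:"/bc/123kah.php"; nocase;
  "POST" (any case) within the first 4 payload bytes and the path (any case)
  in the request URI.
"""

CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_block, body).

    header_block is everything between the request line and the empty line,
    roughly what the http_header buffer holds in Snort/Suricata.
    """
    head, _sep, body = raw.partition(CRLF + CRLF)
    request_line, _sep, header_block = head.partition(CRLF)
    parts = request_line.split(b" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], header_block, body


def matches_sid_2003513(raw: bytes) -> bool:
    """True when the header buffer contains the rule's exact bytes."""
    _method, _uri, header_block, _body = parse_request(raw)
    # Built from the rule's own |3a| and |4f| escapes so the letter-O vs
    # digit-0 distinction is explicit: 0x4F is 'O', 0x30 would be '0'.
    pattern = b"User-Agent" + bytes([0x3A]) + b" M" + bytes([0x4F]) + b"zilla/"
    return pattern in header_block


def matches_post_123kah(raw: bytes) -> bool:
    """True for POST (nocase, depth 4) with /bc/123kah.php (nocase) in the URI."""
    _method, uri, _header_block, _body = parse_request(raw)
    return raw[:4].upper() == b"POST" and b"/bc/123kah.php" in uri.lower()


def classify(raw: bytes) -> dict:
    """Evaluate both conditions on one request."""
    return {"sid_2003513": matches_sid_2003513(raw),
            "post_123kah": matches_post_123kah(raw)}


def build_request(method: bytes, uri: bytes, headers: list, body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.1 request; Content-Length is derived from body."""
    lines = [method + b" " + uri + b" HTTP/1.1"]
    lines += [name + b": " + value for name, value in headers]
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return CRLF.join(lines) + CRLF + CRLF + body


# Constructed samples modelled on the capture in the comment above (hypothetical
# requests; the form body is shortened, Host and path are the ones the comment names).
BODY = b"showed=&clicked=&version=1.0.5.5&rnd=4730&tail=f5416643"
COMMON = [(b"Host", b"almightyads.com"),
          (b"Content-Type", b"application/x-www-form-urlencoded")]
BROWSER_UA = b"Mozilla/4.0 (compatible; MSIE 6.0)"

SAMPLES = {
    # User-Agent with the letter O, exactly what |4f| in the rule asks for
    "adware_letter_O": build_request(
        b"POST", b"/bc/123kah.php",
        [(b"User-Agent", b"MOzilla/4.0 (compatible)")] + COMMON, BODY),
    # Same request with a digit zero, as the header reads in the comment's dump
    "adware_digit_0": build_request(
        b"POST", b"/bc/123kah.php",
        [(b"User-Agent", b"M0zilla/4.0 (compatible)")] + COMMON, BODY),
    # Normal browser UA to the same path, mixed case: only the POST rule fires
    "browser_same_path": build_request(
        b"post", b"/BC/123KAH.PHP", [(b"User-Agent", BROWSER_UA)] + COMMON, BODY),
    # Ordinary GET with a normal UA: neither fires
    "benign_get": build_request(
        b"GET", b"/index.html",
        [(b"User-Agent", BROWSER_UA), (b"Host", b"example.com")]),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} {classify(raw)}")
```

Run it directly to see the verdict per sample. The zero-spelled request only trips the POST condition, which is the point of the comment's alternative: it keys on the request the adware has to make rather than on a string it could spell differently, at the cost of being tied to a path that, as the comment says, might change at any time.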
Copyright © Emerging Threats