EmergingThreats > Main Web > 2003626 (revision 4)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; content:!"User-Agent|3A| SogouMobileTool"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:9;)

Added 2014-04-14 19:22:49 UTC

Please modify the rule:

Reason: every time the LG TV starts up it calls home within 30 seconds (it looks like an update check):

POST /CheckSWAutoUpdate.laf HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: snu.lge.com:80
Connection: Keep-Alive
Content-type: application/x-www-form-urlencoded
Content-Length: 572

PFJFUVVFU1Q+CjxQUk9EVUNUX05NPndlYk9TVFYgMy4wPC9QUk9EVUNUX05NPgo8TU9ERUxfTk0+SEVfRFRWX1cxNlBfQUZBREFUQUE8L01PREVMX05NPgo8U1dfVFlQRT5GSVJNV0FSRTwvU1dfVFlQRT4KPE1BSk9SX1ZFUj4wMzwvTUFKT1JfVkVSPgo8TUlOT1JfVkVSPjIwLjQ1PC9NSU5PUl9WRVI+CjxDT1VOVFJZPlVTMjwvQ09VTlRSWT4KPENPVU5UUllfR1JPVVA+VVM8L0NPVU5UUllfR1JPVVA+CjxERVZJQ0VfSUQ+MTQ6Yzk6MTM6NTA6OWY6ZmQ8L0RFVklDRV9JRD4KPEFVVEhfRkxBRz5OPC9BVVRIX0ZMQUc+CjxJR05PUkVfRElTQUJMRT5OPC9JR05PUkVfRElTQUJMRT4KPEVDT19JTkZPPjAxPC9FQ09fSU5GTz4KPENPTkZJR19LRVk+MDA8L0NPTkZJR19LRVk+CjxMQU5HVUFHRV9DT0RFPmVuLVVTPC9MQU5HVUFHRV9DT0RFPjwvUkVRVUVTVD4K

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2016 08:23:56 GMT
Content-length: 508
Content-type: application/octet-stream;charset=UTF-8
Pragma: no-cache;
Expires: -1;
Content-Transfer-Encoding: binary;

PFJFU1BPTlNFPjxSRVNVTFRfQ0Q+OTAwPC9SRVNVTFRfQ0Q+PE1TRz5TdWNjZXNzPC9NU0c+PFJFUV9JRD4wMDAwMDAwMDAwODcyOTE5MDEzNjwvUkVRX0lEPjxJTUFHRV9VUkw+PC9JTUFHRV9VUkw+PElNQUdFX1NJWkU+PC9JTUFHRV9TSVpFPjxJTUFHRV9OQU1FPjwvSU1BR0VfTkFNRT48VVBEQVRFX01BSk9SX1ZFUj48L1VQREFURV9NQUpPUl9WRVI+PFVQREFURV9NSU5PUl9WRVI+PC9VUERBVEVfTUlOT1JfVkVSPjxGT1JDRV9GTEFHPjwvRk9SQ0VfRkxBRz48S0U+PC9LRT48R01UPjE2IE5vdiAyMDE2IDA4OjIzOjU2IEdNVDwvR01UPjxFQ09fSU5GTz4wMTwvRUNPX0lORk8+PENETl9VUkw+PC9DRE5fVVJMPjxDT05URU5UUz48L0NPTlRFTlRTPjwvUkVTUE9OU0U+

After decoding the Base64 bodies we see that this really is "call home" and "update check" network activity.

-- MaksymParpaley - 2016-12-20
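To check the decoding claim above, here is an added Python example (it is not part of the original report and not Emerging Threats code). It Base64-decodes the two bodies quoted in the report, with the stray "?" the wiki inserted into each string removed so they are valid Base64 again (572 and 508 characters, matching the Content-Length headers), parses the single-level XML, and pulls out what an analyst would want to see: product, model and firmware version sent by the TV, any field shaped like a MAC address (the DEVICE_ID), and whether the server's answer actually offers an update. The field meanings are read off the payload itself; the two heuristics, "MAC-shaped value is a hardware identifier" and "no IMAGE_URL/CDN_URL/UPDATE_*_VER means no update offered", are my interpretation, not LG documentation.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Request and response bodies exactly as captured in the report above, with the
# TWiki "?" artifact dropped after "...U1Q" and "...Q0Q" so both decode cleanly.
LG_REQUEST_B64 = (
    "PFJFUVVFU1Q+"
    "CjxQUk9EVUNUX05NPndlYk9TVFYgMy4wPC9QUk9EVUNUX05NPgo8"
    "TU9ERUxfTk0+SEVfRFRWX1cxNlBfQUZBREFUQUE8L01PREVMX05NPgo8"
    "U1dfVFlQRT5GSVJNV0FSRTwvU1dfVFlQRT4K"
    "PE1BSk9SX1ZFUj4wMzwvTUFKT1JfVkVSPgo8"
    "TUlOT1JfVkVSPjIwLjQ1PC9NSU5PUl9WRVI+"
    "CjxDT1VOVFJZPlVTMjwvQ09VTlRSWT4K"
    "PENPVU5UUllfR1JPVVA+VVM8L0NPVU5UUllfR1JPVVA+"
    "CjxERVZJQ0VfSUQ+MTQ6Yzk6MTM6NTA6OWY6ZmQ8L0RFVklDRV9JRD4K"
    "PEFVVEhfRkxBRz5OPC9BVVRIX0ZMQUc+"
    "CjxJR05PUkVfRElTQUJMRT5OPC9JR05PUkVfRElTQUJMRT4K"
    "PEVDT19JTkZPPjAxPC9FQ09fSU5GTz4K"
    "PENPTkZJR19LRVk+MDA8L0NPTkZJR19LRVk+"
    "CjxMQU5HVUFHRV9DT0RFPmVuLVVTPC9MQU5HVUFHRV9DT0RFPjwvUkVRVUVTVD4K"
)
LG_RESPONSE_B64 = (
    "PFJFU1BPTlNFPjxSRVNVTFRfQ0Q+"
    "OTAwPC9SRVNVTFRfQ0Q+PE1TRz5TdWNjZXNzPC9NU0c+"
    "PFJFUV9JRD4wMDAwMDAwMDAwODcyOTE5MDEzNjwvUkVRX0lEPjxJTUFHRV9VUkw+PC9JTUFHRV9VUkw+"
    "PElNQUdFX1NJWkU+PC9JTUFHRV9TSVpFPjxJTUFHRV9OQU1FPjwvSU1BR0VfTkFNRT48VVBEQVRFX01BSk9SX1ZFUj48L1VQREFURV9NQUpPUl9WRVI+"
    "PFVQREFURV9NSU5PUl9WRVI+PC9VUERBVEVfTUlOT1JfVkVSPjxGT1JDRV9GTEFHPjwvRk9SQ0VfRkxBRz48S0U+PC9LRT48R01UPjE2IE5vdiAyMDE2IDA4OjIzOjU2IEdNVDwvR01UPjxFQ09fSU5GTz4wMTwvRUNPX0lORk8+"
    "PENETl9VUkw+PC9DRE5fVVJMPjxDT05URU5UUz48L0NPTlRFTlRTPjwvUkVTUE9OU0U+"
)

# Heuristic (my assumption): a colon-separated 6-byte hex string is a MAC address.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def decode_lg_payload(b64: str) -> dict:
    """Base64-decode one body and flatten its one-level XML into {tag: text}.

    The root element name is kept under "_root" so REQUEST and RESPONSE can be told apart.
    """
    root = ET.fromstring(base64.b64decode(b64))
    fields = {child.tag: (child.text or "") for child in root}
    fields["_root"] = root.tag
    return fields


def hardware_identifiers(fields: dict) -> dict:
    """Fields whose value looks like a MAC address, i.e. stable per-device identifiers."""
    return {k: v for k, v in fields.items() if not k.startswith("_") and MAC_RE.match(v)}


def update_offered(response: dict) -> bool:
    """Heuristic (my assumption): an update is offered only if the server filled in
    an image/CDN location or a target version. All four are empty in this capture."""
    return any(response.get(k) for k in ("IMAGE_URL", "CDN_URL", "UPDATE_MAJOR_VER", "UPDATE_MINOR_VER"))


def summarize(request_b64: str, response_b64: str) -> dict:
    """Analyst-oriented view of one request/response pair."""
    req = decode_lg_payload(request_b64)
    resp = decode_lg_payload(response_b64)
    return {
        "product": req.get("PRODUCT_NM"),
        "model": req.get("MODEL_NM"),
        "firmware": f"{req.get('SW_TYPE')} {req.get('MAJOR_VER')}.{req.get('MINOR_VER')}",
        "country": req.get("COUNTRY"),
        "identifiers_sent": hardware_identifiers(req),
        "server_result": (resp.get("RESULT_CD"), resp.get("MSG")),
        "update_offered": update_offered(resp),
    }


if __name__ == "__main__":
    for key, value in summarize(LG_REQUEST_B64, LG_RESPONSE_B64).items():
        print(f"{key}: {value}")
```

The decoded request confirms the report: a webOS TV announcing its model and FIRMWARE 03.20.45 to snu.lge.com, and a DEVICE_ID with the shape of a MAC address, sent in clear HTTP on every boot; the response carries RESULT_CD 900 / MSG Success with every update field empty.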


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:8;)

Added 2011-12-15 18:09:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:8;)

Added 2011-10-12 19:13:48 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; sid:2003626; rev:8;)

Added 2011-09-14 22:26:48 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003626; rev:8;)

Added 2011-02-04 17:22:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003626; rev:5;)

Added 2009-10-19 09:15:43 UTC

Noticed what appears to be a false positive.

There was a double User-Agent in what looks like traffic to the Giants football team website. Here is the payload that triggered it (what is weird is that I wasn't able to duplicate the alert by going to the URL in the payload, www.giants.com/gameday/SeatingChart.asp):

GET /gameday/SeatingChart.asp HTTP/1.1
Accept: */*
Accept-Encoding: gzip
X-moz: prefetch
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.giants.com
Connection: Keep-Alive

-- JaredB - 09 Dec 2009
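The Giants request is a handy test case for what this signature actually matches. The Python below is an added example, not part of this wiki page and not Emerging Threats code: it emulates the two content matches of the rev 9 rule at the top of the page (both `nocase`, both confined to the header block as `http_header` does) and, for contrast, the rev 5 form that had no `http_header` and so searched the whole payload. It runs over the Giants request above, the header set of the LG TV request from the 2016 report, and three constructed requests: a client with a SogouMobileTool User-Agent (the value "SogouMobileTool/1.0" is invented; only the token comes from the rule) that rev 9's negated match excludes, an ordinary client, and a request that carries the string only in its body. `flow:to_server,established` and the port variables are pcap-level conditions and are not emulated.

```python
# Content matches taken from the rule text on this page; Snort's |3a| is a literal colon.
# Both are lower-cased here because the rule applies nocase to them.
DOUBLE_UA = b"user-agent: user-agent: "         # content:"User-Agent|3a| User-Agent|3a| "
SOGOU_EXCLUSION = b"user-agent: sogoumobiletool"  # content:!"User-Agent|3A| SogouMobileTool" (rev 9)


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (header block, body) at the first blank line.
    LF-only captures like the ones pasted on this page are tolerated."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        head, found, body = raw.partition(sep)
        if found:
            return head, body
    return raw, b""


def matches_rev9(raw: bytes) -> bool:
    """sid 2003626 rev 9: both matches are nocase and limited to the http_header buffer."""
    head, _ = split_request(raw)
    head = head.lower()
    return DOUBLE_UA in head and SOGOU_EXCLUSION not in head


def matches_rev5(raw: bytes) -> bool:
    """sid 2003626 rev 5: same string, nocase, no http_header, so the whole payload is searched."""
    return DOUBLE_UA in raw.lower()


def user_agent_values(raw: bytes) -> list:
    """Every User-Agent header value in the request; shows the duplication is inside the value."""
    head, _ = split_request(raw)
    values = []
    for line in head.splitlines():
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"user-agent":
            values.append(value.strip())
    return values


# From the 2009 false-positive report above (CRLF line endings and the "*/*" restored).
GIANTS_REQUEST = (
    b"GET /gameday/SeatingChart.asp HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"X-moz: prefetch\r\n"
    b"User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    b"InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"
    b"Host: www.giants.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Header set of the LG TV request from the 2016 report; its Base64 body is left out,
# so the Content-Length header does not describe this sample.
LG_REQUEST_HEADERS = (
    b"POST /CheckSWAutoUpdate.laf HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: snu.lge.com:80\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 572\r\n\r\n"
)

# Constructed samples, not captured traffic. The SogouMobileTool value is invented to
# exercise the rev 9 negated match.
SOGOU_REQUEST = (
    b"GET /update HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: User-Agent: SogouMobileTool/1.0\r\n\r\n"
)
NORMAL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)
BODY_ONLY_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: curl/7.88.1\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 25\r\n\r\n"
    b"User-Agent: User-Agent: x"
)

SAMPLES = {
    "giants": GIANTS_REQUEST,
    "lg_tv": LG_REQUEST_HEADERS,
    "sogou": SOGOU_REQUEST,
    "normal": NORMAL_REQUEST,
    "body_only": BODY_ONLY_REQUEST,
}


def evaluate(samples: dict) -> dict:
    """Verdict of both rule revisions for every sample."""
    return {name: {"rev9": matches_rev9(r), "rev5": matches_rev5(r)} for name, r in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLES).items():
        print(f"{name:10} rev9={verdict['rev9']!s:5} rev5={verdict['rev5']!s:5} "
              f"UA={user_agent_values(SAMPLES[name])}")
```

Two things fall out of running it. The Giants and LG requests each carry a single User-Agent header whose value itself begins with "User-Agent: ", which is exactly the client bug the signature keys on, and why the rule says nothing about which software is behind it (Google Desktop, an LG TV, a toolbar). Adding `http_header` from rev 8 onward means the same string inside a POST body no longer fires, and the rev 9 negated match whitelists one known benign client without touching the rest.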



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003626; rev:3;)

Added 2009-02-09 21:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003626; rev:3;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; sid:2003626; rev:2;)

Added 2008-01-28 17:24:21 UTC

We are finding a high correlation between this rule and users running Google Desktop.

-- MikeWazowski - 04 Feb 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; sid:2003626; rev:1;)

Added 2007-04-30 09:45:18 UTC


Topic revision: r4 - 2016-12-20 - MaksymParpaley
 