[Emerging-Sigs] FP? for ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-) 2007880
Russell Fulton
r.fulton at auckland.ac.nz
Mon Apr 21 18:03:22 EDT 2008
I'm seeing thousands (literally) of hits on this -- all seem linked to
ebuddy which appears to use '-' as a user-agent. If these are in
fact FPs we could add a check on the referrer.
Referer: http://[^.]+\.ebuddy\.com
Russell
META
  SID   CID        TimeStamp             Signature                                                          Sig ID
  6     13120160   2008-04-21 09:51:22   ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-)   2007880

  Sensor Hostname                     Sensor Interface
  monitor-dmzo.isec.auckland.ac.nz    dmz sensor

IP
  Source Address    Dest Address     Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
  130.216.172.168   193.238.163.67   4    5        0    813     23282  2      0       126  2598

  Resolved Source                   Resolved Dest
  lb315016168.lbr.auckland.ac.nz    Could Not Resolve

TCP
  Source Port  Dest Port  Seq         Ack         Offset  Reserved  Flags  Window  Checksum  Urgent Ptr
  3181         80         3917088442  1856875266  5       0         24     64512   44090     0

  Options
  None

  Flags
  RB 1  RB 0  URG  ACK  PSH  RST  SYN  FIN
                    X    X
DATA
GET /xml/messages.jsp?hash=2dd20f9a1c226d6fb18807d32b6eee09&
version=vm075018&time=1208728279748&0.19064333569956115 HTTP
/1.1..Accept: */*..Accept-Language: en-nz..Referer: http://p
aris.ebuddy.com/vm075018/main.jsp?hash=2dd20f9a1c226d6fb1880
7d32b6eee09&time=3421445834874452..User-Agent: -..Content-Ty
pe: text/xml..UA-CPU: x86..Accept-Encoding: gzip, deflate..H
ost: paris.ebuddy.com..Connection: Keep-Alive..Cookie: langu
age=en-GB; __utma=194563065.612748882.1208727343.1208727343.
1208727343.1; __utmb=194563065; __utmc=194563065; __utmz=194
563065.1208727343.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd
=(none); passport=patlorick at hotmail.com; hash=2dd20f9a1c226d
6fb18807d32b6eee09; emsn_server=http://paris.ebuddy.com; JSE
SSIONID=857E343354181D8E7ECD7EB40CF92E3C.jk_paris....
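The referer exception proposed in the post, expressed as detection logic over the request payload from the dump above (an added example, not part of the original post or of the Emerging Threats ruleset). The Host check and the anchoring of the regex are additions here: a Referer is client-supplied, and the bare pattern would also match a hostname that merely begins with an ebuddy.com label.

```python
import re

# Constructed copy of the request payload from the alert above; ".." in the
# BASE dump stands for the CRLF that separates HTTP header lines.
SAMPLE_REQUEST = (
    "GET /xml/messages.jsp?hash=2dd20f9a1c226d6fb18807d32b6eee09&"
    "version=vm075018&time=1208728279748&0.19064333569956115 HTTP/1.1.."
    "Accept: */*..Accept-Language: en-nz.."
    "Referer: http://paris.ebuddy.com/vm075018/main.jsp?hash=2dd20f9a1c226d6fb18807d32b6eee09.."
    "User-Agent: -..Content-Type: text/xml..UA-CPU: x86.."
    "Accept-Encoding: gzip, deflate..Host: paris.ebuddy.com..Connection: Keep-Alive.."
)

# Hypothetical request with the same bare '-' User-Agent but no ebuddy Referer.
SUSPICIOUS_REQUEST = (
    "GET /dl/update.exe HTTP/1.1..User-Agent: -..Host: example.invalid..Connection: close.."
)

# The post's pattern, anchored so "http://x.ebuddy.com.evil.example/" does not match.
EBUDDY_REFERER = re.compile(r"^http://[^.]+\.ebuddy\.com(/|$)", re.IGNORECASE)


def parse_headers(payload: str) -> dict:
    """Split an HTTP request whose CRLFs were rendered as '..' by the BASE
    console into a dict of lower-cased header names; the request line is
    stored under '_request'."""
    lines = payload.replace("\r\n", "..").split("..")
    headers = {"_request": lines[0]}
    for line in lines[1:]:
        if ":" not in line:
            continue  # blank trailer or a non-header line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(payload: str) -> str:
    """'no-match' if the signature's '-' User-Agent condition is not met,
    'ebuddy-fp' if it is met but the request is plainly ebuddy web traffic
    (ebuddy Referer *and* ebuddy Host), otherwise 'alert'."""
    headers = parse_headers(payload)
    if headers.get("user-agent") != "-":
        return "no-match"
    referer = headers.get("referer", "")
    host = headers.get("host", "").lower()
    if EBUDDY_REFERER.match(referer) and host.endswith(".ebuddy.com"):
        return "ebuddy-fp"
    return "alert"
```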