[Emerging-Sigs] FP? for ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-) 2007880

Matt Jonkman jonkman at jonkmans.com
Mon Apr 21 20:26:02 EDT 2008


Is ebuddy legitimate software?

It always amazes me that people go to the trouble to add a UA 
descriptor, but put something meaningless in there. Just leave it off...

Matt

Russell Fulton wrote:
> I'm seeing thousands (literally) of hits on this -- all seem linked to
> ebuddy which appears to use '-' as a user-agent. If these are in
> fact FPs we could add a check on the referrer.
> 
> Referer: http://[^.]+\.ebuddy\.com
> 
> Russell
> 
> 
> META
> SID: 6
> CID: 13120160
> TimeStamp: 2008-04-21 09:51:22
> Signature: ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-)
> Sig ID: 2007880
> Sensor Hostname: monitor-dmzo.isec.auckland.ac.nz
> Sensor Interface: dmz sensor
> 
> IP
> Source Address: 130.216.172.168
> Dest Address: 193.238.163.67
> Ver: 4
> Hdr Len: 5
> TOS: 0
> length: 813
> ID: 23282
> flags: 2
> offset: 0
> TTL: 126
> chksum: 2598
> Resolved Source: lb315016168.lbr.auckland.ac.nz
> Resolved Dest: Could Not Resolve
> 
> TCP
> Source Port: 3181
> Dest Port: 80
> Seq: 3917088442
> Ack: 1856875266
> Offset: 5
> Reserved: 0
> Flags: 24
> Window: 64512
> Checksum: 44090
> Urgent Ptr: 0
> Options: None
> Flag bits set (of RB1 RB0 URG ACK PSH RST SYN FIN): ACK, PSH
> 
> 
> DATA
> 
> GET /xml/messages.jsp?hash=2dd20f9a1c226d6fb18807d32b6eee09&version=vm075018&time=1208728279748&0.19064333569956115 HTTP/1.1
> Accept: */*
> Accept-Language: en-nz
> Referer: http://paris.ebuddy.com/vm075018/main.jsp?hash=2dd20f9a1c226d6fb18807d32b6eee09&time=3421445834874452
> User-Agent: -
> Content-Type: text/xml
> UA-CPU: x86
> Accept-Encoding: gzip, deflate
> Host: paris.ebuddy.com
> Connection: Keep-Alive
> Cookie: language=en-GB; __utma=194563065.612748882.1208727343.1208727343.1208727343.1; __utmb=194563065; __utmc=194563065; __utmz=194563065.1208727343.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); passport=patlorick at hotmail.com; hash=2dd20f9a1c226d6fb18807d32b6eee09; emsn_server=http://paris.ebuddy.com; JSESSIONID=857E343354181D8E7ECD7EB40CF92E3C.jk_paris
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
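The exchange above is about tuning the rule (bare "-" User-Agent) with a Referer exception so that ebuddy traffic stops firing. The script below is an added illustration for this thread, not code from the Emerging Threats ruleset or from either poster. It parses an HTTP request's headers, keys on a User-Agent of exactly "-" as the rule does, and then applies Russell's proposed Referer pattern. It also includes a stricter variant of that pattern (my assumption, not something the thread proposes) that requires the host to end right after ".ebuddy.com", because the posted pattern only checks the start of the string. The sample requests are constructed: the first is rebuilt from the payload in the alert (cookie dropped), the others use reserved TEST-NET addresses and example hosts.

```python
import re
from typing import Dict, Iterable

# Russell's proposed Referer exception, exactly as posted in the thread.
EBUDDY_REFERER_LOOSE = re.compile(r"^http://[^.]+\.ebuddy\.com")

# Stricter variant (an assumption of this example, not from the thread):
# the host label must end right after ".ebuddy.com", so a Referer whose
# host merely *starts* with an ebuddy-looking name does not qualify.
EBUDDY_REFERER_STRICT = re.compile(r"^http://[^./]+\.ebuddy\.com(?:[:/]|$)")


def parse_request(raw: str) -> Dict[str, str]:
    """Return the header fields of an HTTP/1.x request as a lower-cased dict.

    Only the header block is parsed; the request line is stored under the
    pseudo-key "_request_line". Header names are case-insensitive per HTTP.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields: Dict[str, str] = {"_request_line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def classify(raw: str, strict: bool = True) -> str:
    """Emulate the rule's trigger plus the proposed Referer exception.

    Returns one of:
      "no-match"   - User-Agent is not the bare "-" the rule keys on
      "suppressed" - UA is "-" but the Referer points at an ebuddy host
      "alert"      - UA is "-" and no acceptable Referer is present
    """
    fields = parse_request(raw)
    if fields.get("user-agent") != "-":
        return "no-match"
    pattern = EBUDDY_REFERER_STRICT if strict else EBUDDY_REFERER_LOOSE
    if pattern.match(fields.get("referer", "")):
        return "suppressed"
    return "alert"


def tally(requests: Iterable[str], strict: bool = True) -> Dict[str, int]:
    """Count outcomes over a batch of requests (the 'thousands of hits' case)."""
    counts = {"no-match": 0, "suppressed": 0, "alert": 0}
    for raw in requests:
        counts[classify(raw, strict)] += 1
    return counts


# Constructed sample: the request from the alert, rebuilt with CRLF line
# endings and without the cookie.
EBUDDY_REQUEST = (
    "GET /xml/messages.jsp?hash=2dd20f9a1c226d6fb18807d32b6eee09&version=vm075018 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://paris.ebuddy.com/vm075018/main.jsp?hash=2dd20f9a1c226d6fb18807d32b6eee09\r\n"
    "User-Agent: -\r\n"
    "Content-Type: text/xml\r\n"
    "Host: paris.ebuddy.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed sample: same bare UA, no Referer at all, i.e. what the rule is for.
BARE_UA_REQUEST = (
    "GET /update.php HTTP/1.1\r\n"
    "User-Agent: -\r\n"
    "Host: 192.0.2.10\r\n"  # TEST-NET address, constructed
    "\r\n"
)

# Constructed sample: a Referer host that only begins with "paris.ebuddy.com".
# The loose pattern accepts it; the strict one does not.
LOOKALIKE_REQUEST = (
    "GET /x HTTP/1.1\r\n"
    "Referer: http://paris.ebuddy.com.example/x\r\n"
    "User-Agent: -\r\n"
    "Host: 192.0.2.11\r\n"
    "\r\n"
)

if __name__ == "__main__":
    batch = [EBUDDY_REQUEST, BARE_UA_REQUEST, LOOKALIKE_REQUEST]
    print("loose :", tally(batch, strict=False))
    print("strict:", tally(batch, strict=True))
```

Running the batch with the loose pattern suppresses both the real ebuddy request and the look-alike; the strict pattern suppresses only the real one. That is the trade-off to weigh before adding the exception to the rule: the Referer is client-supplied, so the exception should match the whole host, not just a prefix.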