[Emerging-Sigs] Experimental sig
Matt Jonkman
jonkman at jonkmans.com
Sat Feb 16 00:01:43 EST 2008
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent - Possible Playmp3z or other Spyware Related (Mozilla)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla|0d 0a|"; classtype:trojan-activity; sid:2007854; rev:1;)

Saw a couple spyware/adware installers that are using the user agent of
JUST Mozilla. Very unique, but I hope there aren't a bunch of poorly
coded legitimate embedded devices out there doing crud like this.
Please report any falses.
Matt
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
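
Added example, not part of the original post and not Emerging Threats code: a Python emulation of the rule's single content match, run over constructed HTTP requests, next to a header-aware check for the same bare "Mozilla" value. It shows which requests the byte-exact match fires on and which header spellings it does not cover; the request builder, sample names, host and URI are assumptions made for illustration.

```python
# Added example: emulates the rule's single content match on raw HTTP request bytes.
# All requests below are constructed samples, not captured traffic.

RULE_CONTENT = b"\r\nUser-Agent: Mozilla\r\n"  # |0d 0a|User-Agent\: Mozilla|0d 0a|


def rule_matches(payload: bytes) -> bool:
    """Case-sensitive substring match; the rule carries no nocase modifier."""
    return RULE_CONTENT in payload


def user_agent(payload: bytes):
    """Return the User-Agent value from the header block, or None if absent."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def bare_mozilla(payload: bytes) -> bool:
    """Header-aware check: the User-Agent value is exactly 'Mozilla'."""
    return user_agent(payload) == "Mozilla"


def request(ua_line: bytes) -> bytes:
    """Build a constructed GET request around one User-Agent header line."""
    return (b"GET /update.php HTTP/1.1\r\nHost: example.test\r\n"
            + ua_line + b"\r\nAccept: */*\r\n\r\n")


SAMPLES = {
    "bare": request(b"User-Agent: Mozilla"),
    "browser": request(b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"),
    "lowercase_name": request(b"user-agent: Mozilla"),
    "no_space": request(b"User-Agent:Mozilla"),
    "no_ua": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def compare():
    """Map sample name -> (raw rule match, header-aware match)."""
    return {k: (rule_matches(v), bare_mozilla(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, parsed) in compare().items():
        print(f"{name:15} rule={raw!s:5} header_aware={parsed}")
```

A full browser string never matches because the rule requires CRLF immediately after "Mozilla"; the two rows where the columns differ are the header spellings to keep in mind when judging the rule's coverage.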