[Emerging-Sigs] Win98 alerts on 2007695
CunningPike
cunningpike at gmail.com
Tue Mar 25 10:11:54 EST 2008
Trend-Micro's agent triggers this sig also:
Count:218 Event#4.401878 2008-03-21 05:00:15
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
a.b.c.d -> e.f.g.h
IPVer=4 hlen=5 tos=0 dlen=336 ID=9202 flags=2 offset=0 ttl=127 chksum=9479
Protocol: 6 sport=2942 -> dport=80
Seq=1655741684 Ack=2129909095 Off=5 Res=0 Flags=***AP*** Win=65535
urp=28673 chksum=0
Payload:
47 45 54 20 2F 61 63 74 69 76 65 75 70 64 61 74 GET /activeupdat
65 2F 69 6E 69 5F 78 6D 6C 2E 7A 69 70 20 48 54 e/ini_xml.zip HT
54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 69 6D TP/1.1..Host: im
73 73 2D 70 2E 61 63 74 69 76 65 75 70 64 61 74 ss-p.activeupdat
65 2E 74 72 65 6E 64 6D 69 63 72 6F 2E 63 6F 6D e.trendmicro.com
3A 38 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A :80..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 4D 53 49 45 20 35 2E mpatible;MSIE 5.
30 3B 20 57 69 6E 64 6F 77 73 20 39 38 29 0D 0A 0; Windows 98)..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72 61 Accept: */*..Pra
67 6D 61 3A 20 4E 6F 2D 43 61 63 68 65 0D 0A 43 gma: No-Cache..C
61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F ache-Control: no
2D 73 74 6F 72 65 2C 20 6E 6F 2D 63 61 63 68 65 -store, no-cache
0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E 65 63 74 69 ..Proxy-Connecti
6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A on: Keep-Alive..
43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 Connection: Clos
65 0D 0A 58 2D 54 72 65 6E 64 2D 41 63 74 69 76 e..X-Trend-Activ
65 55 70 64 61 74 65 3A 20 32 2E 36 31 2E 30 2E eUpdate: 2.61.0.
31 30 33 38 0D 0A 0D 0A 1038....
CP
Matt Jonkman wrote:
> That is a good idea Jack. I'll get it implemented momentarily in cvs!
>
> Thanks for the reminder of the reference too Nate. Added it to the wiki
> entry.
>
> Matt
>
> Nathaniel Richmond wrote:
>> Jack,
>>
>> Good solution.
>>
>> It's not just Dell that uses the agent.
>> http://lists.bleedingthreats.net/pipermail/bleeding-sigs/2007-November/003154.html
>>
>> Nate
>>
>> Jack Pepper wrote:
>>> the 2007695 rule for detecting win98 boxes was getting some bogus hits
>>> on a piece of Dell Spyware. I have split it into two separate rules:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>> Gteko User-Agent Detected - Dell Remote Access";
>>> flow:established,to_server; content:"|0d 0a|User-Agent\: ";
>>> content:"Windows 98"; within:50; content:"GtekClient"; within:50;
>>> pcre:"/User-Agent\:[^\n]+Windows 98[^\n]+GtekClient/i";
>>> classtype:dell-spyware;
>>> reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA;
>>> sid:1007696; rev:7;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>> Windows 98 User-Agent Detected - Possible Malware or Non-Updated System";
>>> flow:established,to_server; content:"|0d 0a|User-Agent\: ";
>>> content:"Windows 98"; within:200; content:!"GtekClient"; within:50;
>>> pcre:"/User-Agent\:[^\n]+Windows 98/i";
>>> classtype:policy-violation;
>>> reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA;
>>> sid:2007695; rev:8;)
>>>
>>> And I decided to create a new classification to go with it, since we
>>> can't do anything about it on the students' machines:
>>>
>>> config classification: dell-spyware,A built-in backdoor was detected,3
>>>
>>> There is packet data in the wiki to describe this finding.
>>>
>>> jp
>>>
>>> --
>>>
>>> Framework? I don't need no stinking framework!
>>>
>>> ----------------------------------------------------------------
>>> @fferent Security Labs: Isolate/Insulate/Innovate
>>> http://www.afferentsecurity.com
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>
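To see why the Trend Micro ActiveUpdate request above still trips sid 2007695 while the Gteko split rule (sid 1007696) does not fire on it, the following added example (not code from the list, Jack, or Emerging Threats) re-implements the content/within chains and the pcre of the two rules in Python with simplified Snort semantics, and runs them over constructed HTTP request payloads. The Trend Micro payload mirrors the headers in the packet dump above; the Gteko payload is a constructed stand-in (the real Gteko User-Agent is in the wiki packet data the thread references, not on this page), and `RULES_WITH_TREND_EXCLUSION` is a hypothetical extension showing how the same exclusion technique would apply to CP's report, not a rule the list adopted.

```python
"""Evaluate the two Snort rules from the thread (sid 1007696 and sid 2007695)
against constructed HTTP requests.

Simplified Snort semantics, sufficient for these rules:
  * content without modifiers searches the whole payload and sets the
    "detect offset end" (doe) pointer to the end of its match;
  * content with within:N must match entirely inside the N bytes after doe;
  * a negated content (content:!"x") fails the rule if the pattern appears
    in its window, and never moves doe.
"""
import re

# One content step: (pattern, negated, within).  within=None means no
# relative modifier, i.e. an absolute search over the whole payload.
RULES = {
    "1007696": {
        "msg": "ET POLICY Gteko User-Agent Detected - Dell Remote Access",
        "contents": [
            (b"\r\nUser-Agent: ", False, None),
            (b"Windows 98", False, 50),
            (b"GtekClient", False, 50),
        ],
        "pcre": re.compile(rb"User-Agent:[^\n]+Windows 98[^\n]+GtekClient", re.I),
    },
    "2007695": {
        "msg": "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System",
        "contents": [
            (b"\r\nUser-Agent: ", False, None),
            (b"Windows 98", False, 200),
            (b"GtekClient", True, 50),
        ],
        "pcre": re.compile(rb"User-Agent:[^\n]+Windows 98", re.I),
    },
}

# Hypothetical extension (assumption, not from the list): apply the same
# split to the Trend Micro false positive by excluding requests that carry
# the X-Trend-ActiveUpdate header.  An unmodified negated content is an
# absolute search, so header order does not matter.
RULES_WITH_TREND_EXCLUSION = {
    "2007695": {
        **RULES["2007695"],
        "contents": RULES["2007695"]["contents"]
        + [(b"\r\nX-Trend-ActiveUpdate:", True, None)],
    }
}

# Constructed sample payloads.  The first mirrors the packet dump in the post;
# the Gteko one is a stand-in whose only property that matters is that
# "Windows 98" and "GtekClient" sit inside the rule's within: distances.
SAMPLES = {
    "trend_activeupdate": (
        b"GET /activeupdate/ini_xml.zip HTTP/1.1\r\n"
        b"Host: imss-p.activeupdate.trendmicro.com:80\r\n"
        b"User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)\r\n"
        b"Accept: */*\r\n"
        b"Connection: Close\r\n"
        b"X-Trend-ActiveUpdate: 2.61.0.1038\r\n\r\n"
    ),
    "gteko_agent": (
        b"GET /check HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; GtekClient)\r\n\r\n"
    ),
    "real_win98_ie": (
        b"GET / HTTP/1.0\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    "modern_client": (
        b"GET / HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:1.9)\r\n\r\n"
    ),
}


def content_chain(payload: bytes, steps) -> bool:
    """Walk a list of content steps the way Snort chains them."""
    doe = 0
    for pattern, negated, within in steps:
        if within is None:
            start, window = 0, payload
        else:
            start, window = doe, payload[doe:doe + within]
        idx = window.find(pattern)
        if negated:
            if idx != -1:
                return False      # forbidden pattern present in the window
            continue              # negated content does not move doe
        if idx == -1:
            return False
        doe = start + idx + len(pattern)
    return True


def matching_sids(payload: bytes, rules=RULES):
    """Return the sids whose content chain and pcre both match the payload."""
    return [sid for sid, r in rules.items()
            if content_chain(payload, r["contents"]) and r["pcre"].search(payload)]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20s} -> {matching_sids(payload) or 'no alert'}")
    print("trend with exclusion  ->",
          matching_sids(SAMPLES["trend_activeupdate"], RULES_WITH_TREND_EXCLUSION) or "no alert")
```

The Trend Micro request satisfies everything 2007695 asks for: a User-Agent header with "Windows 98" within 200 bytes and no "GtekClient" in the 50 bytes after it, so only a further, agent-specific exclusion of the kind the hypothetical variant shows would keep it from alerting.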