[Emerging-Sigs] VB WinHTTP User Agent alerts

Joel Esler joel.esler at sourcefire.com
Thu May 8 09:29:44 EDT 2008


This is why you should wipe all computers you receive with a fresh  
copy of your OS.

J

On May 8, 2008, at 8:52 AM, Jack Pepper wrote:

> sid=2002970
>
> 192.168.10.154	 MALWARE VB WinHTTP User Agent - Possible Malware
>
>
> That WinHTTP alert is caused by some new software that DELL is
> preloading on their computers.  It appears to be uploading hardware
> configuration data once per day.
>
>
> 12:21:50.345343 IP 192.168.10.154.1330 > 12.129.31.109.80: P 1584357475:1584357908(433) ack 1809964304 win 64860
> 0x0000   4500 01d9 48b8 4000 8006 b936 c0a8 0a9a        E...H.@....6....
> 0x0010   0c81 1f6d 0532 0050 5e6f 6063 6be1 dd10        ...m.2.P^o`ck...
> 0x0020   5018 fd5c 0a83 0000 504f 5354 202f 7364        P..\....POST./sd
> 0x0030   6378 7573 6572 2f61 7370 2f64 656c 6c70        cxuser/asp/dellp
> 0x0040   726f 6669 6c65 696e 666f 2e61 7370 2048        rofileinfo.asp.H
> 0x0050   5454 502f 312e 310d 0a43 6f6e 7465 6e74        TTP/1.1..Content
> 0x0060   2d74 7970 653a 2061 7070 6c69 6361 7469        -type:.applicati
> 0x0070   6f6e 2f78 2d77 7777 2d66 6f72 6d2d 7572        on/x-www-form-ur
> 0x0080   6c65 6e63 6f64 6564 0d0a 436f 6e74 656e        lencoded..Conten
> 0x0090   742d 4c65 6e67 7468 3a20 3137 310d 0a41        t-Length:.171..A
> 0x00a0   6363 6570 743a 202a 2f2a 0d0a 5573 6572        ccept:.*/*..User
> 0x00b0   2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f        -Agent:.Mozilla/
> 0x00c0   342e 3020 2863 6f6d 7061 7469 626c 653b        4.0.(compatible;
> 0x00d0   2057 696e 3332 3b20 5769 6e48 7474 702e        .Win32;.WinHttp.
> 0x00e0   5769 6e48 7474 7052 6571 7565 7374 2e35        WinHttpRequest.5
> 0x00f0   290d 0a48 6f73 743a 2077 7777 2e64 656c        )..Host:.www.del
> 0x0100   6c73 7570 706f 7274 6365 6e74 6572 2e63        lsupportcenter.c
> 0x0110   6f6d 0d0a 436f 6e6e 6563 7469 6f6e 3a20        om..Connection:.
> 0x0120   4b65 6570 2d41 6c69 7665 0d0a 0d0a 636c        Keep-Alive....cl
> 0x0130   6965 6e74 5f67 7569 643d 3433 3833 6664        ient_guid=4383fd
> 0x0140   6433 2d30 3732 382d 3437 3364 2d61 3635        d3-0728-473d-a65
> 0x0150   352d 3031 6664 6435 3936 3930 6130 2673        5-01fdd59690a0&s
> 0x0160   6572 7669 6365 5f74 6167 3d34 5651 5351        ervice_tag=4VQSQ
> 0x0170   4231 266d 6f64 656c 3d58 5053 204d 3132        B1&model=XPS.M12
> 0x0180   3130 266c 6f62 3d58 5053 2673 6567 6d65        10&lob=XPS&segme
> 0x0190   6e74 3d32 3926 636f 756e 7472 793d 7573        nt=29&country=us
> 0x01a0   2672 6567 696f 6e3d 5553 2663 6c69 656e        &region=US&clien
> 0x01b0   745f 6c61 6e67 7561 6765 3d65 6e26 7761        t_language=en&wa
> 0x01c0   7272 616e 7479 5f65 7870 5f64 6174 653d        rranty_exp_date=
> 0x01d0   392f 3130 2f32 3030 39                         9/10/2009
>
> -- 
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>


--
Joel Esler  joel.esler at sourcefire.com