[Emerging-Sigs] ET TROJAN HTTP Post with Double Accept header; sid 2008975

Matt Jonkman jonkman at jonkmans.com
Fri Jan 9 10:13:52 EST 2009


My fault. I stripped a pcre Victor had in there originally to generalize
it more. Still strange though that even an MS product would have the
double accept header. That's definitely not a common mistake to make.

Posting this in its place:

# Rule reflowed onto one line (Snort needs a single line or backslash continuations).
# Two fixes to the pcre as posted: the mid-pattern "/" is escaped, and [A-z] is
# narrowed to [A-Za-z], since A-z also takes in the characters [ \ ] ^ _ and `.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malformed Accept header - Likely Trojan-PWS.Win32.QQPass"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Accept\: Accept\: "; pcre:"/^Accept\x3A\sAccept\x3A[^\r\n]*\d+,\s\/[A-Za-z0-9\.]+,\s[A-Za-z0-9\.]+/smi"; classtype:trojan-activity; sid:2008975; rev:1;)

Matt


Jeff Kell wrote:
> Nathaniel Richmond wrote:
>> FYI,
>>
>> With regard to this alert, in at least some instances it seems to be
>> associated with DRM. I've seen it trigger because of double accept
>> headers going to drm.cbtnuggets.com, get.zune.net and
>> wmdrm.windowsmedia.com. The User-Agent has been Windows-Media-DRM of
>> one version or another, e.g. "Windows-Media-DRM/11.0.5721.5145".
> 
> Ditto here.
> 
> Jeff
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
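As an added illustration (my own code, not from this thread or the ET ruleset), here is a Python re-implementation of the rule's matching logic, run offline against constructed sample requests: one shaped the way the restored pcre expects, one double-Accept request of the Windows-Media-DRM kind Nathaniel describes (the Accept line in it is my assumption, not a capture), and one ordinary POST. It shows what the pcre buys: the two content clauses alone fire on any doubled Accept header, and the pcre is what keeps the DRM-style traffic from alerting. The `flow:` keyword is not modelled, and the `[A-z]` ranges are taken as `[A-Za-z]`.

```python
import re

# Hypothetical re-implementation of sid 2008975's match logic (not Snort itself),
# written to check sample requests offline.

# Ported from the rule's pcre; the unescaped "/" is escaped and the [A-z]
# ranges are narrowed to [A-Za-z], which is what the rule evidently meant.
DOUBLE_ACCEPT_RE = re.compile(
    r"^Accept\x3A\sAccept\x3A[^\r\n]*\d+,\s/[A-Za-z0-9.]+,\s[A-Za-z0-9.]+",
    re.S | re.M | re.I,  # the rule's /smi modifiers
)

# content:"POST "; depth:5;            -> request must begin with "POST "
# content:"|0d 0a|Accept\: Accept\: "; -> literal, case-sensitive (no nocase)
CONTENT_MARKER = "\r\nAccept: Accept: "


def content_matches(request: str) -> bool:
    """Both content: clauses of the rule (flow: is not modelled here)."""
    return request.startswith("POST ") and CONTENT_MARKER in request


def pcre_matches(request: str) -> bool:
    """The rule's pcre: clause, applied to the whole request."""
    return DOUBLE_ACCEPT_RE.search(request) is not None


def classify(request: str) -> str:
    """'alert' when every clause fires, 'content-only' when only the content
    clauses match (the pcre then suppresses the alert), else 'no-match'."""
    if not content_matches(request):
        return "no-match"
    return "alert" if pcre_matches(request) else "content-only"


# Constructed sample requests (not captures from the thread).
QQPASS_STYLE = (
    "POST /cgi-bin/upload HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "Accept: Accept: */*, 0, /p.txt, abc\r\n"  # the "digits, /token, token" shape
    "Content-Length: 0\r\n\r\n"
)

# Doubled Accept header without the trailing shape the pcre requires. The
# User-Agent is the one quoted in the thread; the Accept line is assumed.
DRM_STYLE = (
    "POST /license HTTP/1.1\r\n"
    "Host: drm.example.invalid\r\n"
    "User-Agent: Windows-Media-DRM/11.0.5721.5145\r\n"
    "Accept: Accept: */*\r\n"
    "Content-Length: 0\r\n\r\n"
)

NORMAL = (
    "POST /form HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "Accept: */*\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    samples = [("qqpass-style", QQPASS_STYLE), ("drm-style", DRM_STYLE), ("normal", NORMAL)]
    for name, req in samples:
        print(f"{name}: {classify(req)}")
```

Running it prints `alert` for the first sample, `content-only` for the DRM-style one and `no-match` for the plain POST. The same split is what you would see by watching which rule keyword fails in a packet trace: the content match is the cheap fast-pattern gate, and the pcre is the part that actually encodes the trojan's header shape.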



