[Emerging-Sigs] SIMBAR

RPG inittab at jtan.com
Mon Jan 12 08:39:28 EST 2009


We're observing a User-Agent of "SIMBAR" from some systems that are
visiting some dubious websites including some in the RBN.  Is anyone
else seeing this, or does anyone know more about it?

Here's one log entry as an example (one line, wrapped by mail):
10.10.10.1 - - [11/Jan/2009:21:13:40 +0000] "GET http://interplusclickDOTcom/v/we-content.php?cid=7614&uid=17925987307215260044&rnd=6492 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TB Newsbar; SIMBAR={5CD00AFD-B724-4030-967C-7794EF25D5A2}; InfoPath.1; .NET CLR 2.0.50727)"

I'm not finding too much about SIMBAR on the web.  Unless someone can
tell me that this is of friendly nature I propose adding the following
signature to the emerging-malware.rules.  The "reference" might be a
little weak but it's a starting point.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"ET MALWARE Simbar User-Agent detected"; \
    flow:established,to_server; \
    content:"|0d 0a|User-Agent\: "; \
    content:"SIMBAR="; \
    pcre:"/User-Agent\:[^\n]+\;\sSIMBAR=/"; \
    reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; \
    threshold:type limit, count 1, seconds 60, track by_src; \
    classtype:trojan-activity; sid:XXXXXXXXXXXXXXXXXXX; rev:1;)
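Added example (not from the post above, and not an Emerging Threats tool): a small Python emulation of the proposed rule's match logic and its per-source threshold, run over constructed HTTP requests plus the proxy log line quoted in the post. The hostnames, IPs and timestamps in SAMPLE_EVENTS are made up; the only real data is the log line copied from the message.

```python
"""Emulate the proposed "ET MALWARE Simbar User-Agent" rule: the two content
matches, the pcre, and "threshold:type limit, count 1, seconds 60, track by_src".
Added example; sample traffic below is constructed, not captured."""
import re

# content:"|0d 0a|User-Agent\: "  -> header must start right after a CRLF
UA_HEADER = b"\r\nUser-Agent: "
# content:"SIMBAR="               -> cheap substring pre-filter, anywhere in payload
SIMBAR_TOKEN = b"SIMBAR="
# pcre:"/User-Agent\:[^\n]+\;\sSIMBAR=/" -> SIMBAR= must sit inside the UA value,
# after at least one earlier token and a "; " separator (case-sensitive, as in the rule)
SIMBAR_RE = re.compile(rb"User-Agent:[^\n]+;\sSIMBAR=")


def matches_simbar(request: bytes) -> bool:
    """True if a raw client->server HTTP request would trip the signature."""
    if UA_HEADER not in request or SIMBAR_TOKEN not in request:
        return False
    return SIMBAR_RE.search(request) is not None


def ua_from_combined_log(line: str) -> str:
    """Pull the User-Agent (last quoted field) out of a combined-format log line."""
    fields = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    return fields[-1] if fields else ""


def log_line_matches_simbar(line: str) -> bool:
    """Apply the same UA check to a proxy/web log line instead of raw traffic."""
    ua = ua_from_combined_log(line)
    return matches_simbar(b"\r\nUser-Agent: " + ua.encode() + b"\r\n")


class LimitThreshold:
    """threshold:type limit, count N, seconds S, track by_src: alert on the first
    N matches from a source in each S-second window and drop the rest."""

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self._windows = {}  # src -> [window_start, matches_seen_in_window]

    def allow(self, src: str, ts: float) -> bool:
        win = self._windows.get(src)
        if win is None or ts - win[0] >= self.seconds:
            self._windows[src] = [ts, 1]  # open a new window for this source
            return True
        win[1] += 1
        return win[1] <= self.count


def run_rule(events, count: int = 1, seconds: int = 60):
    """events: iterable of (ts, src, request_bytes). Returns (ts, src) per alert."""
    thr = LimitThreshold(count, seconds)
    alerts = []
    for ts, src, req in events:
        if matches_simbar(req) and thr.allow(src, ts):
            alerts.append((ts, src))
    return alerts


# --- constructed sample data -------------------------------------------------
SIMBAR_UA = (b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TB Newsbar; "
             b"SIMBAR={5CD00AFD-B724-4030-967C-7794EF25D5A2}; InfoPath.1; "
             b".NET CLR 2.0.50727)")


def http_get(path: bytes, ua: bytes) -> bytes:
    """Build a minimal GET request as the sensor would see it on the wire."""
    return (b"GET " + path + b" HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: " + ua + b"\r\n\r\n")


SAMPLE_EVENTS = [
    (0,  "10.10.10.1", http_get(b"/v/we-content.php?cid=7614", SIMBAR_UA)),   # alert
    (30, "10.10.10.1", http_get(b"/v/we-content.php?cid=7614", SIMBAR_UA)),   # same window: suppressed
    (61, "10.10.10.1", http_get(b"/v/we-content.php?cid=7614", SIMBAR_UA)),   # new window: alert
    (5,  "10.10.10.2", http_get(b"/", b"Mozilla/5.0 (Windows NT 5.1) Firefox/3.0")),  # clean
    (10, "10.10.10.3", http_get(b"/?SIMBAR=1", b"Mozilla/4.0 (compatible; MSIE 7.0)")),  # token only in URL
    (15, "10.10.10.4", http_get(b"/", b"SIMBAR={1234}; MSIE 7.0")),  # SIMBAR first: pcre misses it
]

# The log line quoted in the post (proxy combined format), joined onto one line.
POST_LOG_LINE = (
    '10.10.10.1 - - [11/Jan/2009:21:13:40 +0000] "GET http://interplusclickDOTcom'
    '/v/we-content.php?cid=7614&uid=17925987307215260044&rnd=6492 HTTP/1.1" - - "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TB Newsbar; '
    'SIMBAR={5CD00AFD-B724-4030-967C-7794EF25D5A2}; InfoPath.1; .NET CLR 2.0.50727)"'
)

if __name__ == "__main__":
    print("alerts:", run_rule(SAMPLE_EVENTS))          # [(0, '10.10.10.1'), (61, '10.10.10.1')]
    print("post log line matches:", log_line_matches_simbar(POST_LOG_LINE))  # True
```

Two things the emulation makes visible: the threshold only collapses repeats from one source within a window, so a box that keeps beaconing still re-alerts every 60 seconds; and the pcre demands a "; " before SIMBAR=, so a User-Agent whose value begins with SIMBAR= (event 6) passes the two content checks but not the pcre. The content matches are also case-sensitive, since the rule has no nocase, so a lowercase "simbar=" would not fire either.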


