[Emerging-Sigs] SIMBAR

Matt Jonkman jonkman at jonkmans.com
Mon Jan 12 10:05:46 EST 2009

Wow, interesting. Simbar was a spyware package from way back. If I
recall right it was dying out when we FIRST started writing spyware
signatures. Hence no rule for it. That's been 6 years, I wonder why the
sudden revival?

Anyway, your sig looks good. I have another reference to add and will
post it.



RPG wrote:
> We're observing a User-Agent of "SIMBAR" from some systems that are
> visiting some dubious websites including some in the RBN.  Is anyone
> else seeing this, or does anyone know more about it?
> Here's one log entry as an example:
> - - [11/Jan/2009:21:13:40 +0000] "GET
> http://interplusclickDOTcom/v/we-content.php?cid=7614&uid=17925987307215260044&rnd=6492
> HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TB
> Newsbar; SIMBAR={5CD00AFD-B724-4030-967C-7794EF25D5A2}; InfoPath.1; .NET
> CLR 2.0.50727)"
> I'm not finding too much about SIMBAR on the web.  Unless someone can
> tell me that this is of friendly nature I propose adding the following
> signature to the emerging-malware.rules.  The "reference" might be a
> little weak but it's a starting point.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET MALWARE Simbar User-Agent detected";
> flow:established,to_server; content:"|0d 0a|User-Agent\: ";
> content:"SIMBAR="; pcre:"/User-Agent\:[^\n]+\;\sSIMBAR=/";
> reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805;
> threshold:type limit, count 1, seconds 60, track by_src;
> classtype:trojan-activity; sid:XXXXXXXXXXXXXXXXXXX; rev:1;)

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
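
For hunting the same indicator retroactively in proxy logs, this added example (not part of the original thread) applies the proposed rule's User-Agent pattern and an approximation of its `threshold:type limit, count 1, seconds 60, track by_src` to log lines. The log layout with a leading source address, the `example.test` URL and the 192.0.2.x addresses are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime

# Assumed layout: src ident user [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'\S+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Mirrors the rule's pcre on the User-Agent value: some text, then ";<space>SIMBAR=".
# The optional group captures the GUID when one follows the token.
SIMBAR_RE = re.compile(r'.+;\sSIMBAR=(\{[0-9A-Fa-f-]{36}\})?')

def simbar_hits(lines, window=60):
    """Return (src, timestamp, guid) alerts, at most one per src per window."""
    window_start = {}  # src -> time of the alert that opened the current window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        hit = m and SIMBAR_RE.match(m['ua'])
        if not hit:
            continue  # unparsable line, or no "; SIMBAR=" token in the User-Agent
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        start = window_start.get(m['src'])
        if start is not None and (ts - start).total_seconds() < window:
            continue  # suppressed: already alerted for this source in the window
        window_start[m['src']] = ts
        alerts.append((m['src'], ts.isoformat(), hit.group(1)))
    return alerts

UA_SIMBAR = ('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TB Newsbar; '
             'SIMBAR={5CD00AFD-B724-4030-967C-7794EF25D5A2}; InfoPath.1)')

def sample_line(src, hms, ua):  # builds one constructed log line
    return (f'{src} - - [11/Jan/2009:{hms} +0000] '
            f'"GET http://example.test/ HTTP/1.1" 200 512 "-" "{ua}"')

SAMPLE = [  # constructed input, not captured traffic
    sample_line('192.0.2.10', '21:13:40', UA_SIMBAR),   # first hit: alert
    sample_line('192.0.2.22', '21:13:50', 'Mozilla/4.0 (compatible; MSIE 7.0)'),
    sample_line('192.0.2.10', '21:14:05', UA_SIMBAR),   # 25 s later: suppressed
    sample_line('192.0.2.10', '21:14:45', UA_SIMBAR),   # 65 s later: new window
    sample_line('192.0.2.33', '21:15:00', 'SIMBAR=x'),  # no "; " before token
]

if __name__ == '__main__':
    for alert in simbar_hits(SAMPLE):
        print(alert)
```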
