[Emerging-Sigs] Suspect Digital Alpha UA...

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 1 16:51:38 EDT 2010


Posting, these will be fun :)

Matt

On Sep 29, 2010, at 3:09 AM, Eric Romang wrote:

> Hello Waldo Kitty,
>  
> As you describe in your analysis, the activities are around a web forum.
>  
> Is the targeted web forum "Invasion Power Board"?
>  
> Regards
> 
> 2010/9/15 waldo kitty <wkitty42 at windstream.net>
> 
> so, what's the likelihood of this UA actually and validly being used today?
> 
> Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT;
> Powered By 64-Bit Alpha Processor)
> 
> 
> my research (see following urls and comments) brings me to the opinion that it
> is not very likely that this UA would be used by valid browsers today...
> so, with that in mind, I propose the following two rules...
> 
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
>   msg:"LOCAL.RULES Suspect Inbound AlphaServer UA"; \
>   flow:to_server,established; \
>   content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 4.01\; Digital AlphaServer 1000A 4/233\; Windows NT\; Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; \
>   classtype:trojan-activity; sid:1005004; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>   msg:"LOCAL.RULES Suspect Outbound AlphaServer UA"; \
>   flow:to_server,established; \
>   content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 4.01\; Digital AlphaServer 1000A 4/233\; Windows NT\; Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; \
>   classtype:trojan-activity; sid:1006004; rev:1;)
> 
> 
> 
> http://en.wikipedia.org/wiki/AlphaServer shows the named Alpha unit to be a
> single 233 MHz CPU with up to 1Gig of RAM... the first of the Digital Noritake
> family... really? I seriously doubt that IF any of these are running today that
> they are 1. housed in a colo (CSSGROUP in Latvia) 2. serving web pages 3.
> visiting only forum pages 4. always failing to pass forum registration 5. living
> on a cable tv connection in panama doing the exact same things as the one in
> Latvia... I think I'll stop there if you know what i mean ;)
> 
> 
> http://www.zytrax.com/tech/web/msie-history.html shows the following quote...
> 
> Explanation: MSIE 4.1 on NT 4.0 on an AlphaServer (wow). We think this is the
> stock browser that ships with the NT 4.0 release and last time we could not use
> this browser to update this browser if you get our meaning. String from Jonathan
> McCormack - thanks.
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> 
> 


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
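The following Python is an added illustration of what the two proposed rules actually match; it is not part of the original thread and not waldo kitty's code. It mirrors the content match byte for byte: the User-Agent header must be bracketed by CRLF on both sides (the |0d 0a| markers) and, because of nocase, the comparison is case-insensitive. The HTTP requests it scans are constructed here for the example; the host name forum.example.test and the request paths are invented, and nothing is captured from the hosts mentioned in the thread.

```python
import re

# The User-Agent string under discussion, copied from the proposed rules.
ALPHA_UA = (
    "Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; "
    "Windows NT; Powered By 64-Bit Alpha Processor)"
)

# Mirror of the rules' content match: the header is bracketed by CRLF on both
# sides (the |0d 0a| bytes), and 'nocase' makes the comparison case-insensitive.
UA_PATTERN = re.compile(
    rb"\r\nUser-Agent: " + re.escape(ALPHA_UA.encode("ascii")) + rb"\r\n",
    re.IGNORECASE,
)


def matches_alpha_ua(request: bytes) -> bool:
    """True if a raw HTTP request carries exactly the suspect User-Agent header."""
    return UA_PATTERN.search(request) is not None


def scan_requests(requests):
    """Return (index, request line) for every request the rules would fire on."""
    hits = []
    for i, req in enumerate(requests):
        if matches_alpha_ua(req):
            request_line = req.split(b"\r\n", 1)[0].decode("ascii", "replace")
            hits.append((i, request_line))
    return hits


def build_request(method, path, user_agent, host="forum.example.test"):
    """Assemble a minimal raw HTTP/1.1 request (constructed test data, hypothetical host)."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Accept: */*\r\n\r\n"
    ).encode("ascii")


# Constructed sample traffic; none of this is captured from the hosts in the thread.
SAMPLE_REQUESTS = [
    # 0: the exact string on a forum registration POST -> fires
    build_request("POST", "/forum/register.php", ALPHA_UA),
    # 1: whole request lower-cased (header name included) -> nocase still fires
    build_request("GET", "/forum/index.php", ALPHA_UA).lower(),
    # 2: extra token appended to the UA -> trailing CRLF anchor rejects it
    build_request("GET", "/forum/index.php", ALPHA_UA + " Extra/1.0"),
    # 3: an ordinary browser -> no match
    build_request("GET", "/forum/index.php",
                  "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"),
]

if __name__ == "__main__":
    for idx, line in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {line}")
```

Two things worth noting when tuning: the trailing |0d 0a| means a client that appends anything to this string does not trigger the rule (request 2 above), which is what the rules intend but narrows them to the exact token; and because the match is on raw payload, a request split across TCP segments or sent over a non-$HTTP_PORTS port will not be seen, which is the usual trade-off of a plain content match versus binding it to the HTTP preprocessor's header buffer.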


