[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)

Jose Vila jovimon at gmail.com
Tue Oct 26 09:10:28 EDT 2010


Here are some examples (with some stuff masked by XXXXXX):


POST /gateway/gateway.dll?Action=poll&SessionID=XXXXXXXXX.XXXXXXXXXX HTTP/1.1
Accept: */*
Content-Length: 0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; WinuE v6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; WinuE v6; WinuE v6; Windows Live Messenger 14.0.8089.0726)
Host: 65.54.61.180
Connection: Keep-Alive
Cache-Control: no-cache


POST /tmm/screen/sesXXXXXXXXXX/ret0/cmd2/fooXXXXXXXX/modtmm.axrq HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32; Auralog)
Host: h38.e-tmm.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


M3WEJ6WriLyKQP9M&fri
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: mail.google.com
Accept: */*
Accept-Language: es
x-same-domain: 1
UA-CPU: x86
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 0



On Tue, Oct 26, 2010 at 14:54, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> What kinds of packets are you seeing this on?
>
> Very unusual to see it that often...
>
> Matt
>
> On Oct 26, 2010, at 8:38 AM, Jose Vila wrote:
>
>> Hello,
>> It's nice to meet all of you !
>> I built an IDS a few weeks ago and I'm getting a lot of false
>> positives from this rule.
>> The destinations of most of the alerts generated are Microsoft ranges
>> (mainly 65.52.0.0/14), and they say that it's Live Messenger and other M$
>> apps, and there are also some GMail requests, and others ...
>>
>> Has anyone else also had false positives?
>>
>> Thank you in advance !
>> Jose.
>>
>> The rule:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
>> Zero Content-Length HTTP POST with data (outbound)";
>> flow:established,to_server; content:"POST"; nocase; http_method;
>> content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|";
>> distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819;
>> rev:1;)
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
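The following is an added example, not code from the thread or from Emerging Threats: a small Python model of sid:2011819's content options, run over constructed payloads shaped like the headers above (not the real captures). It shows why keep-alive clients such as Live Messenger fire the rule: when two pipelined requests are reassembled into one client-to-server buffer, the bytes after the first request's `\r\n\r\n` are the next request, so `isdataat:1,relative` succeeds. The `REQ_LINE` check that tags such alerts as "pipelined" is an assumed refinement for illustration, not the rule's logic or an ET fix, and `http_method` is approximated by looking at the first bytes of the payload.

```python
"""Model of ET rule sid:2011819 ("Zero Content-Length HTTP POST with data")
run over constructed client-to-server payloads. Added example; the payloads
are constructed for illustration and are not the captures from the thread."""
import re

# The rule's two literal content matches, as the bytes they expand to.
CL_ZERO = b"\r\nContent-Length: 0\r\n"   # content:"|0D 0A|Content-Length|3a| 0|0D 0A|"
HDR_END = b"\r\n\r\n"                    # content:"|0D 0A 0D 0A|"; distance:0

# Assumed refinement (not part of the ET rule): does the "data" after the
# header terminator simply look like the next request on a keep-alive stream?
REQ_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def rule_2011819(payload: bytes) -> str:
    """Return 'no-match', 'alert' or 'alert-pipelined' for one payload.

    The rule's content options are modelled as ordered substring searches:
      content:"POST"; nocase; http_method;   -> method is POST (any case)
      CL_ZERO anywhere in the payload
      HDR_END found at or after the end of the CL_ZERO match (distance:0)
      isdataat:1,relative                    -> at least one byte after HDR_END
    'alert-pipelined' is the assumed refinement above, for alerts whose
    trailing bytes start a new request line.
    """
    if payload[:5].upper() != b"POST ":
        return "no-match"
    start = 0
    while True:                        # try every "Content-Length: 0" occurrence
        i = payload.find(CL_ZERO, start)
        if i < 0:
            return "no-match"
        # distance:0 -> the search starts where the previous match ended, so
        # the CRLF already consumed by CL_ZERO cannot be reused for HDR_END.
        j = payload.find(HDR_END, i + len(CL_ZERO))
        if j >= 0:
            rest = payload[j + len(HDR_END):]
            if rest:                   # isdataat:1,relative succeeds
                return "alert-pipelined" if REQ_LINE.match(rest) else "alert"
        start = i + 1


# Constructed samples (shaped like the thread's headers, not the real captures).
MSN_POLL = (
    b"POST /gateway/gateway.dll?Action=poll&SessionID=X HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 0\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Host: 65.54.61.180\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
ZERO_CL_WITH_BODY = (             # what the rule is meant to catch
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: c2.example\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"id=1&data=c2VjcmV0"
)
NORMAL_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"user=jose"
)
CL_LAST_HEADER = (                # Content-Length: 0 is the final header
    b"POST /mail/ HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

SAMPLES = {
    "single poll": MSN_POLL,
    "two polls, keep-alive": MSN_POLL + MSN_POLL,        # reassembled together
    "zero CL with body": ZERO_CL_WITH_BODY,
    "normal post": NORMAL_POST,
    "CL last + one next request": CL_LAST_HEADER + MSN_POLL,
}


def run_samples() -> dict:
    """Verdict for every constructed sample, keyed by its label."""
    return {name: rule_2011819(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28s} -> {verdict}")
```

Two things stand out when the model runs. A single poll with nothing after its header terminator never matches, but two polls reassembled into one buffer produce the same alert as a genuine zero-length POST carrying a body, which is exactly the Live Messenger and GMail pattern reported above. In this model the "Content-Length: 0 as last header" sample followed by one request also does not match, because `distance:0` starts the `\r\n\r\n` search after the CRLF that the `Content-Length` match already consumed; whether a given Snort build and stream reassembler behave identically is worth confirming on real traffic before tuning the rule.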

