[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 26 17:24:07 EDT 2010


The first and second I think we can call bad; you should be investigating those. The third looks legit. 

Anyone know what google wants with that request?

Matt

On Oct 26, 2010, at 9:10 AM, Jose Vila wrote:

> Here are some examples (with some stuff masked by XXXXXX):
> 
> 
> POST /gateway/gateway.dll?Action=poll&SessionID=XXXXXXXXX.XXXXXXXXXX HTTP/1.1
> Accept: */*
> Content-Length: 0
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; WinuE v6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; WinuE v6; WinuE v6; Windows Live Messenger 14.0.8089.0726)
> Host: 65.54.61.180
> Connection: Keep-Alive
> Cache-Control: no-cache
> 
> 
> POST /tmm/screen/sesXXXXXXXXXX/ret0/cmd2/fooXXXXXXXX/modtmm.axrq HTTP/1.1
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32; Auralog)
> Host: h38.e-tmm.com
> Content-Length: 0
> Connection: Keep-Alive
> Cache-Control: no-cache
> 
> 
> M3WEJ6WriLyKQP9M&fri
> Content-Type: application/x-www-form-urlencoded;charset=utf-8
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> Host: mail.google.com
> Accept: */*
> Accept-Language: es
> x-same-domain: 1
> UA-CPU: x86
> Pragma: no-cache
> Connection: Keep-Alive
> Content-Length: 0
> 
> 
> 
> On Tue, Oct 26, 2010 at 14:54, Matthew Jonkman
> <jonkman at emergingthreatspro.com> wrote:
>> What kinds of packets are you seeing this on?
>> 
>> Very unusual to see it that often...
>> 
>> Matt
>> 
>> On Oct 26, 2010, at 8:38 AM, Jose Vila wrote:
>> 
>>> Hello,
>>> It's nice to meet all of you !
>>> I built an IDS a few weeks ago and I'm getting flooded with false
>>> positives from this rule.
>>> The destinations of most of the alerts generated are Microsoft ranges
>>> (mainly 65.52.0.0/14), and they show it's Live Messenger and other M$
>>> apps; there are also some GMail requests, and others ...
>>> 
>>> Has anyone else also had false positives?
>>> 
>>> Thank you in advance !
>>> Jose.
>>> 
>>> The rule:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
>>> Zero Content-Length HTTP POST with data (outbound)";
>>> flow:established,to_server; content:"POST"; nocase; http_method;
>>> content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|";
>>> distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819;
>>> rev:1;)
>>> 
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>> 
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
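The rule Jose quoted, re-implemented as an added example (not code from this thread or from the ET ruleset) and run over request buffers constructed from the headers he posted, so the four content matches can be checked one by one. Session tokens stay masked as in the mail, the long User-Agent values are shortened, the GMail request line (cut off in the quoted mail) is replaced by a placeholder path, and the host c2.invalid and the "data=1" body in the positive case are made up.

```python
"""Matching logic of ET sid:2011819, re-implemented over raw HTTP bytes.

Added example; not code from the thread or from the ET ruleset. The sample
buffers are constructed from the headers quoted in the thread, with CRLF
line endings restored, session tokens masked and User-Agent values
shortened. Placeholders (the GMail request line, the c2.invalid host and
its body) are made up for illustration.
"""

# The rule's content matches, in order:
#   content:"POST"; nocase; http_method;
#   content:"|0D 0A|Content-Length|3a| 0|0D 0A|";   -> CL_ZERO
#   content:"|0D 0A 0D 0A|"; distance:0;            -> HDR_END, searched from the END of CL_ZERO
#   isdataat:1,relative;                            -> at least one byte after HDR_END
CL_ZERO = b"\r\nContent-Length: 0\r\n"
HDR_END = b"\r\n\r\n"


def trailing_data(raw: bytes) -> bytes:
    """Bytes the rule treats as 'data' after a zero-length POST, or b"".

    This follows my reading of the rule: the exact header "Content-Length: 0"
    (so "Content-Length: 01" does not match), then CRLFCRLF searched from the
    end of that header (distance:0), then at least one more byte.
    """
    if raw[:5].upper() != b"POST ":              # http_method, nocase
        return b""
    cl = raw.find(CL_ZERO)
    if cl == -1:
        return b""
    end = raw.find(HDR_END, cl + len(CL_ZERO))   # cursor sits at end of the CL match
    if end == -1:
        return b""
    return raw[end + len(HDR_END):]              # isdataat:1,relative -> must be non-empty


def matches_sid_2011819(raw: bytes) -> bool:
    return len(trailing_data(raw)) > 0


# First request from the thread (Live Messenger poll). Content-Length: 0 is
# followed by more headers, so the CRLFCRLF after them is reachable from it.
MSN_POLL = (
    b"POST /gateway/gateway.dll?Action=poll&SessionID=XXXXXXXXX.XXXXXXXXXX HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 0\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Windows Live Messenger 14.0.8089.0726)\r\n"
    b"Host: 65.54.61.180\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

# Third request (GMail). Its request line was cut off in the quoted mail, so a
# placeholder path is used. Content-Length: 0 is the LAST header here.
GMAIL = (
    b"POST /placeholder-path HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded;charset=utf-8\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Host: mail.google.com\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: es\r\n"
    b"x-same-domain: 1\r\n"
    b"UA-CPU: x86\r\n"
    b"Pragma: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# The case the rule is written for: a body despite Content-Length: 0.
# Host and body are made up.
BAD_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: c2.invalid\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"data=1"
)


def run_samples() -> dict:
    """Evaluate the constructed buffers, including pipelined keep-alive cases
    where a following request sits in the same buffer (a hypothesis for the
    FPs, not something the thread establishes)."""
    cases = {
        "msn poll alone": MSN_POLL,
        "msn poll + next poll": MSN_POLL + MSN_POLL,
        "gmail alone": GMAIL,
        "gmail + next poll": GMAIL + MSN_POLL,
        "gmail + two polls": GMAIL + MSN_POLL + MSN_POLL,
        "post with body": BAD_POST,
    }
    return {name: matches_sid_2011819(buf) for name, buf in cases.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```

Two things fall out of running it. A zero-length POST on its own never fires, because isdataat:1,relative needs a byte after the CRLFCRLF; and since that CRLFCRLF is searched from the end of the Content-Length match, a request whose last header is Content-Length: 0 (the GMail sample) can only match if a later CRLFCRLF with data behind it is in the same buffer. Whether the Messenger poll FPs come from a following keep-alive request sharing the buffer is a guess on my part; the pipelined cases only show that such a buffer satisfies the rule as written.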