[Emerging-Sigs] SpyEye false positive...

Jeff Kell jeff-kell at utc.edu
Wed Oct 27 15:34:31 EDT 2010


ET sig "ET TROJAN SpyEye style HTTP Header GET structure"

It appears to be firing on AVG updates...  (at least they look like legit updates...)

GET /softw/90free/update/x8xplsc_382d380d0.bin HTTP/1.0
User-Agent: AVGINET9-WVSHX86 90FREE AVI=271.1.1/3221 BUILD=864 LOC=1033 LIC=9AVFREE-VKPCB-6BWFM-TRLQR-BRUHP-CP86G DIAG=1310 OPF=0 PCA=
Host: af.avg.com
Accept: */*
Accept-Encoding: identity,deflate,gzip
Pragma: no-cache
Cache-Control: no-cache
x-avg-id:77-88201763-XL+1-T5-FP9+6-TB9+2-FL+9-F9M+1
X-ofap: ver=20,35
X-onap: ver=36 uri= dta=1

The signature already has a content negating the Host "update.nai.com"; it appears we may need another negated content (not sure if "af" only matches the free version or not, will have to check some more data).

Jeff
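To make the false-positive tuning concrete, here is an added example (not the Emerging Threats rule text, which is not reproduced in the post, and not code from the list) that models the rule as a GET-structure check plus a negated Host content, then tests the quoted AVG request before and after adding "af.avg.com" to the negation list. The positive match criteria (HTTP/1.0 GET for a .bin URI with Pragma: no-cache) are an assumption standing in for the real rule's content matches; the two hostnames come from the post.

```python
"""Model of an IDS HTTP GET signature with negated Host content, used to
check whether a proposed exclusion silences the AVG update false positive.
Added example; the positive criteria are assumed, not the real ET rule."""

from typing import Dict, Tuple

# Constructed sample: the AVG update request quoted in the post.
AVG_REQUEST = (
    "GET /softw/90free/update/x8xplsc_382d380d0.bin HTTP/1.0\r\n"
    "User-Agent: AVGINET9-WVSHX86 90FREE AVI=271.1.1/3221 BUILD=864 "
    "LOC=1033 LIC=9AVFREE-VKPCB-6BWFM-TRLQR-BRUHP-CP86G DIAG=1310 OPF=0 PCA=\r\n"
    "Host: af.avg.com\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity,deflate,gzip\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "x-avg-id:77-88201763-XL+1-T5-FP9+6-TB9+2-FL+9-F9M+1\r\n"
    "X-ofap: ver=20,35\r\n"
    "X-onap: ver=36 uri= dta=1\r\n"
    "\r\n"
)

# Negated Host contents: the one the post says is already in the rule,
# and the proposed addition for the AVG update host.
CURRENT_NEGATIONS: Tuple[str, ...] = ("update.nai.com",)
PROPOSED_NEGATIONS: Tuple[str, ...] = CURRENT_NEGATIONS + ("af.avg.com",)


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, uri, version, headers).
    Header names are lower-cased; 'x-avg-id:77-...' (no space) is handled."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def spyeye_style_get_matches(raw: str, negated_hosts: Tuple[str, ...]) -> bool:
    """Return True if the modelled signature would alert on this request."""
    method, uri, version, headers = parse_request(raw)
    # Assumed positive criteria (stand-in for the real rule's content matches):
    # an HTTP/1.0 GET for a .bin resource sent with Pragma: no-cache.
    if method != "GET" or version != "HTTP/1.0":
        return False
    if not uri.endswith(".bin"):
        return False
    if headers.get("pragma", "").lower() != "no-cache":
        return False
    # Negated content on the Host header: a listed host suppresses the alert,
    # mirroring a content:!"update.nai.com" style match. Note it is a substring
    # match on this host only, so a different AVG host would still alert.
    host = headers.get("host", "").lower()
    return not any(neg in host for neg in negated_hosts)


def evaluate_exclusion(raw: str = AVG_REQUEST) -> Dict[str, bool]:
    """Alert outcome for the same request before and after the proposed negation."""
    return {
        "before": spyeye_style_get_matches(raw, CURRENT_NEGATIONS),
        "after": spyeye_style_get_matches(raw, PROPOSED_NEGATIONS),
    }


if __name__ == "__main__":
    print(evaluate_exclusion())  # {'before': True, 'after': False}
```

The model makes the limit of the fix visible: the negation is keyed on the one host seen in the capture, so the same request with any other Host value (the uncertainty the post raises about the free version) still alerts, which is why more samples are needed before settling on the exclusion.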
