[Emerging-Sigs] FPs on "ET TROJAN W32/Parite CnC Checkin" (sid 2013716)

Jeff Kell jeff-kell at utc.edu
Tue Oct 4 12:56:17 EDT 2011


This signature is being triggered by the MSN "SeaPort" search thing
(http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-August/008763.html).

I have accumulated 359 hits from 17 sources directed to 33 different destinations.  All
of the destination IPs are within Microsoft's space and have reverse lookups of the form
"msnbot-a-b-c-d.search.msn.com" where "a.b.c.d" is the IP address of the host.

The URIs are very long, most are longer than the initial packet, therefore I do not have
complete information regarding the actual Host: or User-Agent directives.  For those
that did fit within a packet, the User-Agent is "SeaPort/2.0" or "SeaPort/3.0", and the
Host name is "g.ceipmsn.com".

Was this just coincidental traffic that was generated in a sandbox of a "real" Parite
infection?

Parite is nasty (infecting .exe and .scr files), but none of the write-ups mention any
C&C activity.

Is this an "absolutely false positive"?  Can we possibly exclude this user agent?

Jeff
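The false-positive profile described in the post (User-Agent SeaPort/2.0 or SeaPort/3.0, Host g.ceipmsn.com, destination whose reverse lookup is msnbot-a-b-c-d.search.msn.com with a.b.c.d equal to the destination IP) can be turned into a triage check run over the alert hits before deciding whether to suppress the signature. The script below is an added example written for this thread; it is not part of the Emerging Threats ruleset or the poster's tooling. The `Alert`, `Verdict`, `triage` and `summarize` names are assumptions, the PTR name is supplied by the caller rather than resolved, and the sample alerts use TEST-NET addresses and are constructed, not captured. It also handles the case the post raises: when the URI is longer than the first packet and the Host/User-Agent headers are never seen, the alert is marked undetermined instead of being treated as either a hit or a false positive.

```python
import re
from dataclasses import dataclass

# Added triage helper (not part of the original post or the Emerging Threats ruleset).
# Encodes the false-positive profile described on the list: User-Agent SeaPort/2.0
# or SeaPort/3.0, Host g.ceipmsn.com, and a destination whose PTR record has the
# form msnbot-a-b-c-d.search.msn.com with a.b.c.d equal to the destination IP.
SEAPORT_UA = re.compile(r"^SeaPort/[23]\.0$")
EXPECTED_HOST = "g.ceipmsn.com"
MSNBOT_PTR = re.compile(r"^msnbot-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.search\.msn\.com$")


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    dst_ptr: str        # reverse lookup of dst_ip, supplied by the caller (no DNS here)
    payload: bytes      # first packet of the HTTP request, possibly truncated


@dataclass
class Verdict:
    label: str          # "likely_fp", "undetermined" or "suspicious"
    reason: str


def parse_request(payload: bytes):
    """Parse the header block of a possibly truncated HTTP request.

    Returns (headers, complete). When the terminating blank line is missing the
    last line may be cut mid-way, so it is discarded rather than half-parsed.
    """
    text = payload.decode("latin-1")
    head, sep, _ = text.partition("\r\n\r\n")
    complete = sep != ""
    lines = head.split("\r\n")
    if not complete:
        lines = lines[:-1]          # drop the partial trailing line
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, complete


def ptr_matches_ip(ptr: str, ip: str) -> bool:
    """True when ptr is msnbot-a-b-c-d.search.msn.com and a.b.c.d equals ip."""
    m = MSNBOT_PTR.match(ptr)
    return bool(m) and ".".join(m.groups()) == ip


def triage(alert: Alert) -> Verdict:
    """Classify one hit on the signature against the SeaPort/msnbot profile."""
    if not ptr_matches_ip(alert.dst_ptr, alert.dst_ip):
        return Verdict("suspicious", "destination PTR does not match the msnbot pattern")
    headers, complete = parse_request(alert.payload)
    ua = headers.get("user-agent")
    host = headers.get("host")
    if ua is None or host is None:
        if not complete:
            return Verdict("undetermined", "headers cut off in first packet; reassemble the stream")
        return Verdict("suspicious", "msnbot destination but Host or User-Agent missing")
    if SEAPORT_UA.match(ua) and host == EXPECTED_HOST:
        return Verdict("likely_fp", "matches SeaPort/ceipmsn profile on msnbot host")
    return Verdict("suspicious", f"unexpected User-Agent {ua!r} or Host {host!r}")


def summarize(alerts):
    """Counts in the shape the post reports: hits, distinct sources, distinct destinations."""
    return len(alerts), len({a.src_ip for a in alerts}), len({a.dst_ip for a in alerts})


# Constructed sample alerts (TEST-NET addresses, not real captures).
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "192.0.2.10", "msnbot-192-0-2-10.search.msn.com",
          b"GET /x?a=1 HTTP/1.1\r\nHost: g.ceipmsn.com\r\nUser-Agent: SeaPort/2.0\r\n\r\n"),
    Alert("10.0.0.6", "192.0.2.11", "msnbot-192-0-2-11.search.msn.com",
          b"GET /x?q=" + b"A" * 1400),          # URI longer than the packet: no headers seen
    Alert("10.0.0.5", "192.0.2.12", "host12.example.net",
          b"GET /x HTTP/1.1\r\nHost: g.ceipmsn.com\r\nUser-Agent: SeaPort/3.0\r\n\r\n"),
    Alert("10.0.0.7", "192.0.2.10", "msnbot-192-0-2-10.search.msn.com",
          b"GET / HTTP/1.1\r\nHost: g.ceipmsn.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        v = triage(a)
        print(f"{a.src_ip} -> {a.dst_ip}: {v.label} ({v.reason})")
    print("hits=%d sources=%d destinations=%d" % summarize(SAMPLE_ALERTS))
```

Only hits that come back `likely_fp` support an exclusion; an `undetermined` result means the flow has to be reassembled before the User-Agent can be trusted, and a `suspicious` result (PTR not an msnbot name for that IP, or a different User-Agent or Host) is exactly the traffic a user-agent-based exclusion would otherwise hide.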

