[Emerging-Sigs] FPs on "ET TROJAN W32/Parite CnC Checkin" (sid 2013716)
jeff-kell at utc.edu
Tue Oct 4 12:56:17 EDT 2011
This signature is being triggered by the MSN "SeaPort" search thing
I have accumulated 359 hits from 17 sources directed to 33 different destinations. All
of the destination IPs are within Microsoft's space and have reverse lookups of the form
"msnbot-a-b-c-d.search.msn.com" where "a.b.c.d" is the IP address of the host.
The URIs are very long; most are longer than the initial packet, so I do not have
complete information regarding the actual Host: or User-Agent directives. For those
that did fit within a packet, the User-Agent is "SeaPort/2.0" or "SeaPort/3.0", and the
Host name is "g.ceipmsn.com".
Was this just coincidental traffic that was generated in a sandbox of a "real" Parite
Parite is nasty (infecting .exe and .scr files), but none of the write-ups mention any
Is this an "absolutely false positive"? Can we possibly exclude this user agent?
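An added triage example, not part of the post or of the Emerging Threats ruleset: before suppressing a signature on a User-Agent alone, it helps to check each hit against all three of the indicators the post lists together (User-Agent beginning "SeaPort/", Host "g.ceipmsn.com", and a destination reverse lookup of the form msnbot-a-b-c-d.search.msn.com whose embedded a.b.c.d equals the destination IP). Hits whose request was cut off in the first packet are classed as undetermined rather than as false positives, since the User-Agent and Host are unknown until the stream is reassembled. The `Alert` record layout, the `triage()` labels, and the sample alerts (documentation-range IPs, constructed PTR names) are assumptions made for this example; a check that the destination actually falls in Microsoft's address space is left out because that needs allocation data the example does not carry.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Reverse-DNS shape quoted in the post: msnbot-a-b-c-d.search.msn.com,
# where a.b.c.d is the IP address of the host that answered.
MSNBOT_PTR = re.compile(
    r"^msnbot-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.search\.msn\.com\.?$",
    re.IGNORECASE,
)

SEAPORT_SID = 2013716          # sid named in the post
SEAPORT_HOST = "g.ceipmsn.com"  # Host header named in the post


@dataclass
class Alert:
    """One IDS hit, with the HTTP fields as far as the first packet exposed them.
    Field layout is an assumption for this example, not an ET or Snort format."""
    sid: int
    src_ip: str
    dst_ip: str
    dst_ptr: Optional[str]      # PTR record for dst_ip, None if unresolved
    user_agent: Optional[str]   # None when the request was truncated
    host: Optional[str]         # None when the request was truncated


def ptr_matches_ip(ptr: Optional[str], ip: str) -> bool:
    """True only if ptr has the msnbot-a-b-c-d shape AND a.b.c.d == ip.
    A PTR that names a different address is treated as not matching."""
    m = MSNBOT_PTR.match(ptr or "")
    if not m:
        return False
    embedded = ".".join(m.groups())
    try:
        return ipaddress.ip_address(embedded) == ipaddress.ip_address(ip)
    except ValueError:          # e.g. an octet above 255
        return False


def triage(alert: Alert) -> str:
    """Classify one hit on the SeaPort sid. Labels are this example's own."""
    if alert.sid != SEAPORT_SID:
        return "other-sid"
    ptr_ok = ptr_matches_ip(alert.dst_ptr, alert.dst_ip)
    if alert.user_agent is None or alert.host is None:
        # Truncated request: we cannot see UA/Host, so do not call it an FP yet.
        return "undetermined-truncated" if ptr_ok else "needs-review"
    ua_ok = alert.user_agent.startswith("SeaPort/")
    host_ok = alert.host.lower() == SEAPORT_HOST
    if ua_ok and host_ok and ptr_ok:
        return "likely-fp-seaport"
    return "needs-review"


def summarize(alerts: list) -> dict:
    """Count hits per triage label, the figure to quote when asking for a rule change."""
    counts: dict = {}
    for a in alerts:
        label = triage(a)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample alerts: documentation-range IPs (RFC 5737), invented PTRs.
SAMPLE_ALERTS = [
    Alert(2013716, "192.0.2.10", "203.0.113.5",
          "msnbot-203-0-113-5.search.msn.com", "SeaPort/2.0", "g.ceipmsn.com"),
    Alert(2013716, "192.0.2.11", "203.0.113.6",
          "msnbot-203-0-113-6.search.msn.com", "SeaPort/3.0", "g.ceipmsn.com"),
    # Request longer than the first packet: UA and Host not seen.
    Alert(2013716, "192.0.2.12", "203.0.113.7",
          "msnbot-203-0-113-7.search.msn.com", None, None),
    # Unrelated destination, no msnbot PTR: stays in the review queue.
    Alert(2013716, "192.0.2.13", "198.51.100.9", None, "Mozilla/4.0", "example.invalid"),
    # PTR names a different address than the one contacted: not trusted.
    Alert(2013716, "192.0.2.14", "203.0.113.8",
          "msnbot-203-0-113-9.search.msn.com", "SeaPort/2.0", "g.ceipmsn.com"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.src_ip} -> {a.dst_ip}: {triage(a)}")
    print(summarize(SAMPLE_ALERTS))
```

Only the "likely-fp-seaport" bucket is a candidate for a threshold or suppress entry; the truncated bucket is the one the post itself flags as lacking complete information and is the reason to pull reassembled sessions before deciding.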