[Emerging-Sigs] 2013782/ET TROJAN W32.Duqu User-Agent

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 21 14:04:50 EDT 2011


Thanks, looks like that UA wasn't as unique as hoped.

Dropping this sig in favor of the more specific one for now. More research ongoing!

Matt



On Oct 21, 2011, at 1:55 PM, Packet Hack wrote:

> Getting a lot of what appear to be normal requests on this one:
> 
> GET /hprofile-ak-snc4/273553_501076216_1129476137_q.jpg HTTP/1.1
> Host: profile.ak.fbcdn.net
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
> rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
> Referer: http://www.facebook.com/
> 
> POST /ajax/feed/ticker/multi_story?__a=1 HTTP/1.1
> Host: www.facebook.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
> rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
> X-SVN-Rev: 461249
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Referer: http://www.facebook.com/
> Content-Length: 2524
> Cookie: [...]
> Pragma: no-cache
> Cache-Control: no-cache
> 
> -- pckthck


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
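The false-positive check this thread illustrates, as an added example that is not part of the original mail or the ET ruleset: replaying a User-Agent-only rule against a small corpus of known-benign requests before it ships. The corpus is constructed from the two Facebook requests quoted above; the function names and the `SUSPECT_UA` constant are mine, not the signature's text.

```python
# Added example (not from the thread or the ET ruleset): measure how often a
# User-Agent-only rule fires on known-benign HTTP traffic. The corpus below is
# constructed from the two requests quoted in the thread, with the wrapped
# User-Agent line re-joined; function names are assumptions.
SUSPECT_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
              "Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)")

# Constructed benign corpus: both requests are ordinary Facebook traffic.
BENIGN_REQUESTS = [
    "GET /hprofile-ak-snc4/273553_501076216_1129476137_q.jpg HTTP/1.1\r\n"
    "Host: profile.ak.fbcdn.net\r\n"
    f"User-Agent: {SUSPECT_UA}\r\n"
    "Accept: image/png,image/*;q=0.8,*/*;q=0.5\r\n"
    "Referer: http://www.facebook.com/\r\n\r\n",
    "POST /ajax/feed/ticker/multi_story?__a=1 HTTP/1.1\r\n"
    "Host: www.facebook.com\r\n"
    f"User-Agent: {SUSPECT_UA}\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "Referer: http://www.facebook.com/\r\n\r\n",
]

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def ua_only_rule(req: dict) -> bool:
    """Fires on the User-Agent string alone, the way the withdrawn sig did."""
    return req["headers"].get("user-agent") == SUSPECT_UA

def false_positive_rate(rule, benign_corpus) -> float:
    """Fraction of known-benign requests on which the rule fires."""
    hits = sum(1 for raw in benign_corpus if rule(parse_request(raw)))
    return hits / len(benign_corpus)

if __name__ == "__main__":
    fpr = false_positive_rate(ua_only_rule, BENIGN_REQUESTS)
    print(f"UA-only rule fires on {fpr:.0%} of the benign corpus")  # prints 100%
```

A rule that fires on every benign sample in a corpus like this is the signal to drop it for a more specific one, as the thread does.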


