[Emerging-Sigs] FP ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1) -- 2009486

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 24 12:03:56 EDT 2011


On Oct 23, 2011, at 3:05 AM, Russell Fulton wrote:

> I have 5 systems tickling this sig. The packet captures look kosher - different browsers, and many different sites...
> 
> Couple of examples:
> 
> GET /css/vivid_module.css? HTTP/1.1
> Accept: */*
> Referer: http://www.allmusic.com/search/song/big+jetplane
> Accept-Language: en-nz
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
> Accept-Encoding: gzip, deflate
> If-Modified-Since: Thu, 14 Oct 2010 19:32:08 GMT; length=1686
> Host: www.allmusic.com
> Connection: Keep-Alive
> 
> 
> GET /log.php?id=1039&r=64392 HTTP/1.1
> Host: stat.adlesse.com
> Connection: keep-alive
> User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.102 Safari/535.2
> Accept: */*
> Referer: http://dispatch.lite.adlesse.com/?size=300x250&loc=lite&rnd=0.7143454265315086&aduid=adlesse_widget_0.9313804337289184&this_is_adlesse_widget=true
> 
> Each local IP is throwing hits on lots of different sites.

I don't see how these are hitting… There isn't a + in there.

If we had +'s in the packet and not the sig I'd suspect normalization. But it's the other way around, and I'm not aware of any of the engines normalizing the string to match…

Which rev of the sig are you seeing these with? Which engine if you can say?


> 
> Russell (who should go and watch the Rugby soon -- RWC final, NZ vs France -- being played less than a mile from our house, no I did not pay $1000 for a ticket -- I'll watch on TV and leave the windows open for the <delayed> cheering from the stadium :)
> 

Congrats on the win!!!

Matt

> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
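As an added illustration of the point Matt makes above (not code from the thread or from Emerging Threats), the Python below re-creates a literal content match against the two requests Russell posted. The content string "Windows+NT+5.1" is taken from the subject line; the full rule body for SID 2009486 is not on the page, so treating it as the matched content is an assumption. The check shows that a literal match on the plus form cannot hit these packets, that a URL-decoding step on the packet only removes pluses and so cannot help either, and that the space form is what the packets actually carry.

```python
import urllib.parse

# Assumption: the rule's content string is taken from the thread's subject line
# ("Windows+NT+5.1"); the full rule body for SID 2009486 is not on the page.
SIG_CONTENT = "Windows+NT+5.1"

# The two requests quoted in the thread, trimmed to the headers the check needs.
REQUESTS = {
    "msie8_allmusic": (
        "GET /css/vivid_module.css? HTTP/1.1\r\n"
        "Accept: */*\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
        ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)\r\n"
        "Host: www.allmusic.com\r\n"
        "Connection: Keep-Alive\r\n"
        "\r\n"
    ),
    "chrome15_adlesse": (
        "GET /log.php?id=1039&r=64392 HTTP/1.1\r\n"
        "Host: stat.adlesse.com\r\n"
        "Connection: keep-alive\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) "
        "Chrome/15.0.874.102 Safari/535.2\r\n"
        "Accept: */*\r\n"
        "\r\n"
    ),
}


def header_value(raw_request, name):
    """Return the value of header `name` (case-insensitive) or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def literal_match(content, raw_request):
    """A plain content: option is a literal, case-sensitive byte search."""
    return content in raw_request


def decoded_match(content, raw_request):
    """Same search after URL-decoding the packet, which turns '+' into ' '.
    Decoding only ever removes pluses from the packet side, so it cannot make
    a plus-bearing rule content match a space-bearing User-Agent."""
    return content in urllib.parse.unquote_plus(raw_request)


def triage(content, raw_request):
    """Summarise how the rule content relates to one captured request."""
    return {
        "user_agent": header_value(raw_request, "User-Agent"),
        "literal_hit": literal_match(content, raw_request),
        "hit_after_packet_decode": decoded_match(content, raw_request),
        # The reverse direction: the content with spaces instead of '+' is
        # what these packets actually carry.
        "space_form_present": content.replace("+", " ") in raw_request,
    }


def triage_all(content=SIG_CONTENT, requests=REQUESTS):
    """Run the triage over every captured request."""
    return {name: triage(content, raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Running it prints `literal_hit: False` and `hit_after_packet_decode: False` for both captures while `space_form_present` is True, which is the direction mismatch Matt describes: normalization could explain pluses in the packet and spaces in the rule, not the reverse. To finish the triage against a real deployment you would still need the rule revision and engine in use, as he asks.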
