[Emerging-Sigs] 2010157/ET USER_AGENTS TROJAN Nanspy User-Agent (XXX)

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 24 14:23:15 EDT 2011


This sig is (summarized)

alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"User-Agent|3a| XXX"; http_header;)

So it shouldn't hit on the UAs below. We ought to get some coverage on those for policy though, perhaps.

As for the Nanspy... I'd look into that. If it's not Nanspy, it's something of interest, I'd say. Perhaps something hitting Sony as a connectivity check?

The Nanspy UAs we have are just the XXX as in the sig, but we left it open-ended to catch other interesting things, of which this is certainly one.

Any other interesting UAs from the host?

Matt

On Oct 24, 2011, at 1:52 PM, Martin Holste wrote:

> There's a version of Safari with:
> 
> Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us)
> AppleWebKit/X.X (KHTML, like Gecko) Version/X.X Mobile/XXXX Safari/X.X
> 
> Obviously not a match, but maybe whatever plugin the iPhone is using
> "Mobile/XXXX" is a common component that's being used standalone
> elsewhere by Sony in an updater util.
> 
> On Mon, Oct 24, 2011 at 12:39 PM, Packet Hack <pckthck at gmail.com> wrote:
>> Seeing this trip the above sig:
>> 
>>  GET / HTTP/1.1
>>  User-Agent: XXXX
>>  Host: www.sony.net
>>  Cache-Control: no-cache
>> 
>> Is this Nanspy? If not, anyone know what it is?
>> 
>> -- pckthck
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
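Added illustration (written for this page, not code from Emerging Threats or anyone on the thread): an emulation of the summarized rule's content match run over constructed requests, showing why the unanchored `User-Agent|3a| XXX` fires on pckthck's `User-Agent: XXXX` but not on the Safari string that merely contains `Mobile/XXXX`, and how a trailing `|0d 0a|` would close the match to exactly `XXX`. Treating the `http_header` buffer as a plain substring search over the raw header block is a simplification assumed here; the sample requests are constructed, apart from the two UA strings quoted in the thread.

```python
"""Emulate a Snort/Suricata content: match against HTTP headers (simplified)."""

# Content strings as they appear in the rule language; |..| runs are hex bytes.
RULE_CONTENT = 'User-Agent|3a| XXX'          # the summarized ET rule (open-ended)
ANCHORED_CONTENT = 'User-Agent|3a| XXX|0d 0a|'  # hypothetical tightened variant


def decode_content(spec: str) -> bytes:
    """Turn a content string with |hex| runs into the raw bytes the engine compares."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        if i % 2 == 0:
            out += part.encode('latin-1')            # literal text between pipes
        else:
            out += bytes.fromhex(part.replace(' ', ''))  # e.g. "3a" or "0d 0a"
    return bytes(out)


def http_header_block(request: bytes) -> bytes:
    """Approximation of the http_header buffer: everything before the blank line."""
    return request.split(b'\r\n\r\n', 1)[0]


def rule_matches(request: bytes, content: str) -> bool:
    """Unanchored, case-sensitive substring match, as a bare content: keyword behaves."""
    return decode_content(content) in http_header_block(request)


# Constructed sample traffic (assumed for this example, not captures from the thread).
SAFARI_UA = (b'Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) '
             b'AppleWebKit/X.X (KHTML, like Gecko) Version/X.X Mobile/XXXX Safari/X.X')
SAMPLES = {
    'pckthck_xxxx': (b'GET / HTTP/1.1\r\nUser-Agent: XXXX\r\nHost: www.sony.net\r\n'
                     b'Cache-Control: no-cache\r\n\r\n'),
    'exact_xxx': b'GET / HTTP/1.1\r\nUser-Agent: XXX\r\nHost: example.invalid\r\n\r\n',
    'safari_mobile': b'GET / HTTP/1.1\r\nUser-Agent: ' + SAFARI_UA + b'\r\nHost: example.invalid\r\n\r\n',
    # Same bytes only in the body: http_header must not see them.
    'xxx_in_body_only': (b'POST / HTTP/1.1\r\nUser-Agent: curl/7.19\r\nHost: example.invalid\r\n'
                         b'Content-Length: 16\r\n\r\nUser-Agent: XXX\n'),
}


def evaluate(content: str = RULE_CONTENT, samples: dict = SAMPLES) -> dict:
    """Run one content string over every sample; returns {name: matched}."""
    return {name: rule_matches(req, content) for name, req in samples.items()}


if __name__ == '__main__':
    for label, content in (('open-ended', RULE_CONTENT), ('anchored', ANCHORED_CONTENT)):
        print(label, content)
        for name, hit in evaluate(content).items():
            print(f'  {name:18} {"ALERT" if hit else "-"}')
```

Running it shows the open-ended rule alerting on both `XXX` and `XXXX` and staying quiet on the Safari UA and on the body-only sample, while the anchored variant alerts only on the exact `XXX` UA, which is the trade-off Matt describes: the open match is what catches the Sony `XXXX` traffic in the first place.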


