[Emerging-Sigs] FP ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1) -- 2009486

Russell Fulton r.fulton at auckland.ac.nz
Tue Oct 25 23:02:56 EDT 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1)"; flow:established,to_server; content:"Windows+NT+5"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2009486; classtype:trojan-activity; sid:2009486; rev:11;)

Ah!  I see it is up to 13!  

Russell (who is now trying to figure out how that happened!)

PS. Promise to check my updates before posting about FPs in future!


On 25/10/2011, at 5:03 AM, Matthew Jonkman wrote:

> On Oct 23, 2011, at 3:05 AM, Russell Fulton wrote:
> 
>> I have 5 systems tickling this sig. The packet captures look kosher - different browsers, and many different sites...
>> 
>> Couple of examples:
>> 
>> GET /css/vivid_module.css? HTTP/1.1
>> Accept: */*
>> Referer: http://www.allmusic.com/search/song/big+jetplane
>> Accept-Language: en-nz
>> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
>> Accept-Encoding: gzip, deflate
>> If-Modified-Since: Thu, 14 Oct 2010 19:32:08 GMT; length=1686
>> Host: www.allmusic.com
>> Connection: Keep-Alive
>> 
>> 
>> GET /log.php?id=1039&r=64392 HTTP/1.1
>> Host: stat.adlesse.com
>> Connection: keep-alive
>> User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.102 Safari/535.2
>> Accept: */*
>> Referer: http://dispatch.lite.adlesse.com/?size=300x250&loc=lite&rnd=0.7143454265315086&aduid=adlesse_widget_0.9313804337289184&this_is_adlesse_widget=true
>> 
>> Each local IP is throwing hits on lots of different sites.
> 
> I don't see how these are hitting…. There isn't a + in there. 
> 
> If we had +'s in the packet and not the sig I'd suspect normalization. But it's the other way around, and I'm not aware of any of the engines normalizing the string to match…
> 
> Which rev of the sig are you seeing these with? Which engine if you can say?
> 
> 
>> 
>> Russell (who should go and watch the Rugby soon -- RWC final, NZ vs France -- being played less than a mile from our house, no I did not pay $1000 for a ticket -- I'll watch on TV and leave the windows open for the <delayed> cheering from the stadium :)
>> 
> 
> Congrats on the win!!!
> 
> Matt
> 
> 
> 
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
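Added example, not part of the list post or the Emerging Threats ruleset: the question in the thread is whether the rev-11 content string "Windows+NT+5" (matched in the http_header buffer) can hit on the two captured requests, which carry a space-separated "Windows NT 5.1". The script below replays that match offline. The two benign requests are the captures quoted above; the Pingbed-style request is constructed for illustration on the assumption that the malware's User-Agent literally contains "Windows+NT+5.1" (the ruleset only tells us the content string, not the full UA). The header-buffer extraction is an approximation of the engine's http_header buffer (headers after the request line, before the blank line); the real engines also unfold and normalise headers, which is not reproduced here.

```python
"""Replay the content match of ET TROJAN sid 2009486 rev 11 against captured requests.

The two browser captures are the ones quoted in the thread. The third request is
constructed for this example, not observed traffic: it assumes a Pingbed-style
User-Agent that literally contains 'Windows+NT+5.1'.
"""

# content:"Windows+NT+5"; http_header; from sid 2009486 rev 11 (no nocase modifier).
RULE_CONTENT = b"Windows+NT+5"

CAPTURE_IE8 = (
    b"GET /css/vivid_module.css? HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.allmusic.com/search/song/big+jetplane\r\n"
    b"Accept-Language: en-nz\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
    b".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"If-Modified-Since: Thu, 14 Oct 2010 19:32:08 GMT; length=1686\r\n"
    b"Host: www.allmusic.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

CAPTURE_CHROME = (
    b"GET /log.php?id=1039&r=64392 HTTP/1.1\r\n"
    b"Host: stat.adlesse.com\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) "
    b"Chrome/15.0.874.102 Safari/535.2\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://dispatch.lite.adlesse.com/?size=300x250&loc=lite&rnd=0.7143454265315086"
    b"&aduid=adlesse_widget_0.9313804337289184&this_is_adlesse_widget=true\r\n"
    b"\r\n"
)

# Constructed (assumed) Pingbed-style request: the UA carries '+' instead of spaces.
CONSTRUCTED_PINGBED = (
    b"GET /index.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows+NT+5.1)\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)

# Constructed benign request: the rule string appears only in the URI, not in a header.
CONSTRUCTED_URI_ONLY = (
    b"GET /search?q=Windows+NT+5 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)


def http_header_buffer(request: bytes) -> bytes:
    """Approximate the http_header buffer: bytes after the request line and
    before the blank line that terminates the headers."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers


def content_matches(request: bytes, content: bytes, nocase: bool = False) -> bool:
    """Emulate `content:"..."; http_header;` as a raw substring test over the
    header buffer. The keyword is case-sensitive unless nocase is set."""
    buf = http_header_buffer(request)
    if nocase:
        return content.lower() in buf.lower()
    return content in buf


def plus_decoded(content: bytes) -> bytes:
    """Treat '+' as an encoded space. This is the only normalisation that would
    let the rev-11 string hit the captures, and it would have to be applied to
    the rule string, not to the packet, which engines do not do."""
    return content.replace(b"+", b" ")


def evaluate(requests: dict) -> dict:
    """Return {name: fired?} for the rev-11 content against each request."""
    return {name: content_matches(req, RULE_CONTENT) for name, req in requests.items()}


if __name__ == "__main__":
    samples = {
        "ie8_capture": CAPTURE_IE8,
        "chrome_capture": CAPTURE_CHROME,
        "constructed_pingbed": CONSTRUCTED_PINGBED,
        "constructed_uri_only": CONSTRUCTED_URI_ONLY,
    }
    for name, fired in evaluate(samples).items():
        print(f"{name:22s} rev11 content fires: {fired}")
    for name, req in samples.items():
        print(f"{name:22s} plus-decoded rule would fire: "
              f"{content_matches(req, plus_decoded(RULE_CONTENT))}")
```

Running this shows the rev-11 string does not fire on either capture, fires on the constructed '+'-separated UA, and ignores a '+'-separated string that appears only in the URI; only a plus-decoded copy of the rule string would hit the real browsers, which supports the point made in the thread that the hits must come from a different revision of the rule rather than from engine normalisation.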
