[Emerging-Sigs] Are these FPs or not?
chrisgrangerx at gmail.com
Wed Dec 12 12:02:48 HAST 2012
This was dealing w/ Ponmocup variants around more than a year ago, however.
I haven't been following this malware too closely since.
On Wed, Dec 12, 2012 at 5:01 PM, Christopher Granger <chrisgrangerx at gmail.com> wrote:
> In my past observations of Ponmocup, I was able to validate compromises by
> observing HTTP requests out from suspected infections that were known
> unrelated to C&C beaconing. The UA tokens were only altered on requests to
> suspected C&C servers, proving the presence of malicious logic that was
> writing its own C&C requests.
> On Wed, Dec 12, 2012 at 4:29 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>> ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup 2012801
>> We have one machine on our wireless network which is repeatedly
>> triggering this alert on what are clearly legitimate queries including
>> things like this:
>> GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
>> Connection: close
>> Host: suggestqueries.google.com
>> User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
>> On an infected machine does the useragent string get used on traffic
>> generated by the malware or does the default UA get changed?
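Chris's validation approach above (does the spoofed UA appear on all of a client's traffic, or only on requests toward a few suspect hosts?) written out as a small triage script. This is an added example, not code from the thread or from the ET rule; it assumes a simple client/host/user-agent proxy log format and uses a regex standing in for the rule's real match, both constructed here.

```python
import re
from collections import defaultdict

# Constructed proxy-style log lines (client, host, user-agent); not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 suggestqueries.google.com "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
10.0.0.5 www.example.org "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
10.0.0.5 update.example.net "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
10.0.0.9 www.example.org "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.9 suggestqueries.google.com "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.9 cc-placeholder.invalid "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

# Assumed match logic: genuine IE7 sends "Mozilla/4.0 (compatible; MSIE 7.0; ...)", so a
# "Mozilla/5.0 ... MSIE 7.0" string is self-contradictory. The real ET rule body is not in
# the thread; this regex mirrors only the UA Russell quoted.
SPOOF_RE = re.compile(r'^Mozilla/5\.0 \(Windows; U; MSIE 7\.0;')

def parse_log(text):
    """Return (client, host, user_agent) tuples, skipping lines that do not match."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(records):
    """Per client: where does the spoofed UA appear, and does the client use any other UA?"""
    stats = defaultdict(lambda: {"spoof_hosts": set(), "other_uas": set()})
    for client, host, ua in records:
        if SPOOF_RE.match(ua):
            stats[client]["spoof_hosts"].add(host)
        else:
            stats[client]["other_uas"].add(ua)
    verdicts = {}
    for client, s in stats.items():
        if not s["spoof_hosts"]:
            verdict = "no-alert"
        elif not s["other_uas"]:
            # Every request, ordinary browsing included, carries the odd UA: consistent with
            # a browser or add-on configured that way, not with malware writing its own requests.
            verdict = "likely-fp"
        else:
            # Normal UA elsewhere, spoofed UA only toward a few hosts: the pattern Chris
            # describes, so the spoof_hosts deserve a closer look.
            verdict = "investigate"
        verdicts[client] = {"verdict": verdict, "spoof_hosts": s["spoof_hosts"]}
    return verdicts
```

On the constructed sample, 10.0.0.5 (the odd UA on every request, Google suggest queries included) comes out as likely-fp, while 10.0.0.9 (normal Firefox UA elsewhere, spoofed UA only toward one host) comes out as investigate.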