[Emerging-Sigs] Are these FPs or not?

Christopher Granger chrisgrangerx at gmail.com
Wed Dec 12 12:02:48 HAST 2012


This was dealing w/ Ponmocup variants around more than a year ago, however.
I haven't been following this malware too closely since.

On Wed, Dec 12, 2012 at 5:01 PM, Christopher Granger <
chrisgrangerx at gmail.com> wrote:

> Russell,
>
> In my past observations of Ponmocup, I was able to validate compromises by
> observing HTTP requests out from suspected infections that were known
> unrelated to C&C beaconing. The UA tokens were only altered on requests to
> suspected C&C servers, proving the presence of malicious logic that was
> writing its own C&C requests.
>
> -Chris
>
>
> On Wed, Dec 12, 2012 at 4:29 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
>>
>> ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup     2012801
>>
>> We have one machine on our wireless network which is repeatedly
>> triggering this alert on what are clearly legitimate queries, including
>> things like this:
>>
>> GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
>> Connection: close
>> Host: suggestqueries.google.com
>> User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
>>
>> On an infected machine does the useragent string get used on traffic
>> generated by the malware or does the default UA get changed?
>>
>> Russell
>>
>
>
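The triage Chris describes (compare the User-Agent a host sends to destinations known to be unrelated to C&C with the one it sends elsewhere) can be turned into a small script. The following is an added example, not code from the thread or from Emerging Threats: the log lines are constructed, the benign-host set is an assumption to be tuned per site, and the regex only approximates the UA string quoted above (the actual text of rule 2012801 is not on this page).

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (tab-separated: client, host, user_agent).
# Illustrative records only; none of this is traffic from the thread.
SAMPLE_LOG = """\
10.1.1.20\tsuggestqueries.google.com\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.1.1.20\twww.google.com\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.1.1.20\tupdate.microsoft.com\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.1.1.21\tsuggestqueries.google.com\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.1.1.21\twww.google.com\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.1.1.21\tunknown-host.example\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.1.1.22\twww.google.com\tMozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
"""

# The thread quotes "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" as the
# UA the rule fires on: a Firefox-style header carrying an MSIE token. This regex
# generalises it (any MSIE/NT version, any locale) and is an approximation for
# triage, not a copy of the ET rule, whose text is not on the page.
SPOOFED_MSIE_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows; U; MSIE \d+\.\d+; Windows NT \d+(\.\d+)?; [a-z]{2}-[A-Z]{2}\)$"
)

# Hosts the analyst already regards as unrelated to any C&C (assumption; tune per site).
KNOWN_BENIGN_HOSTS = {"suggestqueries.google.com", "www.google.com", "update.microsoft.com"}


def parse_line(line):
    """Split one constructed log record into (client, host, user_agent)."""
    client, host, ua = line.rstrip("\n").split("\t", 2)
    return client, host, ua


def is_spoofed_ua(ua):
    """True when the UA has the spoofed-MSIE shape quoted in the thread."""
    return SPOOFED_MSIE_UA.match(ua) is not None


def triage(log_text, benign_hosts=KNOWN_BENIGN_HOSTS):
    """Return a verdict per client based on which hosts saw the odd UA.

    The reasoning follows the thread: if the odd UA appears on requests to hosts
    unrelated to C&C as well, it is the machine's default UA (likely a false
    positive); if ordinary hosts get a normal UA and only some hosts get the
    altered one, something other than the browser is writing those requests.
    """
    by_client = defaultdict(lambda: {"spoofed_hosts": set(), "other_hosts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, ua = parse_line(line)
        bucket = "spoofed_hosts" if is_spoofed_ua(ua) else "other_hosts"
        by_client[client][bucket].add(host)

    verdicts = {}
    for client, seen in by_client.items():
        spoofed, other = seen["spoofed_hosts"], seen["other_hosts"]
        if not spoofed:
            verdicts[client] = "no_match"
        elif not other and spoofed & benign_hosts:
            # Same odd UA everywhere, including to known-benign hosts: default UA.
            verdicts[client] = "likely_fp_default_ua"
        elif other & benign_hosts:
            # Normal UA to ordinary hosts, altered UA only to a subset.
            verdicts[client] = "investigate_ua_altered_per_host"
        else:
            # Too little context (e.g. only unknown hosts seen) to decide either way.
            verdicts[client] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}\t{verdict}")
```

Run against real proxy or IDS HTTP logs, the interesting output is the "investigate" bucket; a client that sends the flagged UA to every destination, Google suggestion queries included, is behaving like the machine Russell describes and can be checked for a locally configured UA override before anyone treats it as an infection.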