[Emerging-Sigs] Are these FPs or not?

Christopher Granger chrisgrangerx at gmail.com
Wed Dec 12 12:01:02 HAST 2012


Russell,

In my past observations of Ponmocup, I was able to validate compromises by
observing HTTP requests out from suspected infections that were known
unrelated to C&C beaconing. The UA tokens were only altered on requests to
suspected C&C servers, proving the presence of malicious logic that was
writing its own C&C requests.

-Chris

On Wed, Dec 12, 2012 at 4:29 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

>
> ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup     2012801
>
> We have one machine on our wireless network which is repeatedly triggering
> this alert on what are clearly legitimate queries including things like
> this:
>
> GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
> Connection: close
> Host: suggestqueries.google.com
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
>
> On an infected machine does the useragent string get used on traffic
> generated by the malware or does the default UA get changed?
>
> Russell
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
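One way to apply the check Chris describes to a request log, as an added example that is not part of the thread: per client, compare the destinations that carried the suspicious UA with the destinations that carried any other UA. The log format, client addresses and host names below are constructed; the UA string is the one from Russell's alert.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): client IP, Host header and
# User-Agent header in a simple space-separated proxy-log style.
SAMPLE_LOG = """\
10.0.0.5 suggestqueries.google.com "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
10.0.0.5 www.example.org "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
10.0.0.9 www.example.org "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.9 suspected-c2.invalid "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
# The inconsistent token pair behind the alert: a Mozilla/5.0 prefix combined
# with an MSIE 7.0 token (genuine IE7 announced itself as Mozilla/4.0).
SPOOFED_MSIE7_RE = re.compile(r"^Mozilla/5\.0 \(.*MSIE 7\.0.*\)$")

def is_spoofed_ua(ua):
    return SPOOFED_MSIE7_RE.match(ua) is not None

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def triage(log):
    """Per client, split destinations by whether the request carried the spoofed UA."""
    spoofed = defaultdict(set)
    other = defaultdict(set)
    for client, host, ua in parse(log):
        (spoofed if is_spoofed_ua(ua) else other)[client].add(host)
    result = {}
    for client in set(spoofed) | set(other):
        if not spoofed[client]:
            verdict = "no alert"
        elif not other[client]:
            # Every request, including ones to ordinary destinations, carries the
            # odd UA: it is the machine's default, so the rule matched a legitimate
            # but unusual browser configuration.
            verdict = "likely false positive"
        else:
            # The odd UA is confined to some destinations while the same client
            # uses a normal UA elsewhere: something is crafting its own requests,
            # which is the pattern Chris describes for Ponmocup.
            verdict = "likely infected"
        result[client] = {"verdict": verdict,
                          "spoofed_hosts": sorted(spoofed[client]),
                          "other_hosts": sorted(other[client])}
    return result
```

The verdicts are a triage aid only: a client marked "likely infected" still needs the destinations in its spoofed-UA list reviewed before treating it as a confirmed compromise.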

