[Emerging-Sigs] suspicious UA sig

Matt Jonkman jonkman at emergingthreats.net
Thu Dec 20 07:00:12 HAST 2012

Ya, have loads of those coming through in the last bit. Most being marked
as Buzus or a general dropper.

Will get a sig up for this and the url pattern, pretty consistent pattern
of requests. Some like:


Thanks Harry!


On Wed, Dec 19, 2012 at 5:19 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:

> **
> Saw this "vb   wininet" (3 spaces) UA in some traffic from a couple of
> weeks ago. I haven't recovered an executable, but you might want to see
> what it turns up in your sandnet.
> Regards,
> Harry
> suspicious "vb   wininet" user agent"; flow:established,to_server;
> content:"User-Agent|3a 20|vb|20 20 20|wininet|0d 0a|"; http_header;
> classtype:bad-unknown; sid:nnnnnnn; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!


Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20121220/b236347a/attachment.html>

More information about the Emerging-sigs mailing list