[Emerging-Sigs] suspicious UA sig

Matt Jonkman jonkman at emergingthreats.net
Thu Dec 20 07:00:12 HAST 2012


Ya, have loads of those coming through in the last bit. Most being marked
as Buzus or a general dropper.

Will get a sig up for this and the url pattern, pretty consistent pattern
of requests. Some like:

mactj.asp?mac=00xxxxxxxx&uname=xxxxxx
/htc/htc.txt
/bai/qqzx.txt?123
/send/safe.txt

Thanks Harry!

Matt


On Wed, Dec 19, 2012 at 5:19 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:

> Saw this "vb   wininet" (3 spaces) UA in some traffic from a couple of
> weeks ago. I haven't recovered an executable, but you might want to see
> what it turns up in your sandnet.
>
> Regards,
> Harry
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS
> suspicious \"vb   wininet\" user agent"; flow:established,to_server;
> content:"User-Agent|3a 20|vb|20 20 20|wininet|0d 0a|"; http_header;
> classtype:bad-unknown; sid:nnnnnnn; rev:1;)
>



-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
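As an added example that is not part of this thread or of the ET ruleset, the following Python script applies the same two checks to raw HTTP requests that a sensor would see: the exact `User-Agent: vb   wininet` header bytes from Harry's rule (three spaces, matched at the start of a header line, the way the `http_header` buffer match behaves), and the request paths Matt listed in his reply. The sample requests are constructed inline, not captured traffic; the value shapes assumed for the `mac=` and `uname=` parameters and the detection names are assumptions of this example.

```python
import re

# Byte-for-byte equivalent of the content match in Harry's rule:
#   content:"User-Agent|3a 20|vb|20 20 20|wininet|0d 0a|"; http_header;
# i.e. "User-Agent: vb", exactly three spaces, "wininet", CRLF.
SUSPICIOUS_UA_HEADER = b"User-Agent: vb   wininet\r\n"

# Request paths from Matt's reply. The fixed paths are taken literally; the
# mac=/uname= value shapes are assumptions (his message shows them as x's).
URI_PATTERNS = {
    "mactj-checkin": re.compile(rb"^/[^?]*mactj\.asp\?mac=[0-9A-Fa-f]+&uname=[^&\s]+$"),
    "htc-txt":       re.compile(rb"^/htc/htc\.txt$"),
    "bai-qqzx-txt":  re.compile(rb"^/bai/qqzx\.txt(?:\?\d+)?$"),
    "send-safe-txt": re.compile(rb"^/send/safe\.txt$"),
}


def split_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, header_block).

    Returns None if the request is not well-formed enough to inspect.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[1].startswith(b"/"):
        return None
    return parts[0], parts[1], headers


def inspect_request(raw):
    """Return the list of detection names that fire on one raw client request."""
    parsed = split_request(raw)
    if parsed is None:
        return ["malformed-request"]
    _method, uri, headers = parsed
    hits = []
    # Surround the header block with CRLF so every header line, including the
    # first and last, is matched as "<CRLF>User-Agent: ...<CRLF>".
    if b"\r\n" + SUSPICIOUS_UA_HEADER in b"\r\n" + headers + b"\r\n":
        hits.append("suspicious-ua")
    for name, pattern in URI_PATTERNS.items():
        if pattern.search(uri):
            hits.append("uri:" + name)
    return hits


def build_request(method, uri, user_agent, host=b"example.invalid"):
    """Assemble a raw request; used only to construct the samples below."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: " + host + b"\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"Connection: close\r\n\r\n")


# Constructed samples (not captured traffic).
SAMPLES = {
    "ua_three_spaces": build_request(b"GET", b"/index.html", b"vb   wininet"),
    "ua_one_space":    build_request(b"GET", b"/index.html", b"vb wininet"),
    "checkin":         build_request(b"GET", b"/mactj.asp?mac=00AABBCCDDEE&uname=host1", b"vb   wininet"),
    "htc_benign_ua":   build_request(b"GET", b"/htc/htc.txt", b"Mozilla/5.0"),
    "benign":          build_request(b"GET", b"/about", b"Mozilla/5.0"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {inspect_request(raw) or ['clean']}")
```

The single-space variant is included on purpose: the rule's `|20 20 20|` is an exact three-byte match, so a one-space `vb wininet` does not fire, and the URI checks fire independently of the User-Agent, which is what makes the path-based signature Matt mentions worth having alongside the UA one.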