[Emerging-Sigs] fakeav sig

Matt Jonkman jonkman at emergingthreats.net
Thu Dec 20 09:30:46 HAST 2012


FP testing this one. The UA is a legit one Pedro found. And /api/test is
surely going to be a legit thing as well.

May have to dig in some more on this one.

Matt


On Thu, Dec 20, 2012 at 2:20 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:

> Yes, sir. Seeing the same here.
>
> ---- On Thu, 20 Dec 2012 11:11:54 -0800 Matt Jonkman<
> jonkman at emergingthreats.net> wrote ----
>
>  > Thanks Harry. Tough one here.
>  >
>  > We have that exact UA for this family only in the db. But as soon as we
> post with this I'm sure something legit will pop up using that UA.
>  >
>  >
>  > But if we go for the first request uri and UA it'd be better.
>  >
>  >
>  > I have this as first request for most samples:
>  >
>  >
>  > /api/test
>  >
>  >
>  >
>  > You seeing the same Harry?
>  >
>  >
>  > Matt
>  >
>  >
>  > On Thu, Dec 20, 2012 at 1:26 PM, harry.tuttle <harry.tuttle at zoho.com>
> wrote:
>  >  This covers a payload that seems to be making the rounds this week.
> I'm not sure how unique that UAS is all on its own, but, as written, I've
> had no FP after almost 48 hours.
>  >
>  >  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV whatever"; flow:established,to_server; content:"User-Agent: Mozilla/5.0(compatible|3b| MSIE 9.0|3b| Windows NT 7.1|3b| Trident/5.0)|0d 0a|Host|3a20|"; depth:83; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity; sid:nnnnnnn; rev:1;)
>  >
>  >  There is coverage with 2805614 in pro, but, if the first couple of
> http requests are blocked or don't work for whatever reason, then the
> traffic that triggers 2805614 doesn't seem to ever be generated. This rule
> should catch it all.
>  >
>  >  Regards,
>  >  Harry
>  >
>  >  _______________________________________________
>  >  Emerging-sigs mailing list
>  >  Emerging-sigs at lists.emergingthreats.net
>  >  http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>  >
>  >  Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
>  >  The ONLY place to get complete premium rulesets for Snort 2.4.0
> through Current!
>  >
>  > --
>  >
>  > ----------------------------------------------------
>  > Matt Jonkman
>  > Emerging Threats Pro
>  > Open Information Security Foundation (OISF)
>  > Phone 866-504-2523 x110
>  >  http://www.emergingthreatspro.com
>  > http://www.openinfosecfoundation.org
>  > ----------------------------------------------------
>


-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
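As an added example, not code from the thread or from Emerging Threats, the harness below decodes the |hex| escapes in Harry's rule quoted above and applies its two content tests (the depth:83 limit on the UA/Host match and the negated Accept match) to constructed header buffers, showing why a browser request with the same UA does not alert. It assumes the http_header buffer holds only the header lines, starting at the first header.

```python
# Added example, not code from the thread or from Emerging Threats: applies the two
# content tests of Harry's FakeAV rule to HTTP header buffers. Assumes the http_header
# buffer holds only the header lines, starting at the first header.
# (pattern with Snort |hex| escapes, negated?, depth), as written in the rule above
RULE_CONTENTS = [
    ("User-Agent: Mozilla/5.0(compatible|3b| MSIE 9.0|3b| Windows NT 7.1|3b|"
     " Trident/5.0)|0d 0a|Host|3a20|", False, 83),
    ("Accept|3a 20|", True, None),
]

def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, piece in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += piece.encode("latin-1")  # literal text outside the pipes
        else:
            out += bytes.fromhex(piece)     # hex inside the pipes; spaces are ignored
    return bytes(out)

def content_matches(buf: bytes, needle: bytes, depth=None) -> bool:
    """Snort-style content test: with depth set, the match must end within the first depth bytes."""
    haystack = buf if depth is None else buf[:depth]
    return needle in haystack

def rule_fires(http_header: bytes) -> bool:
    """True when every content option agrees, honouring the content:! negation."""
    for pattern, negated, depth in RULE_CONTENTS:
        hit = content_matches(http_header, decode_content(pattern), depth)
        if hit == negated:  # positive content missing, or negated content present
            return False
    return True

# Constructed header buffers, not captured traffic; hostnames are placeholders.
SAMPLES = {
    "fakeav_first_request": (  # UA first, Host right after, no Accept: what the rule is written for
        b"User-Agent: Mozilla/5.0(compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)\r\n"
        b"Host: example.invalid\r\nConnection: Keep-Alive\r\n\r\n"),
    "same_ua_with_accept": (  # same UA but an Accept header, as a real browser sends
        b"User-Agent: Mozilla/5.0(compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)\r\n"
        b"Host: example.invalid\r\nAccept: */*\r\n\r\n"),
    "host_first": (  # same UA, but Host before User-Agent: the UA/Host adjacency is gone
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0(compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)\r\n\r\n"),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, "ALERT" if rule_fires(buf) else "no alert")
```

The decoded UA/Host content is 82 bytes, so depth:83 leaves only one byte of slack; any header sent before User-Agent pushes the match past the depth and the rule stays silent.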