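# Heuristic: a Windows executable name sent as the HTTP User-Agent. The two
# content matches are the fast prefilter; on their own, "within:50" is a byte
# distance from the end of "User-Agent:" and is not bounded by the header line,
# so ".exe" can be found in a following header (e.g. a Host of
# "home.exetel.com.au" - see the false-positive note further down). The pcre
# therefore requires ".exe" on the User-Agent line itself, which only removes
# those cross-header hits. Benign updaters that really send "<name>.EXE" as
# their User-Agent still match and need a suppress/pass entry per destination.
# rev bumped to 10 for the added pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; pcre:"/^User-Agent\x3a[^\r\n]*\.exe/mi"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:10;)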

Added 2009-02-09 21:30:23 UTC


# Historical record, rev 9 (identical to the rev 9 entry above). Compared with
# rev 8 it only adds the two reference URLs; the detection logic - ".exe"
# anywhere within 50 bytes after "User-Agent:", not limited to that header
# line - is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)

Added 2009-02-09 21:30:23 UTC


# Historical record, rev 9 (duplicate entry from the wiki history). Same text
# as the other rev 9 entries: reference URLs added on top of rev 8, matching
# logic unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)

Added 2009-02-09 21:29:24 UTC


# Historical record, rev 9 (duplicate entry from the wiki history). Same text
# as the other rev 9 entries: reference URLs added on top of rev 8, matching
# logic unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)

Added 2009-02-09 21:29:24 UTC


# Historical record, rev 8. The only change from rev 7 is the search window for
# ".exe" after "User-Agent:", widened from within:30 to within:50. Note that a
# wider window makes it more likely that the ".exe" is found in a header that
# follows User-Agent (the within distance is not bounded by the header line).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; sid: 2002153; rev:8;)

Added 2008-05-09 17:01:40 UTC


# Historical record, rev 8 (duplicate entry from the wiki history): within:30
# of rev 7 widened to within:50, nothing else changed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; sid: 2002153; rev:8;)

Added 2008-05-09 17:01:40 UTC


# Historical record, rev 7. Identical to rev 6 apart from the rev counter. This
# is the revision the false-positive note below was written against: with
# within:30 the ".exe" match can land in the Host header ("home.exetel...")
# rather than in the User-Agent value, because within measures bytes from the
# previous match, not position on the same header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:7;)

Added 2008-02-01 14:32:22 UTC

False positives on legitimate software-update checks to http://home.exetel.com.au/oliverburn/ (AKA http://www.puppycrawl.com/). Note that the User-Agent itself contains no ".exe": the rule fires on the ".exe" inside the Host header value ("home.exetel.com.au"), which falls inside the within:30 window after "User-Agent:" because that window is a byte distance, not limited to the User-Agent line. Headers seen:

User-Agent: Java/1.6.0_03
Host: home.exetel.com.au 

and Quest Software's SQL database products (http://www.quest.com/), whose update client genuinely sends an executable name as its User-Agent, so this one is a true match on the pattern but benign traffic:

User-Agent: QINS.EXE
Host: www.quest.com
and:
User-Agent: QINS.EXE
Host: check-for-update.inside.quest.com 

Added the following suppressions (Snort threshold.conf syntax). Each one silences sid 2002153 only for traffic to the listed destination IP, so a genuine hit to one of those addresses would be hidden as well; the hostname-to-IP mapping is not recorded here, and the addresses may have changed since 2008, so re-check them before reusing these entries.

# Snort threshold.conf suppressions for the false positives recorded above.
# Each entry silences sid 2002153 only for packets whose destination is the
# listed address; other destinations are unaffected, and a real hit to one of
# these addresses would also be hidden. The hostname-to-IP mapping is not shown
# on this page - presumably 220.233.0.13 is home.exetel.com.au and the
# 12.106.87.x pair is www.quest.com / check-for-update.inside.quest.com;
# verify before reuse, since these addresses may have changed since 2008.
suppress gen_id 1, sig_id 2002153, track by_dst, ip 220.233.0.13
suppress gen_id 1, sig_id 2002153, track by_dst, ip 12.106.87.32
suppress gen_id 1, sig_id 2002153, track by_dst, ip 12.106.87.43
-- MikeSchroll - 29 Feb 2008


# Historical record, rev 7 (duplicate entry from the wiki history). Identical to
# rev 6 apart from the rev counter; ".exe" searched within 30 bytes after
# "User-Agent:".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:7;)

Added 2008-02-01 14:32:22 UTC


# Historical record, rev 6. Compared with rev 5 the msg is renamed from the
# BLEEDING-EDGE "Potential Spyware" text to "ET MALWARE ... Potential Malware"
# and the ".exe" window is widened from within:20 to within:30.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:6;)

Added 2008-01-28 17:24:19 UTC


# Historical record, rev 6 (duplicate entry from the wiki history): msg renamed
# from the BLEEDING-EDGE text and within:20 widened to within:30 relative to
# rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:6;)

Added 2008-01-28 17:24:19 UTC


# Historical record, rev 5 - the oldest revision shown on this page, still
# under the BLEEDING-EDGE naming. Same two-content structure as later revs
# ("User-Agent:" followed by ".exe"), with the tightest window, within:20.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EXE as User Agent - Potential Spyware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:20; nocase; classtype: trojan-activity; sid: 2002153; rev:5;)


