alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003470; classtype:trojan-activity; sid:2003470; rev:8;)

Added 2011-12-16 18:53:17 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003470; classtype:trojan-activity; sid:2003470; rev:8;)

Added 2011-10-12 19:13:32 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003470; sid:2003470; rev:8;)

Added 2011-09-14 22:26:31 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winfix; sid:2003470; rev:8;)

Added 2011-02-04 17:22:29 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winfix; sid:2003470; rev:6;)

Added 2009-11-25 11:39:03 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winfix; sid:2003470; rev:6;)

Added 2009-11-25 11:39:03 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003470; rev:4;)

Added 2009-02-09 21:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003470; rev:4;)

Added 2009-02-09 21:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003470; rev:4;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003470; rev:4;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; sid:2003470; rev:3;)

Added 2008-01-28 17:24:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; sid:2003470; rev:3;)

Added 2008-01-28 17:24:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; sid:2003470; rev:2;)

Added 2007-03-12 15:45:25 UTC

Changed to a static string. The real one we're looking for is static. No chance of other strings before it.

-- MattJonkman - 12 Mar 2007


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Updater/i"; classtype:trojan-activity; sid:2003470; rev:1;)

Added 2007-03-09 10:36:06 UTC

Url's look like this:

GET /?proto=3&rc=UVB-0001-8882-7773&v=99.1.0.56&abbr UVB&platform=nt&os_version=5.1.2600.1.0&ac=4ABE CCFD-9DAF-4DA2-87DC-1A3C14F81927&appid=UWA7P&em HTTP/1.1

User-Agent: Updater

-- MattJonkman - 09 Mar 2007


Topic revision: r2 - 2007-03-12 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats