#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 20:56:47 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11;)

Added 2012-07-13 21:15:01 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:10;)

Added 2011-11-16 19:57:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:9;)

Added 2011-10-12 19:13:40 UTC

Looks like BitDefender? 2012 auto-update traffic trips this one frequently. Here is an example. The GET line varies quite a bit but the User-Agent string remains constant.

GET /v2/locations/0001/0003/0006/00010003000600010002000600060001/versions.id HTTP/1.1

Connection: Keep-Alive

Host: upgrade.bitdefender.com

User-Agent: downloader 1.0.30.245;Bitdefender2012 (WSLib 1.4 [1, 0, 138, 0])

-- KevinBranch - 15 Nov 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader"; http_header; threshold: type limit, count 3, seconds 300, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; sid:2003546; rev:9;)

Added 2011-09-14 22:26:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader"; http_header; threshold: type limit, count 3, seconds 300, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003546; rev:9;)

Added 2011-05-25 19:28:46 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003546; rev:7;)

Added 2011-02-04 17:22:32 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003546; rev:5;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003546; rev:5;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003546; rev:3;)

Added 2009-02-09 21:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003546; rev:3;)

Added 2009-02-09 21:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003546; rev:3;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003546; rev:3;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; sid:2003546; rev:2;)

Added 2008-01-28 17:24:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; sid:2003546; rev:2;)

Added 2008-01-28 17:24:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; sid:2003546; rev:1;)

Added 2007-04-11 23:45:19 UTC



This topic: Main > 2003546
Topic revision: r2 - 2011-11-15 - KevinBranch
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats