alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (HTTP)"; flow:to_server,established; content:"User-Agent|3a| HTTP|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:trojan-activity; sid:2007943; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP)"; flow:to_server,established; content:"User-Agent|3a| HTTP|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:trojan-activity; sid:2007943; rev:6;)

Added 2011-12-15 18:09:32 UTC

I had a confirmed online banking client of the Korean Shinhan bank FP on this one. It appears this bank provides their clients with some kind of special security agent that uses a user agent of "HTTP".

GET /shttp/install/7209/dll/SHTTPPublicPKI.31015.dl_ HTTP/1.1

User-Agent: HTTP

Host: img.shinhan.com

Cache-Control: no-cache

Cookie: PCID=XXXXXXXXXXXXXXXXXX

-- KevinBranch - 24 Feb 2012


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HTTP)"; flow:to_server,established; content:"User-Agent|3a| HTTP|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:trojan-activity; sid:2007943; rev:6;)

Added 2011-10-12 19:24:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HTTP)"; flow:to_server,established; content:"User-Agent|3a| HTTP|0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; sid:2007943; rev:6;)

Added 2011-09-14 22:37:36 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HTTP)"; flow:to_server,established; content:"User-Agent|3a| HTTP|0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007943; rev:6;)

Added 2011-02-04 17:27:02 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HTTP)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007943; rev:4;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HTTP)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007943; rev:4;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (HTTP)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2007943; rev:2;)

Added 2009-02-09 22:22:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (HTTP)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP|0d 0a|"; classtype:trojan-activity; sid:2007943; rev:1;)

Added 2008-03-08 13:45:50 UTC


Topic revision: r2 - 2012-02-24 - KevinBranch
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats