alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:".doubleclick.net"; http_header; content:".pingstart.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:17;)

Added 2017-04-12 18:51:09 UTC
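The matching logic of rev:17 above, modelled in Python as an added example (this is not Emerging Threats code and is no substitute for running the rule in Suricata). It shows the three things the thread turns on: the content match is the literal bytes "User-Agent: \r\n", so a header with no space after the colon does not trip it; a negation ending in |0d 0a| only matches at the end of a header line, which is why ping-start.com|0d 0a| did nothing for api.pingstart.com; and a negation without that terminator, such as .mcafee.com, suppresses the alert wherever the string appears in the header buffer, so an empty-UA request that also carries a Referer containing it is never alerted on. The hosts, paths and the 198.51.100.7 address in the sample requests are constructed, and the buffer model (request headers minus Cookie) is an approximation of Suricata's http_header; flow and direction keywords are ignored.

```python
# Added example (not an Emerging Threats artifact): byte-level model of the
# content / content:! logic of SID 2007994, evaluated over constructed requests.
from typing import Iterable

EMPTY_UA = b"User-Agent: \r\n"  # content:"User-Agent|3a 20 0d 0a|"

# content:! patterns as they appear in rev:16 and rev:17 of the rule.  A trailing
# CRLF means the pattern must close a header line (in practice the Host value);
# a pattern without it matches anywhere in the header buffer.
NEGATIONS_REV16 = [
    b".mcafee.com", b"deezer.com\r\n", b"googlezip.net",
    b"metrics.tbliab.net\r\n", b"dajax.com\r\n", b"update.eset.com\r\n",
    b".sketchup.com\r\n", b".yieldmo.com\r\n", b"ping-start.com\r\n",
    b".bluekai.com", b".stockstracker.com",
]
NEGATIONS_REV17 = NEGATIONS_REV16 + [b".doubleclick.net", b".pingstart.com"]


def header_buffer(raw_request: bytes) -> bytes:
    """Approximate Suricata's request http_header buffer: every header line
    after the request line, CRLF-terminated, minus Cookie (Suricata keeps
    cookies out of http_header; they are matched with http_cookie instead)."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    kept = [line for line in lines if not line.lower().startswith(b"cookie:")]
    return b"".join(line + b"\r\n" for line in kept)


def sid_2007994(raw_request: bytes,
                negations: Iterable[bytes] = NEGATIONS_REV17) -> bool:
    """True when the rule would alert: the empty-UA bytes are present and no
    negated pattern occurs anywhere in the buffer.  Matches are case-sensitive
    because the rule sets no nocase."""
    buf = header_buffer(raw_request)
    if EMPTY_UA not in buf:
        return False
    return not any(pattern in buf for pattern in negations)


# Constructed requests; hosts and paths are illustrative, not captured traffic,
# and 198.51.100.7 is an RFC 5737 documentation address.
PINGSTART_FP = (b"GET /v1/apps?x=1 HTTP/1.1\r\nUser-Agent: \r\n"
                b"Host: api.pingstart.com\r\nConnection: Keep-Alive\r\n"
                b"Accept-Encoding: gzip\r\n\r\n")
BEACON = (b"POST /gate.php HTTP/1.1\r\nUser-Agent: \r\nHost: 198.51.100.7\r\n"
          b"Content-Length: 0\r\n\r\n")
# Same beacon with a Referer that happens to contain an unanchored negation.
BEACON_EVADING = BEACON.replace(
    b"Host: 198.51.100.7\r\n",
    b"Host: 198.51.100.7\r\nReferer: http://www.mcafee.com/\r\n")
BROWSER = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
           b"User-Agent: Mozilla/5.0\r\n\r\n")
NO_SPACE_UA = b"GET / HTTP/1.1\r\nUser-Agent:\r\nHost: 198.51.100.7\r\n\r\n"


def demo() -> dict:
    """Evaluate each request under rev:16 and rev:17 and return the verdicts."""
    return {
        "pingstart_rev16": sid_2007994(PINGSTART_FP, NEGATIONS_REV16),  # True: the FP
        "pingstart_rev17": sid_2007994(PINGSTART_FP, NEGATIONS_REV17),  # False: fixed
        "beacon": sid_2007994(BEACON),                                  # True
        "beacon_with_mcafee_referer": sid_2007994(BEACON_EVADING),      # False: negation bypass
        "browser": sid_2007994(BROWSER),                                # False
        "ua_no_space": sid_2007994(NO_SPACE_UA),                        # False: rule wants one space
    }


if __name__ == "__main__":
    for name, alerted in demo().items():
        print(f"{name:28s} alert={alerted}")
```

Run it directly to print one verdict per request; the rev:16 / rev:17 pair reproduces the pingstart.com false positive reported in the thread and its fix, and the Referer case is the cost of every negation that is not terminated with |0d 0a|.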


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:16;)

Added 2017-04-06 17:20:38 UTC

Two FP detected.

THE FIRST ONE IS - (in addition to ping-start.com, a content negation needs to be added for pingstart.com without the hyphen) <<<< http://pingstart.com/ >>>>

GET /v1/apps? .......... HTTP/1.1

User-Agent:

Host: api.pingstart.com

Connection: Keep-Alive

Accept-Encoding: gzip

HTTP/1.1 302 Found

THE SECOND ONE IS - doubleclick.net <<<< https://www.doubleclickbygoogle.com/ >>>>

GET /gampad/adx?iu=/16825456/playdots_twodots_supersonic_mobile/Android_.............. HTTP/1.1

User-Agent:

Host: pubads.g.doubleclick.net

Connection: Keep-Alive

Accept-Encoding: gzip

-- DenisI - 2017-04-12

Thanks, will get these fixed up today!

-- DarienH - 2017-04-12


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:15;)

Added 2017-03-28 17:13:11 UTC

FP for Oracle BlueKai Marketplace.

About Oracle BlueKai Marketplace: Data as a Service (DaaS) provides a robust toolset on the Oracle BlueKai Marketplace platform, which enables you to create audiences across hundreds of data sources, so you can unlock the value in that data and activate it on any channel, including display, social, and mobile, to speak to customers.

GET /site/20635?limit=0&phint=id%3D38979F28-BA8C-4EA3-B68A-C62F7628DBAE&phint=idfa%3D38979F28-BA8C-4EA3-B68A-C62F7628DBAE&phint=AdID%3D HTTP/1.1
Host: tags.bluekai.com
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent:

HTTP/1.1 302 Found
Date: Tue, 28 Mar 2017 19:07:51 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Set-Cookie: bkdc=wdc; expires=Sun, 24-Sep-2017 19:07:51 GMT; path=/; domain=.bluekai.com
Set-Cookie: bku=ZN999/K6tkQzGGrU; expires=Sun, 24-Sep-2017 19:07:51 GMT; path=/; domain=.bluekai.com
Location: http://tags.bluekai.com/site/20635?dt=0&r=142033989&sig=1058448020&bkca=KJpn0zpBnnWNDYF/01ygLzN1DEPt1qSyBn561fnx5Uv6zBRNzUD6N7D0LleD5ERpzM1l1fJyzUJ6CS+wu0HBCtmvoy+xOyY7OhdV
Content-Length: 0
BK-Server: d86a
Content-Type: text/html
Cneonction: close

GET /site/20635?dt=0&r=142033989&sig=1058448020&bkca=KJpn0zpBnnWNDYF/01ygLzN1DEPt1qSyBn561fnx5Uv6zBRNzUD6N7D0LleD5ERpzM1l1fJyzUJ6CS+wu0HBCtmvoy+xOyY7OhdV HTTP/1.1
Host: tags.bluekai.com
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent:

HTTP/1.1 200 OK
Date: Tue, 28 Mar 2017 19:07:51 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Content-Length: 62
BK-Server: fbe8
Content-Type: image/gif
Cneonction: close

GIF89a.............!..NETSCAPE2.0.....!.. ....,...........L..;

1) What is Oracle BlueKai Marketplace

https://docs.oracle.com/en/cloud/saas/data-cloud/dsmkt/using-oracle-data-cloud.pdf

2) Oracle acquires BlueKai

https://www.oracle.com/corporate/acquisitions/bluekai/index.html

3) What is BlueKai

https://www.youtube.com/watch?v=UBmgkZdWGLw

4) Oracle DaaS

https://www.youtube.com/watch?v=KiQEyEi_tNc

Please, modify rule for bluekai.com

Thank you.

-- MaksymParpaley - 2017-03-29

Dear ET, I have a couple more FPs. Please give any feedback related to the previous request. Thank you!

-- MaksymParpaley - 2017-03-30

FP for Stocks Tracker application for iOS:

GET /logEvent?action=detailview HTTP/1.1
Host: www.stockstracker.com
User-Agent:
Connection: keep-alive
Accept-Encoding: gzip

HTTP/1.1 200 OK

-- DenisI - 2017-04-06

Thanks DenisI and Maksym, these will be added today!

-- DarienH - 2017-04-06


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:14;)

Added 2017-03-01 16:50:34 UTC

Hello. One more FP, this time for the application SketchUp, which is in use. Please consider a rule modification.

More about app is here: https://www.sketchup.com/products/sketchup-pro

PCAP:

GET /en/updates/su2016/supmac HTTP/1.1
Host: help.sketchup.com
Accept: */*
Cookie: _ga=.......
User-Agent:
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 723
Cache-Control: public, max-age=86400
Content-Encoding: gzip
Content-Language: en
Content-Type: text/plain;charset=UTF-8
Date: Thu, 02 Mar 2017 18:26:55 GMT
Etag: "1488473631-0"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 02 Mar 2017 16:53:51 GMT
Link: </en/node/6201>; rel="shortlink",</en/updates/su2016/supmac>; rel="canonical"
Server: nginx
Vary: Cookie,Accept-Encoding
Via: 1.1 varnish
X-AH-Environment: prod
X-Cache: HIT
X-Cache-Hits: 10
X-Drupal-Cache: HIT
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 7 (http://drupal.org)
X-Request-ID: v-21438c62-ff74-11e6-95eb-22000bdde467
X-Varnish: 124145036 124048606
Content-Length: 79
Connection: keep-alive

...........DATA.........

Thank you, BR

-- MaksymParpaley - 2017-03-06

FP from yieldmo.com a mobile advertising firm.

PCAP:

Host: ads.yieldmo.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: yieldmo_id=gd12bddab47d14c20cf0%7C1490185731709%7C1646916380831188839%7C1437728892220980040
User-Agent:
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Length: 638

-- PhillipPeterson - 2017-03-25

FP for api.ping-start.com - http://www.pingstart.com/. Application monetization.

yieldmo.com and pingstart.com should be excluded from the rule. Such network activity is neither good nor bad, just monetization tricks. ET, please eliminate the FP.

-- MaksymParpaley - 2017-03-28

When a user downloads an application with advertisements, Google Play warns about the presence of advertisements if it is used for free. That is why this is not malicious activity.

-- MaksymParpaley - 2017-03-28

Fixing these today, thanks!

-- DarienH - 2017-03-28


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:13;)

Added 2017-02-21 19:53:14 UTC

Hello. FP for ESET Internet Security and NOD32 Antivirus. Please consider rule modification.

Rule tripped during update of ESET Internet Security and NOD32 Antivirus.

Information about product: http://www.eset.co.uk/Beta/V10

We have no full PCAP, but some information is below:

src_ip: 192.1682.xx.xx dst_ip: 91.228.166.14

Host: update.eset.com

url: http://update.eset.com/eset_upd/v10/dll/update.ver

HTTP Request:

HEAD /eset_upd/v10/dll/update.ver HTTP/1.1
Accept: */*
User-Agent:
Host: update.eset.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
X-NOD32-Mode: passive
Pragma: no-cache
Cache-Control: no-cache, no-store
Eset-Spread-Control: yes; domain=production
X-ESET-UpdateID: EAV-0189989284
If-Modified-Since: Wed, 01 Mar 2017 11:12:43 GMT
If-None-Match: "58b6acab-2203"

Thank you, Best Regards

-- MaksymParpaley - 2017-03-01


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:12;)

Added 2017-01-12 17:36:21 UTC

Hello. FP for the Stocks Tracker application. Please consider a rule modification:

Information about application: https://itunes.apple.com/us/app/stocks-tracker-real-time-stock/id517166254?mt=8

Pcap:

GET /usage?cmd=ads&deviceType=iPhone&token=XXXXXXXXXXXXXX&p=StockTracker&v=7.0.2&f=0&brk=(null)&por=0 HTTP/1.1
Host: www.dajax.com
User-Agent:
Connection: keep-alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Tue, 21 Feb 2017 14:48:32 GMT

2000 {"eTradeApiURL":"http://ws2.stocktrackeralert.com/etradeApi","maxAskReview":"2","SHOW_FB_ON_LIST":"true","RequireFullVersionForTrade":"NO","MAX_CHART_PERDAY":"5","TradeItUrl":"https://ems.tradingticket.com/universalTradingTicket","chartDataUrl":.....................................................

Thank you, BR Maksym

-- MaksymParpaley - 2017-02-21

We're adding a negation for dajax[.]com, however not for tbliab[.]net (looks like some sort of tracking which often falls under the 'MALWARE' category, which in our case are PUP/PUA applications)

-- DarienH - 2017-02-21


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:11;)

Added 2016-03-23 18:08:02 UTC

Hello. Can you please add an exception for metrics.tbliab.net?

Rule triggers during normal behavior of the Android game CastleStorm_-_Free_to_Siege. Please look at https://apkscan.nviso.be/report/show/c13c753c8e4f075cbf527527a88318dc (we did a scan of that game). This game needs this - http://metrics.tbliab.net/apptrak?eses

PCAP:

GET /apptrak?eses=A2B053...........................data......................... HTTP/1.1
User-Agent:
Host: metrics.tbliab.net
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 05 Jan 2017 20:40:46 GMT

{ "Result": "Success", "SessionID": "A2B0....data....." }

Thanks!

-- MaksymParpaley - 2017-01-06

Dear ET, any ideas about http://metrics.tbliab.net/apptrak?eses? Are you planning to add a negation?

Regards

-- MaksymParpaley - 2017-01-11


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:10;)

Added 2016-02-16 22:39:50 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:10;)

Added 2016-02-16 17:47:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:8;)

Added 2012-07-23 21:19:16 UTC

False positive, it's a mobile connection from the Android app Deezer.

GET /mobile/1/1d2d4646768803d040c62ac7f445d0de0d1515914afcee08e07dbf04dcf1196deb366e22ed6691d4a560e6096b7586094399bf09f2339c0a4d2f7533c8f9a8267faf245b02f937ac87e012fdeb292ffe HTTP/1.1
User-Agent:
Range: bytes=16252928-16777215
Host: e-cdn-proxy-d.deezer.com
Accept-Encoding: gzip
Cookie: sid=fr48cb80faefb5136c7f9803625a1cec9911fd12
Via: 1.1 localhost (squid/3.4.10)
X-Forwarded-For: 172.16.128.68
Cache-Control: max-age=259200
Connection: keep-alive

-- BryceSIMON - 2016-02-16


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;)

Added 2011-12-15 18:09:34 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;)

Added 2011-10-12 19:24:14 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; sid:2007994; rev:7;)

Added 2011-09-14 22:37:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:7;)

Added 2011-02-04 17:27:05 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\:|20 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)

Added 2010-07-28 16:15:58 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)

Added 2009-10-19 09:15:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2007994; rev:2;)

Added 2009-02-09 22:22:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; sid:2007994; rev:1;)

Added 2008-03-13 16:59:10 UTC


Topic revision: r17 - 2017-04-12 - DarienH