alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WebForm? 1)"; flow:to_server,established; content:"User-Agent|3a| WebForm?"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:7;)

Added 2011-10-12 19:24:46 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WebForm? 1)"; flow:to_server,established; content:"User-Agent|3a| WebForm?"; http_header; threshold:type limit,count 2,track by_src,seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; sid:2008262; rev:7;)

Added 2011-09-14 22:38:14 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm? 1)"; flow:to_server,established; content:"User-Agent|3a| WebForm?"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008262; rev:6;)

Added 2011-02-04 17:27:22 UTC

User-Agent known to be used by a variety of branded crapware/spyware/adware and toolbars. Most common and recent examples communicate with www.app-zilla.com. See for reference the following:

Numerous and varied AV detection names, including Trojan/Agent.cwwu, Win32/Agent.FM, Trojan.Win32.Downloader.65536.JE.

Associated "branding" includes garbage such as registry cleaner utilities, iTunes export apps, data mirror software, image convert utilities, etc. Common URI path giveaways include /register_datamirror_z.php and register_datamirror_yz.php (with datamirror substituted with the respective branding). Associated software also described as resisting uninstall and likely monetizing via PPI schemes and/or trojan drops.

We've got additional hits on this also used by eType (etype.com, epyte.com):

GET /CheckBadUpdater.aspx?Test=False&version=1.0.1.387 HTTP/1.1
User-Agent: WebForm 1
Host: newversion.epyte.com
Cache-Control: no-cache

GET /ClientSettings/GetClientSettings.aspx HTTP/1.1
User-Agent: WebForm 1
Host: backofficesite.epyte.com
Cache-Control: no-cache

GET /GetScoreboardData2.aspx?computername=10657542-77e4-6142-a1e5-6adbd3c636a2
HTTP/1.1
User-Agent: WebForm 1
Host: www.epyte.com
Cache-Control: no-cache

-- DarrenSpruell - 16 Aug 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm? 1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: WebForm?"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008262; rev:4;)

Added 2009-10-19 09:15:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm? 1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: WebForm?"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008262; rev:4;)

Added 2009-10-19 09:15:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (WebForm? 1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: WebForm?"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008262; rev:2;)

Added 2009-02-09 22:22:08 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (WebForm? 1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: WebForm?"; classtype:trojan-activity; sid:2008262; rev:1;)

Added 2008-05-24 14:38:23 UTC


Topic revision: r2 - 2011-08-16 - DarrenSpruell
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats