# sid 2009785, rev 9. The leading '#' comments the rule out, so it is disabled as listed.
# Matches "User-Agent: Qvod" case-insensitively (nocase) in the HTTP header buffer (http_header).
# Nothing anchors the end of the value, so any agent string that begins with "Qvod" matches.
# Protocol is 'http' and the destination port is 'any', so matching does not depend on a port list.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:trojan-activity; sid:2009785; rev:9;)

Added 2016-09-29 19:19:53 UTC


# sid 2009785, rev 8, msg category "ET MALWARE".
# Prefix match on the User-Agent value: "User-Agent: Qvod" (nocase) in the HTTP header buffer.
# Destination is limited to $HTTP_PORTS, so HTTP on a port outside that variable is not covered.
# classtype is trojan-activity although the match is on the agent name alone; triage alerts
# against the destination host before treating them as an infection.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:trojan-activity; sid:2009785; rev:8;)

Added 2011-12-15 18:09:41 UTC

Alerting on the "QVODTerminal" user agent. QvodTerminal is part of QvodPlayer, which is software developed by Shenzhen QVOD Technology Co., Ltd., which owns the IP and hostname that the traffic is destined to. Legit software, but there have been instances of trojaned versions of the software being downloaded. The trojaned versions tend to come from URLs not associated with the developers, so the fact that these requests are going to the expected URLs means they are probably false positives. The rule looks a little vague: it matches any User-Agent value that begins with "Qvod", not a specific malicious build.

-- HunterMorrell - 2016-09-29


# sid 2009785, rev 8, msg category "ET USER_AGENTS".
# Same match logic as the other rev 8 entries on this page; only the msg category differs.
# Several distinct texts share sid 2009785 rev 8 here, so sid+rev alone does not identify
# which text produced an alert. Compare the msg string as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:trojan-activity; sid:2009785; rev:8;)

Added 2011-10-12 19:28:15 UTC


# sid 2009785, rev 8, msg category "ET USER_AGENTS".
# classtype is written before the reference keywords here. Both are metadata, so the match is
# unchanged: "User-Agent: Qvod" (nocase) in the HTTP header buffer, to_server, on $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; sid:2009785; rev:8;)

Added 2011-09-14 22:41:32 UTC


# sid 2009785, rev 8, msg category "ET USER_AGENTS".
# Carries an additional cvsweb reference URL; the detection options are otherwise the
# header-buffer prefix match "User-Agent: Qvod" (nocase) towards $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QVOD; sid:2009785; rev:8;)

Added 2011-02-04 17:29:10 UTC


# sid 2009785, rev 5.
# No http_header modifier: the pattern is matched against the payload, not a parsed HTTP buffer.
# The leading CRLF (|0d 0a|) ties the match to the start of a header line.
# No request-method check and no terminator after "Qvod", so any method and any agent string
# that begins with "Qvod" matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Qvod"; nocase; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QVOD; sid:2009785; rev:5;)

Added 2010-01-17 23:59:13 UTC


# sid 2009785, rev 5 (second listing with the same timestamp and text).
# Payload match on CRLF + "User-Agent: Qvod" (nocase) without an http_header modifier.
# The value is a prefix only, so every "Qvod..." agent string on $HTTP_PORTS matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Qvod"; nocase; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QVOD; sid:2009785; rev:5;)

Added 2010-01-17 23:59:13 UTC


# sid 2009785, rev 4, msg category "ET USER_AGENTS".
# Requires "GET " in the first 4 payload bytes (depth:4), then a complete User-Agent header
# line (CRLF on both sides) ending within 300 bytes of that match (within:300).
# Coverage limits: other request methods never match, and a request whose User-Agent line
# ends more than 300 bytes after "GET " (long URI or earlier headers) is missed.
# NOTE(review): the '?' after QvodDown in msg and content looks like a wiki link marker left
# by page rendering, not part of the rule; as written the pattern needs a literal '?'.
# Confirm against the distributed rule file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (QvodDown?) - GET"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: QvodDown?|0d 0a|"; nocase; within:300; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QVOD; sid:2009785; rev:4;)

Added 2009-11-25 11:39:03 UTC


# sid 2009785, rev 4 (second listing with the same timestamp and text).
# GET-only: "GET " at payload offset 0-3, then the exact CRLF-delimited User-Agent line,
# which must end within 300 bytes of the "GET " match.
# NOTE(review): the '?' after QvodDown is presumably a wiki rendering marker rather than
# rule text; verify against the distributed rule file before reusing this line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (QvodDown?) - GET"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: QvodDown?|0d 0a|"; nocase; within:300; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QVOD; sid:2009785; rev:4;)

Added 2009-11-25 11:39:03 UTC


# sid 2009785, rev 2, msg category "ET MALWARE".
# Same detection options as the rev 4 text on this page ("GET " at depth 4, exact User-Agent
# line within 300 bytes); the msg category and the cvsweb reference path are what differ.
# NOTE(review): the '?' after QvodDown is presumably a wiki rendering marker rather than
# rule text; verify against the distributed rule file before reusing this line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown?) - GET"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: QvodDown?|0d 0a|"; nocase; within:300; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2009785; rev:2;)

Added 2009-08-31 16:38:43 UTC


# sid 2009785, rev 2 (second listing with the same timestamp and text).
# Payload match without HTTP buffers: "GET " in the first 4 bytes, then the exact
# CRLF-delimited User-Agent line ending within 300 bytes of it (nocase applies to that line).
# NOTE(review): the '?' after QvodDown is presumably a wiki rendering marker rather than
# rule text; verify against the distributed rule file before reusing this line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown?) - GET"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: QvodDown?|0d 0a|"; nocase; within:300; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2009785; rev:2;)

Added 2009-08-31 16:38:43 UTC


# sid 2009785, rev 1 (earliest text on this page).
# Matches one exact agent string on GET requests only: "GET " in the first 4 payload bytes,
# then the CRLF-delimited User-Agent line ending within 300 bytes of it.
# Only the two third-party report URLs are referenced; there is no doc.emergingthreats.net entry.
# NOTE(review): the '?' after QvodDown is presumably a wiki rendering marker rather than
# rule text; verify against the distributed rule file before reusing this line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (QvodDown?) - GET"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: QvodDown?|0d 0a|"; nocase; within:300; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; sid:2009785; rev:1;)

Added 2009-08-26 10:45:36 UTC


Topic revision: r2 - 2016-09-29 - HunterMorrell
 