alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; content:!".hddstatus.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 21:02:59 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; content:!".hddstatus.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:7;)

Added 2017-01-27 17:01:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; fast_pattern:18,20; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:7;)

Added 2011-10-12 19:28:26 UTC

Hello. We are observing FPs during normal behavior of SpeedFan software. Please consider rule modification.

Basic information about SpeedFan:

http://www.almico.com/sfarticle.php?id=5 https://speedfan.en.softonic.com/

From the PCAP we see that the software communicates with the URL hddstatus.com

What is hddstatus.com?: http://www.hddstatus.com/index.php

How is SpeedFan related to hddstatus.com?:

Information from www.hddstatus.com: HddStatus checks the S.M.A.R.T. information reported by your hard disks and, thanks to an advanced proprietary technology (based on crowd knowledge and statistical modeling), can inform you when your data needs attention with expert-like advice. This technology is already partially available in SpeedFan (just perform an "in-depth online analysis"). HddStatus exploits the power of that technology and makes it available on most Linux/Unix systems. This makes it an invaluable tool for system administrators.

http://www.hddstatus.com/hdrepanalysis.php Details hddSTATUS + SpeedFan

PCAP from network flow:

POST /hdrepsend.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/3.0 (compatible)
Host: www.hddstatus.com
Content-Length: 2222

HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 21:50:27 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.4.16
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 27 Jan 2017 21:50:27 GMT
X-Content-Type-Options: nosniff
x-xss-protection: 1; mode=block
Content-Length: 418
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Properly connected to the REPORTS' database<br>
Properly connected to the DATA database<br>
There are 3333 hard disk models in the current statistics database<br>
This is the answer to your request<br>
Software=SpeedFan 4.51<br>
Data version=1<br>
Checksum=xxxxxxxxxxxxxxxxxxxxx<br>
Computed checksum=xxxxxxxxxxxxxxxxxxxxxxxx<br>
ANSWER=0<br>
ReportCode=xxxxxxxxxxxxxxx<br>
ReportVerification=xxxxxxxxxxxxxxx<br>

Regards, thanks!

-- MaksymParpaley - 2017-01-27
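The following is an added example, not part of the ET doc page or of SpeedFan/hddstatus.com: a small Python model of sid 2009867 that applies the rule's User-Agent content match, the negated `.hddstatus.com` http_header match that rev 7 introduced after the report above, and the `threshold: type limit, count 2, track by_src, seconds 300` suppression, run over constructed requests. The sample requests, IP addresses and the `unknown.example` host name are constructed placeholders, and the matcher searches raw header bytes rather than normalized HTTP buffers.

```python
from collections import defaultdict

# Bytes the rule matches: content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header;
UA_MATCH = b"User-Agent: Mozilla/3.0 (compatible)\r\n"
# rev 7 negated match: content:!".hddstatus.com|0d 0a|"; http_header;
EXCLUDE = b".hddstatus.com\r\n"

def rule_matches(raw_request: bytes, rev: int = 7) -> bool:
    """True if the content checks of sid 2009867 fire on one raw HTTP request.
    Approximation: raw header bytes are searched, no HTTP normalization."""
    end = raw_request.find(b"\r\n\r\n")
    headers = raw_request if end < 0 else raw_request[:end + 4]
    if UA_MATCH not in headers:
        return False
    # rev 7 suppresses SpeedFan's hddstatus.com report upload (the FP above)
    return not (rev >= 7 and EXCLUDE in headers)

class LimitThreshold:
    """threshold: type limit, count N, track by_src, seconds S:
    alert on the first N matches per source, then stay quiet until S seconds
    have passed since the first match of that window."""
    def __init__(self, count: int = 2, seconds: int = 300):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(lambda: [None, 0])  # src -> [start, alerts]

    def allow(self, src: str, now: float) -> bool:
        start, n = self.windows[src]
        if start is None or now - start >= self.seconds:
            self.windows[src] = [now, 1]
            return True
        if n < self.count:
            self.windows[src][1] = n + 1
            return True
        return False

def run_sensor(events, rev: int = 7, count: int = 2, seconds: int = 300):
    """events: (timestamp, src_ip, raw_request) tuples in time order. Returns alerts."""
    thr = LimitThreshold(count, seconds)
    return [(ts, src) for ts, src, req in events
            if rule_matches(req, rev) and thr.allow(src, ts)]

# Constructed sample traffic (not captured data): SpeedFan's report upload as
# shown in the FP report, and an unknown client with the same User-Agent.
SPEEDFAN = (b"POST /hdrepsend.php HTTP/1.0\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"User-Agent: Mozilla/3.0 (compatible)\r\n"
            b"Host: www.hddstatus.com\r\nContent-Length: 0\r\n\r\n")
UNKNOWN = (b"GET / HTTP/1.0\r\nUser-Agent: Mozilla/3.0 (compatible)\r\n"
           b"Host: unknown.example\r\n\r\n")  # placeholder host, not an indicator
```

Running `run_sensor` with `rev=6` shows the SpeedFan upload alerting alongside the unknown client, while `rev=7` keeps only the unknown client and caps it at two alerts per 300-second window.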


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; fast_pattern:18,20; threshold: type limit, count 2, track by_src, seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009867; sid:2009867; rev:7;)

Added 2011-09-14 22:41:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; fast_pattern:18,20; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009867; rev:6;)

Added 2011-02-04 17:29:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009867; rev:3;)

Added 2009-10-19 09:15:44 UTC

This was a false positive for me; it detected traffic of TD Ameritrade's StrategyDesk, which connects to IPs 38.111.144.154:80 and 66.112.151.76:80 and uses the same user agent.

-- GeobioBoo - 01 Nov 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009867; rev:3;)

Added 2009-10-19 09:15:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2009867; rev:1;)

Added 2009-09-04 11:15:36 UTC


Topic revision: r4 - 2017-01-27 - MaksymParpaley