alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; content:"Windows NT 9"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 9/Hmi"; classtype:trojan-activity; sid:2015822; rev:1;)
Added 2012-10-19 17:25:52 UTC
This can be triggered by a craigslist watch/search app downloaded from the Google store. I have now had two different users that when they saw the packet contents were able to say that that was their own activity and that they were using a smart phone app they downloaded from Google Play. In one case the user was also able to confirm that he had not rooted his phone and was running smartphone based AV software (lookout) so the chance that this is an infection is relatively low.
- 19 Nov 2012