EmergingThreats> Main Web>2001892 (2009-12-28, MattJonkman) EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:30:23 UTC

Downloading the WinAmp? toolbar (http://www.winamp.com/toolbar) triggers this alert. Here is an example payload.

GET /winamp/client/bundles/toolbar.exe HTTP/1.0

Host: download.nullsoft.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: /

-- KevinBranch - 28 Dec 2009

I think this sig has outlived it's usefulness. I'll disable it. Thanks for the report Kevin!

Matt

-- MattJonkman - 28 Dec 2009

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:30:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:29:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:29:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:6;)

Added 2008-01-28 17:24:19 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:6;)

Added 2008-01-28 17:24:19 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:5; )

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2009-12-28 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats