2001892 < Main < EmergingThreats

Main Web>2001892 (2009-12-28, MattJonkman) (raw view)
 <h2>
 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

</h2>

Added 2009-02-09 21:30:23 UTC


 

Downloading the WinAmp toolbar (http://www.winamp.com/toolbar) triggers this alert.  Here is an example payload.

GET /winamp/client/bundles/toolbar.exe HTTP/1.0

Host: download.nullsoft.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

-- Main.KevinBranch - 28 Dec 2009


I think this sig has outlived it's usefulness. I'll disable it. Thanks for the report Kevin!

Matt

-- Main.MattJonkman - 28 Dec 2009
%COMMENT{type="threadmode" default="Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps." button="Add to Documentation" }%
 
 <hr>
 


 <h2>
 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

</h2>

Added 2009-02-09 21:30:23 UTC


 
 <hr>
 


 <h2>
 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

</h2>

Added 2009-02-09 21:29:24 UTC


 
 <hr>
 


 <h2>
 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

</h2>

Added 2009-02-09 21:29:24 UTC


 
 <hr>
 


 <h2>
 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:6;)

</h2>

Added 2008-01-28 17:24:19 UTC


 
 <hr>
 


 <h2>
 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:6;)

</h2>

Added 2008-01-28 17:24:19 UTC


 
 <hr>
 


 <h2>
 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:5; )

 </h2>
 <hr>
 
 
 <hr>
Topic revision: r3 - 2009-12-28 - MattJonkman
Main
User Reference
ATasteOfTWiki
TextFormattingRules
Signature Reference
WebRss Feed
EmergingFAQ