EmergingThreats> Main Web>2001892 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:30:23 UTC

Downloading the WinAmp? toolbar (http://www.winamp.com/toolbar) triggers this alert. Here is an example payload.

GET /winamp/client/bundles/toolbar.exe HTTP/1.0

Host: download.nullsoft.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: /

-- KevinBranch - 28 Dec 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:29:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)

Added 2009-02-09 21:29:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:6;)

Added 2008-01-28 17:24:19 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:6;)

Added 2008-01-28 17:24:19 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner? Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:5; )



Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2009-12-28 - KevinBranch
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats