EmergingThreats> Main Web>2003492 (2018-08-24, SandorAlma) EditAttach

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:30; metadata:created_at 2010_07_30, updated_at 2017_12_01;)

Added 2018-09-13 19:38:51 UTC

Added 2018-09-13 17:53:17 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:30; metadata:created_at 2010_07_30, updated_at 2017_12_01;)

Added 2017-12-01 17:37:46 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:30; metadata:created_at 2010_07_30, updated_at 2017_12_01;)

Added 2017-12-01 16:43:58 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:29; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

Added 2017-10-27 16:27:01 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28; metadata:created_at 2010_07_30, updated_at 2017_03_06;)

Added 2017-08-07 20:56:45 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28;)

Added 2017-05-05 16:58:49 UTC

FP. Opus software update

PCAP screenshot from Wireshark in attachment

http://www.gpsoft.com.au/program/program.html

-- DenisI - 2017-05-18

gpsoft.com.au and dopus.com should be excluded from rule

-- DenisI - 2017-05-18

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28;)

Added 2017-05-03 17:35:06 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28;)

Added 2017-04-13 16:57:16 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:27;)

Added 2017-04-07 17:03:28 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com "; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:26;)

Added 2017-03-28 17:13:11 UTC

There is mistake in rule. You need to remove the space after mobolize.com "

GET /download/ver/D45FC737-214E-8EB0-3E58-11B8B4114A0F HTTP/1.1 X-mobo-no-alias: yes User-Agent: Mozilla/4.0 X-mobo-client-version: 2.0.0.174 Host: web-sprint.mobolize.com Connection: Keep-Alive Accept-Encoding: gzip

HTTP/1.1 200 OK

-- DenisI - 2017-04-07

Thanks, we'll get this fixed up today!

-- DarienH - 2017-04-07

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:25;)

Added 2017-03-07 18:33:27 UTC

FP with Decked Builder mobile app deckedbuilder.com

PCAP: ET /price/tcglo/417817 HTTP/1.1 User-Agent: Mozilla/4.0 Host: dbpricerails2.deckedbuilder.com Connection: Keep-Alive Accept-Encoding: gzip

-- PhillipPeterson - 2017-03-25

Fixing this today, thanks!

-- DarienH - 2017-03-28

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:24;)

Added 2017-01-12 17:36:21 UTC

Hello. FP for Secure WiFi? mobile application. More about application here: https://play.google.com/store/apps/details?id=com.mobolize.sprint.securewifi&hl=uk

Additional information how Mobolize related to Sprint: http://www.fiercewireless.com/wireless/sprint-partners-mobolize-to-improve-network-performance-for-enterprise-users

Event PCAP:

GET /download/ver/D9637353-0F53-7D2B-E547-38EF6D13B339 HTTP/1.1 X-mobo-no-alias: yes User-Agent: Mozilla/4.0 X-mobo-client-version: 1.1.0.114 Host: web-sprint.mobolize.com Connection: Keep-Alive Accept-Encoding: gzip

HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Thu, 02 Mar 2017 19:47:37 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 Content-Length: 9 Connection: keep-alive

1.1.0.114

Please consider rule modification

Thank you Best Regards

-- MaksymParpaley - 2017-03-03

Update Thank you

-- MaksymParpaley - 2017-03-06

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:23;)

Dear ET! One more FP detected. Now signature tripped during normal behavior of Mobolize Secure WiFi? application

PCAP:

GET /download/ver/D9637353-0F53-7D2B-E547-38EF6D13B339 HTTP/1.1

X-mobo-no-alias: yes

User-Agent: Mozilla/4.0

X-mobo-client-version: 1.1.0.108

Host: web-sprint.mobolize.com

Connection: Keep-Alive

Accept-Encoding: gzip

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 09 Jan 2017 22:39:54 GMT

Server: Apache/2.2.9 (Fedora)

X-Powered-By: PHP/5.2.6

Content-Length: 9

Connection: keep-alive

1.1.0.108

Links to application and docs: http://www.mobolize.com/wp/wp-content/uploads/2016/09/Mobolize-Secure-Wi-Fi-ds-2016.pdf https://play.google.com/store/apps/details?id=com.mobolize.sprint.securewifi&hl=uk http://www.mobolize.com/product/

Regards

UPDATE for DuoMi?:

Looks like DuoMi? is malicious application.

-- MaksymParpaley - 2017-01-12

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:21;)

Added 2016-05-05 18:22:51 UTC

Hello, I have a false positive alerts on download via smartphone xiaomi redmi 3 pro (MIUI 8 stable china) when enabled options Xunlei download engine in download settings.

-- SergeyMalinkin - 2016-09-15

-- MaksymParpaley - 2016-12-28

We are observing FP for WeChat? application (weixin). Please modify the rule.

POST /cgi-bin/mmsupport-bin/stackreport?version=16050222&filelength=338356&sum=1e05f2cc97f15d5cce3699f3f7c723ed&reporttype=2002&devicetype=iphone_iOS10.1.1&username=XXXXX HTTP/1.1 Host: support.weixin.qq.com Content-Type: application/x-www-form-urlencoded Cookie: pgv_pvid=6641066904 Connection: keep-alive Accept: / User-Agent: Mozilla/4.0 Content-Length: 47928 Accept-Language: en-us Accept-Encoding: gzip, deflate

We suggest to add (modify): content:!"weixin.qq.com"

Please do modification. Looking forward.

-- MaksymParpaley - 2016-12-28

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:19;)

Added 2015-08-21 18:49:12 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:18;)

Added 2015-03-24 19:03:05 UTC

logmein ignore isn't working due to a missing space. I've found the following works in our environment as of today: Host|3a 20|secure|2e|logmein|2e|com|0d 0a|

-- StefanSchwoegler - 2015-08-21

Whoops smile Thanks, I'll get that fixed up!

-- DarienH - 2015-08-21

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:17;)

Added 2015-02-25 15:28:14 UTC

"secure.digitalalchemy.net.au" - False positives generated by this URL. Digital Alchemy is a Australian marketing analytics company.

-- JulianGarthwaite - 2015-03-23

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:16;)

Added 2014-06-16 20:29:07 UTC

This threw a ton of false positives last night for "http://slickdeals.net/" "Mozilla/4.0" and for "http://www.cloudera.com/content/cloudera/en/home.html" "Mozilla/4.0"

-- SamScholten - 2015-02-20

Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.

-- DarienH - 2015-02-20

Hmm okay, we can add a negation... Mozilla/4.0 by itself isn't usually used as a real browser's UA, any idea what was making those requests?

-- DarienH - 2015-02-20

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"PREF|3d|ID|3d|"; nocase; http_cookie; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:14;)

Added 2013-12-09 19:23:34 UTC

Seems that this rule throws a false positive when the host is: weixin.qq.com. We have a handful of users using WeChat? client.

-- EricVargas - 2014-06-16

We will get this fixed up ASAP.

-- FrancisTrudeau - 2014-06-16

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"PREF|3d|ID|3d|"; nocase; http_cookie; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:13;)

Added 2012-06-22 00:48:41 UTC

this is a false positive when the host is secure.logmein.com. Would add the following to the rule: content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header;

-- DjThomason - 24 Jul 2012

I am also seeing false positives with logmein.com.

-- MatthewTrent - 2013-12-06

Fixing this up, thanks!

-- MattJonkman - 2013-12-06

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;)

Added 2011-12-30 19:58:58 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;)

Added 2011-12-30 19:24:07 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;)

Added 2011-12-30 18:03:20 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:11;)

Added 2011-12-15 18:09:17 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:11;)

Added 2011-10-12 19:13:34 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; sid:2003492; rev:11;)

Added 2011-09-14 22:26:33 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003492; rev:10;)

Added 2011-02-04 17:22:30 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003492; rev:8;)

Added 2009-10-19 09:15:43 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003492; rev:8;)

Added 2009-10-19 09:15:43 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)

Added 2009-02-09 21:30:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)

Added 2009-02-09 21:30:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)

Added 2009-02-09 21:29:25 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)

Added 2009-02-09 21:29:25 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; sid:2003492; rev:5;)

Added 2008-01-28 17:24:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; sid:2003492; rev:4;)

Added 2008-01-09 17:42:41 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003492; sid:2003492; rev:3;)

Added 2007-04-03 10:56:11 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003492; sid:2003492; rev:2;)

Added 2007-03-16 11:45:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozila/4.0)"; flow:to_server,established; content:"User-Agent\: Mozila/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003492; sid:2003492; rev:1;)

Added 2007-03-16 10:55:22 UTC

Found some of these with Mozilla misspelled Mozila in the spyware listening post logs. Wasn't able to find them in any legitimate logs, so this might be an interesting way to catch some of the spyware trying to be stealthy.

Please report any issues with the sig here, and let us also know about any positive hits.

-- MattJonkman - 16 Mar 2007

  • packet.pcap: Demonstrates the false positive associated with secure.logmein.com

  • packet.pcap: Demonstrates the false positive associated with secure.logmein.com

Edit | Attach | Print version | History: r29 < r28 < r27 < r26 < r25 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r29 - 2018-08-24 - SandorAlma
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats