alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; content:!".kugou.com"; http_host; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:bad-unknown; sid:2003626; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
Added 2020-08-31 18:09:16 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; content:!".kugou.com"; http_host; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:bad-unknown; sid:2003626; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_13;)
Added 2020-08-05 19:01:54 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; content:!".kugou.com"; http_host; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:bad-unknown; sid:2003626; rev:16; metadata:created_at 2010_07_30, updated_at 2019_08_13;)
Added 2019-12-31 19:14:18 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; content:!".kugou.com"; http_host; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:16; metadata:created_at 2010_07_30, updated_at 2019_08_13;)
Added 2019-09-26 19:54:55 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; content:!".kugou.com"; http_host; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:16; metadata:created_at 2010_07_30, updated_at 2019_08_13;)
Added 2019-08-15 20:32:54 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; content:!".kugou.com"; http_host; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:15; metadata:created_at 2010_07_30, updated_at 2019_08_13;)
Added 2019-08-13 19:54:22 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:14; metadata:created_at 2010_07_30, updated_at 2017_11_27;)
Added 2018-09-13 19:38:56 UTC
Added 2018-09-13 17:53:20 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:14; metadata:created_at 2010_07_30, updated_at 2017_11_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com|3a|80"; http_host; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:13; metadata:created_at 2010_07_30, updated_at 2017_11_27;)
Added 2017-11-27 16:30:27 UTC
Alert firing after LG TV startup - unsure why, since rev:13 includes content:!".lge.com|3a|80" - this string is found in the packet but the rule still triggers. When I edit the rule to content:!".lge.com" the alert does not fire.
--
KiaMatthews - 2018-09-01
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; content:!"User-Agent|3A| SogouMobileTool"; nocase; http_header; content:!".lge.com|3a|80|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 20:56:51 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; content:!"User-Agent|3A| SogouMobileTool"; nocase; http_header; content:!".lge.com|3a|80|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:12;)
Added 2016-12-20 18:01:30 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; content:!"User-Agent|3A| SogouMobileTool"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:9;)
Added 2014-04-14 19:22:49 UTC
Please modify the rule:
Reason:
- Every time the LG TV starts up, within 30 seconds, it calls home (looks like update check):
POST /CheckSWAutoUpdate.laf HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: snu.lge.com:80
Connection: Keep-Alive
Content-type: application/x-www-form-urlencoded
Content-Length: 572
DATA
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2016 08:23:56 GMT
Content-length: 508
Content-type: application/octet-stream;charset=UTF-8
Pragma: no-cache;
Expires: -1;
Content-Transfer-Encoding: binary;
DATA
After decoding (Base64 format) we see that it is really "call home" and "update check" network activity.
--
MaksymParpaley - 2016-12-20
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:8;)
Added 2011-12-15 18:09:21 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:8;)
Added 2011-10-12 19:13:48 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; sid:2003626; rev:8;)
Added 2011-09-14 22:26:48 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003626; rev:8;)
Added 2011-02-04 17:22:35 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003626; rev:5;)
Added 2009-10-19 09:15:43 UTC
Noticed what appears to be a false positive.
There was a Double User-Agent in what looks like traffic to the Giants football team website. Here is the payload below that triggered it (what is weird is that I wasn't able to duplicate the alert by going to the URL in the payload, www.giants.com/gameday/SeatingChart.asp).
GET /gameday/SeatingChart.asp HTTP/1.1
Accept: */*
Accept-Encoding: gzip
X-moz: prefetch
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.giants.com
Connection: Keep-Alive
--
JaredB - 09 Dec 2009
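The three comments above (KiaMatthews on the rev 13 exclusion that never suppressed the LG TV alert, MaksymParpaley's LG update-check capture, and JaredB's giants.com false positive) all come down to how the rule's content matches evaluate against the normalized User-Agent and Host buffers. The following is an added worked model of that evaluation, not Emerging Threats' rule code or any Suricata internals. The one assumption it makes, labelled in the code, is that the engine's http_host buffer is lowercased and carries no ":port" suffix, which is the simplest reading of why rev 13's `.lge.com|3a|80` exclusion did not match while rev 14's `.lge.com` did. The sample requests are constructed from the captures quoted in the comments; the SogouMobileTool request is entirely made up, with only the excluded token taken from the rule.

```python
"""Model of how ET sid 2003626 ("Double User-Agent") decides to alert,
run over constructed HTTP requests. Added illustration; not Emerging
Threats' or Suricata's code."""
from typing import Dict, List, Tuple


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a map of
    lowercased header name -> value. The body after the blank line is
    ignored because none of the rule's content matches look at it."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_buffer(headers: Dict[str, str], strip_port: bool = True) -> str:
    """ASSUMPTION: the normalized http_host buffer is lowercase and has any
    ':port' suffix removed. strip_port=False models a buffer that keeps it."""
    host = headers.get("host", "").lower()
    if strip_port and ":" in host:
        host = host.rsplit(":", 1)[0]
    return host


def is_double_user_agent(ua: str) -> bool:
    """content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent
    The pattern is exactly 12 bytes, so depth:12 pins it to offset 0: the
    header *value* itself begins with a second 'User-Agent: ' prefix."""
    return ua[:12].lower() == "user-agent: "


def rule_fires(raw: str, ua_exclusions: List[str], host_exclusions: List[str],
               strip_port: bool = True) -> bool:
    """True when the request would trigger the alert under a revision's
    exclusion lists. A negated match (content:!"...") suppresses the alert
    whenever the excluded string appears anywhere in its buffer."""
    _, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    if not is_double_user_agent(ua):
        return False
    if any(x.lower() in ua.lower() for x in ua_exclusions):
        return False
    host = host_buffer(headers, strip_port)
    if any(x.lower() in host for x in host_exclusions):
        return False
    return True


# Exclusion lists copied from the rule revisions on this page.
REV13 = {"ua_exclusions": ["SogouMobileTool"], "host_exclusions": [".lge.com:80"]}
REV14 = {"ua_exclusions": ["SogouMobileTool"], "host_exclusions": [".lge.com"]}
REV16 = {"ua_exclusions": ["SogouMobileTool"],
         "host_exclusions": [".lge.com", ".kugou.com"]}


def _req(*lines: str) -> str:
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed requests modelled on the captures quoted in the comments.
LG_TV_UPDATE_CHECK = _req(
    "POST /CheckSWAutoUpdate.laf HTTP/1.1",
    "Accept: */*",
    "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Host: snu.lge.com:80",
    "Connection: Keep-Alive",
)
GIANTS_PREFETCH = _req(
    "GET /gameday/SeatingChart.asp HTTP/1.1",
    "Accept: */*",
    "X-moz: prefetch",
    "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
    "Host: www.giants.com",
)
ORDINARY_BROWSER = _req(
    "GET / HTTP/1.1",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Host: www.example.com",
)
SOGOU_TOOL = _req(  # constructed; only the excluded token comes from the rule
    "GET /update HTTP/1.1",
    "User-Agent: User-Agent: SogouMobileTool",
    "Host: www.example.com",
)

if __name__ == "__main__":
    for label, req, rev, strip in [
        ("LG TV / rev 13 / host buffer without port", LG_TV_UPDATE_CHECK, REV13, True),
        ("LG TV / rev 13 / host buffer with port", LG_TV_UPDATE_CHECK, REV13, False),
        ("LG TV / rev 14", LG_TV_UPDATE_CHECK, REV14, True),
        ("giants.com prefetch / rev 16", GIANTS_PREFETCH, REV16, True),
        ("ordinary browser / rev 16", ORDINARY_BROWSER, REV16, True),
        ("SogouMobileTool / rev 16", SOGOU_TOOL, REV16, True),
    ]:
        print(f"{label:45} alert={rule_fires(req, strip_port=strip, **rev)}")
```

Under the port-stripping assumption the rev 13 exclusion can never match `snu.lge.com:80`, so the LG TV alert keeps firing exactly as KiaMatthews reported, and dropping the `:80` (rev 14) makes it go quiet. The giants.com prefetch still alerts under every revision, which is the false positive JaredB describes: the rule only tests the header shape, not who sent it, so any client that emits a doubled prefix looks the same as the adware the signature was written for.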
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003626; rev:5;)
Added 2009-10-19 09:15:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003626; rev:3;)
Added 2009-02-09 21:30:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003626; rev:3;)
Added 2009-02-09 21:30:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003626; rev:3;)
Added 2009-02-09 21:29:25 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003626; rev:3;)
Added 2009-02-09 21:29:25 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; sid:2003626; rev:2;)
Added 2008-01-28 17:24:21 UTC
We are finding a high correlation between this rule and users running Google Desktop.
--
MikeWazowski - 04 Feb 2009
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; sid:2003626; rev:2;)
Added 2008-01-28 17:24:21 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; sid:2003626; rev:1;)
Added 2007-04-30 09:45:18 UTC