EmergingThreats > Main Web > 2007567 (revision 4)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; classtype:trojan-activity; sid:2007567; rev:1;)

Added 2007-08-29 09:46:50 UTC

http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=1

-- ShirkDog - 29 Aug 2007

Possible false alarm. Looks like this is one of my users using RealPlayer.

000 : 47 45 54 20 2F 72 68 61 70 73 65 72 76 65 72 20   GET /rhapserver 
010 : 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41   HTTP/1.1..User-A
020 : 67 65 6E 74 3A 20 75 6E 6B 6E 6F 77 6E 0D 0A 48   gent: unknown..H
030 : 6F 73 74 3A 20 72 68 61 70 2D 61 70 70 2D 34 2D   ost: rhap-app-4-
040 : 30 2E 72 65 61 6C 2E 63 6F 6D 0D 0A 43 6F 6F 6B   0.real.com..Cook
050 : 69 65 3A 20 72 68 61 70 73 6F 64 79 49 6E 73 74   ie: rhapsodyInst
060 : 61 6C 6C 65 64 3D 34 2E 30 2E 32 2E 31 37 30 3B   alled=4.0.2.170;
070 : 20 52 4E 73 69 74 65 73 3D 72 68 61 70 2D 61 70    RNsites=rhap-ap
080 : 70 30 36 38 2E 72 65 61 6C 2E 63 6F 6D 2D 31 31   p068.real.com-11
090 : 39 32 36 32 31 37 31 39 31 31 35 3A 32 39 30 3B   92621719115:290;
0a0 : 20 72 68 61 70 73 6F 64 79 5F 6C 62 3D 31 39 32    rhapsody_lb=192
0b0 : 2E 31 36 38 2E 32 34 30 2E 37 39 3A 38 30 0D 0A   .168.240.79:80..
0c0 : 0D 0A                                             ..

-- CesarDiaz - 17 Oct 2007
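As an added example (not code from the thread or from Emerging Threats), the rule's content check emulated in Python over the Rhapsody request reassembled from the hex dump above, alongside a local host-suffix suppression for that known-good client; the second request, its host name and the `.real.com` suppression list are constructed for illustration.

```python
# Request reassembled from the hex dump posted above (Rhapsody/RealPlayer client).
RHAPSODY_REQUEST = (
    b"GET /rhapserver HTTP/1.1\r\n"
    b"User-Agent: unknown\r\n"
    b"Host: rhap-app-4-0.real.com\r\n"
    b"Cookie: rhapsodyInstalled=4.0.2.170; "
    b"RNsites=rhap-app068.real.com-1192621719115:290; "
    b"rhapsody_lb=192.168.240.79:80\r\n\r\n"
)
# Constructed sample of what the rule is meant to catch: the same bare
# User-Agent, but to an unrelated host (host name is made up).
CONSTRUCTED_UNKNOWN_UA_REQUEST = (
    b"GET /update.php HTTP/1.1\r\nUser-Agent: unknown\r\n"
    b"Host: example.invalid\r\n\r\n"
)
# Snort 'content' without 'nocase' is a case-sensitive byte match, so
# "User-Agent: Unknown" would not fire; "\:" in the rule is only Snort's
# escaping of the colon inside the content string.
RULE_CONTENT = b"User-Agent: unknown"
# Local tuning list (an assumption for this example, not part of the ET rule):
# hosts where the thread shows this User-Agent to be a legitimate client.
BENIGN_HOST_SUFFIXES = (b".real.com",)


def parse_request(raw: bytes):
    """Split an HTTP request into (method, path, headers); header names lowercased."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def rule_fires(raw: bytes) -> bool:
    """Emulate the sid:2007567 content check (flow direction is left to the sensor)."""
    return RULE_CONTENT in raw


def tuned_verdict(raw: bytes) -> str:
    """Apply the rule, then suppress hits to the hosts identified as Rhapsody above."""
    if not rule_fires(raw):
        return "no-match"
    host = parse_request(raw)[2].get(b"host", b"")
    if host.endswith(BENIGN_HOST_SUFFIXES):
        return "suppressed-known-client"
    return "alert"
```

A host-suffix suppression like this only narrows the noise reported in the thread; the rule's bare `User-Agent: unknown` match remains broad, so review any remaining hits by destination.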



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; classtype:trojan-activity; sid:2007567; rev:1;)

Added 2007-08-15 07:02:20 UTC


Topic revision: r4 - 2007-10-17 - CesarDiaz