2007567 (revision 7)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; classtype:trojan-activity; sid:2007567; rev:1;)

Added 2007-08-29 09:46:50 UTC

http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=1

-- ShirkDog - 29 Aug 2007

Possible false alarm. Looks like this is one of my users using RealPlayer.

000 : 47 45 54 20 2F 72 68 61 70 73 65 72 76 65 72 20   GET /rhapserver 
010 : 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41   HTTP/1.1..User-A
020 : 67 65 6E 74 3A 20 75 6E 6B 6E 6F 77 6E 0D 0A 48   gent: unknown..H
030 : 6F 73 74 3A 20 72 68 61 70 2D 61 70 70 2D 34 2D   ost: rhap-app-4-
040 : 30 2E 72 65 61 6C 2E 63 6F 6D 0D 0A 43 6F 6F 6B   0.real.com..Cook
050 : 69 65 3A 20 72 68 61 70 73 6F 64 79 49 6E 73 74   ie: rhapsodyInst
060 : 61 6C 6C 65 64 3D 34 2E 30 2E 32 2E 31 37 30 3B   alled=4.0.2.170;
070 : 20 52 4E 73 69 74 65 73 3D 72 68 61 70 2D 61 70    RNsites=rhap-ap
080 : 70 30 36 38 2E 72 65 61 6C 2E 63 6F 6D 2D 31 31   p068.real.com-11
090 : 39 32 36 32 31 37 31 39 31 31 35 3A 32 39 30 3B   92621719115:290;
0a0 : 20 72 68 61 70 73 6F 64 79 5F 6C 62 3D 31 39 32    rhapsody_lb=192
0b0 : 2E 31 36 38 2E 32 34 30 2E 37 39 3A 38 30 0D 0A   .168.240.79:80..
0c0 : 0D 0A                                             ..

-- CesarDiaz? - 17 Oct 2007

Interesting... Wonder if this was a fluke, or that's the UA it always uses. Anyone else see hits?

Matt

-- MattJonkman - 18 Oct 2007

I am seeing the same false alerts. Hitting on this:

GET /rhapserver HTTP/1.1..User-Agent: unknown..Host: rhap-app-4-0.real .com..Cookie: rhapsodyInstalled=4.0.2.355; RNsites=home07-055WRq:297; rhapsody_lb=192 .168.224.20:80....

Jeremy

-- JeremyConway - 24 Oct 2007

I'll add a negation for .real.com. That should eliminate these, haven't had reports of any other falses.

Thanks for the reports!

Matt

-- MattJonkman - 25 Oct 2007
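As an added example (not part of the thread or of the Emerging Threats rule set), the detection logic as it stands after the negation Matt describes, run over the Rhapsody request from Cesar's hex dump and a few constructed requests. The rule's content match is reproduced literally; the .real.com exemption is modelled as a Host-suffix check, which is an assumption, since the revised rule text is not on the page.

```python
# Added example, not code from the Emerging Threats page or rule set.
# Models sid 2007567 after the negation Matt proposes: the rule's content
# match on "User-Agent: unknown" is kept literally, and requests whose Host
# is under real.com are exempted. The Host-suffix check is an assumption
# about how that negation is expressed; the revised rule text is not on the page.
from typing import Dict, Optional

RULE_CONTENT = b"User-Agent: unknown"  # content:"User-Agent\: unknown" in the rule
EXEMPT_SUFFIXES = (".real.com",)       # assumed model of the ".real.com" negation

def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Lower-cased header name -> value for a raw HTTP request (stops at the blank line)."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def host_is_exempt(host: Optional[str]) -> bool:
    """True only when Host (port stripped) is real.com or a subdomain of it; a suffix
    match, not a substring one, so a host like 'notreal.com' is not exempted."""
    if not host:
        return False
    hostname = host.split(":", 1)[0].strip().lower().rstrip(".")
    return any(hostname == s[1:] or hostname.endswith(s) for s in EXEMPT_SUFFIXES)

def zlob_ua_alert(raw: bytes) -> bool:
    """True when the request would still fire the rule after the negation."""
    if RULE_CONTENT not in raw:
        return False
    return not host_is_exempt(parse_request_headers(raw).get("host"))

# Samples: the first is the Rhapsody request from Cesar's hex dump, the rest are constructed.
SAMPLES = {
    "rhapsody_dump": (b"GET /rhapserver HTTP/1.1\r\nUser-Agent: unknown\r\n"
                      b"Host: rhap-app-4-0.real.com\r\nCookie: rhapsodyInstalled=4.0.2.170; "
                      b"RNsites=rhap-app068.real.com-1192621719115:290; rhapsody_lb=192.168.240.79:80\r\n\r\n"),
    "unknown_ua_other_host": b"GET /update HTTP/1.1\r\nUser-Agent: unknown\r\nHost: example.invalid\r\n\r\n",
    "realplayer_other_ua": b"GET /rhapserver HTTP/1.1\r\nUser-Agent: RealPlayer\r\nHost: rhap-app-4-0.real.com\r\n\r\n",
    "lookalike_host": b"GET / HTTP/1.1\r\nUser-Agent: unknown\r\nHost: notreal.com:80\r\n\r\n",
}

def evaluate_samples() -> Dict[str, bool]:
    """Map each sample name to whether the revised rule would alert on it."""
    return {name: zlob_ua_alert(raw) for name, raw in SAMPLES.items()}
```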



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\: unknown"; classtype:trojan-activity; sid:2007567; rev:1;)

Added 2007-08-15 07:02:20 UTC


Topic revision: r7 - 2007-10-25 - MattJonkman