EmergingThreats> Main Web>2008276 (2011-06-06, DarrenSpruell) EditAttach

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

Added 2019-10-09 19:08:42 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 18:17:32 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 16:39:40 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 21:01:27 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:13;)

Added 2011-10-12 19:24:48 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; sid:2008276; rev:13;)

Added 2011-09-14 22:38:15 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008276; rev:12;)

Added 2011-02-04 17:27:23 UTC

This rule fires on traffic appearing to be related to iolo technologies, LLC (www.iolo.com) products: 

POST /__svc/hints/newshintsxml.aspx HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 300
Host: svc.iolo.com
Accept: text/html, */*
User-Agent: iolo Hints Loader

These requests are directed to 216.246.97.29 (svc.iolo.com) which falls in 216.246.97.0/27: 

Server Central Network SCN-5 (NET-216-246-0-0-1) 216.246.0.0 - 216.246.127.255
IOLO Technologies SCNET-216-246-97-0-27 (NET-216-246-97-0-1) 216.246.97.0 - 216.246.97.31

One option for dealing with this is a suppression for this rule firing against that destination CIDR.

-- DarrenSpruell - 06 Jun 2011

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008276; rev:8;)

Added 2009-10-19 09:15:44 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008276; rev:8;)

Added 2009-10-19 09:15:44 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008276; rev:6;)

Added 2009-02-09 22:22:08 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:5;)

Added 2008-09-19 12:45:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:5;)

Added 2008-09-19 12:45:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:4;)

Added 2008-09-10 13:15:20 UTC

False positives on "Adobe Flash Player Downloader"

SRC: GET /get/flashplayer/current/gtb/install_flash.foo.s HTTP/1.1 SRC: User-Agent: Adobe Flash Player Downloader SRC: Host: fpdownload2.macromedia.com

-- MikeWazowski - 19 Sep 2008

Adding a leading space to the loader content match. That should eliminat that FP. Thanks Mike!

-- MattJonkman - 19 Sep 2008

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:4;)

Added 2008-09-10 13:15:20 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:3;)

Added 2008-05-30 13:10:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:3;)

Added 2008-05-30 13:10:21 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]loader/"; classtype:trojan-activity; sid:2008276; rev:2;)

Added 2008-05-30 12:43:58 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]loader/"; classtype:trojan-activity; sid:2008276; rev:2;)

Added 2008-05-30 12:43:58 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow: to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:80; pcre:"/User-Agent\:[^\n] loader/i"; classtype:trojan-activity; sid:2008276; rev:1;)

Added 2008-05-30 12:24:55 UTC

Edit | Attach | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2011-06-06 - DarrenSpruell
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats