EmergingThreats> Main Web>2014341 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,22d3165c0e80ba50bc6a42a2e82b2874; classtype:trojan-activity; sid:2014341; rev:1;)

Added 2012-03-08 18:30:48 UTC

Hits on a legitimate Samsung application - kies - http://www.samsung.com/us/kies/

The update mechanism connects to msupdate.emodio.com using user agent toys::file

Suggest adding content:!"Host|3A|msupdate.emodio.com"; http_header; or similar

-- MattNewham - 08 Jan 2013

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2013-01-08 - MattNewham
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats