alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Affill User Agent Detected (lol)"; flow:established,to_server; content:"User-Agent\: lol"; nocase; classtype:trojan-activity; sid:2003642; rev:1;)
Added 2007-05-03 10:55:23 UTC
This looks like an FP on a Symantec LiveUpdate
12/21-00:45:01.461662 129.97.232.147:54154 -> 72.247.244.35:80
TCP TTL:124 TOS:0x0 ID:23036
IpLen:20
DgmLen:285 DF
***AP*** Seq: 0x215CAB98 Ack: 0x2623576A Win: 0x3FB7
TcpLen: 20
47 45 54 20 2F 73 79 6D 65 76 65 6E 74 24 32 30 GET /symevent$20
69 6E 73 74 61 6C 6C 65 72 5F 31 32 2E 31 5F 73 installer_12.1_s
79 6D 61 6C 6C 6C 61 6E 67 75 61 67 65 73 5F 6C ymalllanguages_l
69 76 65 74 72 69 2E 7A 69 70 20 48 54 54 50 2F ivetri.zip HTTP/
31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 1.1..Accept: */*
0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A ..Cache-Control:
20 6D 61 78 2D 61 67 65 3D 30 0D 0A 55 73 65 72 max-age=0..User
2D 41 67 65 6E 74 3A 20 6C 4F 6C 57 33 2F 4C 34 -Agent: lOlW3/L4
....cut 1 line....
2F 6A 51 31 6C 4A 72 52 77 41 41 41 41 41 0D 0A /jQ1lJrRwAAAAA..
48 6F 73 74 3A 20 6C 69 76 65 75 70 64 61 74 65 Host: liveupdate
2E 73 79 6D 61 6E 74 65 63 6C 69 76 65 75 70 64 .symantecliveupd
61 74 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 ate.com..Connect
69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D ion: Keep-Alive.
0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 .Pragma: no-cach
65 0D 0A 0D 0A e....
[2:30pm dominic] getent hosts 72.247.244.35
72.247.244.35 a72-247-244-35.deploy.akamaitechnologies.com
--
RegQuinton - 21 Dec 2007
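The false positive above comes from the rule's `content:"User-Agent\: lol"; nocase;` being an unanchored, case-insensitive substring search: the LiveUpdate client's User-Agent value begins with `lOlW3/...`, which lower-cases to `lolw3/...` and therefore contains the pattern. The script below is an added illustration written for this page, not part of the Bleeding Edge rule set or the reporter's comment. It reconstructs the request from the hex dump above (the line the reporter cut is replaced by constructed filler), mimics the original match, and shows how a pattern that also requires the header terminator after `lol` (in Snort syntax, `content:"User-Agent|3a 20|lol|0d 0a|"; nocase;`) separates the two cases.

```python
import re
from typing import Optional

# Reconstructed from the hex dump in the report above; the User-Agent bytes
# the reporter cut are not on the page, so the middle of that value is
# constructed filler ("...").
LIVEUPDATE_REQUEST = (
    b"GET /symevent$20installer_12.1_symalllanguages_livetri.zip HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Cache-Control: max-age=0\r\n"
    b"User-Agent: lOlW3/L4.../jQ1lJrRwAAAAA\r\n"
    b"Host: liveupdate.symantecliveupdate.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

# Constructed request carrying the bare "lol" User-Agent the signature targets.
TROJAN_REQUEST = (
    b"GET /x HTTP/1.1\r\n"
    b"User-Agent: lol\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)


def original_rule_matches(payload: bytes) -> bool:
    """Mimic sid:2003642 rev:1 -- content:"User-Agent\\: lol"; nocase;
    is an unanchored, case-insensitive substring search over the payload."""
    return b"user-agent: lol" in payload.lower()


def anchored_rule_matches(payload: bytes) -> bool:
    """Tightened check: the header value must be exactly "lol" (still
    case-insensitive), i.e. the pattern must be followed by the CRLF that
    ends the header line. Equivalent to content:"User-Agent|3a 20|lol|0d 0a|"; nocase;"""
    return b"user-agent: lol\r\n" in payload.lower()


def user_agent(payload: bytes) -> Optional[str]:
    """Parse the User-Agent header value from a raw HTTP request, for
    triage: seeing the full value explains why the loose pattern fired."""
    m = re.search(rb"(?im)^user-agent:[ \t]*([^\r\n]*)", payload)
    return m.group(1).decode("latin-1") if m else None


if __name__ == "__main__":
    for name, req in (("liveupdate", LIVEUPDATE_REQUEST), ("trojan", TROJAN_REQUEST)):
        print(name, "UA =", user_agent(req),
              "| original:", original_rule_matches(req),
              "| anchored:", anchored_rule_matches(req))
```

The anchored form still fires on the `User-Agent: lol` request but not on the LiveUpdate one; the remaining risk is a client that sends `lol` followed by trailing whitespace, which neither pattern catches and which is worth keeping in mind when deciding how tight to make the content match.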