Snort mailing list archives

More information on the rule - sid:31557


From: Irish Settingg <irishsetting () gmail com>
Date: Fri, 30 Jan 2015 03:19:06 +0530

Signature - BLACKLIST USER-AGENT known malicious user-agent string -
Mozilla/5.0 - Win.Trojan.Upatre.

The previous rule was -

Rev 2:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/"; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:2; )



The current rule is -

Rev 3:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:3; )

Please tell us the reason for the change in contents.
Win.Trojan.Upatre, as per multiple websites, does not do anything wherein
it hides or strips the User-Agent (though I am sure it could have the
option of doing it).
Connections observed in the network are from an internal machine to -
http://search.msdn.microsoft.com/favicon.ico or
http://download.virtualbox.org/virtualbox/4.3.20/Oracle_VM_VirtualBox_Extension_Pack-4.3.20.vbox-extpack


The only part which is suspicious is the user agent -

User-Agent: Mozilla/5.0

I have not seen any browser strip down the user agent in such a way that
only the platform is visible.

Normal user agents are -

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Packet text -

Hypertext Transfer Protocol
  GET /favicon.ico HTTP/1.1
    Expert Info (Chat/Sequence): GET /favicon.ico HTTP/1.1 (Request Method: GET, Request URI: /favicon.ico, Request Version: HTTP/1.1)
  Connection: Keep-Alive
  Accept-Encoding: gzip
  accept-language: en,*
  User-Agent: Mozilla/5.0
  Host: search.msdn.microsoft.com
  Full request URI: http://search.msdn.microsoft.com/favicon.ico
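Added example (editorial, not part of the original post or of the Snort rule set): a small Python model of the content checks in the two revisions of sid:31557, run against a request reconstructed from the packet text above and against a request carrying the "normal" User-Agent quoted in the post. It decodes the |hex| escapes in the content strings, shows which 20 bytes `fast_pattern:5,20` hands to the fast matcher, and makes the difference between the revisions concrete: rev 2 also required `/2507US-1/` in the URI, so the favicon request would not have matched it, while rev 3 matches on the bare `User-Agent: Mozilla/5.0` header alone. The request splitter, the buffer names and the sample requests are assumptions made for this example; flow, port and metadata options are not modelled.

```python
"""Model of the content checks of sid:31557 rev 2 / rev 3 (added example)."""


def decode_snort_content(s: str) -> bytes:
    """Turn a Snort content string such as "User-Agent|3A| Mozilla/5.0|0D 0A|"
    into raw bytes; text between | | is a list of hex byte values."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "|":
            j = s.index("|", i + 1)
            out.extend(int(h, 16) for h in s[i + 1:j].split())
            i = j + 1
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def fast_pattern_slice(pattern: bytes, offset: int, length: int) -> bytes:
    """fast_pattern:<offset>,<length> gives only this sub-slice of the content
    to the multi-pattern matcher; the full content is still verified later."""
    return pattern[offset:offset + length]


def split_request(raw: bytes):
    """Minimal HTTP/1.1 request splitter (assumption: CRLF endings, no body).
    Returns (uri, header_block), roughly the http_uri / http_header buffers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    header_block = b"\r\n".join(header_lines) + b"\r\n"
    return uri, header_block


# Content checks copied from the two rule revisions quoted in the thread:
# (buffer, content string, nocase)
RULES = {
    "rev2": [
        ("http_uri", "/2507US-1/", False),
        ("http_header", "User-Agent|3A| Mozilla/5.0|0D 0A|", True),
    ],
    "rev3": [
        ("http_header", "User-Agent|3A| Mozilla/5.0|0D 0A|", True),
    ],
}


def rule_matches(rev: str, raw_request: bytes) -> bool:
    """True when every content check of the given revision is satisfied."""
    uri, header_block = split_request(raw_request)
    buffers = {"http_uri": uri, "http_header": header_block}
    for buf_name, content, nocase in RULES[rev]:
        needle = decode_snort_content(content)
        haystack = buffers[buf_name]
        if nocase:
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


# Constructed request, reconstructed from the packet text in the post.
CAPTURED = (
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"accept-language: en,*\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Host: search.msdn.microsoft.com\r\n\r\n"
)

# Constructed request carrying the "normal" browser User-Agent from the post.
NORMAL = (
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
    b"Host: search.msdn.microsoft.com\r\n\r\n"
)

if __name__ == "__main__":
    ua_content = decode_snort_content("User-Agent|3A| Mozilla/5.0|0D 0A|")
    print("fast_pattern bytes:", fast_pattern_slice(ua_content, 5, 20))
    for rev in RULES:
        print(rev, "captured:", rule_matches(rev, CAPTURED),
              "normal:", rule_matches(rev, NORMAL))
```

The model only answers the narrow question of which bytes the content options look for; a real Snort evaluation adds flow state, port matching and header normalisation on top of this. It does, however, show why the bare `Mozilla/5.0` followed directly by CRLF is what trips rev 3, and why the longer browser string with a parenthetical platform section does not.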