
List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] Downloader.VB.TX false positives
From:       Matt Jonkman <jonkman () bleedingthreats ! net>
Date:       2007-05-08 20:18:55
Message-ID: 4640DB2F.3040706 () bleedingthreats ! net

Ahh, thanks for the report. I wasn't aware that was a legit UA, or in
much use.

I agree, I'll disable the sig and schedule it for deletion.


Thanks again for the report!

matt

David J. Bianco wrote:
> Ok, I just updated this morning and I see that sid 2003646 is giving a lot
> of false positives.  For reference, this is:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)";
> flow:established,to_server; content:"User-Agent\: Microsoft URL Control -";
> nocase; classtype:trojan-activity; sid:2003646; rev:1;)
> 
> The problem is that it's looking for "User-Agent: Microsoft URL Control -" in
> the request, which is apparently a perfectly legitimate UA, though an
> uncommon one.  For example, see this page:
> 
> http://forums.seochat.com/search-engine-spiders-27/microsoft-url-control-6-00-8169t-3968.html
> 
> According to this posting, the UA is actually from a standard VB control,
> and anything written to use the control will have the same agent string.
> This explains what I see on my own network.  So far none of the alerts have
> actually been virus activity.
> 
> I recommend disabling this rule, since it isn't really specific to a
> virus or trojan.
> 
> 	David
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


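To see why the thread's conclusion holds, here is an added Python example (not part of the list posts or of the Bleeding Edge ruleset) that applies sid 2003646's content/nocase check to constructed HTTP requests: a benign VB6 client built on the URL control fires it just as any other user of that control would. The sample requests are constructed, and the parser interprets only the content, nocase and sid options of a Snort rule.

```python
import re
# The rule quoted in the thread (sid 2003646, rev 1).
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE '
    'TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)"; '
    'flow:established,to_server; content:"User-Agent\\: Microsoft URL Control -"; '
    'nocase; classtype:trojan-activity; sid:2003646; rev:1;)'
)

def decode_content(raw):
    """Decode a Snort content string: backslash escapes and |xx xx| hex segments."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\":                          # \: \; \" \\ -> literal char
            out.append(ord(raw[i + 1])); i += 2
        elif raw[i] == "|":                         # |0d 0a| -> raw bytes
            end = raw.index("|", i + 1)
            out.extend(bytes.fromhex(raw[i + 1:end])); i = end + 1
        else:
            out.append(ord(raw[i])); i += 1
    return bytes(out)

def parse_rule(rule):
    """Return (sid, [(pattern, nocase), ...]); flow, msg and classtype are ignored."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    sid, patterns = None, []
    for opt in re.split(r"(?<!\\);", body):         # ';' ends an option unless escaped
        name, _, val = opt.strip().partition(":")
        if name == "sid":
            sid = int(val)
        elif name == "content":
            patterns.append([decode_content(val.strip()[1:-1]), False])
        elif name == "nocase" and patterns:         # modifies the preceding content
            patterns[-1][1] = True
    return sid, [tuple(p) for p in patterns]

def rule_matches(request, patterns):
    """True when every content pattern occurs in the request bytes."""
    for pat, nocase in patterns:
        hay, needle = (request.lower(), pat.lower()) if nocase else (request, pat)
        if needle not in hay:
            return False
    return True

# Constructed sample requests (not captured traffic): benign VB6 client, browser, mixed case.
SAMPLES = {
    "vb_app": b"GET /updates.xml HTTP/1.1\r\nUser-Agent: Microsoft URL Control - 6.00.8169\r\nHost: vendor.example\r\n\r\n",
    "browser": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\nHost: www.example\r\n\r\n",
    "mixed_case": b"GET /a HTTP/1.0\r\nuser-agent: MICROSOFT url CONTROL - 6.01\r\n\r\n",
}
```

Calling rule_matches(SAMPLES["vb_app"], parse_rule(RULE)[1]) returns True, which is the whole problem: the string identifies the control, not the malware.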