List: emerging-sigs
Subject: [Emerging-Sigs] seeing lots of hits on ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozil
From: paul.edwards () kindsight ! net (Paul Edwards)
Date: 2009-05-14 13:25:18
Message-ID: FB4A1EE8DA468A4D8C9CF68B0F68F354033FFE48 () mse16be2 ! mse16 ! exchange ! ms
Excuse the delay...
I am seeing significant hits on this as well.
For some reason the client is sending an HTTP POST back
to: 98.136.113.173 in my case. Seems like an embedded
tool of some sort (like toolbar or vista sidebar gadget).
The thing that's strange is the IP is hardcoded.
Paul
-----Original Message-----
From: emerging-sigs-bounces@emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Matt Jonkman
Sent: Monday, April 27, 2009 9:15 AM
To: Russell Fulton
Cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] seeing lots of hits on ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0) sid: 2009295
Hmmm, as far as I know it's not a valid user-agent, as I'm not aware of a
Mozilla 5 spec. There's an HTML 5 spec coming around; perhaps that's what
these folks are intending to signify.
Anyone else seeing similar false positives? If so, we'll have to drop the
sig, I suspect.
Thanks Russell!
Matt
Russell Fulton wrote:
> Seeing quite a lot of machines triggering this alert when visiting
> 68.180.216.31 vcs1.msg.vip.sp1.yahoo.com or 76.13.14.40
> vcs2.msg.vip.ac4.yahoo.com.
>
> Also saw one machine with 400 odd hits against a local airline booking
> site but nothing else.
>
> Count: 3(300) rows returned    Time Window for this screen: Mon Apr 27 10:25:45 2009 to Mon Apr 27 10:53:46 2009
>
> Src                                                Sig name                                                              Total Events  Proto
> 162.112.18.100 flightbookings.airnewzealand.co.nz  ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)  455           6
> 68.180.216.31  vcs1.msg.vip.sp1.yahoo.com          ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)  24            6
> 76.13.14.40    vcs2.msg.vip.ac4.yahoo.com          ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)  18            6
>
> Some of the machines these alerts come from I know to be very well
> managed and looked after.
>
> So it would appear that some legit things use this user-agent string.
>
> Russell
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: post.JPG
Type: image/jpeg
Size: 16860 bytes
Desc: post.JPG
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090514/695bafff/post-0001.jpe
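As an added illustration of the tuning question this thread raises (my own example, not code from the list or from Emerging Threats), the script below applies the bare "Mozilla/5.0" check over constructed proxy-style log lines, suppresses the Yahoo messenger hosts Russell reports as legitimate, and separates a POST to a literal IP (the pattern Paul describes) from ordinary browsing. It assumes the rule fires on a User-Agent header that is exactly "Mozilla/5.0" with no tokens after it; the rule text itself is not on this page, and the log format and hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample of proxy-style request lines (not real traffic):
# client_ip method host user_agent
SAMPLE_LOG = """\
10.0.0.5 GET vcs1.msg.vip.sp1.yahoo.com Mozilla/5.0
10.0.0.5 GET vcs1.msg.vip.sp1.yahoo.com Mozilla/5.0
10.0.0.7 POST 98.136.113.173 Mozilla/5.0
10.0.0.7 POST 98.136.113.173 Mozilla/5.0
10.0.0.8 GET flightbookings.airnewzealand.co.nz Mozilla/5.0
10.0.0.9 GET www.example.com Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0
10.0.0.9 GET www.example.com Mozilla/4.0 (compatible; MSIE 7.0)
"""

# Assumption: the rule matches a User-Agent that is exactly "Mozilla/5.0"
# with no product or platform tokens after it (rule text not on the page).
BARE_MOZILLA5 = re.compile(r"^Mozilla/5\.0\s*$")

# Destinations the thread reports as legitimate users of the bare UA; this is
# a local suppression list an analyst maintains, not part of the rule.
SUPPRESSED_HOSTS = {
    "vcs1.msg.vip.sp1.yahoo.com",
    "vcs2.msg.vip.ac4.yahoo.com",
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_line(line):
    src, method, host, ua = line.split(" ", 3)
    return {"src": src, "method": method, "host": host, "ua": ua}

def triage(log_text):
    """Return (alerts, suppressed). alerts counts bare-UA requests not on the
    suppression list, keyed by (host, method, host_is_literal_ip); suppressed
    counts hits dropped by the local allowlist."""
    alerts = Counter()
    suppressed = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not BARE_MOZILLA5.match(rec["ua"]):
            continue  # a normal UA with product tokens never fires the rule
        if rec["host"] in SUPPRESSED_HOSTS:
            suppressed[rec["host"]] += 1
            continue
        # A POST straight to a literal IP with no hostname is the case Paul
        # describes and warrants more scrutiny than a browse to a known site.
        alerts[(rec["host"], rec["method"], bool(IPV4.match(rec["host"])))] += 1
    return alerts, suppressed
```

Run triage() over your own export and review the keys with the literal-IP flag set first; the suppressed counter shows how much noise the allowlist removed.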