Results 1 to 4 of 4

Thread: Spyware hitting my web servers?

  1. May 23rd, 2006, 03:57 AM #1
    ric-o
    ric-o is offline
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    486

    Spyware hitting my web servers?

    Does anyone know why I would be seeing lots of snort alerts for spyware hitting my web servers? Doesn't make any sense to me.

    See examples: (x.x.x.x = Internet addr; y.y.y.y = internal web server)
    Apr 13 00:09:58 internet-ids snort: [1:2001855:12] BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} x.x.x.x:2647 -> y.y.y.y:80

    Apr 13 00:14:35 internet-ids snort: [1:2001043:7] BLEEDING-EDGE Malware Fun Web Products MyWay Agent Traffic [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} x.x.x.x:60773 -> y.y.y.y:80

    Apr 13 00:14:35 internet-ids snort: [1:2001855:12] BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} x.x.x.x:60773 -> y.y.y.y:80

    Apr 13 00:14:43 internet-ids snort: [1:2001034:13] BLEEDING-EDGE Malware Fun Web Products Agent Traffic [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} x.x.x.x:50074 -> y.y.y.y:80
    Reply With Quote Reply With Quote
  2. May 23rd, 2006, 11:01 AM #2
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Some malware modify the UserAgent the client is sending.. These snort rules trigger on that.. Look at the rules themselves to see why they trigger..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Reply With Quote Reply With Quote
  3. May 23rd, 2006, 12:18 PM #3
    phishphreek
    phishphreek is offline
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by SirDice
    Some malware modify the UserAgent the client is sending.. These snort rules trigger on that.. Look at the rules themselves to see why they trigger..
    Just wondering... why would malware writers do that? So they can see how sucessful their code is? It seems to me that it's one more way for people to identify their malware and then remove it?

    They modify the browser user agent? Or, do they have their own mechnism for retreiving the offending content... such as wget or other perl libraries, etc?

    (similar to useragent switcher extention for firefox or proximon for windows?)
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
    Reply With Quote Reply With Quote
  4. May 23rd, 2006, 12:27 PM #4
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Not sure about the how or why but I can imagine a malware BHO is able to capture all requests and modifying them before sending it to the "real" website and the malware's logging site..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules