[Snort-sigs] Gator spyware detection

daniel uriah clemens daniel_clemens at ...842...
Wed Jul 2 08:35:07 EDT 2003


On Wed, 2 Jul 2003, Esler, Joel  Contractor wrote:

>
> This is the most basic rule one can get for detecting Gator.com spyware in
> the network..
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Gator.com
> software"; content:"MACHINEID";)
>
> Let me know some results if any..

Here are a few other things you can look for in outgoing web traffic:

x.1.24.66 - - [ 3/Jun/2003:17:48:58 -0500] "GET http://gatorcme.gator.com/gatorcme/autoupdate/installdatemanager.exe HTTP/1.1" - - "-" "Gator/1.0 Date Manager {XXXX}"

x.1.24.66 - - [ 3/Jun/2003:17:51:48 -0500] "GET http://gatorcme.gator.com/gatorcme/autoupdate/precisiontime.ini HTTP/1.1" - - "-" "Gator/1.0 Precision Time {xxxxxxxxx}"

x.1.20.23 - - [ 3/Jun/2003:21:02:37 -0500] "POST http://bannerserver.gator.com/bannerserver/bannerserver.dll?GetAEL HTTP/1.1" - - "-" "Gator/4.0"

x.1.20.23 - - [ 3/Jun/2003:21:02:38 -0500] "POST http://bannerserver.gator.com/bannerserver/bannerserver.dll?GetBannerList HTTP/1.1" - - "-" "Gator/4.0"

x.1.20.23 - - [ 3/Jun/2003:21:02:39 -0500] "GET http://bg.gator.com/Banners/Dmns/no/notrgs.gbtz HTTP/1.1" - - "-" "Gator/4.0"

x.1.20.23 - - [ 3/Jun/2003:21:02:59 -0500] "GET http://bg.gator.com/Banners/Groups/1313-9.grp HTTP/1.1" - - "-" "Gator/4.0"

x.1.20.23 - - [ 3/Jun/2003:21:03:21 -0500] "GET http://bg.gator.com/Banners/14164.0/14164.gbd2zip HTTP/1.1" - - "-" "Gator/4.0"

You can grab a lot of interesting information from your web users' surfing
habits by running urlsnarf and then plotting it to a webpage with one of
the many perl scripts that will do webserver log analysis.

Hope this can help you out with some more things to create your
signatures.

# Gator/1.0 components (Date Manager, Precision Time) fetch updates with GET
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"Possible Gator.com software"; \
    content:"GET"; \
    content:"Gator/1.0 Date Manager {"; \
    classtype:policy-violation;)

# Gator/4.0 talks to the banner server with POST
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"Possible Gator.com software"; \
    content:"POST"; \
    content:"Gator/4.0"; \
    classtype:policy-violation;)


-Daniel Uriah Clemens

Esse quam videri
    (to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
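The log excerpts above are in the layout urlsnarf emits (client, timestamp, request line, referer, user-agent). As an added example, not part of the original post or any Gator/Snort project code, the script below parses lines in that layout and reports which internal clients are talking to Gator, matching both on the "Gator/" user-agent prefix shown in the post and, going slightly beyond the post, on any request whose host is under gator.com (so a request with a spoofed or changed user-agent still shows up). The sample lines are constructed: three are copied from the excerpts above and one benign request was added so the filter has something to ignore. The domain and prefix constants, the hypothetical source IP in the benign line, and the function names are all assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: three lines taken from the post's excerpts plus one
# benign request (x.1.30.10 is a made-up client) that must not be flagged.
SAMPLE_LOG = """\
x.1.24.66 - - [ 3/Jun/2003:17:48:58 -0500] "GET http://gatorcme.gator.com/gatorcme/autoupdate/installdatemanager.exe HTTP/1.1" - - "-" "Gator/1.0 Date Manager {XXXX}"
x.1.20.23 - - [ 3/Jun/2003:21:02:37 -0500] "POST http://bannerserver.gator.com/bannerserver/bannerserver.dll?GetAEL HTTP/1.1" - - "-" "Gator/4.0"
x.1.20.23 - - [ 3/Jun/2003:21:02:39 -0500] "GET http://bg.gator.com/Banners/Dmns/no/notrgs.gbtz HTTP/1.1" - - "-" "Gator/4.0"
x.1.30.10 - - [ 3/Jun/2003:21:05:00 -0500] "GET http://www.example.com/index.html HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# One line of the urlsnarf-style format: client, two unused fields, [timestamp],
# "METHOD URL HTTP/x.y", two unused fields, "referer", "user-agent".
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'\S+ \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the post; both names are this example's own.
SPYWARE_DOMAIN = "gator.com"
SPYWARE_UA_PREFIX = "Gator/"


def parse_line(line):
    """Return a dict of the named fields, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_gator_request(rec):
    """True if the user-agent or the destination host points at Gator."""
    host = urlparse(rec["url"]).hostname or ""
    ua_hit = rec["ua"].startswith(SPYWARE_UA_PREFIX)
    host_hit = host == SPYWARE_DOMAIN or host.endswith("." + SPYWARE_DOMAIN)
    return ua_hit or host_hit


def find_gator_hosts(log_text):
    """Map each client IP that contacted Gator to the sorted list of distinct user-agents it used."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than failing the whole run
        if is_gator_request(rec):
            hits.setdefault(rec["client"], set()).add(rec["ua"])
    return {ip: sorted(uas) for ip, uas in hits.items()}


if __name__ == "__main__":
    for ip, uas in find_gator_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(uas)}")
```

Feed it a real urlsnarf capture instead of SAMPLE_LOG and the per-client user-agent list tells you which Gator component (Date Manager, Precision Time, the 4.0 banner client) each machine is running, which is the same information the content matches in the Snort rules key on.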
