[Snort-sigs] Gator Client GET zip file

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 13:56:31 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"GATOR CLIENT CONNECTION VIA HTTP GET -Zip file Gator 4.0-"; \
flow:to_server,established; \
content:"GET"; \
content:".zip"; content:"Gator/4.0"; within:30; \
classtype:policy-violation;)



--
Sid:

--
Summary:

A client on your network has somehow had a Gator adware/spyware client
installed on its host.
This rule should detect a client that is performing a GET request on a
.zip file originating from a Gator-based client.

--
Impact:

Many corporations and individuals view this type of adware/user-profiling
software as a policy violation by their end users. This type of software is
also generally thought of as 'spyware' by the way it sends data about your
surfing habits to a third party without the direct knowledge of the end
user.


--
--
Detailed Information:

A simple dump of HTTP GET requests on your network will reveal something
like the following.
#Examples:
x.1.20.23 - - [x/Jun/2003:x:35:58 -0500] "GET http://gatorcme.gator.com/gatorcme/core/appllist.zip HTTP/1.1" - - "-" "Gator/4.0 Blast Thread {B59A723F-D985-4D94-8B14-xxxxxxx}"
x.1.20.23 - - [x/Jun/2003:x:36:23 -0500] "GET http://gatorcme.gator.com/gatorcme/core/syscfg.zip HTTP/1.1" - - "-" "Gator/4.0 Blast Thread {B59A723F-D985-4D94-8B14-xxxxxxx}"
x.1.24.66 - - [ 5/Jun/2003:08:22:27 -0500] "GET http://gatorcme.gator.com/gatorcme/core/col.zip HTTP/1.1" - - "-" "Gator/4.0 Blast Thread {56A31F5B-6B18-42FD-8D2B-xxxxxx}"

This particular rule looks at the GET, the file type it is downloading, and
then the 'Gator' portion of the client identification.

--
Affected Systems:

Windows-based operating systems.


-- 
--
Attack Scenarios:
A website tricks the end user into loading this software, or this software
can be coupled with other software, installing itself silently on your
computer without the end user's knowledge.


--
Ease of Attack:

simple

--
False Positives:

--
False Negatives:

--
Corrective Action:

The easiest way to clean up this software is to download a copy of
PestPatrol from pestpatrol.com.

To alleviate further installation you should tighten up the security level
on your browser and watch what software you install.

--
Contributors:

Daniel Uriah Clemens
dan.clemens at ...1661...

--
Additional References:


-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
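The three content checks the rule relies on (GET, the .zip file type, and the Gator/4.0 client string), applied to constructed sample data as an added example. This is editor-written code, not part of the original post and not Snort itself. The request payloads and log lines are made up in the format of the post's excerpt (the User-Agent string is the one quoted in the post; header order is an assumption, since Apache-style logs do not record it), and the `within:30` modifier is modelled as "the next content must sit entirely inside the 30 bytes after the previous match", which is my reading of the Snort manual and should be confirmed against the Snort version in use.

```python
import re
from typing import List, Optional, Tuple

# Constructed request payloads (not captured traffic).  The User-Agent string
# is the one shown in the post's log lines; the header ORDER is an assumption,
# because Apache's combined log format does not record it.
SAMPLE_REQUESTS = {
    "ua_first": (
        b"GET http://gatorcme.gator.com/gatorcme/core/appllist.zip HTTP/1.1\r\n"
        b"User-Agent: Gator/4.0 Blast Thread {B59A723F-D985-4D94-8B14-xxxxxxx}\r\n"
        b"Host: gatorcme.gator.com\r\n\r\n"
    ),
    "host_first": (
        b"GET http://gatorcme.gator.com/gatorcme/core/syscfg.zip HTTP/1.1\r\n"
        b"Host: gatorcme.gator.com\r\n"
        b"Accept: */*\r\n"
        b"User-Agent: Gator/4.0 Blast Thread {B59A723F-D985-4D94-8B14-xxxxxxx}\r\n\r\n"
    ),
    "benign": (
        b"GET /downloads/tool.zip HTTP/1.1\r\n"
        b"Host: www.example.org\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
    ),
}


def gator_offsets(payload: bytes) -> Optional[Tuple[int, int]]:
    """Where does "Gator/4.0" land relative to the end of the first ".zip"?
    Returns (start, end) byte offsets measured from the end of ".zip", or
    None when "GET", ".zip" or a following "Gator/4.0" is absent."""
    if b"GET" not in payload:
        return None
    zip_pos = payload.find(b".zip")
    if zip_pos < 0:
        return None
    zip_end = zip_pos + len(b".zip")
    gator_pos = payload.find(b"Gator/4.0", zip_end)
    if gator_pos < 0:
        return None
    return gator_pos - zip_end, gator_pos - zip_end + len(b"Gator/4.0")


def match_rule(payload: bytes, within: Optional[int] = 30) -> bool:
    """Emulate the rule's payload checks: content "GET", content ".zip", then
    content "Gator/4.0" subject to `within`.  Snort's within:N is modelled as
    "the pattern must sit entirely inside the N bytes after the previous
    match" (my reading of the Snort manual; confirm against your version).
    within=None drops the modifier, leaving three plain content checks."""
    if b"GET" not in payload:
        return False
    # Snort retries later ".zip" occurrences if the relative check fails,
    # so walk every occurrence rather than stopping at the first.
    start = 0
    while True:
        zip_pos = payload.find(b".zip", start)
        if zip_pos < 0:
            return False
        zip_end = zip_pos + len(b".zip")
        window = payload[zip_end:] if within is None else payload[zip_end:zip_end + within]
        if b"Gator/4.0" in window:
            return True
        start = zip_pos + 1


# Log-side view of the same three checks, for the kind of proxy/web log the
# post quotes.  Constructed lines in that format (addresses from 192.0.2/24).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" .*? "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [
    '192.0.2.23 - - [05/Jun/2003:08:35:58 -0500] "GET http://gatorcme.gator.com/gatorcme/core/appllist.zip HTTP/1.1" - - "-" "Gator/4.0 Blast Thread {B59A723F-D985-4D94-8B14-xxxxxxx}"',
    '192.0.2.66 - - [05/Jun/2003:08:22:27 -0500] "GET http://gatorcme.gator.com/gatorcme/core/col.zip HTTP/1.1" - - "-" "Gator/4.0 Blast Thread {56A31F5B-6B18-42FD-8D2B-xxxxxx}"',
    '192.0.2.9 - - [05/Jun/2003:09:01:10 -0500] "GET http://www.example.org/tools/util.zip HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.9 - - [05/Jun/2003:09:02:44 -0500] "GET http://gatorcme.gator.com/gatorcme/core/appllist.html HTTP/1.1" - - "-" "Gator/4.0 Blast Thread {56A31F5B-6B18-42FD-8D2B-xxxxxx}"',
]


def flag_log_line(line: str) -> bool:
    """True for a GET of a .zip URL by a client identifying as Gator/4.0."""
    m = LOG_RE.search(line)
    if not m:
        return False
    return (m.group("method") == "GET"
            and m.group("url").lower().endswith(".zip")
            and m.group("ua").startswith("Gator/4.0"))


def flag_log(lines: List[str]) -> List[int]:
    """Indices of the log lines that would have been flagged."""
    return [i for i, line in enumerate(lines) if flag_log_line(line)]


if __name__ == "__main__":
    for name, payload in SAMPLE_REQUESTS.items():
        print(f"{name:11} offsets={gator_offsets(payload)} "
              f"within:30={match_rule(payload)} no-within={match_rule(payload, None)}")
    print("flagged log lines:", flag_log(SAMPLE_LOG))
```

Running it prints the measured offsets: with the User-Agent header immediately after the request line, "Gator/4.0" ends 32 bytes after ".zip", so under the reading of within used here a 30-byte window does not reach it, and with Host and Accept headers in front of it the gap is larger still. Whether the rule fires on the real client therefore depends on its header layout, which is worth confirming from a packet capture rather than from a web-server log; calling `match_rule(payload, None)` shows the three content checks with the within modifier dropped, which makes the match independent of header order.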