[Snort-sigs] Gator.com Client GET w/Date Manager

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 13:56:44 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"GATOR CLIENT CONNECTION VIA HTTP GET - DATE MANAGER - "; \
flow:to_server,established;\
content:"GET";\
content:".exe";content:"Gator/1.0 Date Manager {"; within:30;\
classtype:policy-violation; )

--
Sid:

--
Summary:

A client on your network has somehow had a gator adware/spyware client
installed on its host.
This rule should detect

--
Impact:

Many corporations and individuals view this type of adware/user profile
software a policy violation by their end users. This type of software is
also generally thought of as 'spy-ware' by the way sends data about your
surfing habits to a third party without the direct knowledge of the end
user.


--
--
Detailed Information:

A simple dump of http get requests on your network will reveal something
lik the following.

x.x.x.x - -  "GET http://gatorcme.gator.com/gatorcme/autoupdate/installdatemanager.exeHTTP/1.1" - - "-" "Gator/1.0 Date Manager
{56A31F5B-6B18-42FD-8D2B-xxxxxxxxxxx}"

This particular rule looks at the GET, an .exe file attachment and  the
Gator' portion of the
client identifation accompanied by the Date Manager Identification tag.

--
Affected Systems:

windows based operating systems.


-- 
--
Attack Scenarios:
A website tricks the end user into loading this software, or this software
can be coupled with other software installing itself silently on your
computer without the end users knowledge.


 --
Ease of Attack:

simple

--
False Positives:

--
False Negatives:

--
Corrective Action:

The esiest way to clean up this software is to download a copy of
pestpatrol from pestpatrol.com.

To eliviate further installation you should tighten up the security level
on your browser and watch what software you install.

--
Contributors:

Daniel Uriah Clemens
dan.clemens at ...1661...

--
Additional References:


-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD







More information about the Snort-sigs mailing list