[Snort-sigs] Gator.com Client HTTP GET w/ BLAST THREAD

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 13:57:02 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"GATOR CLIENT CONNECTION VIA HTTP GET - Blast Thread"; \
flow:to_server,established; \
content:"GET"; \
content:".zip"; uricontent:".zip";content:"Blast Thread"; within: 30; \
classtype:policy-violation;)

--
Sid:

--
Summary:

A client on your network has somehow had a gator adware/spyware client
installed on its host.
This rule should detect

--
Impact:

Many corporations and individuals view this type of adware/user profile
software a policy violation by their end users. This type of software is
also generally thought of as 'spy-ware' by the way sends data about your
surfing habits to a third party without the direct knowledge of the end
user.


--
--
Detailed Information:

A simple dump of http get requests on your network will reveal something
lik the following.

#x.1.24.66 - - [ 5/Jun/2003:08:22:27 -0500] "GET
http://gatorcme.gator.com/gatorcme/core/col.zip HTTP/1.1" - - "-"
"Gator/4.0 Blast Thread {56A31F5B-
# 6B18-42FD-8D2B-E2D638C03832}"

This particular rule looks at the GET, an .zip file attachment and  the
Gator' portion of the
client identifation accompanied by the Gator Blast Thread Identification
tag.

--
Affected Systems:

windows based operating systems.


-- 
--
Attack Scenarios:
A website tricks the end user into loading this software, or this software
can be coupled with other software installing itself silently on your
computer without the end users knowledge.


 --
Ease of Attack:

simple

--
False Positives:

--
False Negatives:

--
Corrective Action:

The esiest way to clean up this software is to download a copy of
pestpatrol from pestpatrol.com.

To eliviate further installation you should tighten up the security level
on your browser and watch what software you install.

--
Contributors:

Daniel Uriah Clemens
dan.clemens at ...1661...

--
Additional References:


-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD







More information about the Snort-sigs mailing list