[Snort-sigs] Gator.com Client HTTP GET w/ BLAST THREAD

daniel uriah clemens daniel_clemens at ...842...
Tue Jul 8 13:57:02 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$


# sid 1000001 below is a placeholder in the local (>= 1000000) range; assign your own.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
  (msg:"Gator.com client HTTP GET with Blast Thread"; \
  flow:to_server,established; \
  content:"GET"; depth:3; \
  uricontent:".zip"; nocase; \
  content:"Gator/"; content:"Blast Thread"; within:30; \
  classtype:policy-violation; sid:1000001; rev:1;)



A client on your network has somehow had a Gator adware/spyware client
installed on its host.
This rule should detect


Many corporations and individuals view this type of adware/user-profiling
software as a policy violation by their end users. This type of software is
also generally thought of as 'spyware' because of the way it sends data about
your surfing habits to a third party without the direct knowledge of the end

Detailed Information:

A simple dump of HTTP GET requests on your network will reveal something
like the following.

#x.1.24.66 - - [ 5/Jun/2003:08:22:27 -0500] "GET http://gatorcme.gator.com/gatorcme/core/col.zip HTTP/1.1" - - "-" "Gator/4.0 Blast Thread {56A31F5B-6B18-42FD-8D2B-E2D638C03832}"

This particular rule looks at the GET, a .zip file in the requested URI, and
the 'Gator' portion of the client identification (the User-Agent header)
accompanied by the Gator Blast Thread identification.
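As an added illustration (not part of the original post or of Snort itself), the following Python model applies the rule's content checks to a constructed request shaped like the logged one, and shows why `within:30` has to be anchored to the Gator user-agent match rather than to the `.zip` match, which lies much further back in the request.

```python
# Constructed sample requests modelled on the access-log line above;
# these are not captured traffic.
GATOR_REQUEST = (
    b"GET http://gatorcme.gator.com/gatorcme/core/col.zip HTTP/1.1\r\n"
    b"Host: gatorcme.gator.com\r\n"
    b"User-Agent: Gator/4.0 Blast Thread {56A31F5B-6B18-42FD-8D2B-E2D638C03832}\r\n"
    b"\r\n"
)
BENIGN_REQUEST = (
    b"GET /downloads/tool.zip HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def match_contents(payload, steps):
    """Chain content checks the way Snort does: each search starts where the
    previous match ended, and a 'within' value N requires the next pattern to
    end no more than N bytes past that point. steps: [(pattern, within|None)]."""
    cursor = 0
    for pattern, within in steps:
        idx = payload.find(pattern, cursor)
        if idx < 0:
            return False
        end = idx + len(pattern)
        if within is not None and end - cursor > within:
            return False
        cursor = end
    return True


def gator_rule_matches(payload):
    """GET request, '.zip' in the URI (uricontent, case-insensitive), then
    'Gator/' followed by 'Blast Thread' within 30 bytes."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return False
    if b".zip" not in parts[1].lower():
        return False
    return match_contents(payload, [(b"Gator/", None), (b"Blast Thread", 30)])


def zip_anchored_within(payload):
    """Same 'Blast Thread'; within:30 but anchored to the raw '.zip' match.
    The rest of the request line and the headers sit between the two, so
    'Blast Thread' ends 71 bytes past '.zip' in GATOR_REQUEST and this misses."""
    return match_contents(payload, [(b".zip", None), (b"Blast Thread", 30)])
```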

Affected Systems:

Windows-based operating systems.

Attack Scenarios:
A website tricks the end user into loading this software, or the software
is bundled with other software and installs itself silently on your
computer without the end user's knowledge.

Ease of Attack:


False Positives:

False Negatives:

Corrective Action:

The easiest way to clean up this software is to download a copy of
PestPatrol from pestpatrol.com.

To prevent further installations, tighten the security level of your
browser and watch what software you install.


Daniel Uriah Clemens
dan.clemens at ...1661...

Additional References:

-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
