[Snort-sigs] GATOR CLIENT GET exe file + Precision Time
daniel uriah clemens
daniel_clemens at ...842...
Tue Jul 8 13:57:21 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"GATOR CLIENT CONNECTION VIA HTTP GET - Precision Time - exe file"; \
content:"GET"; content:".exe"; content:"Gator/1.0 Precision Time"; within:30; \
classtype:policy-violation;)
A client on your network has somehow had a Gator adware/spyware client
installed on its host.
This rule should detect
Many corporations and individuals view this type of adware/user-profiling
software as a policy violation by their end users. This type of software is
also generally thought of as 'spyware' by the way it sends data about your
surfing habits to a third party without the direct knowledge of the end
A simple dump of HTTP GET requests on your network will reveal something
like the following.
# x.1.24.66 - - [ 5/Jun/2003:08:22:16 -0500] "GET
HTTP/1.1" - - "-" "Gator/1.0 Precision Time
This particular rule looks at the GET, an .exe file attachment and the
'Gator' portion of the client identification, accompanied by the Gator
Precision Time identification, on Windows-based operating systems.
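As an added illustration (not part of the original post), the rule's content chain emulated in Python over constructed sample traffic: it shows how the within:30 modifier behaves on a realistic request, and applies the same GET + .exe + Gator User-Agent check to an access log line like the one above. All request bytes, addresses and log values are constructed.

```python
import re

# Constructed sample HTTP requests (not captured traffic), in the shape the post describes.
SAMPLE_REQUEST = (
    b"GET /downloads/pt_update.exe HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Gator/1.0 Precision Time\r\n"
    b"Connection: close\r\n\r\n"
)
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
GATOR_UA = b"Gator/1.0 Precision Time"

def content_chain(payload: bytes, patterns) -> bool:
    """Emulate a chain of Snort content matches on one payload.
    patterns is a list of (content, within). Each content is searched from the end
    of the previous match; a non-None within restricts the search to that many
    bytes after the previous match (Snort's relative within semantics)."""
    pos = 0
    for content, within in patterns:
        window = payload[pos:] if within is None else payload[pos:pos + within]
        idx = window.find(content)
        if idx < 0:
            return False
        pos += idx + len(content)
    return True

# The chain as posted: ".exe", then the User-Agent within 30 bytes of it.
POSTED_CHAIN = [(b".exe", None), (GATOR_UA, 30)]
# The intent the post describes: GET, then an .exe, then the Gator UA anywhere later.
INTENT_CHAIN = [(b"GET ", None), (b".exe", None), (GATOR_UA, None)]

def check_request(raw: bytes) -> dict:
    """Return whether the posted chain and the intended chain fire on a raw request."""
    return {"posted": content_chain(raw, POSTED_CHAIN),
            "intent": content_chain(raw, INTENT_CHAIN)}

# Apache-style access log line (constructed; documentation-range IP) like the post's dump.
SAMPLE_LOG = '192.0.2.10 - - [ 5/Jun/2003:08:22:16 -0500] "GET /pt/setup.exe HTTP/1.1" - - "-" "Gator/1.0 Precision Time"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \S+ \S+ "[^"]*" "([^"]*)"')

def log_line_hits(line: str) -> bool:
    """Same policy check over one access log line: GET of an .exe by the Gator client."""
    m = LOG_RE.match(line)
    if not m:
        return False
    _src, method, path, ua = m.groups()
    return method == "GET" and path.lower().endswith(".exe") and GATOR_UA.decode() in ua
```

On the sample request the posted chain does not fire because the HTTP version and Host header alone put the User-Agent more than 30 bytes past ".exe"; the intended chain and the log check both do.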
A website tricks the end user into loading this software, or the software
can be coupled with other software, installing itself silently on your
computer without the end user's knowledge.
Ease of Attack:
The easiest way to clean up this software is to download a copy of
PestPatrol from pestpatrol.com.
To prevent further installation you should tighten up the security level
on your browser and watch what software you install.
Daniel Uriah Clemens
dan.clemens at ...1661...
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD