Windows 98 Snort Signature
Win98 isn’t a security threat in itself… well mostly. But a LOT of spyware and downloaders still use old static User-Agent strings that identify them as Windows 98.
So the following sig is out. It’s thresholded to keep the alert volume down in case you run across Win98 boxes you weren’t aware of.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Windows 98\;"; within:50; threshold:type limit, count 1, seconds 60, track by_src; classtype:policy-violation; reference:url,doc.bleedingthreats.net/bin/view/Main/Windows98UA; sid:2007695; rev:1;)
Don’t run this sig if you KNOW you have Win98 boxes. If you do, best of luck….
If you don’t have Win98 boxes, then any hits on this sig should be treated as extremely suspicious, likely spyware or a downloader.
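To make the rule's two content checks and its threshold clause concrete, here is an added Python model of them (example code, not part of the original post or the Bleeding Edge ruleset); the HTTP requests and IP addresses are constructed, and the threshold state is kept in memory per source address.

```python
# Model of: content:"|0d 0a|User-Agent\: "; content:"Windows 98\;"; within:50;
# and: threshold:type limit, count 1, seconds 60, track by_src;

ANCHOR = b"\r\nUser-Agent: "      # first content match
NEEDLE = b"Windows 98;"           # second content match
WITHIN = 50                       # within:50, measured from the end of ANCHOR


def matches_win98_ua(payload: bytes) -> bool:
    """True if the request carries a Windows 98 User-Agent the way the rule sees
    it: NEEDLE must lie entirely inside the WITHIN bytes that follow ANCHOR."""
    idx = payload.find(ANCHOR)
    if idx < 0:
        return False
    start = idx + len(ANCHOR)
    return NEEDLE in payload[start:start + WITHIN]


class LimitThreshold:
    """threshold:type limit -- alert on the first `count` matches per source in
    each `seconds` window, then stay quiet until a new window starts."""

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src_ip -> [window_start, alerts_emitted]

    def should_alert(self, src_ip: str, now: float) -> bool:
        win = self.windows.get(src_ip)
        if win is None or now - win[0] >= self.seconds:
            self.windows[src_ip] = [now, 1]   # open a fresh window for this source
            return True
        if win[1] < self.count:
            win[1] += 1
            return True
        return False                          # suppressed until the window expires


def evaluate(events, threshold=None):
    """events: iterable of (src_ip, timestamp, request_bytes).
    Returns the (src_ip, timestamp) pairs that survive matching and thresholding."""
    threshold = threshold or LimitThreshold()
    return [(src, ts) for src, ts, payload in events
            if matches_win98_ua(payload) and threshold.should_alert(src, ts)]


# Constructed sample requests (not captured traffic).
WIN98_REQ = (b"GET /status.txt HTTP/1.1\r\nHost: example.invalid\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Sample)\r\n\r\n")
MODERN_REQ = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:2.0) Sample\r\n\r\n")
# "Windows 98;" is present but ends more than 50 bytes past the header name: no match.
FAR_REQ = b"GET / HTTP/1.1\r\nUser-Agent: " + b"X" * 45 + b" Windows 98;\r\n\r\n"
```

The `within:50` window is why a padded User-Agent slips past the rule, and the `limit` threshold is why a chatty Win98-tagged client produces one alert per minute rather than one per request.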
Matt
November 13th, 2007 at 1:32 pm
Out of curiosity, I installed the signature on my IDS and came up with multiple clients trying to get out to this address: http://dellsupport.dellfix.com/new_dell_agent_am/gteko_01/status.txt. They are not running Windows 98 (looked at other traffic’s user agents via packet cap) so this strikes me as odd. The actual User-Agent is “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; GtekClient)”. A quick Google has a number of hits on this, but I haven’t been able to determine its validity as of yet.
November 13th, 2007 at 1:54 pm
Where was it going to?