MALWARE-CNC -- Snort has detected a Command and Control (CNC) rule violation, most likely for commands and calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.
MALWARE-CNC User-Agent known malicious user-agent string UtilMind HTTPGet
This event is generated when a system generates an HTTP request that contains a known-malicious User-Agent string.
Impact: The system generating the requests with the User-Agent string in question is likely infected with malware, or may have been exposed to malicious code.
Details: Cisco Talos maintains a set of User-Agent strings from HTTP requests generated by malware-infected machines with no human interaction; all traffic from those machines is known to be generated by malware. After applying an extensive whitelist, Cisco Talos pulls out the most common User-Agent strings and adds them to its indicator-compromise.rules category. The supplied reference lists the md5sum of the piece of malware used to infect the machine that generated the traffic in question.
Ease of Attack: Easy; the machine is likely already infected.
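As an added illustration (not part of this rule documentation or of Snort's own rule), the check below parses raw HTTP requests and flags any whose User-Agent header carries the string this rule covers; the indicator list, the case-insensitive substring matching, and the two sample requests are constructed assumptions for the example.

```python
# Added example: a minimal User-Agent indicator check over raw HTTP requests.
# The indicator list and the sample requests are constructed for illustration.
from typing import Dict, List, Optional

# Constructed indicator list; "UtilMind HTTPGet" is the string this rule covers.
KNOWN_BAD_USER_AGENTS: List[str] = ["UtilMind HTTPGet"]


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Return a lowercased header-name -> value map for one HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", errors="replace").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line, not a header
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def match_user_agent(raw: bytes, indicators=KNOWN_BAD_USER_AGENTS) -> Optional[str]:
    """Return the matching indicator if the User-Agent is on the list, else None.

    Assumption for this example: a case-insensitive substring check on the
    User-Agent header only. A request without that header never matches.
    """
    ua = parse_request_headers(raw).get("user-agent")
    if ua is None:
        return None
    ua_lower = ua.lower()
    for indicator in indicators:
        if indicator.lower() in ua_lower:
            return indicator
    return None


# Constructed sample traffic: one request carrying the indicator, one benign.
SAMPLE_INFECTED = (b"GET /file.bin HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: UtilMind HTTPGet\r\n\r\n")
SAMPLE_BENIGN = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")


def alerts_for(requests: List[bytes]) -> List[int]:
    """Indexes of the requests that would raise this MALWARE-CNC alert."""
    return [i for i, req in enumerate(requests) if match_user_agent(req)]


if __name__ == "__main__":
    print(alerts_for([SAMPLE_INFECTED, SAMPLE_BENIGN]))  # [0]
```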
No information provided
No public information
Known false positives, with the described conditions
Occasionally Cisco Talos's whitelisting process may miss a legitimate User-Agent string. If you believe the User-Agent string here is legitimate, please notify us by following the procedure at http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html so we can investigate.
Cisco Talos
No rule groups
None
No information provided
None