Rule Category

MALWARE-CNC -- Snort has detected a Command and Control (CNC) rule violation, most likely commands or calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.

Alert Message

MALWARE-CNC User-Agent known malicious user-agent string RookIE/1.0

Rule Explanation

This event is generated when a system generates an HTTP request that contains a known-malicious User-Agent string.

Impact: The system generating the requests with the User-Agent string in question is likely infected with malware, or may have been exposed to malicious code.

Details: Cisco Talos maintains a set of User-Agent strings from HTTP requests generated by malware-infected machines with no human interaction; all traffic from these machines is known to be generated by malware. After applying an extensive whitelist, Cisco Talos pulls out the most common User-Agent strings and adds them to its indicator-compromise.rules category. The supplied reference lists the md5sum of the piece of malware used to infect the machine that generated the traffic in question.

Ease of Attack: Easy; the machine is likely already infected.
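To show what this rule's detection logic amounts to in practice, here is an added Python example (written for this page; it is not the Snort rule itself nor Talos code). It parses the header block of each sample HTTP request, extracts the User-Agent value, checks a local allowlist first (mirroring the whitelisting step described above, so a verified false positive can be suppressed), and then raises the page's alert message when the value matches the known-bad string. The sample requests, hosts and the case-insensitive match are constructed assumptions; the real rule's content options may be stricter.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample HTTP requests (hosts from RFC 5737 documentation ranges).
# These are not captures from the page or from the referenced malware sample.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "\r\n",
    "POST /gate.php HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "User-Agent: RookIE/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n",
    "GET /update.bin HTTP/1.1\r\n"
    "Host: 198.51.100.7\r\n"
    "user-agent:   rookie/1.0\r\n"      # lowercase header name and value
    "\r\n",
    "GET /ping HTTP/1.1\r\n"
    "Host: 192.0.2.5\r\n"               # no User-Agent header at all
    "\r\n",
]

# Alert message text as given on the page.
ALERT_MSG = "MALWARE-CNC User-Agent known malicious user-agent string RookIE/1.0"

# Known-bad User-Agent values, stored lowercase. Matching is case-insensitive
# here (assumption); the real rule may match the exact string only.
KNOWN_BAD_USER_AGENTS = {"rookie/1.0"}

# Analyst-maintained allowlist of User-Agent strings verified as legitimate.
# It is consulted before the bad list so a confirmed false positive can be
# suppressed locally while the report to Talos is pending.
ALLOWLISTED_USER_AGENTS = set()

# Header lines are CRLF-terminated; \s* absorbs the trailing \r before $.
_UA_HEADER = re.compile(r"^user-agent:\s*(.*?)\s*$", re.IGNORECASE | re.MULTILINE)


def extract_user_agent(raw_request: str) -> Optional[str]:
    """Return the User-Agent header value of one HTTP request, or None if absent.

    Only the header block (before the first blank line) is searched, so a
    request body that happens to contain 'User-Agent:' cannot produce a match.
    """
    header_block = raw_request.split("\r\n\r\n", 1)[0]
    m = _UA_HEADER.search(header_block)
    return m.group(1) if m else None


def check_request(raw_request: str) -> Optional[Dict[str, object]]:
    """Return an alert record if the request carries a known-bad User-Agent."""
    ua = extract_user_agent(raw_request)
    if ua is None or ua in ALLOWLISTED_USER_AGENTS:
        return None
    if ua.lower() in KNOWN_BAD_USER_AGENTS:
        request_line = raw_request.split("\r\n", 1)[0]
        return {"msg": ALERT_MSG, "user_agent": ua, "request_line": request_line}
    return None


def scan(requests: Iterable[str]) -> List[Dict[str, object]]:
    """Run the check over a sequence of requests; each alert records its index."""
    alerts: List[Dict[str, object]] = []
    for idx, req in enumerate(requests):
        alert = check_request(req)
        if alert is not None:
            alert["index"] = idx
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_REQUESTS):
        print(f"[{a['index']}] {a['msg']} :: {a['request_line']} (UA={a['user_agent']!r})")
```

Run against the constructed samples, requests 1 and 2 alert (the second despite its lowercase header), request 0 passes as a normal browser string, and request 3 is skipped because it carries no User-Agent at all. In a deployment the alert record is what you would enrich with source IP and time before triage, since, as the page notes, the alerting host is most likely already infected.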

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Occasionally Cisco Talos's whitelisting process may miss a legitimate User-Agent string. If you feel that the User-Agent string here is legitimate, please notify us by following the procedures at http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html so we can investigate.

Contributors

Cisco Talos

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None