
ETPRO MALWARE User-Agent (MRSPUTNIK)

                   IP Address                       Port         Hostname
  Source (local)                                    57512
  Destination      192.95.125.101 (United States)   html (80)    cpaway.afftrack.com


  URL          http://bt.io/click?aid=10385&linkid=B320881473450387279&s1=111_NEW&s2=111_NEW&s3=us&s99=1&admintest=1
  Host         bt.io
  Accept       text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Connection   keep-alive
  Keep-Alive   300
  User-Agent   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; MRSPUTNIK 2, 4, 1, 328; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)

Description:

  • 'MRSPUTNIK' is a token that appears in a number of User-Agent strings used by malware.
  • It is not definitive by itself, but we have not found any legitimate software that sends this string.
  • It also appears to be associated with more than one malware family, so the token alone does not identify which one is present.


False Positive:

  • MAYBE
  • This is a single request for an ad from this host. It was not made by a browser, so some other application on the host must be requesting it.
  • The host shows a lot of strange surfing and automated behavior. Looking at the traffic around this specific signature, something appears to be walking craigslist apartment ads and culling contact information. Given the wide geographic range of these lookups, it does not look like one person searching on their own behalf.
  • Also, the number of lookups isn't as high as I'd expect if this were a botnet, but that could be deliberate. The lookups are triggered by cleartext credentials.
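
As an added example (not part of the original analysis or of the ETPRO rule set), the following Python script shows the kind of check behind this signature together with the per-source context the false-positive assessment above relies on: it pulls the MRSPUTNIK token and its version out of a User-Agent string, scans HTTP log lines for it, and summarises hits per source address so that a single ad request can be told apart from a host that keeps using the same User-Agent across many sites. The key=value log format, the sample lines and the private/documentation addresses in them are assumptions made for this example; the exact ETPRO rule body is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed HTTP log lines in an assumed key=value format. They are not from the
# original page: the first line mirrors the alerted request, the rest are made up to
# show how the per-source summary separates a one-off hit from sustained activity.
# Private/documentation addresses are used for everything except the alerted destination.
SAMPLE_LOG = """\
ts=1 src=10.0.0.23 dst=192.95.125.101 host=bt.io uri=/click?aid=10385&admintest=1 ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; MRSPUTNIK 2, 4, 1, 328; SLCC2; .NET CLR 2.0.50727)"
ts=2 src=10.0.0.23 dst=198.51.100.7 host=craigslist.org uri=/search/apa ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; MRSPUTNIK 2, 4, 1, 328)"
ts=3 src=10.0.0.23 dst=198.51.100.7 host=craigslist.org uri=/apa/123.html ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; MRSPUTNIK 2, 4, 1, 328)"
ts=4 src=10.0.0.40 dst=198.51.100.9 host=example.com uri=/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
"""

LOG_LINE = re.compile(
    r'^ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) '
    r'uri=(?P<uri>\S+) ua="(?P<ua>[^"]*)"$'
)

# The indicator the signature keys on: the literal MRSPUTNIK token inside the
# User-Agent, optionally followed by its comma-separated version digits.
MRSPUTNIK = re.compile(r'MRSPUTNIK(?:\s+(?P<ver>\d+(?:,\s*\d+)*))?')


def parse_line(line):
    """Parse one key=value log line into a dict, or return None if it does not fit."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def mrsputnik_version(ua):
    """Return the version string after the MRSPUTNIK token, '' if the token has
    no version, or None if the token is absent from the User-Agent."""
    m = MRSPUTNIK.search(ua)
    if not m:
        return None
    return m.group('ver') or ''


def scan_log(text):
    """Return every parsed record whose User-Agent carries the MRSPUTNIK token."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ver = mrsputnik_version(rec['ua'])
        if ver is not None:
            rec['mrsputnik_version'] = ver
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Group hits by source address: hit count, distinct destination hosts and
    distinct token versions, which is the context needed to judge whether this
    is one stray ad request or a host repeatedly using the same User-Agent."""
    summary = defaultdict(lambda: {'hits': 0, 'hosts': set(), 'versions': set()})
    for rec in hits:
        s = summary[rec['src']]
        s['hits'] += 1
        s['hosts'].add(rec['host'])
        s['versions'].add(rec['mrsputnik_version'])
    return {src: {'hits': s['hits'],
                  'hosts': sorted(s['hosts']),
                  'versions': sorted(s['versions'])}
            for src, s in summary.items()}


if __name__ == '__main__':
    for src, s in summarize_by_source(scan_log(SAMPLE_LOG)).items():
        print(f"{src}: {s['hits']} hit(s), hosts={s['hosts']}, versions={s['versions']}")
```

The token match is deliberately case-sensitive and literal, since the indicator is the exact string; the summary is what an analyst would pivot on next, because one hit against an ad tracker says far less than the same User-Agent appearing against several unrelated sites from one source.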


Action:

  • There's enough strange behavior on this host to warrant a deeper dive on the asset.
