Thread: Windows 98

Windows 98
user name
2007-11-12 18:56:09
Hypothetical question for you all:

A lot of spyware and redirectors are using fake static UA strings purporting to be Windows 98 machines. They're obviously not.

Are there any win98 boxes out there in production anymore? Would it be safe to put out a sig looking for UAs like:

  Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; Maxthon)

Knowing that it'd be likely hostile? Some old kits appear to be hard coded to that, maybe it's been forgotten.

Matt


--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Re: Windows 98
user name
2007-11-12 19:22:44
I would put it in as a policy rule or something like that... Many companies have policies that require a system to be at a certain level, so it might catch those types of offenders. Otherwise, I would say that there are very few Windows 98 machines (if any) in businesses these days. The other thing is that if there are active 98 machines on the network, that might be a very large number of hits on the signature (every web request would get an alert if you didn't do any thresholding).

Just my 2 cents :/

--James


Re: Windows 98
user name
United States
2007-11-12 19:31:52
We have been trying to get rid of all Windows 98 and 95 systems. The issue becomes that we do not have control of all systems that are on the network; some of these systems are running old POS (Point of Sale not Piece of #) software that is difficult to upgrade on a departmental budget (University).

I agree that there would have to be some sort of thresholding that is put into place.

Josh G

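An added illustration (not code from the list or from Bleeding Edge Threats) of the two points raised so far: matching only the exact hard-coded string versus any "Windows 98" token, and a per-source threshold so a genuine legacy host does not alert on every request. The log records and IPs are constructed; the threshold logic mirrors the semantics of Snort's `threshold: type limit, track by_src` keyword, which is my assumption about how the sig would be deployed, not something stated in the thread.

```python
from collections import defaultdict

# The static UA string quoted in the thread (the one the old kits hard-code).
STATIC_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; Maxthon)"

# Constructed sample records (src_ip, epoch_seconds, User-Agent); not real traffic.
# 10.0.0.9 stands in for a legacy POS box running real IE on Windows 98.
SAMPLE = [
    ("10.0.0.5", 1000, STATIC_UA),
    ("10.0.0.9", 1005, "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"),
    ("10.0.0.9", 1006, "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"),
    ("10.0.0.5", 1010, STATIC_UA),
    ("10.0.0.7", 1020, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"),
    ("10.0.0.5", 1070, STATIC_UA),
]


def matches(ua, loose=False):
    """loose=True flags any UA containing 'Windows 98' (hits real hosts too);
    loose=False flags only the exact hard-coded kit string."""
    return ("Windows 98" in ua) if loose else (ua == STATIC_UA)


def detect(records, loose=False, window=60, limit=1):
    """Return (src, ts) alerts after per-source thresholding: at most `limit`
    alerts per source in any `window` seconds, like Snort's
    'threshold: type limit, track by_src, count N, seconds S'."""
    alerts = []
    raised = defaultdict(list)  # src -> timestamps of alerts already raised
    for src, ts, ua in records:
        if not matches(ua, loose):
            continue
        recent = [t for t in raised[src] if ts - t < window]
        if len(recent) >= limit:
            continue  # suppressed: this source already alerted in the window
        raised[src] = recent + [ts]
        alerts.append((src, ts))
    return alerts


if __name__ == "__main__":
    print("strict, thresholded:", detect(SAMPLE))
    print("loose, thresholded: ", detect(SAMPLE, loose=True))
    print("loose, no threshold:", detect(SAMPLE, loose=True, limit=10**6))
```

The strict match never fires on the legacy host; the loose match does, and without the threshold it fires on every one of its requests.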

Re: Windows 98
user name
2007-11-13 00:08:00

Just to be certain, did IE on Win98 advertise the OS in the user agent? Did it do it in the same string match as these malware agents?

DS

Re: Windows 98
user name
2007-11-13 00:23:37
I am pretty positive it does.

IIRC the user agent would be something along the lines of "User-Agent: Mozilla/4.0 ( compatible; IE Version; OS Version;)".

I know for a fact that NT did.


Re: Windows 98
user name
2007-11-13 08:27:51
Yes, Windows 98 did advertise in the User Agent like Windows NT, in similar formats to what James gave. You can verify it here:
http://www.user-agents.org/cgi-bin/free-search.cgi

--jeremy

