Rule

--
Sid
18944

--
Summary:
This event is generated when a suspected infection has taken place on the network

--
Impact:
Information disclosure. Loss of integrity. 

--
Detailed Information:
The detection in this rule is a generic match for known strings that are used in many pieces of malware.  If this rule triggers on your network, the Source IP that triggers the event needs to be analyzed for malware.  When analyzing the traffic from this machine, you may see what appear to be legitimate-looking search strings.  This is a malicious indicator.  The malware that was used in order to generate this signature will infect a machine, then attempt to generate SEO-type search traffic in order to drive certain search terms higher in search rankings.  We have observed many different kinds of search terms as a result of the malware, anything from bankruptcy lawyers to pornographic ads.  Scan the machine in question for malicious software. The VRT recommends Immunet with ClamAV.
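As an added illustration of the triage step above (not part of the original rule documentation), the script below parses constructed proxy log lines and groups distinct search terms by client address and User-Agent, so a host emitting the SEO-style query bursts described here stands out from normal browsing. The log format, the hostnames and the HYPOTHETICAL-UA string are assumptions, not values from this rule.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Hypothetical proxy log format: <ts> <client_ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines (not from the rule page). 10.0.0.5 shows the
# pattern the rule text describes: many unrelated queries within seconds.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 GET http://search.example/search?q=bankruptcy+lawyers "Mozilla/4.0 (compatible; HYPOTHETICAL-UA)"
2024-01-01T10:00:02 10.0.0.5 GET http://search.example/search?q=cheap+car+insurance "Mozilla/4.0 (compatible; HYPOTHETICAL-UA)"
2024-01-01T10:00:03 10.0.0.5 GET http://search.example/search?q=debt+consolidation "Mozilla/4.0 (compatible; HYPOTHETICAL-UA)"
2024-01-01T10:00:04 10.0.0.5 GET http://search.example/search?q=adult+dating "Mozilla/4.0 (compatible; HYPOTHETICAL-UA)"
2024-01-01T10:00:05 10.0.0.5 GET http://search.example/search?q=mesothelioma+attorney "Mozilla/4.0 (compatible; HYPOTHETICAL-UA)"
2024-01-01T10:00:30 10.0.0.7 GET http://search.example/search?q=python+urlparse "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2024-01-01T10:02:10 10.0.0.7 GET http://intranet.example/wiki/Home "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

def parse_line(line):
    """Return (ts, ip, url, ua) or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, _method, url, ua = m.groups()
    return ts, ip, url, ua

def search_term(url):
    """Extract the 'q' parameter from a search-engine style URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("q", [None])[0]

def suspicious_hosts(log_text, min_terms=4):
    """Map (client_ip, user_agent) -> sorted distinct search terms, keeping only
    hosts that issued at least `min_terms` distinct queries."""
    terms = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the assumed format
        _ts, ip, url, ua = parsed
        q = search_term(url)
        if q:
            terms[(ip, ua)].add(q)
    return {k: sorted(v) for k, v in terms.items() if len(v) >= min_terms}

if __name__ == "__main__":
    for (ip, ua), found in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{ip} [{ua}] issued {len(found)} distinct queries: {found}")
```

Hosts surfaced this way are candidates for the malware scan the text recommends, and their User-Agent can be compared against the one that fired the rule.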

--
Affected Systems:
All Windows Versions

--
Attack Scenarios:
This alert is likely generated by malware communicating with the Internet in the background on an infected machine.

--
Ease of Attack:
Easy; the machine is likely already infected.

--
False Positives:
Occasionally the VRT's whitelisting process may miss a legitimate User-Agent string. If you feel that the User-Agent string here is legitimate, please notify us at fp@sourcefire.com so we can investigate.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

--
Contributors:
Sourcefire Vulnerability Research Team

--
Additional References:

--
