From 34e0352a21a1bb7475cabc905d79f5fc74694ddd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 3 Feb 2018 14:47:04 +0100
Subject: [PATCH] Rule: Proxy UAs - malware - Ghost419 https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
---
 rules/proxy/proxy_ua_malware.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index b67c9e0a9..fab2b0614 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -22,6 +22,9 @@ detection:
 - '*<|>*' # Houdini / Iniduoh / njRAT
 - 'nsis_inetc (mozilla)' # ZeroAccess
 - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
+ # Ghost419 https://goo.gl/rW1yvZ
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
+ # Malware
 - '*zeroup*' # W32/Renos.Downloader
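Review bot: The added value `'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'` is matched as a complete, well-formed Internet Explorer 8 string with no token specific to the malware, unlike the `*<|>*` and `nsis_inetc (mozilla)` entries above it, so any client that sends the same string will raise the alert. The rule's `falsepositives` and `level` fields are outside this hunk; if they do not already cover it, this entry deserves a false-positive note there, and a hit should be corroborated with the destination host before it is attributed to Ghost419. The reference comment points at a `goo.gl` short link, which hides its destination and can stop resolving. The commit message carries the full McAfee Labs URL, presumably the same report, so I would write the comment as `# Ghost419 https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/` instead.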