[Emerging-Sigs] Trojan: Delf Web Activity

dxp dxp2532 at gmail.com
Fri Jan 30 17:22:35 EST 2009


Do you mind sharing this sample with me, or uploading it to Offensive Computing
and posting the hash here?
Also, note the UAS field for engine build date "30060309".  That should
be quite unique; how's this sig:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
        msg:"ET MALWARE Suspicious User Agent (Gecko/30060309)"; \
        flow:established,to_server; \
        content:"|0D 0A|User-Agent\: Mozilla/"; \
        content:"|20|Gecko/30060309|20|"; within:96; \
        content:"|0D 0A|"; within:32; \
        classtype:trojan-activity; sid:XXXXXXXX; rev:1; \
    )

-  

-=[ dxp ]=-
0xA3F3C6E3



On Fri, 2009-01-30 at 16:42 -0500, ANDREW J WOOD wrote:

> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en;)
> Gecko/30060309 Firefox/1.5.0.7
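The following is an added example, not part of the original post or of the Emerging Threats rule set. It emulates only the content/within chain of the rule proposed above (the flow and $HTTP_PORTS conditions are not modelled) and runs it over three constructed HTTP requests: one carrying the User-Agent quoted from the Delf sample, one with a stock Firefox 1.5.0.7 User-Agent (Gecko/20060909), and one where the Gecko token has been pushed more than 96 bytes past "Mozilla/". The request path and host name are constructed, and the within-window semantics follow the rule as written: each relative content must be found entirely inside the N bytes that follow the end of the previous match.

```python
"""Emulate the content/within chain of the proposed ET rule over sample
HTTP requests.  Added example; the samples below are constructed."""

GECKO_BUILD = b"30060309"

# The three content matches of the rule, in order, with their 'within'
# windows.  The first content is not relative and may sit anywhere.
CONTENT_CHAIN = [
    (b"\r\nUser-Agent: Mozilla/", None),              # |0D 0A|User-Agent\: Mozilla/
    (b" Gecko/" + GECKO_BUILD + b" ", 96),            # |20|Gecko/30060309|20|; within:96
    (b"\r\n", 32),                                    # |0D 0A|; within:32
]


def snort_content_chain(payload: bytes, chain=CONTENT_CHAIN) -> bool:
    """Return True if payload satisfies every content match in order.

    A 'within: N' content must be found entirely inside the N bytes that
    follow the end of the previous match.  Matches are case-sensitive,
    as the rule carries no 'nocase'.
    """
    cursor = 0
    for pattern, within in chain:
        if within is None:
            idx = payload.find(pattern, cursor)
        else:
            rel = payload[cursor:cursor + within].find(pattern)
            idx = cursor + rel if rel >= 0 else -1
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def build_request(user_agent: bytes) -> bytes:
    """Constructed client request; path and host are placeholders."""
    return (b"GET /cfg.php HTTP/1.1\r\n"
            + b"Host: example.invalid\r\n"
            + b"User-Agent: " + user_agent + b"\r\n"
            + b"Connection: close\r\n\r\n")


SAMPLES = {
    # User-Agent quoted from the Delf sample, with the line break restored
    # to the space the rule's |20| assumes.
    "trojan_delf": build_request(
        b"Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7"),
    # Stock Firefox 1.5.0.7 User-Agent: real build date, should not fire.
    "legit_firefox": build_request(
        b"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) "
        b"Gecko/20060909 Firefox/1.5.0.7"),
    # Same fake build date, but the comment before it is over 96 bytes long,
    # so the second content falls outside the within:96 window.
    "padded_evasion": build_request(
        b"Mozilla/5.0 (" + b"x" * 100 + b") Gecko/30060309 Firefox/1.5.0.7"),
}


def scan(samples=SAMPLES) -> dict:
    """Run the chain over every sample and return {name: matched}."""
    return {name: snort_content_chain(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:16s} {'ALERT' if hit else 'no match'}")
```

The third sample is the check worth keeping in mind when tuning the within values: the window is measured from the end of "Mozilla/", so a client that pads the parenthesised comment past 96 bytes slips under the rule even with the same Gecko/30060309 token.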