List: emerging-sigs
Subject: [Emerging-Sigs] New Delf keylog upload
From: jonkman () jonkmans ! com (Matt Jonkman)
Date: 2008-02-20 14:56:04
Message-ID: 47BC3F84.5020601 () jonkmans ! com
Caught an interesting Delf variant pushing keylogs up via ftp with a
predictable filename.
STOR MACHINENAME Keylog [12_54 AM].txt
That's easy enough to follow:
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; classtype:trojan-activity; sid:2007858; rev:1;)
Please report issues with it!
Matt
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
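Added example, not part of Matt's post or the Emerging Threats rule set: a small Python emulation of the content, depth, distance, within and nocase options as the rule above chains them, run over a handful of constructed FTP command lines (not captured traffic). It shows which STOR lines the rule as written fires on and which it misses, including the 5-byte gap that distance:5 imposes between "STOR " and " Keylogger [" and the difference between the "Keylog" filename shown in the post and the " Keylogger [" string the rule matches. The option semantics are a simplification of the Snort engine; confirm against a real sensor before deploying.

```python
# Added example: emulate the three content matches of sid:2007858 and run
# them over constructed FTP command lines. Not the page's or ET's code.

# Each tuple mirrors one content match in the rule, in order:
# (pattern, nocase, depth, distance, within)
DELF_KEYLOG_RULE = [
    (b"STOR ",        False, 5,    None, None),  # content:"STOR "; depth:5;
    (b" Keylogger [", True,  None, 5,    50),    # nocase; distance:5; within:50;
    (b"].txt\r\n",    True,  None, 5,    40),    # "].txt|0d 0a|"; nocase; distance:5; within:40;
]


def rule_matches(payload: bytes, contents=DELF_KEYLOG_RULE) -> bool:
    """Return True if every content match succeeds in sequence.

    Option semantics emulated (simplified from the Snort engine):
      depth:N    -> the pattern must lie entirely within the first N bytes
      distance:N -> the search starts N bytes after the previous match ended
      within:N   -> the pattern must lie entirely within the next N bytes
                    from that search start
      nocase     -> case-insensitive comparison
    """
    cursor = 0  # byte offset just past the previous match
    for pattern, nocase, depth, distance, within in contents:
        start = 0 if distance is None else cursor + distance
        if depth is not None:
            end = start + depth
        elif within is not None:
            end = start + within
        else:
            end = len(payload)
        window = payload[start:end]
        idx = (window.lower().find(pattern.lower()) if nocase
               else window.find(pattern))
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


# Constructed sample FTP command lines (assumed, not captured traffic).
SAMPLE_COMMANDS = [
    b"STOR WORKSTATION7 Keylogger [12_54 AM].txt\r\n",  # textbook hit
    b"STOR PC01-LAB keylogger [3_07 pm].TXT\r\n",       # nocase still hits
    b"STOR MACHINENAME Keylog [12_54 AM].txt\r\n",      # filename as shown in the post: "Keylog"
    b"STOR ABC Keylogger [12_54 AM].txt\r\n",           # 3-byte machine name, shorter than distance:5
    b"RETR WORKSTATION7 Keylogger [12_54 AM].txt\r\n",  # a download, not an upload
]


def scan(commands=SAMPLE_COMMANDS):
    """Return {command: matched} for each sample line, in input order."""
    return {cmd: rule_matches(cmd) for cmd in commands}


if __name__ == "__main__":
    for cmd, hit in scan().items():
        print("ALERT " if hit else "       ", cmd)
```

Two of the misses are worth checking before the rule goes into production: a machine name shorter than five bytes never lines up with distance:5, and the filename quoted in the post reads "Keylog" while the rule's second content is " Keylogger [", so whichever string the sample actually writes is the one to match on.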