alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Weatherbug Related User-Agent (CFNetwork/)"; flow:to_server,established; content:"User-Agent\: CFNetwork/"; nocase; classtype:trojan-activity; sid:2003485; rev:1;)

Added 2007-03-16 10:30:25 UTC

Weatherbug seems to be using a new UA. Or someone else is pulling weatherbug data. Either way, something is installed on the source machine.

-- MattJonkman - 16 Mar 2007

Nope, pulling this sig. It's now out of the ruleset.

CFNetwork is an apple coding framework:

http://developer.apple.com/documentation/Networking/Conceptual/CFNetwork/

-- MattJonkman - 19 Mar 2007


Topic revision: r3 - 2007-03-19 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats