EmergingThreats> Main Web>2007594 (2009-03-31, MattJonkman) EditAttach

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"Mz"; http_user_agent; depth:2; isdataat:!1,relative; metadata: former_category USER_AGENTS; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:11; metadata:created_at 2010_07_30, updated_at 2019_10_11;)

Added 2019-10-11 19:56:22 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

Added 2018-09-13 19:39:16 UTC

Added 2018-09-13 17:53:32 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 18:17:27 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

Added 2017-10-30 16:39:36 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:51 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:7;)

Added 2011-10-12 19:23:24 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; sid:2007594; rev:7;)

Added 2011-09-14 22:36:57 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:7;)

Added 2011-02-04 17:26:42 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;)

Added 2009-09-25 14:00:37 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;)

Added 2009-09-25 14:00:37 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;)

Added 2009-02-12 18:21:15 UTC

FPs on Symantec live updates frown 

GET /streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip HTTP/1.1..
If-Modified-Since: Mon, 30 Mar 2009 00:14:34 GMT..
Cache-control: max-age=0..
Cache-Control: no-cache..
Cache-Control: max-stale=0..
Cache-Control: min-fresh=1000..
Accept: */*..
HOST: liveupdate.symantecliveupdate.com..
User-Agent: MzHRU1zAfcV0V14ymFccsIBLq1Iqg/QSQAAAAALUE..
Connection: Keep-Alive....

-- RussellFulton - 31 Mar 2009

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;)

Added 2009-02-12 18:21:15 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:3;)

Added 2008-07-14 10:00:22 UTC

This sig can get false positives at times from Symantec Updates. They tend to use a random string in the User-Agent field that can sometimes start with an Mz. These should be rare.

Real hits will be like "User-Agent: Mz\r\n" or "User-Agent: MzApp?\r\n" or "User-Agent: MzLoader?\r\n"

-- MattJonkman - 25 Aug 2008

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:2;)

Added 2008-01-31 10:12:22 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:1;)

Added 2007-09-03 13:16:46 UTC

Edit | Attach | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2009-03-31 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats