alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:7;)

Added 2011-10-12 19:23:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; sid:2007594; rev:7;)

Added 2011-09-14 22:36:57 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:7;)

Added 2011-02-04 17:26:42 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;)

Added 2009-09-25 14:00:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;)

Added 2009-09-25 14:00:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;)

Added 2009-02-12 18:21:15 UTC

False positives on Symantec live updates:

GET /streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip HTTP/1.1..
If-Modified-Since: Mon, 30 Mar 2009 00:14:34 GMT..
Cache-control: max-age=0..
Cache-Control: no-cache..
Cache-Control: max-stale=0..
Cache-Control: min-fresh=1000..
Accept: */*..
HOST: liveupdate.symantecliveupdate.com..
User-Agent: MzHRU1zAfcV0V14ymFccsIBLq1Iqg/QSQAAAAALUE..
Connection: Keep-Alive....

-- RussellFulton - 31 Mar 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:4;)

Added 2009-02-12 18:21:15 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz/MzApp)"; flow:established,to_server; content:"User-Agent\: Mz"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:3;)

Added 2008-07-14 10:00:22 UTC

This signature can occasionally produce false positives on Symantec Updates, which tend to use a random string in the User-Agent field that can sometimes start with "Mz". These should be rare.

Real hits will look like "User-Agent: Mz\r\n", "User-Agent: MzApp?\r\n" or "User-Agent: MzLoader?\r\n".

-- MattJonkman - 25 Aug 2008


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:2;)

Added 2008-01-31 10:12:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (MzApp?)"; flow:established,to_server; content:"User-Agent\: MzApp?"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:1;)

Added 2007-09-03 13:16:46 UTC


Topic revision: r4 - 2009-03-31 - MattJonkman