alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; classtype:trojan-activity; sid:2007857; rev:1;)

Added 2008-02-20 09:49:15 UTC

Caught an interesting Delf variant pushing keylogs up via FTP with a predictable filename.

STOR MACHINENAME Keylog [12_54 AM].txt

as in 3f88ebc01fb1c4459d8041458fe97853

-- MattJonkman - 20 Feb 2008

STOR BXXX Keylogger [12_44_57 AM].txt

-- MattJonkman - 20 Feb 2008
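The following is an added example, not Emerging Threats code and not how Snort or Suricata implement matching internally: a small Python matcher that pulls the content options out of the rule at the top of this page and applies depth, distance and within to constructed STOR lines modelled on the two filenames posted above. It models distance as a skip counted from the end of the previous match and within as the size of the search window that begins after that skip (Snort-style; Suricata bounds within from the end of the previous match, which gives the same verdicts for these inputs). Two checks fall out of it: the first posted filename uses "Keylog [", which the rev:1 content " Keylogger [" does not match, and distance:5 leaves no room in the window for the space before "Keylogger" when the machine name is shorter than five characters, so such uploads are missed. The option parser is deliberately minimal and assumes no ';' or escaped quotes inside option values; the sample lines are constructed, not captured traffic.

```python
"""Added example (not Emerging Threats code): a toy content matcher that
applies depth / distance / within the way the ET rule on this page uses
them, so the pattern can be checked offline against constructed STOR lines.

Assumptions: distance skips N bytes after the previous match ends and within
bounds the window that starts after that skip (Snort-style; Suricata bounds
it from the previous match end, which gives the same answers here). Option
values are assumed not to contain ';' or escaped quotes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The rule from the top of this page, copied verbatim.
RULE = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP '
        r'Upload"; flow:established,to_server; content:"STOR "; depth:5; '
        r'content:" Keylogger ["; nocase; distance:5; within:50; '
        r'content:"].txt|0d 0a|"; nocase; distance:5; within:40; '
        r'classtype:trojan-activity; sid:2007857; rev:1;)')


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    depth: Optional[int] = None      # window from payload start (first content)
    distance: int = 0                # bytes skipped after the previous match
    within: Optional[int] = None     # size of the window after that skip


def decode_content(text: str) -> bytes:
    """Turn a content string into bytes: |hh hh| runs are hex, the rest literal."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_contents(rule: str) -> List[Content]:
    """Collect the content options and the modifiers that follow each one."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents: List[Content] = []
    for opt in body.split(";"):
        name, _, val = opt.strip().partition(":")
        if name == "content":
            contents.append(Content(decode_content(val.strip().strip('"'))))
        elif contents and name == "nocase":
            contents[-1].nocase = True
        elif contents and name in ("depth", "distance", "within"):
            setattr(contents[-1], name, int(val))
    return contents


def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """Apply the content chain in order; every content must hit inside its window."""
    prev_end = 0
    for i, c in enumerate(contents):
        if i == 0:
            start, end = 0, (c.depth if c.depth is not None else len(payload))
        else:
            start = prev_end + c.distance
            end = start + c.within if c.within is not None else len(payload)
        window, needle = payload[start:end], c.pattern
        if c.nocase:
            window, needle = window.lower(), needle.lower()
        pos = window.find(needle)
        if pos < 0:
            return False
        prev_end = start + pos + len(needle)
    return True


# Constructed FTP command lines modelled on the two filenames posted on this
# page (not captured traffic), with the verdict the rule should give.
SAMPLES: Dict[str, bool] = {
    "STOR MACHINENAME Keylogger [12_44_57 AM].txt\r\n": True,
    "STOR machinename KEYLOGGER [1_00 PM].TXT\r\n": True,        # nocase on 2nd/3rd content
    "STOR MACHINENAME Keylog [12_54 AM].txt\r\n": False,        # "Keylog [" is not " Keylogger ["
    "STOR BXXX Keylogger [12_44_57 AM].txt\r\n": False,         # 4-char host: distance:5 skips the space
    "STOR report.txt\r\n": False,
    "RETR MACHINENAME Keylogger [12_44_57 AM].txt\r\n": False,  # not an upload
}


def evaluate(rule: str = RULE, samples: Optional[Dict[str, bool]] = None) -> Dict[str, bool]:
    """Return {command line: matched?} for each sample under the parsed rule."""
    contents = parse_contents(rule)
    return {s: match_contents(s.encode("latin-1"), contents)
            for s in (samples if samples is not None else SAMPLES)}


if __name__ == "__main__":
    for line, hit in evaluate().items():
        print(f"{'MATCH' if hit else 'no   '} {line.rstrip()!r}  (expected {SAMPLES[line]})")
```

Only the payload side of the rule is modelled here; the header (`$HOME_NET any -> $EXTERNAL_NET 21`) and `flow:established,to_server` still have to hold for the real signature to fire, so a hit from this matcher on a line seen in the server-to-client direction says nothing about the rule.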


Topic revision: r2 - 2008-02-20 - MattJonkman