#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate?|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:16 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate?|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:5;)

Added 2011-10-12 19:24:24 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate?|0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008074; sid:2008074; rev:5;)

Added 2011-09-14 22:37:53 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate?|0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008074; rev:5;)

Added 2011-02-04 17:27:11 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate?|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008074; rev:3;)

Added 2009-02-12 18:21:14 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate?|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008074; rev:3;)

Added 2009-02-12 18:21:14 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate?|0d 0a|"; classtype:trojan-activity; sid:2008074; rev:2;)

Added 2008-04-07 14:45:40 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate?|0d 0a|"; classtype:trojan-activity; sid:2008074; rev:2;)

Added 2008-04-07 14:45:40 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate?|0d 0a|"; classtype:trojan-activity; sid:2008074; rev:1;)

Added 2008-03-30 22:54:46 UTC

Be careful with this signature. Many false-positive hits are likely. WebUpdate? appears to be a legitimate SDK that is probably used by many legitimate applications. see: http://www.hallogram.com/webupdate/

Would like to see more refinement with the signature to better identify Banload trojan.

-- MikeWazowski - 05 Apr 2008


Topic revision: r2 - 2008-04-05 - MikeWazowski
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats