Written by Matt Jonkman
Wednesday, 20 February 2008
Caught an interesting Delf variant pushing keylogs up via FTP with a predictable filename. The STOR command on the control channel looks like this:

STOR MACHINENAME Keylogger [12_54 AM].txt

That's easy enough to follow:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; classtype:trojan-activity; sid:2007858; rev:1;)

Please report issues with it!

Matt
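To make the depth/distance/within chain in that rule concrete, here is an added example (not code from the original post or from Emerging Threats) that re-implements the three content matches in Python and runs them over a handful of constructed FTP control-channel lines. The sample STOR commands, the hostnames and the timestamps are invented for the example; the matching semantics follow Snort's documented behaviour for those modifiers (depth counts from the start of the payload, distance skips bytes past the previous match, within bounds the search window that follows). It also shows one tuning caveat a practitioner would want to know: because of `distance:5` after `STOR `, the rule only fires when the machine name is at least five characters long.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One Snort content match with the modifiers the Delf rule uses."""
    pattern: bytes
    nocase: bool = False
    depth: Optional[int] = None   # search only the first `depth` bytes of the payload
    distance: int = 0             # skip this many bytes after the previous match
    within: Optional[int] = None  # the match must lie inside this many bytes after the skip


def _find(haystack: bytes, needle: bytes, nocase: bool) -> int:
    if nocase:
        return haystack.lower().find(needle.lower())
    return haystack.find(needle)


def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """Apply a chain of content matches the way Snort evaluates them in order.

    `cursor` is the byte offset just past the previous successful match; each
    relative content (distance/within) searches a window that starts at
    cursor + distance and is `within` bytes long.
    """
    cursor = 0
    for c in contents:
        if c.depth is not None:
            window_start = 0
            window = payload[:c.depth]
        else:
            window_start = cursor + c.distance
            end = None if c.within is None else window_start + c.within
            window = payload[window_start:end]
        idx = _find(window, c.pattern, c.nocase)
        if idx < 0:
            return False
        cursor = window_start + idx + len(c.pattern)
    return True


# The three content matches from sid:2007858, transcribed from the rule above.
DELF_KEYLOG_FTP = [
    Content(b"STOR ", depth=5),
    Content(b" Keylogger [", nocase=True, distance=5, within=50),
    Content(b"].txt\r\n", nocase=True, distance=5, within=40),
]


def scan_ftp_commands(lines: List[bytes]) -> List[bytes]:
    """Return the control-channel lines that would trigger the rule."""
    return [line for line in lines if match_rule(line, DELF_KEYLOG_FTP)]


# Constructed sample traffic: two keylog uploads in the Delf naming scheme,
# one benign upload, and one upload whose hostname is too short for distance:5.
SAMPLE_COMMANDS = [
    b"STOR LAPTOP-01 Keylogger [12_54 AM].txt\r\n",   # fires
    b"STOR HOST-01 KEYLOGGER [01_02 PM].TXT\r\n",     # fires (nocase on the tail)
    b"STOR report-q1.pdf\r\n",                        # benign, no alert
    b"STOR WS7 Keylogger [12_54 AM].txt\r\n",         # 3-char hostname: distance:5 skips past " Keylogger ["
]

if __name__ == "__main__":
    for line in scan_ftp_commands(SAMPLE_COMMANDS):
        print("ALERT ET TROJAN Delf Keylog FTP Upload:", line.rstrip())
```

Running the block prints the two alerting lines. The fourth sample is the caveat worth keeping in mind when reviewing hits or misses: the rule as written assumes the machine name occupies at least five bytes between `STOR ` and ` Keylogger [`, which holds for the observed sample but is a blind spot for very short hostnames.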
Last Updated ( Wednesday, 20 February 2008 )