FPs on 2003933 - BLEEDING-EDGE TROJAN Banker.Delf User-Agent (Ms)

I've noticed a number of alerts on 2003933 which all appear
to be Symantec LiveUpdate; e.g.,

> GET /minitri.flg HTTP/1.1
> Accept: */*
> If-Modified-Since: Fri, 29 Jul 2005 20:24:32 GMT
> Cache-Control: max-age=0
> User-Agent: MsDUkbXmJkECee/1uHHXdAel2G8
> Host: liveupdate.symantecliveupdate.com
> Connection: Keep-Alive
> Pragma: no-cache

All of the destination hosts appear to be akamai related.  

Jeff
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs

Added a |0d 0a| to the end of the content match. That ought
to kill the
false positives.

Thanks!

Matt

Jeff Kell wrote:
> I've noticed a number of alerts on 2003933 which all
appear to be Symantec LiveUpdate; e.g.,
> 
>> GET /minitri.flg HTTP/1.1
>> Accept: */*
>> If-Modified-Since: Fri, 29 Jul 2005 20:24:32 GMT
>> Cache-Control: max-age=0
>> User-Agent: MsDUkbXmJkECee/1uHHXdAel2G8
>> Host: liveupdate.symantecliveupdate.com
>> Connection: Keep-Alive
>> Pragma: no-cache
> 
> All of the destination hosts appear to be akamai
related.  
> 
> Jeff
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigsbleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthr
eats.net
--------------------------------------------

PGP: http:/
/www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs