[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Thu Aug 18 12:41:40 EDT 2005


[***] Results from Oinkmaster started Wed Aug 17 20:00:06 2005 [***]

[+++]          Added rules:          [+++]

 2002194 - BLEEDING-EDGE Malware Unknown Spyware. Please report hits to lp-analysts at ...2727... (bleeding-malware.rules)
 2002195 - BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1 (bleeding-malware.rules)
 2002196 - BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2 (bleeding-malware.rules)
 2002197 - BLEEDING-EDGE MALWARE Tickle.com Spyware (bleeding-malware.rules)
 2002198 - BLEEDING-EDGE MALWARE Bidclix.com Spyware (bleeding-malware.rules)
 2002199 - BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP HOD bind attempt (bleeding-exploit.rules)
 2002200 - BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP bind attempt (bleeding-exploit.rules)
 2002201 - BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt (bleeding-exploit.rules)
 2002202 - BLEEDING-EDGE EXPLOIT SMB DCERPC PnP bind attempt (bleeding-exploit.rules)
 2002203 - BLEEDING-EDGE EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt (bleeding-exploit.rules)
 2002204 - BLEEDING-EDGE MALWARE Websponsors.com Spyware (bleeding-malware.rules)
 2002296 - BLEEDING-EDGE Malware Searchfeed.com Spyware 1 (bleeding-malware.rules)
 2002297 - BLEEDING-EDGE Malware Searchfeed.com Spyware 2 (bleeding-malware.rules)
 2002298 - BLEEDING-EDGE Malware Searchfeed.com Spyware 3 (bleeding-malware.rules)
 2002299 - BLEEDING-EDGE Malware Searchfeed.com Spyware 4 (bleeding-malware.rules)
 2002300 - BLEEDING-EDGE Malware Searchfeed.com Spyware 5 (bleeding-malware.rules)
 2002301 - BLEEDING-EDGE Malware Searchfeed.com Spyware 6 (bleeding-malware.rules)
 2002302 - BLEEDING-EDGE Malware Searchfeed.com Spyware 7 (bleeding-malware.rules)
 2002303 - BLEEDING-EDGE Malware Searchfeed.com Spyware 8 (bleeding-malware.rules)
 2002304 - BLEEDING-EDGE MALWARE Advertising.com Reporting Data (bleeding-malware.rules)
 2002308 - BLEEDING-EDGE EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) (bleeding-exploit.rules)


[///]     Modified active rules:     [///]

 2000026 - BLEEDING-EDGE Malware Gator Agent Traffic (bleeding-malware.rules)
 2000586 - BLEEDING-EDGE Malware Ezula Related Calling Home (bleeding-malware.rules)
 2001295 - BLEEDING-EDGE MALWARE Browseraid.com Agent (bleeding-malware.rules)
 2001487 - BLEEDING-EDGE Malware Tibsystems Spyware Activity (bleeding-malware.rules)
 2001492 - BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (MyApp) (bleeding-malware.rules)
 2001493 - BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (IST) (bleeding-malware.rules)
 2001498 - BLEEDING-EDGE Malware Internet Optimizer Activity (bleeding-malware.rules)
 2001504 - BLEEDING-EDGE Malware Medialoads.com Spyware Activity (bleeding-malware.rules)
 2001562 - BLEEDING-EDGE Malware MarketScore.com Spyware User Configuration and Setup Access (bleeding-malware.rules)
 2001639 - BLEEDING-EDGE Malware Wild Tangent Agent Activity (bleeding-malware.rules)
 2001640 - BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Traffic (bleeding-malware.rules)
 2001652 - BLEEDING-EDGE Malware JoltID Agent New Code Download (bleeding-malware.rules)
 2001699 - BLEEDING-EDGE Malware YourSiteBar Activity (bleeding-malware.rules)
 2001702 - BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (Bundle) (bleeding-malware.rules)
 2001703 - BLEEDING-EDGE Malware Context Plus Spyware Activity (1) (bleeding-malware.rules)
 2001706 - BLEEDING-EDGE Malware Context Plus Spyware Activity (2) (bleeding-malware.rules)
 2001707 - BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (SAH) (bleeding-malware.rules)
 2001732 - BLEEDING-EDGE Malware Top Converting Agent Activity (bleeding-malware.rules)
 2001736 - BLEEDING-EDGE Malware UCMore Spyware Activity (bleeding-malware.rules)
 2001746 - BLEEDING-EDGE Malware Enhance My Search Spyware Activity (bleeding-malware.rules)
 2001852 - BLEEDING-EDGE MALWARE 404Search Spyware User Agent (bleeding-malware.rules)
 2001853 - BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent (bleeding-malware.rules)
 2001854 - BLEEDING-EDGE MALWARE EZULA Spyware User Agent (bleeding-malware.rules)
 2001855 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1) (bleeding-malware.rules)
 2001858 - BLEEDING-EDGE MALWARE Hotbar Spyware User Agent (bleeding-malware.rules)
 2001859 - BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent (bleeding-malware.rules)
 2001860 - BLEEDING-EDGE MALWARE Kontiki Spyware User Agent (bleeding-malware.rules)
 2001861 - BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent (bleeding-malware.rules)
 2001862 - BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent (bleeding-malware.rules)
 2001863 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2) (bleeding-malware.rules)
 2001864 - BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3) (bleeding-malware.rules)
 2001865 - BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent (bleeding-malware.rules)
 2001866 - BLEEDING-EDGE MALWARE Smartpops/Mediaload Spyware User Agent (bleeding-malware.rules)
 2001867 - BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent (bleeding-malware.rules)
 2001868 - BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent (bleeding-malware.rules)
 2001869 - BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent (bleeding-malware.rules)
 2001870 - BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent (bleeding-malware.rules)
 2001871 - BLEEDING-EDGE MALWARE Target Saver Spyware User Agent (bleeding-malware.rules)
 2001872 - BLEEDING-EDGE MALWARE Visicom Spyware User Agent (bleeding-malware.rules)
 2001891 - BLEEDING-EDGE Malware ToolbarPartner User Agent Activity (bleeding-malware.rules)
 2001996 - BLEEDING-EDGE Malware UCMore Spyware Activity User Agent String (bleeding-malware.rules)
 2002002 - BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thnall) (bleeding-malware.rules)
 2002005 - BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (poller) (bleeding-malware.rules)
 2002007 - BLEEDING-EDGE Malware Wildmedia Spyware User Agent Activity (bleeding-malware.rules)
 2002011 - BLEEDING-EDGE Malware PeopleonPage Spyware User Agent Activity (bleeding-malware.rules)
 2002014 - BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (2) (bleeding-malware.rules)
 2002020 - BLEEDING-EDGE Malware Overpro Spyware User Agent Activity (merong) (bleeding-malware.rules)
 2002021 - BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (1) (bleeding-malware.rules)
 2002035 - BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thin) (bleeding-malware.rules)
 2002038 - BLEEDING-EDGE Malware Shopathomeselect.com Spyware User Agent Activity (bleeding-malware.rules)
 2002039 - BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (aurareco) (bleeding-malware.rules)
 2002071 - BLEEDING-EDGE Malware XupiterToolbar Spyware User Agent Activity (bleeding-malware.rules)
 2002073 - BLEEDING-EDGE Malware General Spyware User Agent Activity (bleeding-malware.rules)
 2002074 - BLEEDING-EDGE Malware Win32.Stubby Spyware User Agent Activity (bleeding-malware.rules)
 2002076 - BLEEDING-EDGE Malware New.net Spyware User Agent Activity (bleeding-malware.rules)
 2002077 - BLEEDING-EDGE Malware IEBar Spyware User Agent Activity (bleeding-malware.rules)
 2002078 - BLEEDING-EDGE Malware SideStep Spyware User Agent Activity (bleeding-malware.rules)
 2002079 - BLEEDING-EDGE MALWARE MyWaySearch Products Spyware User Agent (bleeding-malware.rules)
 2002080 - BLEEDING-EDGE MALWARE MySearch Products Spyware User Agent (bleeding-malware.rules)
 2002082 - BLEEDING-EDGE Malware Unknown Spyware User Agent Activity -- Please report to bleedingsnort.com (bleeding-malware.rules)
 2002097 - BLEEDING-EDGE Malware IEHelp.net Spyware User Agent Activity (bleeding-malware.rules)
 2002153 - BLEEDING-EDGE MALWARE EXE as User Agent -- Potential Spyware (bleeding-malware.rules)
 2002160 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat) (bleeding-malware.rules)
 2002161 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (feat2) (bleeding-malware.rules)
 2002163 - BLEEDING-EDGE MALWARE Ezula Update Engine (bleeding-malware.rules)
 2002164 - BLEEDING-EDGE MALWARE Hotbar Spyware (bleeding-malware.rules)
 2002165 - BLEEDING-EDGE MALWARE IESearch Spyware (bleeding-malware.rules)
 2002166 - BLEEDING-EDGE MALWARE Alexa Search Toolbar (bleeding-malware.rules)
 2002167 - BLEEDING-EDGE MALWARE Spyware Labs Spyware (bleeding-malware.rules)
 2002168 - BLEEDING-EDGE MALWARE Svcmm Parasite (bleeding-malware.rules)
 2002169 - BLEEDING-EDGE MALWARE iWon Spyware (bleeding-malware.rules)
 2002173 - BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3) (bleeding-exploit.rules)
 2002177 - BLEEDING-EDGE VIRUS Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - outbound (bleeding-virus.rules)
 2002189 - BLEEDING-EDGE Current Events OSA4.GIF Detected Possible Trojan.Tooso Infection (bleeding.rules)


[///]    Modified inactive rules:    [///]

 2002162 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (SCAgent) (bleeding-malware.rules)
 2002178 - BLEEDING-EDGE VIRUS Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - incoming (bleeding-virus.rules)
 2002183 - BLEEDING-EDGE VIRUS BagleDL-S SMTP Outbound (bleeding-virus.rules)
 2002184 - BLEEDING-EDGE VIRUS BagleDL-S SMTP Inbound (bleeding-virus.rules)


[---]         Disabled rules:        [---]

 2002186 - BLEEDING-EDGE EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability (bleeding-exploit.rules)
 2002187 - BLEEDING-EDGE EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln (bleeding-exploit.rules)
 2002188 - BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln (bleeding-exploit.rules)


[---]         Removed rules:         [---]

 2000368 - BLEEDING-EDGE Malware Gator/Claria Agent Installed (bleeding-malware.rules)
 2001527 - BLEEDING-EDGE MALWARE Casalemedia Access, Likely Spyware (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-exploit.rules (6):
        #This is for the new IE Exploit. It will be moved to it's own file shortly. It is staying put to make sure it's after the
        # clsid flowbits set above.
        #By Blake Harstein of Demarc
        #Replaced by sigs below
        #All related to UPnP Exploit, MS05-039
        #Thanks to the Alert Logic team

     -> Added to bleeding-malware.rules (7):
        #From Listening Post data
        #Matt Jonkman from Spyware listening post data
        #By Matt Jonkman from Spyware listening post data
        #By Matt Jonkman from Listening Post Data
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE User-Agent String"; flow:established,to_server; flowbits:isnotset,http.UserAgent; flowbits:noalert; flowbits:set,http.UserAgent; content:"User-Agent\:"; nocase; classtype:string-detect; rev:1;)
        #By Matt Jonkman from Spyware listening post data
        #Matt Jonkman from spyware listening post data

     -> Added to bleeding-sid-msg.map (25):
        2002177 || BLEEDING-EDGE VIRUS Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - outbound || url,www.viruslist.com/en/alerts?alertid=168511904
        2002178 || BLEEDING-EDGE VIRUS Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - incoming || url,www.viruslist.com/en/alerts?alertid=168511904
        2002183 || BLEEDING-EDGE VIRUS BagleDL-S SMTP Outbound || url,www.sophos.com/virusinfo/analyses/trojbagledls.html
        2002184 || BLEEDING-EDGE VIRUS BagleDL-S SMTP Inbound || url,www.sophos.com/virusinfo/analyses/trojbagledls.html
        2002194 || BLEEDING-EDGE Malware Unknown Spyware. Please report hits to lp-analysts at ...2727...
        2002195 || BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1
        2002196 || BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2
        2002197 || BLEEDING-EDGE MALWARE Tickle.com Spyware || url,www.spywareremove.com/removeTickle.html
        2002198 || BLEEDING-EDGE MALWARE Bidclix.com Spyware
        2002199 || BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP HOD bind attempt
        2002200 || BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP bind attempt
        2002201 || BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt || url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx || cve,CAN-2005-1983
        2002202 || BLEEDING-EDGE EXPLOIT SMB DCERPC PnP bind attempt
        2002203 || BLEEDING-EDGE EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt || url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx || cve,CAN-2005-1983
        2002204 || BLEEDING-EDGE MALWARE Websponsors.com Spyware
        2002296 || BLEEDING-EDGE Malware Searchfeed.com Spyware 1 || url,www.searchfeed.com
        2002297 || BLEEDING-EDGE Malware Searchfeed.com Spyware 2 || url,www.searchfeed.com
        2002298 || BLEEDING-EDGE Malware Searchfeed.com Spyware 3 || url,www.searchfeed.com
        2002299 || BLEEDING-EDGE Malware Searchfeed.com Spyware 4 || url,www.searchfeed.com
        2002300 || BLEEDING-EDGE Malware Searchfeed.com Spyware 5 || url,www.searchfeed.com
        2002301 || BLEEDING-EDGE Malware Searchfeed.com Spyware 6 || url,www.searchfeed.com
        2002302 || BLEEDING-EDGE Malware Searchfeed.com Spyware 7 || url,www.searchfeed.com
        2002303 || BLEEDING-EDGE Malware Searchfeed.com Spyware 8 || url,www.searchfeed.com
        2002304 || BLEEDING-EDGE MALWARE Advertising.com Reporting Data || url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html
        2002308 || BLEEDING-EDGE EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (2):
        # This looks more like legit ad traffic. Needs to be verified
        #Joel Esler rule (depth added by bobkberg)

     -> Removed from bleeding-sid-msg.map (6):
        2000368 || BLEEDING-EDGE Malware Gator/Claria Agent Installed
        2001527 || BLEEDING-EDGE MALWARE Casalemedia Access, Likely Spyware || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082755
        2002177 || Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - outbound || url,www.viruslist.com/en/alerts?alertid=168511904
        2002178 || Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - incoming || url,www.viruslist.com/en/alerts?alertid=168511904
        2002183 || VIRUS BagleDL-S SMTP Outbound || url,www.sophos.com/virusinfo/analyses/trojbagledls.html
        2002184 || VIRUS BagleDL-S SMTP Inbound || url,www.sophos.com/virusinfo/analyses/trojbagledls.html
