[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Mon Feb 21 17:00:44 EST 2005


[***] Results from Oinkmaster started Mon Feb 21 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (2):
        alert tcp $HOME_NET any -> any 11768 (msg:"BLEEDING-EDGE Virus Dipnet infected host response"; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"; reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity; sid:2001740; rev:1;)
        alert tcp $HOME_NET any -> any 15118 (msg:"BLEEDING-EDGE Virus Dipnet infected host response"; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"; reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity; sid:2001739; rev:1;)
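Review bot: neither Dipnet rule (sid:2001739, sid:2001740) carries a `flow:` option, unlike the other TCP rules in this update, so a single unestablished or spoofed packet from $HOME_NET toward port 11768 or 15118 containing the string is enough to fire it; add `flow:established` (with the direction matching which side sends the response) so the content is only inspected inside a real session. Both rules also share one msg, which makes the two ports indistinguishable in sid-msg.map without looking up the sid.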

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (2):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  (msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001413; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001413; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001412; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001412; rev:4;)
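Review bot: in both the old and new text of sid:2001412 the relative modifier `within:5` is attached to the first content (`content:"/soft/loads/"; nocase; within:5;`), where there is no earlier match for it to be relative to, so it does not tie `.exe` to the path as the message implies; rev 4 only drops a doubled space before the option block. Move the modifier behind the second pattern (`content:".exe"; nocase; within:N;`, with N large enough to cover the filename between the path and the extension) so the two contents are actually chained.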

     -> Modified active in bleeding-p2p.rules (2):
        old: alert udp any any -> any any  (msg:"BLEEDING-EDGE P2P Overnet Server Announce"; content:"|00000203006c6f63|"; offset:36; content:"|006263703a2f2f|"; distance:1; classtype:policy-violation; rev:1; sid:2000335;)
        new: alert udp any any -> any any (msg:"BLEEDING-EDGE P2P Overnet Server Announce"; content:"|00000203006c6f63|"; offset:36; content:"|006263703a2f2f|"; distance:1; classtype:policy-violation; rev:2; sid:2000335;)
        old: alert udp $EXTERNAL_NET any -> $HOME_NET any  (msg:"BLEEDING-EDGE P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset:0; depth:6; classtype:policy-violation;threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340; rev:2;)
        new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset:0; depth:6; classtype:policy-violation;threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; sid:2000340; rev:3;)

     -> Modified active in bleeding-virus.rules (7):
        old: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; classtype:trojan-activity; sid:2001287; rev:4; )
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; classtype:trojan-activity; sid:2001287; rev:5;)
        old: alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001631; rev:1;)
        new: alert tcp $EXTERNAL_NET 6667 -> any any (msg: "BLEEDING-EDGE Virus Rbot IRC INCOMING activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001631; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; msg:"BLEEDING-EDGE VIRUS SWEN.A Worm detected"; classtype:trojan-activity; flow:to_server,established; sid:2001268; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS SWEN.A Worm detected"; content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; classtype:trojan-activity; flow:to_server,established; sid:2001268; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; classtype:trojan-activity; flow:established; sid:2001273; rev:8; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; classtype:trojan-activity; flow:established; sid:2001273; rev:9; )
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"GET HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity; flow:to_server,established; sid:2001278; rev:4; )
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; content:"GET HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; classtype:trojan-activity; flow:to_server,established; sid:2001278; rev:5;)
        old: alert ip $HOME_NET any -> $EXTERNAL_NET any (content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; classtype:trojan-activity; sid:2001288; rev:4; )
        new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; classtype:trojan-activity; sid:2001288; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001630; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE Virus Rbot IRC OUTGOING activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001630; rev:2;)

[---]         Disabled rules:        [---]

     -> Disabled in bleeding-virus.rules (1):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/2\.jpg/i"; flow:established; classtype:trojan-activity; sid:2001061; rev:10;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (4):
        2001630 || BLEEDING-EDGE Virus Rbot IRC OUTGOING activity - Trying to join IRC || url,secunia.com/virus_information/11709/
        2001631 || BLEEDING-EDGE Virus Rbot IRC INCOMING activity - Trying to join IRC || url,secunia.com/virus_information/11709/
        2001739 || BLEEDING-EDGE Virus Dipnet infected host response || url,www.lurhq.com/dipnet.html
        2001740 || BLEEDING-EDGE Virus Dipnet infected host response || url,www.lurhq.com/dipnet.html

     -> Added to bleeding-virus.rules (44):
        #	Dipnet
        #Submitted by Sven
        #	CIA
        #	Evaman Worm
        #Taken from the Netsquid Rules
        #	GDI Exploit
        #	Korgo Worm
        #	MiMail Worm
        #Submitted by Michael Sconzo and taken from Netsquid
        #Taken from Lurhq for MyDoom.m,o
        #	MySQL Worm
        #Submitted by unknown
        #	Nachi/Phatbot Worm
        #Taken from the Netsquid Rules
        #	Netsky Worm
        #Submitted by Mark Scott, 3/11/2004, for NetSky.C
        #Submitted by Mark Scott, 3/22/2004, for Netsky.P
        #Submitted by Mark Scott, 5/18/2004, for Netsky.Z
        #Taken from the Netsquid Rules
        #	Novarg Worm
        #Taken from the Netsquid Rules
        #	PHPInclude Worm
        #Submitted by Matt Jonkman for phpinclude.worm
        #	Rbot trojan
        #Submitted by Mark Scott, 12/27/2004, for robot
        #Submitted by Christopher Harrington for RXBOT/RBOT
        #Submitted by Jason Alexander for RBOT BestFriends.scr
        #Submitted by Chris Norton for Rbot.Gen
        #Submitted by James Riden for bot activity
        #	Santy Worm
        #Taken from Dshield for Santy.A
        #Submitted  Erik Fichtner for Santy.B
        #	Sasser Worm
        #Submitted by Lin Zhong for Sasser variants
        #Submitted by unknown
        #Submitted by Joe Stewart for Sasser FTP exploit
        #	Small Trojan
        #	Stdbot
        #Taken from the Netsquid Rules stdbot variants
        #	Suspicious Extensions
        #	Swen Worm
        #Taken from the Netsquid rules
        #	VBSun Worm
        #	Zincite worm

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (2):
        2001630 || BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC || url,secunia.com/virus_information/11709/
        2001631 || BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC || url,secunia.com/virus_information/11709/

     -> Removed from bleeding-virus.rules (24):
        #Written by Chris Norton
        #From the Netsquid Rules
        #From Michael Sconzo and Netsquid
        # Very crude first draft of rule to detect MySQL worm
        #From the Netsquid Rules
        #From the Netsquid Rules
        #Submitted by Mark Scott, Mark.Scott at ...2921..., created 3/22/2004
        #added by Mark Scott 3/11/2004 for NetSky.C, updated 3/23/2003
        #Submitted by Mark Scott 5/18/2004 for Netsky.Z
        #From the Netsquid Rules
        #Matt Jonkman phpinclude.worm
        #Submitted by Christopher Harrington
        #Submitted by Jason Alexander
        #Written by Chris Norton
        # Investigating Rbot activity - created by Mark Scott, 12/27/2004
        #By James Riden
        #From Dshield
        #By Erik Fichtner
        #Submitted by Lin Zhong
        # as posted by Joe Stewart
        #From the Netsquid Rules
        #From the Netsquid rules
        #Matt Jonkman
        #From Lurhq

[*] Added files: [*]
    None.
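Two things this update gets right are worth checking mechanically before any rules update is pushed: every rule's sid must have a sid-msg.map entry whose msg and reference agree with the rule (the Rbot msg change above is why two map lines are removed and re-added), and any rule whose text changed must carry a higher rev. The Python below is an added example, not part of the Bleeding Snort update or of Oinkmaster; it parses Snort 2 rule lines and sid-msg.map lines with simple regexes (assumption: one rule per line, standard `option:value;` syntax, a leading `#` marks a disabled rule) and runs both checks over lines copied from the report. STALE is a constructed variant of the new Rbot rule with the rev left at 1.

```python
"""Consistency checks for a Snort rule update.

Added example; not part of the Bleeding Snort update or of Oinkmaster. It parses
Snort 2 rule lines and sid-msg.map lines with simple regexes (assumption: one
rule per line, standard "option:value;" syntax, a leading '#' marks a disabled
rule) and checks that every sid has a matching sid-msg.map entry and that a
changed rule text comes with a bumped rev. Sample lines are copied from the
report; STALE is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

_MSG = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')    # quoted, escapes allowed
_SID = re.compile(r"\bsid:\s*(\d+)")
_REV = re.compile(r"\brev:\s*(\d+)")
_REF = re.compile(r"\breference:\s*([^;]+);")         # may occur more than once
_TOKEN = re.compile(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+')  # one option; ';' inside quotes kept


@dataclass
class Rule:
    sid: int
    rev: int
    msg: str
    refs: List[str]
    enabled: bool
    body: str  # header plus every option except rev; used to detect text changes


def parse_rule(line: str) -> Rule:
    text = line.strip()
    enabled = not text.startswith("#")
    text = text.lstrip("#").strip()
    header = re.sub(r"\s+", " ", text[: text.index("(")]).strip()
    opts = text[text.index("(") + 1 : text.rindex(")")]
    msg, sid, rev = _MSG.search(opts), _SID.search(opts), _REV.search(opts)
    if not (msg and sid and rev):
        raise ValueError("rule needs msg, sid and rev: " + text[:60])
    tokens = [t.strip() for t in _TOKEN.findall(opts) if t.strip()]
    body = header + " (" + "; ".join(t for t in tokens if not t.startswith("rev:")) + ")"
    refs = [r.strip() for r in _REF.findall(opts)]
    return Rule(int(sid.group(1)), int(rev.group(1)), msg.group(1), refs, enabled, body)


def parse_sidmap(line: str) -> Tuple[int, str, List[str]]:
    """sid-msg.map line: 'sid || msg || reference || reference ...'."""
    parts = [p.strip() for p in line.strip().split("||")]
    return int(parts[0]), parts[1], parts[2:]


def check_map(rules: List[Rule], entries) -> List[str]:
    """Rules whose sid-msg.map entry is missing or disagrees on msg or references."""
    by_sid = {sid: (msg, refs) for sid, msg, refs in entries}
    problems = []
    for r in rules:
        if r.sid not in by_sid:
            problems.append(f"{r.sid}: no sid-msg.map entry")
            continue
        msg, refs = by_sid[r.sid]
        if msg != r.msg:
            problems.append(f"{r.sid}: map msg {msg!r} != rule msg {r.msg!r}")
        if refs != r.refs:
            problems.append(f"{r.sid}: map refs {refs} != rule refs {r.refs}")
    return problems


def rev_bump_ok(old: Rule, new: Rule) -> bool:
    """Changed rule text must come with a higher rev; unchanged text may keep it."""
    if old.sid != new.sid:
        raise ValueError(f"sid mismatch: {old.sid} vs {new.sid}")
    return new.rev > old.rev if old.body != new.body else new.rev >= old.rev


# Lines copied from the report above: old and new Rbot rule, one Dipnet rule,
# the disabled Bagle rule, and the old and new sid-msg.map entries.
RBOT_OLD = 'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001630; rev:1;)'
RBOT_NEW = 'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "BLEEDING-EDGE Virus Rbot IRC OUTGOING activity - Trying to join IRC"; content:"##r00tGiuSe##"; reference:url,secunia.com/virus_information/11709/; flow:established; classtype: misc-activity;  sid:2001630; rev:2;)'
DIPNET = 'alert tcp $HOME_NET any -> any 15118 (msg:"BLEEDING-EDGE Virus Dipnet infected host response"; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"; reference:url,www.lurhq.com/dipnet.html; classtype:trojan-activity; sid:2001739; rev:1;)'
BAGLE = r'#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/2\.jpg/i"; flow:established; classtype:trojan-activity; sid:2001061; rev:10;)'
MAP_OLD = "2001630 || BLEEDING-EDGE Virus Rbot IRC activity - Trying to join IRC || url,secunia.com/virus_information/11709/"
MAP_NEW = "2001630 || BLEEDING-EDGE Virus Rbot IRC OUTGOING activity - Trying to join IRC || url,secunia.com/virus_information/11709/"
MAP_DIPNET = "2001739 || BLEEDING-EDGE Virus Dipnet infected host response || url,www.lurhq.com/dipnet.html"
# Constructed: the new msg with the rev left at 1, the mistake rev_bump_ok catches.
STALE = RBOT_NEW.replace("rev:2;", "rev:1;")

if __name__ == "__main__":
    rules = [parse_rule(RBOT_NEW), parse_rule(DIPNET)]
    print("against old map:", check_map(rules, [parse_sidmap(MAP_OLD), parse_sidmap(MAP_DIPNET)]))
    print("against new map:", check_map(rules, [parse_sidmap(MAP_NEW), parse_sidmap(MAP_DIPNET)]))
    print("rev bump ok:", rev_bump_ok(parse_rule(RBOT_OLD), parse_rule(RBOT_NEW)))
    print("stale rev caught:", not rev_bump_ok(parse_rule(RBOT_OLD), parse_rule(STALE)))
```

Run against the old map the Rbot rule is flagged for a msg mismatch, which is exactly the condition that made the two map lines above get removed and re-added; against the new map both rules are clean. The body comparison deliberately keeps option order and the msg text, so even a pure reordering (as in the Stdbot and SWEN rules in this update) counts as a change that needs a rev bump, matching what the update does.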
