[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Wed Feb 23 17:01:27 EST 2005


[***] Results from Oinkmaster started Wed Feb 23 20:00:04 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (5):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Enhance My Search Spyware Activity"; content:"User-Agent\: HelperH"; nocase; classtype:trojan-activity; sid:2001746; rev:2;)
        alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Pynix.dll BHO Activity"; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; flow:established,to_server; reference:url,www.pynix.com; classtype:trojan-activity; sid:2001748; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Enhance My Search Spyware Install"; uricontent:"/admin/getinfo.php"; nocase; content:"User-Agent\: HelperH"; nocase; classtype:trojan-activity; sid:2001745; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001744; rev:4;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware My-Stats.com Spyware Checkin"; uricontent:"/ad-partner/SelectConfirm.php?dummy="; nocase; content:"Host\: www.my-stats.com"; nocase; sid:2001747; rev:1;)
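Review bot: sid:2001747 (My-Stats.com checkin) is the only rule in this set with no classtype, and it, 2001745 and 2001746 also carry no flow: option, so without flow:established they will match segments that are not part of an established TCP session; add classtype:trojan-activity and flow:to_server,established to match 2001744 and 2001748 in the same block.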

     -> Added to bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Trojan HackerDefender Root Kit Remote Connection Attempt Detected"; flow:established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: session, 20, packets; classtype:trojan-activity; sid:2001743; rev:2;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (4):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; flow:to_server,established; sid:2001281; rev:4; )
        new: alert tcp $HOME_NET any -> any 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; flow:to_server,established; sid:2001281; rev:5; )
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 139"; classtype:trojan-activity; flow:to_server,established; sid:2001280; rev:4; )
        new: alert tcp $HOME_NET any -> any 139 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 139"; classtype:trojan-activity; flow:to_server,established; sid:2001280; rev:5; )
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 1352"; classtype:trojan-activity; flow:to_server,established; sid:2001282; rev:4; )
        new: alert tcp $HOME_NET any -> any 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 1352"; classtype:trojan-activity; flow:to_server,established; sid:2001282; rev:4; )
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE VIRUS Sasser/Korgo Worm"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2001286; rev:7;)
        new: alert tcp $HOME_NET any -> any 445 (msg:"BLEEDING-EDGE VIRUS Sasser/Korgo Worm"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2001286; rev:8;)
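Review bot: sid:2001282 (Netsky base64 port 1352) changes its destination from $EXTERNAL_NET to any but keeps rev:4, while the other three modified rules bump rev (4 to 5, 4 to 5, 7 to 8); bump it to rev:5 so consumers that track changes by sid and rev pick the change up. Widening $EXTERNAL_NET to any on 445, 139 and 1352 also means these rules now fire on $HOME_NET-to-$HOME_NET traffic, which is the point for worm spread inside the network but will raise hit counts on internal SMB and Lotus Notes traffic.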

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (3):
        #Matt Jonkman 2/22/05
        #Matt Jonkman 2/22/05
        # Submitted by John Stewart, 2/23/2005

     -> Added to bleeding-sid-msg.map (6):
        2001743 || BLEEDING-EDGE Trojan HackerDefender Root Kit Remote Connection Attempt Detected
        2001744 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || url,www.searchmiracle.com
        2001745 || BLEEDING-EDGE Malware Enhance My Search Spyware Install
        2001746 || BLEEDING-EDGE Malware Enhance My Search Spyware Activity
        2001747 || BLEEDING-EDGE Malware My-Stats.com Spyware Checkin
        2001748 || BLEEDING-EDGE MALWARE Pynix.dll BHO Activity || url,www.pynix.com

     -> Added to bleeding-virus.rules (2):
        #	Hacker Defender Root Kit
        #By Chris Norton 2/22/05

[*] Added files: [*]
    None.
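A consistency pass over this update, as an added example (my code, not the poster's and not part of the Bleeding Snort project or Oinkmaster): it parses the six added rules and two of the old/new pairs above with a small Snort 2 option tokenizer, checks that bleeding-sid-msg.map agrees with each rule's msg and reference entries, flags a modified rule whose text changed without a rev bump, and lints for a missing classtype or a content match without flow. The rule and map text is copied from the report; the check names and the tokenizer are my own assumptions, not Oinkmaster features.

```python
"""Consistency checks over a Bleeding Snort daily update. Added example: not
code from the original post or the Bleeding Snort project. The rule and
sid-msg.map lines are copied from the update above; the checks are my own."""
import re

ADDED_RULES = r"""
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Enhance My Search Spyware Activity"; content:"User-Agent\: HelperH"; nocase; classtype:trojan-activity; sid:2001746; rev:2;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Pynix.dll BHO Activity"; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; flow:established,to_server; reference:url,www.pynix.com; classtype:trojan-activity; sid:2001748; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Enhance My Search Spyware Install"; uricontent:"/admin/getinfo.php"; nocase; content:"User-Agent\: HelperH"; nocase; classtype:trojan-activity; sid:2001745; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001744; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware My-Stats.com Spyware Checkin"; uricontent:"/ad-partner/SelectConfirm.php?dummy="; nocase; content:"Host\: www.my-stats.com"; nocase; sid:2001747; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Trojan HackerDefender Root Kit Remote Connection Attempt Detected"; flow:established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: session, 20, packets; classtype:trojan-activity; sid:2001743; rev:2;)
"""

# Two of the four old/new pairs from the "Modified active rules" block above.
MODIFIED_RULES = r"""
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; flow:to_server,established; sid:2001281; rev:4; )
new: alert tcp $HOME_NET any -> any 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; flow:to_server,established; sid:2001281; rev:5; )
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 1352"; classtype:trojan-activity; flow:to_server,established; sid:2001282; rev:4; )
new: alert tcp $HOME_NET any -> any 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 1352"; classtype:trojan-activity; flow:to_server,established; sid:2001282; rev:4; )
"""

SIDMAP = """
2001743 || BLEEDING-EDGE Trojan HackerDefender Root Kit Remote Connection Attempt Detected
2001744 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || url,www.searchmiracle.com
2001745 || BLEEDING-EDGE Malware Enhance My Search Spyware Install
2001746 || BLEEDING-EDGE Malware Enhance My Search Spyware Activity
2001747 || BLEEDING-EDGE Malware My-Stats.com Spyware Checkin
2001748 || BLEEDING-EDGE MALWARE Pynix.dll BHO Activity || url,www.pynix.com
"""

# One Snort 2 option: key, optional ':' value (quoted with backslash escapes
# such as \: and \;, or bare up to the next ';'), terminated by ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def split_options(body):
    """(key, value) pairs in rule order; value is None for flags such as nocase."""
    found = list(OPTION_RE.finditer(body))
    if ''.join(m.group(0) for m in found) != body.rstrip():
        raise ValueError('unparsed option text in: ' + body)
    return [(m.group(1), None if m.group(2) is None else m.group(2).strip()) for m in found]

def parse_rule(line):
    """Header tokens plus options; sid/rev as ints, msg/classtype unquoted."""
    lpar, rpar = line.index('('), line.rindex(')')
    opts = split_options(line[lpar + 1:rpar])
    rule = {'header': line[:lpar].split(), 'options': opts,
            'refs': [v for k, v in opts if k == 'reference']}
    for k, v in opts:
        if k in ('msg', 'sid', 'rev', 'classtype'):
            rule[k] = v.strip('"')
    rule['sid'], rule['rev'] = int(rule['sid']), int(rule['rev'])
    return rule

def parse_sidmap(text):
    """'sid || msg [|| ref ...]' lines -> {sid: (msg, [refs])}."""
    rows = [[p.strip() for p in l.split('||')] for l in text.strip().splitlines()]
    return {int(r[0]): (r[1], r[2:]) for r in rows}

def check_sidmap(rules, sidmap):
    """Each rule needs a map entry with the same msg and references, and vice versa."""
    by_sid = {r['sid']: r for r in rules}
    out = [f'sid {s} missing from sid-msg.map' for s in by_sid if s not in sidmap]
    out += [f'sid {s} in sid-msg.map but not in rules' for s in sidmap if s not in by_sid]
    out += [f'sid {s} msg/references differ between rule and map'
            for s in sorted(by_sid.keys() & sidmap.keys())
            if sidmap[s] != (by_sid[s]['msg'], by_sid[s]['refs'])]
    return out

def load_pairs(text):
    """Oinkmaster 'old:'/'new:' lines -> [(old_rule_text, new_rule_text), ...]."""
    lines = [l.split(':', 1)[1].strip() for l in text.strip().splitlines()]
    return list(zip(lines[0::2], lines[1::2]))

def check_rev_bump(pairs):
    """A rule whose text changed must carry a higher rev than before."""
    out = []
    for old_text, new_text in pairs:
        old, new = parse_rule(old_text), parse_rule(new_text)
        if old_text != new_text and new['rev'] <= old['rev']:
            out.append(f"sid {old['sid']} changed but rev stayed at {old['rev']}")
    return out

def lint_rules(rules):
    """classtype present; tcp rules that match content carry a flow: option."""
    out = []
    for r in rules:
        keys = {k for k, _ in r['options']}
        if 'classtype' not in keys:
            out.append(f"sid {r['sid']}: no classtype")
        if r['header'][1] == 'tcp' and keys & {'content', 'uricontent'} and 'flow' not in keys:
            out.append(f"sid {r['sid']}: content match without flow")
    return out

if __name__ == '__main__':
    added = [parse_rule(l) for l in ADDED_RULES.strip().splitlines()]
    findings = check_sidmap(added, parse_sidmap(SIDMAP)) + check_rev_bump(
        load_pairs(MODIFIED_RULES)) + lint_rules(added)
    print('\n'.join(findings) or 'no findings')
```

Run as a script it prints the findings: the map check is clean for this update, the rev check reports sid 2001282, and the lint reports 2001745, 2001746 and 2001747. Two caveats: the tokenizer accepts only the option shapes seen in these rules (word keys with an optional quoted or bare value) and raises on anything else rather than guessing, and the rev check treats any text difference as a change, whitespace included, so normalise first if you run it over hand-edited rule files.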
