[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Sun Jan 30 17:01:42 EST 2005


[***] Results from Oinkmaster started Sun Jan 30 20:00:01 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (18):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; flow:to_server,established; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak at ...1512...; sid:2000494; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; flow:to_server,established; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak at ...1512...; classtype:trojan-activity; sid:2000494; rev:3;)
        old: alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE Korgo.P binary upload"; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; flow:to_server,established; sid:2001338; rev:2;)
        new: alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE Korgo.P binary upload"; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; flow:to_server,established; classtype:trojan-activity; sid:2001338; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM MyDoom.S Outbound"; content:"LOL!\;)"; nocase; content:"filename=photos_arc.exe"; nocase; reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; reference:url,isc.sans.org/diary.php?date=2004-08-16; flow:to_server,established; sid:2001196; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM MyDoom.S Outbound"; content:"LOL!\;)"; nocase; content:"filename=photos_arc.exe"; nocase; reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; reference:url,isc.sans.org/diary.php?date=2004-08-16; flow:to_server,established; classtype:trojan-activity; sid:2001196; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm"; content:"Authorized Resear cher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; flow:to_server,established; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak at ...1512...; sid:2001291; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm"; content:"Authorized Resear cher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; flow:to_server,established; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak at ...1512...; classtype:trojan-activity; sid:2001291; rev:3;)
        (Note: the content match in sid 2001291 is written "Authorized Resear cher Only" with a stray space, while the companion Outbound rule sid 2000494 above matches "Authorized Researcher Only"; this looks like a typo that the rev:3 bump carries forward, and a rule with the extra space would not match the string the other rule is looking for.)
        old: alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; flow:from_server,established; sid:2001607; rev:2;)
        new: alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; flow:from_server,established; classtype:trojan-activity; sid:2001607; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; content:"filename="; pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/"; nocase; flow:to_server,established; sid:2001065; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; content:"filename="; pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001065; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; flow:to_server,established; sid:2001292; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; flow:to_server,established; classtype:trojan-activity; sid:2001292; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Outbound"; content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av at ...1512...; flow:to_server,established; sid:2001390; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Outbound"; content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av at ...1512...; flow:to_server,established; classtype:trojan-activity; sid:2001390; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; sid:2001615; rev:8;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; classtype:trojan-activity; sid:2001615; rev:9;)
        old: alert tcp any any -> [194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248] 6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: type limit, track by_src, count 1, seconds 1800; sid:2001439; rev:1;)
        new: alert tcp any any -> [194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248] 6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: type limit, track by_src, count 1, seconds 1800; classtype:trojan-activity; sid:2001439; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html; uricontent:"/download/IEService215.chm"; nocase; flow:to_server,established; sid:2000365; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html; uricontent:"/download/IEService215.chm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2000365; rev:5;)
        old: alert tcp $HOME_NET any -> any 445 (msg:"BLEEDING-EDGE Korgo.P offering executable"; content:"|FF|SMB"; flow:to_server,established; depth:10; content:"|58|http"; content:".exe"; nocase; within:36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; rev:1; sid:2001337;)
        new: alert tcp $HOME_NET any -> any 445 (msg:"BLEEDING-EDGE Korgo.P offering executable"; content:"|FF|SMB"; flow:to_server,established; depth:10; content:"|58|http"; content:".exe"; nocase; within:36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; rev:2; classtype:trojan-activity; sid:2001337;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; content:"\<html\>"; flow:to_server,established; sid:2000561; rev:6;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; content:"\<html\>"; flow:to_server,established; classtype:trojan-activity; sid:2000561; rev:7;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm Outbound"; content:"filename="; pcre: "m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; flow:to_server,established; reference:url,secunia.com/virus_information/10429/evaman; sid:2000343; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm Outbound"; content:"filename="; pcre: "m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; flow:to_server,established; reference:url,secunia.com/virus_information/10429/evaman; classtype:trojan-activity; sid:2000343; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; flow:established; sid:2001061; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; flow:established; classtype:trojan-activity; sid:2001061; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MyDoom.P Query"; content:"/py/psSearch.py|3f|"; nocase; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM"; flow:to_server,established; sid:2001045; rev:5;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MyDoom.P Query"; content:"/py/psSearch.py|3f|"; nocase; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM"; flow:to_server,established; classtype:trojan-activity; sid:2001045; rev:6;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; flow:established; sid:2001064; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; flow:established; classtype:trojan-activity; sid:2001064; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm"; content:"filename="; pcre:"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; content:"formart"; flow:to_server,established; reference:url,secunia.com/virus_information/10429/evaman; sid:2001290; rev:4;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm"; content:"filename="; pcre:"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; content:"formart"; flow:to_server,established; reference:url,secunia.com/virus_information/10429/evaman; classtype:trojan-activity; sid:2001290; rev:5;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-virus.rules (2):
        old: #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Inbound"; content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av at ...1512...; flow:to_server,established; sid:2001391; rev:2;)
        new: #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Inbound"; content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av at ...1512...; flow:to_server,established; classtype:trojan-activity; sid:2001391; rev:3;)
        old: #alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm Zincite Probing port 1034"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; flags:S,12; sid:2001011; threshold: type threshold, track by_src, count 30,seconds 60; rev:5;)
        new: #alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm Zincite Probing port 1034"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; flags:S,12; classtype:trojan-activity; sid:2001011; threshold: type threshold, track by_src, count 30,seconds 60; rev:6;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; sid:2001614; rev:8;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; flow:to_server,established; classtype:trojan-activity; id:2001614; rev:9;)
        (Note: this line is reported as a "non-rule line" rather than as a modified rule because its option reads `id:2001614` instead of `sid:2001614`; without a recognizable sid Oinkmaster no longer tracks it as a rule, which also explains why the same rule appears under "Removed rules" above and why its entry is dropped from bleeding-sid-msg.map below. Snort is likely to reject the unknown `id` option at load time, so the inbound PHPInclude.Worm signature is effectively missing until the keyword is corrected.)

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001614 || BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack || url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

[*] Added files: [*]
    None.




