[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Fri Jun 23 21:00:11 EDT 2006


[***] Results from Oinkmaster started Fri Jun 23 21:00:11 2006 [***]

[+++]          Added rules:          [+++]

 2002973 - BLEEDING-EDGE Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor (bleeding-scan.rules)
 2002974 - BLEEDING-EDGE TROJAN Backdoor.Hupigon Possible Control Connection Being Established (bleeding-virus.rules)
 2002975 - BLEEDING-EDGE TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type (bleeding-virus.rules)
 2002976 - BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial Email to Owner (bleeding-virus.rules)
 2002977 - BLEEDING-EDGE TROJAN Banload Downloader Infection - Sending initial email to owner (bleeding-virus.rules)
 2002978 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner (bleeding-virus.rules)
 2002979 - BLEEDING-EDGE POLICY SC-KeyLog Keylogger Installed - Sending Initial Email Report (bleeding-policy.rules)
 2002980 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner (bleeding-virus.rules)
 2002981 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner (bleeding-virus.rules)
 2002982 - BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO (bleeding-virus.rules)
 2002983 - BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001569 - BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001579 - BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001580 - BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001581 - BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001582 - BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2001583 - BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection (bleeding-scan.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        # This is a commercial product, but we see it very often used in malware. Send this email on install

     -> Added to bleeding-sid-msg.map (11):
        2002973 || BLEEDING-EDGE Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
        2002974 || BLEEDING-EDGE TROJAN Backdoor.Hupigon Possible Control Connection Being Established || url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html
        2002975 || BLEEDING-EDGE TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type || url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html
        2002976 || BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002977 || BLEEDING-EDGE TROJAN Banload Downloader Infection - Sending initial email to owner || url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586
        2002978 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002979 || BLEEDING-EDGE POLICY SC-KeyLog Keylogger Installed - Sending Initial Email Report || url,www.soft-central.net/keylog.php
        2002980 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002982 || BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO
        2002983 || BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO

     -> Added to bleeding-virus.rules (12):
        #Matt Jonkman, analysis from captured binary
        # Don't know a lot about this one. But the control session is apparently opened by a 00 00 00 00
        #  Then the bot replies with a packet that begins with the date in form such as 20060622, and
        #  among other things contains the host OS info.
        #  Since this is a windos bot, we can assume the word windows will be in there.
        #  Hopefully we can update these as more is learned. This is sorta crude, but should
        #  be reliable to not false pos at least....
        # This thing send out an email to it's owner with stats and such. This ought to catch it..
        #another variant
        #Yet another
        # Regular downloader, usually grabs a fw swf exploiting files from brazilian servers. Sends an email on installl
        # General signs of trojan infections....
