[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254...
Fri Apr 6 11:00:05 EDT 2007


[***] Results from Oinkmaster started Fri Apr  6 11:00:05 2007 [***]

[+++]          Added rules:          [+++]

 2003491 - BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) (bleeding-malware.rules)
 2003492 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (bleeding-malware.rules)
 2003513 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) (bleeding-malware.rules)
 2003519 - BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (bleeding.rules)
 2003521 - BLEEDING-EDGE TROJAN TROJ_ANICMOO.AX Downloading wincf.exe (bleeding.rules)
 2003522 - BLEEDING-EDGE TROJAN PossibleExploit-W32/Ani.C Traffic (bleeding.rules)
 2003523 - BLEEDING-EDGE TROJAN Possible Exploit-W32/Ani.C Traffic (bleeding.rules)
 2003524 - BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (rule 2) (bleeding.rules)
 2003525 - BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware (bleeding-malware.rules)
 2003526 - BLEEDING-EDGE MALWARE KMIP.net Spyware 2 (bleeding-malware.rules)
 2003527 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) (bleeding-malware.rules)
 2003528 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) (bleeding-malware.rules)
 2003529 - BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3) (bleeding-malware.rules)
 2003530 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) (bleeding-malware.rules)
 2003531 - BLEEDING-EDGE MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans) (bleeding-malware.rules)
 2003532 - BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent) (bleeding-malware.rules)
 2003533 - BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting (bleeding-malware.rules)
 2003534 - BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity (bleeding-malware.rules)
 2003535 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected (bleeding-attack_response.rules)
 2003536 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded (bleeding-attack_response.rules)


[///]     Modified active rules:     [///]

 2002750 - BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 (bleeding-policy.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2003491 - BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent (Mozila/4.0...) (bleeding.rules)
 2003492 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) (bleeding.rules)
 2003513 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) (bleeding.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-attack_response.rules (2):
        #by Cees Elzinga
        #note: most effective with a deep flow depth, or 0

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 144

     -> Added to bleeding-drop.rules (1):
        #  VERSION 144

     -> Added to bleeding-malware.rules (6):
        #By Matt Jonkman from spyware lp data
        #Seeing hits with a misspelled Mozila in the UA.
        #also seeing just Mozilla/4.0. That's unusual as well
        #from rras, another typo'd trojan
        #Pluses in a UA, suspicious as well
        #Matt Jonkman, from spyware lp data

     -> Added to bleeding-sid-msg.map (20):
        2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
        2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
        2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
        2003519 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit
        2003521 || BLEEDING-EDGE TROJAN TROJ_ANICMOO.AX Downloading wincf.exe || url,uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_ANICMOO.AX
        2003522 || BLEEDING-EDGE TROJAN PossibleExploit-W32/Ani.C Traffic || url,www.f-secure.com/v-descs/trojan-downloader_w32_small_ekv.shtml
        2003523 || BLEEDING-EDGE TROJAN Possible Exploit-W32/Ani.C Traffic || url,www.f-secure.com/v-descs/trojan-downloader_w32_small_ekv.shtml
        2003524 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (rule 2) || url,doc.bleedingthreats.net/2003524 || url,www.avertlabs.com/research/blog/?p=233 || url,isc.sans.org/diary.html?storyid=2534
        2003525 || BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware || url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189
        2003526 || BLEEDING-EDGE MALWARE KMIP.net Spyware 2 || url,www.kmip.net
        2003527 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
        2003528 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
        2003529 || BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3) || url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931
        2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || url,doc.bleedingthreats.net/2003530
        2003531 || BLEEDING-EDGE MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans) || url,www.bleepingcomputer.com/forums/topic69886.htm
        2003532 || BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent) || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618
        2003533 || BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting || url,www.sophos.com/security/analyses/w32forbotdv.html
        2003534 || BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity
        2003535 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2003536 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755

     -> Added to bleeding.rules (2):
        #by dajackman
        #A new approach, details from malaware

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 138

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 138

     -> Removed from bleeding-sid-msg.map (5):
        2003491 || BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
        2003492 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
        2003513 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
        2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  || url,www.shadowserver.org
        2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Removed from bleeding.rules (3):
        #Seeing hits with a misspelled Mozila in the UA. Want to see how widespread this is.
        #also seeing just Mozilla/4.0. That's unusual as well
        #from rras, another typo'd trojan
