[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254...
Tue Apr 10 16:00:06 EDT 2007


[***] Results from Oinkmaster started Tue Apr 10 16:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003155 - BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling (bleeding-policy.rules)
 2003514 - BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding-exploit.rules)


[///]     Modified active rules:     [///]

 2002388 - BLEEDING-EDGE WEB vBulletin misc.php Template Name Arbitrary Code Execution (bleeding-web.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2003191 - BLEEDING-EDGE CURRENT EVENTS Acer LunchApp.Aplunch ActiveX control access (bleeding.rules)
 2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding at ...3254... (bleeding.rules)
 2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding at ...3254... (bleeding.rules)


[---]         Removed rules:         [---]

 2002930 - BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit (bleeding-virus.rules)
 2003155 - BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling (bleeding.rules)
 2003177 - BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) (bleeding.rules)
 2003178 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access (bleeding.rules)
 2003181 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access (bleeding.rules)
 2003213 - BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function (bleeding.rules)
 2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS (bleeding.rules)
 2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In (bleeding.rules)
 2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser (bleeding.rules)
 2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt (bleeding.rules)
 2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet (bleeding.rules)
 2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet (bleeding.rules)
 2003514 - BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 149

     -> Added to bleeding-drop.rules (1):
        #  VERSION 149

     -> Added to bleeding-exploit.rules (1):
        # steven at ...3269...

     -> Added to bleeding-policy.rules (2):
        #by Jeff Kell
        # Microsoft teredo tunnel

     -> Added to bleeding-sid-msg.map (2):
        2003155 || BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling
        2003514 || BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577

     -> Added to bleeding.rules (2):
        # Threat has mostly passed. Leaving in but commented out for now.
        ### Commenting out for now. More information hasn't surfaced yet. Will update when we can

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 148

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 148

     -> Removed from bleeding-sid-msg.map (13):
        2002930 || BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit
        2003155 || BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling
        2003177 || BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) || url,www.microsoft.com/technet/security/bulletin/ms06-068.mspx
        2003178 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access || cve,2006-5198
        2003181 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access || cve,2006-5198
        2003213 || BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function || url,osvdb/30814 || cve,2006-5581
        2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || url,www.milw0rm.com/exploits/3111 || url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
        2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/ || url,isc.sans.org/diary.html?n&storyid=2277 || url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/
        2003430 || BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
        2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet || url,doc.bleedingthreats.net/2003460
        2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet || url,doc.bleedingthreats.net/2003460
        2003514 || BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577

     -> Removed from bleeding-virus.rules (2):
        #by Jamie Riden
        #disabling, redundant

     -> Removed from bleeding.rules (18):
        #This is being sent to many victims under the pretense of being a securityt audit script for colocated customers
        #These should catch it in it's current form. More information coming soon
        #Analysis by Jose Nazario
        # These are coming in zips asking you to run on the server. This will hit on the html coming FROM the infected server to a client browser, NOT the zip in transit
        #The email drop is dead, but phishes are still going out with this address. If you see it, someone ran the script... follow up!
        #by Shirkdog
        # steven at ...3269...
        #by Christian Siefert
        # There are many legit uses for this, so we're disabling by default. Use where appropriate
        #by Blake Hartstein of Demarc
        #by shirkdog
        #by Jeff Kell
        # Microsoft teredo tunnel
        #So far unidentified bot and c&c channel. Working on it. These are crude sigs,
        # please let me know if you get hits. Need more information on this one.
        #Matt Jonkman
        #Matt Jonkman. As yet unnamed downloader in a few high profile spots
        #by Mr Magic Pants
