[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254...
Fri Apr 13 01:00:06 EDT 2007


[***] Results from Oinkmaster started Fri Apr 13 01:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report (bleeding-virus.rules)
 2003550 - BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes (bleeding-virus.rules)
 2003551 - BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command (bleeding-virus.rules)
 2003552 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active (bleeding-virus.rules)
 2003553 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off (bleeding-virus.rules)
 2003554 - BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply (bleeding-virus.rules)
 2003555 - BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report (bleeding-virus.rules)
 2003556 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send (bleeding-virus.rules)
 2003557 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply (bleeding-virus.rules)
 2003558 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send (bleeding-virus.rules)
 2003559 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send (bleeding-virus.rules)
 2003560 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send (bleeding-virus.rules)
 2003561 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply (bleeding-virus.rules)
 2003562 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send (bleeding-virus.rules)
 2003563 - BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send (bleeding-virus.rules)
 2003564 - BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply (bleeding-virus.rules)
 2003565 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply (bleeding-virus.rules)
 2003566 - BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) (bleeding-malware.rules)
 2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) (bleeding-malware.rules)
 2003568 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating (bleeding-malware.rules)
 2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) (bleeding-malware.rules)
 2003570 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2001537 - BLEEDING-EDGE Malware Spyspotter.com Access (bleeding-malware.rules)
 2001663 - BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host) (bleeding-malware.rules)
 2002160 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat) (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2002198 - BLEEDING-EDGE MALWARE Bidclix.com Spyware (bleeding-malware.rules)
 2002204 - BLEEDING-EDGE MALWARE Websponsors.com Spyware (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (2):
        #matt Jonkman from Spyware LP Data
        #from spyware LP Data

     -> Added to bleeding-sid-msg.map (22):
        2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || url,doc.bleedingthreats.net/2003566
        2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.bleedingthreats.net/2003567
        2003568 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating || url,www.evidencenuker.com
        2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567
        2003570 || BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) || url,www.applicationsignatures.com/backend/index.php

     -> Added to bleeding-virus.rules (2):
        #Bandook 1.2
        #Bandook 1.35

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-malware.rules (2):
        #Matt Jonkman from Spyware listening post data
        #disabling for now, seems only to be hitting on ad pulls, not a spyware infection

     -> Removed from bleeding-sid-msg.map (2):
        2002198 || BLEEDING-EDGE MALWARE Bidclix.com Spyware
        2002204 || BLEEDING-EDGE MALWARE Websponsors.com Spyware

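The report above lists the rules that were added and the `sid-msg.map` lines that accompany them, but it is up to the reader to confirm that the two agree: every new SID needs a map entry with the same `msg` (Barnyard and other unified-output consumers label alerts from that map), and the reference fields should point at the right place. The following is an added example, not part of the Bleeding Edge report or of Oinkmaster; it parses both formats exactly as they appear in the report and cross-checks them. The sample lines are copied from the report (three of the 22 map entries and four of the added rules, with 2003570 deliberately left out of the map sample so that the gap is exercised); the function names and the finding strings are this example's own. Note that on the page itself the map line for 2003569 references `doc.bleedingthreats.net/2003567`, which this check flags.

```python
"""Parse Oinkmaster-style "Added rules" and sid-msg.map lines and cross-check them.

Added example, not the report's or Oinkmaster's own code.  The sample text
below is copied from the Bleeding Edge report; the check logic is an
assumption about what a rule maintainer would want to verify.
"""
import re
from dataclasses import dataclass

# Constructed sample: three sid-msg.map lines from the report.
SID_MSG_MAP_LINES = """\
2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.bleedingthreats.net/2003567
2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567
"""

# Constructed sample: four "Added rules" lines from the report (2003570 has
# no map entry in the sample above, so the checker should report it).
ADDED_RULE_LINES = """\
 2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report (bleeding-virus.rules)
 2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) (bleeding-malware.rules)
 2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) (bleeding-malware.rules)
 2003570 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) (bleeding-malware.rules)
"""


@dataclass
class MapEntry:
    sid: int
    msg: str
    refs: list  # (reftype, value) tuples, e.g. ("url", "www.nuclearwintercrew.com")


def parse_sid_msg_map(text):
    """sid-msg.map format: `sid || msg [|| reftype,value]*`, one entry per line.
    Blank lines and '#' comments are skipped; anything else malformed is an error."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"malformed sid-msg.map line: {raw!r}")
        refs = []
        for ref in fields[2:]:
            # Only the first comma separates type from value; URLs may contain commas.
            rtype, _, rval = ref.partition(",")
            refs.append((rtype, rval))
        sid = int(fields[0])
        entries[sid] = MapEntry(sid, fields[1], refs)
    return entries


# Oinkmaster "Added rules" line: ` <sid> - <msg> (<file>.rules)`
ADDED_RULE_RE = re.compile(r"^\s*(\d+)\s+-\s+(.*?)\s+\(([^()]+\.rules)\)\s*$")


def parse_added_rules(text):
    """Return {sid: (msg, rules_file)} for every line that matches the report format."""
    rules = {}
    for raw in text.splitlines():
        m = ADDED_RULE_RE.match(raw)
        if m:
            rules[int(m.group(1))] = (m.group(2), m.group(3))
    return rules


DOC_REF_RE = re.compile(r"doc\.bleedingthreats\.net/(\d+)")


def check_consistency(rules, entries):
    """Cross-check added rules against the map.  Returns a list of (sid, problem)."""
    findings = []
    for sid, (msg, _rules_file) in rules.items():
        entry = entries.get(sid)
        if entry is None:
            findings.append((sid, "no sid-msg.map entry"))
            continue
        if entry.msg != msg:
            findings.append((sid, "msg differs between rule and map"))
        for rtype, rval in entry.refs:
            # A per-SID doc URL should name the SID it belongs to.
            m = DOC_REF_RE.fullmatch(rval)
            if rtype == "url" and m and int(m.group(1)) != sid:
                findings.append((sid, f"doc reference points at sid {m.group(1)}"))
    return findings


if __name__ == "__main__":
    problems = check_consistency(parse_added_rules(ADDED_RULE_LINES),
                                 parse_sid_msg_map(SID_MSG_MAP_LINES))
    for sid, problem in problems:
        print(f"{sid}: {problem}")
```

Run against a real Oinkmaster report, the two parsers would be fed the "Added rules" block and the "Added to bleeding-sid-msg.map" block respectively; the `msg` comparison is exact on purpose, since a map entry whose text drifts from the rule's `msg` silently mislabels alerts in unified output.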