[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254...
Fri Apr 13 02:00:05 EDT 2007


[***] Results from Oinkmaster started Fri Apr 13 02:00:05 2007 [***]

[+++]          Added rules:          [+++]

 2003155 - BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling (bleeding-policy.rules)
 2003514 - BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding-exploit.rules)
 2003537 - TROJAN Trojan.Duntek establishing remote connection (bleeding-virus.rules)
 2003538 - BLEEDING-EDGE TROJAN Klom.A Connecting to Controller (bleeding-virus.rules)
 2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding at ...3254... (bleeding.rules)
 2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding at ...3254... (bleeding.rules)
 2003541 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating (bleeding-malware.rules)
 2003542 - BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting (bleeding-malware.rules)
 2003543 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware Install (bleeding-malware.rules)
 2003544 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster) (bleeding-malware.rules)
 2003545 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master) (bleeding-malware.rules)
 2003546 - BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others (bleeding-malware.rules)
 2003547 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install (bleeding-malware.rules)
 2003548 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (bleeding-malware.rules)
 2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report (bleeding-virus.rules)
 2003550 - BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes (bleeding-virus.rules)
 2003551 - BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command (bleeding-virus.rules)
 2003552 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active (bleeding-virus.rules)
 2003553 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off (bleeding-virus.rules)
 2003554 - BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply (bleeding-virus.rules)
 2003555 - BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report (bleeding-virus.rules)
 2003556 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send (bleeding-virus.rules)
 2003557 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply (bleeding-virus.rules)
 2003558 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send (bleeding-virus.rules)
 2003559 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send (bleeding-virus.rules)
 2003560 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send (bleeding-virus.rules)
 2003561 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply (bleeding-virus.rules)
 2003562 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send (bleeding-virus.rules)
 2003563 - BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send (bleeding-virus.rules)
 2003564 - BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply (bleeding-virus.rules)
 2003565 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply (bleeding-virus.rules)
 2003566 - BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) (bleeding-malware.rules)
 2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) (bleeding-malware.rules)
 2003568 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating (bleeding-malware.rules)
 2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) (bleeding-malware.rules)
 2003570 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2001537 - BLEEDING-EDGE Malware Spyspotter.com Access (bleeding-malware.rules)
 2001663 - BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host) (bleeding-malware.rules)
 2002160 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat) (bleeding-malware.rules)
 2002388 - BLEEDING-EDGE WEB vBulletin misc.php Template Name Arbitrary Code Execution (bleeding-web.rules)
 2002954 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download (bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2003191 - BLEEDING-EDGE CURRENT EVENTS Acer LunchApp.Aplunch ActiveX control access (bleeding.rules)


[---]         Removed rules:         [---]

 2002198 - BLEEDING-EDGE MALWARE Bidclix.com Spyware (bleeding-malware.rules)
 2002204 - BLEEDING-EDGE MALWARE Websponsors.com Spyware (bleeding-malware.rules)
 2002930 - BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit (bleeding-virus.rules)
 2003155 - BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling (bleeding.rules)
 2003177 - BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) (bleeding.rules)
 2003178 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access (bleeding.rules)
 2003181 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access (bleeding.rules)
 2003213 - BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function (bleeding.rules)
 2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS (bleeding.rules)
 2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In (bleeding.rules)
 2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser (bleeding.rules)
 2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt (bleeding.rules)
 2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet (bleeding.rules)
 2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet (bleeding.rules)
 2003514 - BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 151

     -> Added to bleeding-drop.rules (1):
        #  VERSION 151

     -> Added to bleeding-exploit.rules (1):
        # steven at ...3269...

     -> Added to bleeding-malware.rules (5):
        #matt Jonkman from Spyware LP Data
        #By Matt Jonkman from spyware listening post data
        #Matt Jonkman, from spyware lp data and Castlecops
        #from spyware LP Data
        #By Matt Jonkman from spyware listening post data

     -> Added to bleeding-policy.rules (2):
        #by Jeff Kell
        # Microsoft teredo tunnel

     -> Added to bleeding-sid-msg.map (37):
        2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com
        2003155 || BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling
        2003514 || BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577
        2003537 || TROJAN Trojan.Duntek establishing remote connection || url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99
        2003538 || BLEEDING-EDGE TROJAN Klom.A Connecting to Controller || url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html
        2003539 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding at ...3254... || url,www.dshield.org/diary.html?storyid=2584
        2003540 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding at ...3254... || url,www.dshield.org/diary.html?storyid=2584
        2003541 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com
        2003542 || BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com
        2003543 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware Install
        2003544 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)
        2003545 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)
        2003546 || BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others
        2003547 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install
        2003548 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin
        2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
        2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || url,doc.bleedingthreats.net/2003566
        2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.bleedingthreats.net/2003567
        2003568 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating || url,www.evidencenuker.com
        2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567
        2003570 || BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) || url,www.applicationsignatures.com/backend/index.php

     -> Added to bleeding-virus.rules (3):
        #Bandook 1.2
        #Bandook 1.35
        # Submitted 4-6-07 Mark Warren

     -> Added to bleeding.rules (4):
        # Threat has mostly passed. Leaving in but commented out for now.
        #by Michael Schidell
        # ISC reports a possible active MS DNS exploit. Please report any hits. More info as we get it.
        ### Commenting out for now. More information hasn't surfaced yet. Will update when we can

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 144

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 144

     -> Removed from bleeding-malware.rules (2):
        #Matt Jonkman from Spyware listening post data
        #disabling for now, seems only to be hitting on ad pulls, not a spyware infection

     -> Removed from bleeding-sid-msg.map (16):
        2002198 || BLEEDING-EDGE MALWARE Bidclix.com Spyware
        2002204 || BLEEDING-EDGE MALWARE Websponsors.com Spyware
        2002930 || BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit
        2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download || url,www.bravesentry.com
        2003155 || BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling
        2003177 || BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) || url,www.microsoft.com/technet/security/bulletin/ms06-068.mspx
        2003178 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access || cve,2006-5198
        2003181 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access || cve,2006-5198
        2003213 || BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function || url,osvdb/30814 || cve,2006-5581
        2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || url,www.milw0rm.com/exploits/3111 || url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
        2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/ || url,isc.sans.org/diary.html?n&storyid=2277 || url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/
        2003430 || BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
        2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet || url,doc.bleedingthreats.net/2003460
        2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet || url,doc.bleedingthreats.net/2003460
        2003514 || BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577

     -> Removed from bleeding-virus.rules (2):
        #by Jamie Riden
        #disabling, redundant

     -> Removed from bleeding.rules (18):
        #This is being sent to many victims under the pretense of being a securityt audit script for colocated customers
        #These should catch it in it's current form. More information coming soon
        #Analysis by Jose Nazario
        # These are coming in zips asking you to run on the server. This will hit on the html coming FROM the infected server to a client browser, NOT the zip in transit
        #The email drop is dead, but phishes are still going out with this address. If you see it, someone ran the script... follow up!
        #by Shirkdog
        # steven at ...3269...
        #by Christian Siefert
        # There are many legit uses for this, so we're disabling by default. Use where appropriate
        #by Blake Hartstein of Demarc
        #by shirkdog
        #by Jeff Kell
        # Microsoft teredo tunnel
        #So far unidentified bot and c&c channel. Working on it. These are crude sigs,
        # please let me know if you get hits. Need more information on this one.
        #Matt Jonkman
        #Matt Jonkman. As yet unnamed downloader in a few high profile spots
        #by Mr Magic Pants
