[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254...
Fri Apr 27 18:00:05 EDT 2007


[***] Results from Oinkmaster started Fri Apr 27 18:00:05 2007 [***]

[+++]          Added rules:          [+++]

 2003603 - BLEEDING-EDGE TROJAN W32.Virut.A joining an IRC Channel (bleeding-virus.rules)
 2003604 - BLEEDING-EDGE MALWARE Baidu.com Agent User-Agent (Desktop Web System) (bleeding-malware.rules)
 2003605 - BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Activity (bleeding-malware.rules)
 2003606 - BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL Visited (bleeding-malware.rules)
 2003607 - BLEEDING-EDGE MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting (bleeding-malware.rules)
 2003608 - BLEEDING-EDGE MALWARE Baidu.com Related Agent User-Agent (iexp) (bleeding-malware.rules)
 2003610 - BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post) (bleeding-malware.rules)
 2003611 - BLEEDING-EDGE MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating (bleeding-malware.rules)
 2003612 - BLEEDING-EDGE MALWARE Malwarealarm.com Fake AV/AntiSpyware Download (bleeding-malware.rules)
 2003613 - BLEEDING-EDGE MALWARE EELoader User-Agent - Unknown (multiple) Malware Packages (bleeding-malware.rules)
 2003614 - BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound (bleeding-virus.rules)
 2003615 - BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound (bleeding-virus.rules)
 2003616 - BLEEDING-EDGE WEB DataCha0s Web Scanner/Robot (bleeding-web.rules)


[///]     Modified active rules:     [///]

 2001409 - BLEEDING-EDGE MALWARE Mastermind Related Reporting (bleeding-malware.rules)
 2001410 - BLEEDING-EDGE MALWARE Mastermind Related Reporting 8081 (bleeding-malware.rules)
 2001411 - BLEEDING-EDGE MALWARE Mastermind Related Downloading mm20.ocx (bleeding-malware.rules)
 2001413 - BLEEDING-EDGE MALWARE Medis-Motor Related Downloading ast_4_mm.exe (bleeding-malware.rules)
 2001414 - BLEEDING-EDGE MALWARE Media-Motor Related Downloading MediaMotor25.exe (bleeding-malware.rules)
 2001419 - BLEEDING-EDGE MALWARE Avres.net Downloading cpr_mm2.exe (bleeding-malware.rules)
 2001420 - BLEEDING-EDGE MALWARE Avres.net Downloading ab1.exe (bleeding-malware.rules)
 2001421 - BLEEDING-EDGE MALWARE Avres.net Downloading tvm_bundle.exe (bleeding-malware.rules)
 2001422 - BLEEDING-EDGE MALWARE Avres.net Reporting Data (bleeding-malware.rules)
 2001531 - BLEEDING-EDGE MALWARE C4tdownload.com Access, Likely Spyware (bleeding-malware.rules)
 2001536 - BLEEDING-EDGE MALWARE Spyspotter.com Install (bleeding-malware.rules)
 2001537 - BLEEDING-EDGE MALWARE Spyspotter.com Access (bleeding-malware.rules)
 2001622 - BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 1 (bleeding-exploit.rules)
 2001624 - BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 3 (bleeding-exploit.rules)
 2001625 - BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 1 (bleeding-exploit.rules)
 2001626 - BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 2 (bleeding-exploit.rules)
 2001627 - BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 3 (bleeding-exploit.rules)
 2001633 - BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (1) (bleeding-exploit.rules)
 2001634 - BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (2) (bleeding-exploit.rules)
 2001871 - BLEEDING-EDGE MALWARE Target Saver Spyware User Agent (bleeding-malware.rules)
 2002395 - BLEEDING-EDGE MALWARE Miva User Agent (bleeding-malware.rules)
 2002765 - BLEEDING-EDGE MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc (bleeding-malware.rules)
 2002766 - BLEEDING-EDGE MALWARE Corpsespyware.net BlackList - pcpeek (bleeding-malware.rules)
 2002767 - BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - bos.biz (bleeding-malware.rules)
 2002768 - BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - fesexy (bleeding-malware.rules)
 2002769 - BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - studiolacase (bleeding-malware.rules)
 2003407 - BLEEDING-EDGE MALWARE searchenginebar.com Spyware User-Agent (RX Bar) (bleeding-malware.rules)
 2003512 - BLEEDING-EDGE CURRENT EVENTS TROJ_MESPAM.A HTTP Request (bleeding.rules)
 2003596 - BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage (bleeding.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2001412 - BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 166

     -> Added to bleeding-drop.rules (1):
        #  VERSION 166

     -> Added to bleeding-malware.rules (2):
        #by Matt Jonkman from spyware listeningpost data
        #by Matt Jonkman, from sunbelt blog

     -> Added to bleeding-sid-msg.map (24):
        2001409 || BLEEDING-EDGE MALWARE Mastermind Related Reporting
        2001410 || BLEEDING-EDGE MALWARE Mastermind Related Reporting 8081
        2001411 || BLEEDING-EDGE MALWARE Mastermind Related Downloading mm20.ocx
        2001413 || BLEEDING-EDGE MALWARE Medis-Motor Related Downloading ast_4_mm.exe
        2001414 || BLEEDING-EDGE MALWARE Media-Motor Related Downloading MediaMotor25.exe
        2001419 || BLEEDING-EDGE MALWARE Avres.net Downloading cpr_mm2.exe
        2001420 || BLEEDING-EDGE MALWARE Avres.net Downloading ab1.exe
        2001421 || BLEEDING-EDGE MALWARE Avres.net Downloading tvm_bundle.exe
        2001422 || BLEEDING-EDGE MALWARE Avres.net Reporting Data
        2001536 || BLEEDING-EDGE MALWARE Spyspotter.com Install
        2001537 || BLEEDING-EDGE MALWARE Spyspotter.com Access
        2003603 || BLEEDING-EDGE TROJAN W32.Virut.A joining an IRC Channel || url,www.bitcrank.net
        2003604 || BLEEDING-EDGE MALWARE Baidu.com Agent User-Agent (Desktop Web System)
        2003605 || BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Activity || url,www.pctools.com/mrc/infections/id/BaiDu/
        2003606 || BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL Visited
        2003607 || BLEEDING-EDGE MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting || url,vil.nai.com/vil/content/v_140364.htm
        2003608 || BLEEDING-EDGE MALWARE Baidu.com Related Agent User-Agent (iexp)
        2003610 || BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post) || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html
        2003611 || BLEEDING-EDGE MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating || url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html
        2003612 || BLEEDING-EDGE MALWARE Malwarealarm.com Fake AV/AntiSpyware Download || url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html
        2003613 || BLEEDING-EDGE MALWARE EELoader User-Agent - Unknown (multiple) Malware Packages
        2003614 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound || url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders
        2003615 || BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound || url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders
        2003616 || BLEEDING-EDGE WEB DataCha0s Web Scanner/Robot || url,www.internetofficer.com/web-robot/datacha0s.html

     -> Added to bleeding-virus.rules (2):
        #by Jonathan Gross. Experimental
        #by Daniel D.L.

     -> Added to bleeding-web.rules (1):
        #some kind of robot/scripted web scanner. Some reports that it's looking for awstats installs

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 159

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 159

     -> Removed from bleeding-sid-msg.map (12):
        2001409 || BLEEDING-EDGE Malware Mastermind Related Reporting
        2001410 || BLEEDING-EDGE Malware Mastermind Related Reporting 8081
        2001411 || BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx
        2001412 || BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable
        2001413 || BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe
        2001414 || BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe
        2001419 || BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe
        2001420 || BLEEDING-EDGE Malware Avres.net Downloading ab1.exe
        2001421 || BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe
        2001422 || BLEEDING-EDGE Malware Avres.net Reporting Data
        2001536 || BLEEDING-EDGE Malware Spyspotter.com Install
        2001537 || BLEEDING-EDGE Malware Spyspotter.com Access