[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254...
Mon Feb 5 13:00:06 EST 2007


[***] Results from Oinkmaster started Mon Feb  5 18:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003380 - BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader (bleeding-virus.rules)
 2003381 - BLEEDING-EDGE POLICY McAfee Update User Agent (McAfee AutoUpdate) (bleeding-policy.rules)
 2003383 - BLEEDING-EDGE MALWARE Hotbar Tools Spyware User Agent (hbtools) (bleeding-malware.rules)
 2003384 - BLEEDING-EDGE MALWARE SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x) (bleeding-malware.rules)
 2003385 - BLEEDING-EDGE MALWARE sgrunt Dialer User Agent (sgrunt) (bleeding-malware.rules)
 2003386 - BLEEDING-EDGE MALWARE snprtz Dialer User Agent (snprtz) (bleeding-malware.rules)
 2003387 - BLEEDING-EDGE MALWARE dialno Dialer User Agent (dialno) (bleeding-malware.rules)
 2003388 - BLEEDING-EDGE Malware Hotbar Keywords Download (bleeding-malware.rules)
 2003389 - BLEEDING-EDGE Malware WhenUClick.com Application Version Check (bleeding-malware.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)


[///]     Modified active rules:     [///]

 2000908 - BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (1) (bleeding-malware.rules)
 2000909 - BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (2) (bleeding-malware.rules)
 2000910 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (bleeding-malware.rules)
 2000911 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (bleeding-malware.rules)
 2000912 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (1) (bleeding-malware.rules)
 2000913 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (2) (bleeding-malware.rules)
 2000914 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (1) (bleeding-malware.rules)
 2000915 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (2) (bleeding-malware.rules)
 2000916 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin (bleeding-malware.rules)
 2000917 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (offersdata) (bleeding-malware.rules)
 2000918 - BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install (bleeding-malware.rules)
 2000919 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (Searchdb) (bleeding-malware.rules)
 2001443 - BLEEDING-EDGE Malware WhenUClick.com Desktop Bar App Checkin (bleeding-malware.rules)
 2003102 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID (bleeding-exploit.rules)
 2003103 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object (bleeding-exploit.rules)
 2003105 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object (bleeding-exploit.rules)
 2003110 - BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy (bleeding-exploit.rules)
 2003231 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (bleeding-exploit.rules)
 2003232 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (bleeding-exploit.rules)
 2003233 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (bleeding-exploit.rules)
 2003234 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (bleeding-exploit.rules)
 2003337 - BLEEDING-EDGE MALWARE Suspcious User Agent (Autoupdate) (bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 78

     -> Added to bleeding-drop.rules (1):
        #  VERSION 78

     -> Added to bleeding-exploit.rules (4):
        # Submitted 2006-09-18 by Christian Seifert, updated 2/5/07
        #by Chris Byrd, updated by Christian Siefert 2/5/07
        #Updated by Christian Siefert 2/5/07
        #Updated by Christian Siefert, 2/5/07

     -> Added to bleeding-policy.rules (1):
        #This will let you know when McAffee is updating sigs. Not a security threat, but could be of interest to folks using mcafee to track updates

     -> Added to bleeding-sid-msg.map (19):
        2003102 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003103 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003110 || BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy || cve,2006-3730 || url,osvdb.org/27110 || url, riosec.com/msie-setslice-vuln
        2003231 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705
        2003232 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705
        2003233 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913
        2003234 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913
        2003337 || BLEEDING-EDGE MALWARE Suspcious User Agent (Autoupdate)
        2003380 || BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader
        2003381 || BLEEDING-EDGE POLICY McAfee Update User Agent (McAfee AutoUpdate)
        2003383 || BLEEDING-EDGE MALWARE Hotbar Tools Spyware User Agent (hbtools)
        2003384 || BLEEDING-EDGE MALWARE SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x)
        2003385 || BLEEDING-EDGE MALWARE sgrunt Dialer User Agent (sgrunt) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
        2003386 || BLEEDING-EDGE MALWARE snprtz Dialer User Agent (snprtz) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
        2003387 || BLEEDING-EDGE MALWARE dialno Dialer User Agent (dialno) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
        2003388 || BLEEDING-EDGE Malware Hotbar Keywords Download || url,www.hotbar.com
        2003389 || BLEEDING-EDGE Malware WhenUClick.com Application Version Check || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
        2400004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

     -> Added to bleeding-virus.rules (2):
        #Sigs for general downloader trojans and worms. Not all get unique names
        #by Matt Jonkman. Saw a downloader appending ver7 to the end of a regular UA. No spaces. very unique

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 76

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 76

     -> Removed from bleeding-exploit.rules (2):
        # Submitted 2006-09-18 by Christian Seifert
        #by Chris Byrd

     -> Removed from bleeding-sid-msg.map (8):
        2003102 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX controls spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003103 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003110 || BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy || cve,2006-3730 || url,osvdb.org/27110 || url,riosec.com/msie-setslice-vuln
        2003231 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url,osvdb.org/10705
        2003232 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url,osvdb.org/10705
        2003233 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url,osvdb.org/7913
        2003234 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url,osvdb.org/7913
        2003337 || BLEEDING-EDGE MALWARE www.paretologic.com Suspect Anti-Spyware AutoUpdate User Agent (Autoupdate)
