[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254...
Fri Feb 9 10:00:08 EST 2007


[***] Results from Oinkmaster started Fri Feb  9 15:00:08 2007 [***]

[+++]          Added rules:          [+++]

 2003367 - BLEEDING-EDGE MALWARE www.baidu.com Spyware User Agent (sobar-post) (bleeding-malware.rules)
 2003368 - BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7) (bleeding-malware.rules)
 2003369 - BLEEDING-EDGE EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption (bleeding-exploit.rules)
 2003370 - BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (bleeding-exploit.rules)
 2003371 - BLEEDING-EDGE WEB PHP Portail Includes.php remote file include (bleeding-web.rules)
 2003372 - BLEEDING-EDGE WEB PHPEventMan remote file include (bleeding-web.rules)
 2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In (bleeding.rules)
 2003375 - BLEEDING-EDGE MALWARE Spy-Not.com Spyware Pulling Fake Sigs (bleeding-malware.rules)
 2003376 - BLEEDING-EDGE Instafinder.com spyware (bleeding-malware.rules)
 2003377 - BLEEDING-EDGE MALWARE Spy-Not.com Spyware Updating (bleeding-malware.rules)
 2003378 - BLEEDING-EDGE EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow (bleeding-exploit.rules)
 2003379 - BLEEDING-EDGE EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS (bleeding-exploit.rules)
 2003380 - BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader (bleeding-virus.rules)
 2003381 - BLEEDING-EDGE POLICY McAfee Update User Agent -NOT HOSTILE- (McAfee AutoUpdate) (bleeding-policy.rules)
 2003383 - BLEEDING-EDGE MALWARE Hotbar Tools Spyware User Agent (hbtools) (bleeding-malware.rules)
 2003384 - BLEEDING-EDGE MALWARE SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x) (bleeding-malware.rules)
 2003385 - BLEEDING-EDGE MALWARE sgrunt Dialer User Agent (sgrunt) (bleeding-malware.rules)
 2003386 - BLEEDING-EDGE MALWARE snprtz Dialer User Agent (snprtz) (bleeding-malware.rules)
 2003387 - BLEEDING-EDGE MALWARE dialno Dialer User Agent (dialno) (bleeding-malware.rules)
 2003388 - BLEEDING-EDGE Malware Hotbar Keywords Download (bleeding-malware.rules)
 2003389 - BLEEDING-EDGE Malware WhenUClick.com Application Version Check (bleeding-malware.rules)
 2003390 - BLEEDING-EDGE Malware SurfAccuracy.com Spyware Updating (bleeding-malware.rules)
 2003391 - BLEEDING-EDGE Malware SurfAccuracy.com Spyware Pulling Ads (bleeding-malware.rules)
 2003392 - BLEEDING-EDGE TROJAN Warezov/Stration Communicating with Controller (bleeding-virus.rules)
 2003393 - BLEEDING-EDGE Malware My Search Spyware Config Download 3 (bleeding-malware.rules)
 2003394 - BLEEDING-EDGE MALWARE User Agent Containing http\:// - Possible Spyware (bleeding-malware.rules)
 2003396 - BLEEDING-EDGE MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent (bleeding-malware.rules)
 2003397 - BLEEDING-EDGE MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar) (bleeding-malware.rules)
 2003398 - BLEEDING-EDGE MALWARE Morpheus Spyware Install User-Agent (SmartInstaller) (bleeding-malware.rules)
 2003399 - BLEEDING-EDGE MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer) (bleeding-malware.rules)
 2003400 - BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated script (bleeding-exploit.rules)
 2003401 - BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript download file (bleeding-exploit.rules)
 2003402 - BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript execute command (bleeding-exploit.rules)
 2003403 - BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript (bleeding-exploit.rules)
 2003404 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ) (bleeding-malware.rules)
 2003405 - BLEEDING-EDGE MALWARE Freeze.com Spyware User-Agent (YourScreen123) (bleeding-malware.rules)
 2003406 - BLEEDING-EDGE MALWARE Mysearch.com Spyware User-Agent (iMeshBar) (bleeding-malware.rules)
 2003407 - BLEEDING-EDGE MALWARE searchenginebar.com Spyware User-Agent (RX Bar) (bleeding-malware.rules)
 2003408 - BLEEDING-EDGE TROJAN Downloader-1355 Checking In (bleeding-virus.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)


[///]     Modified active rules:     [///]

 2000908 - BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (1) (bleeding-malware.rules)
 2000909 - BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (2) (bleeding-malware.rules)
 2000910 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (bleeding-malware.rules)
 2000911 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (bleeding-malware.rules)
 2000912 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (1) (bleeding-malware.rules)
 2000913 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (2) (bleeding-malware.rules)
 2000914 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (1) (bleeding-malware.rules)
 2000915 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (2) (bleeding-malware.rules)
 2000916 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin (bleeding-malware.rules)
 2000917 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (offersdata) (bleeding-malware.rules)
 2000918 - BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install (bleeding-malware.rules)
 2000919 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (Searchdb) (bleeding-malware.rules)
 2001306 - BLEEDING-EDGE Malware Gator/Clarian Agent (bleeding-malware.rules)
 2001365 - BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt (bleeding-web.rules)
 2001443 - BLEEDING-EDGE Malware WhenUClick.com Desktop Bar App Checkin (bleeding-malware.rules)
 2002998 - BLEEDING-EDGE SMTP HELO Non-Displayable Characters MailEnable Denial of Service (bleeding-dos.rules)
 2003102 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID (bleeding-exploit.rules)
 2003103 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object (bleeding-exploit.rules)
 2003105 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object (bleeding-exploit.rules)
 2003109 - BLEEDING-EDGE Microsoft Internet Explorer VML Fill Method Attribute Overflow (bleeding-exploit.rules)
 2003110 - BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy (bleeding-exploit.rules)
 2003231 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (bleeding-exploit.rules)
 2003232 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (bleeding-exploit.rules)
 2003233 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (bleeding-exploit.rules)
 2003234 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (bleeding-exploit.rules)
 2003337 - BLEEDING-EDGE MALWARE Suspcious User Agent (Autoupdate) (bleeding-malware.rules)
 2003362 - BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Pulling Ads) (bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2003106 - BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit (bleeding-exploit.rules)


[---]         Removed rules:         [---]

 2001226 - BLEEDING-EDGE MALWARE Advertising.com Agent (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 82

     -> Added to bleeding-drop.rules (1):
        #  VERSION 82

     -> Added to bleeding-exploit.rules (17):
        #Blake Hartstein of Demarc
        #Also by Shirkdog
        # Submitted 2006-09-18 by Christian Seifert, updated 2/5/07
        #Commenting out by default. Major threat has passed
        #by Chris Byrd, updated by Christian Siefert 2/5/07
        #Updated by Christian Siefert 2/5/07
        #Updated by Christian Siefert, 2/5/07
        #by Fabien Bourdaire of ECSC Security
        # Re: http://www.internetdefence.net/2007/02/06/Javascript-payload
        # bc d3 c3 d2  c9 d0 d4 <SCRIPT
        # bc f3 e3 f2  e9 f0 f4 <script
        # ae ef f0 e5  ee a0 a2 e7 e5 f4 a2 .open "get"
        # ae cf d0 c5 ce a0 a2  c7 c5 d4 a2 .OPEN "GET"
        #  f3 e8 e5 ec ec e5 f8 e5 e3 f5 f4 e5  shellexecute
        #  d3 c8 c5 cc cc c5 d8 c5 c3 d5 d4 c5
        # f6 e2 f3 e3 f2 e9 f0 f4
        # d6 c2 d3 c3 d2 c9 d0 d4 VBSCRIPT

     -> Added to bleeding-malware.rules (1):
        #By Matt Jonkman from spywarelp data

     -> Added to bleeding-policy.rules (1):
        #This will let you know when McAffee is updating sigs. Not a security threat, but could be of interest to folks using mcafee to track updates

     -> Added to bleeding-sid-msg.map (56):
        2003102 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003103 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003110 || BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy || cve,2006-3730 || url,osvdb.org/27110 || url, riosec.com/msie-setslice-vuln
        2003231 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705
        2003232 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705
        2003233 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913
        2003234 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913
        2003337 || BLEEDING-EDGE MALWARE Suspcious User Agent (Autoupdate)
        2003362 || BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Pulling Ads)
        2003367 || BLEEDING-EDGE MALWARE www.baidu.com Spyware User Agent (sobar-post)
        2003368 || BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7)
        2003369 || BLEEDING-EDGE EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption || cve,2007-0449
        2003370 || BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS || url,www.milw0rm.com/exploits/3248
        2003371 || BLEEDING-EDGE WEB PHP Portail Includes.php remote file include || bugtraq,22361
        2003372 || BLEEDING-EDGE WEB PHPEventMan remote file include || bugtraq,22358
        2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
        2003375 || BLEEDING-EDGE MALWARE Spy-Not.com Spyware Pulling Fake Sigs
        2003376 || BLEEDING-EDGE Instafinder.com spyware
        2003377 || BLEEDING-EDGE MALWARE Spy-Not.com Spyware Updating
        2003378 || BLEEDING-EDGE EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow || url,www.milw0rm.com/exploits/3244
        2003379 || BLEEDING-EDGE EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS || url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded
        2003380 || BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader
        2003381 || BLEEDING-EDGE POLICY McAfee Update User Agent -NOT HOSTILE- (McAfee AutoUpdate)
        2003383 || BLEEDING-EDGE MALWARE Hotbar Tools Spyware User Agent (hbtools)
        2003384 || BLEEDING-EDGE MALWARE SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x)
        2003385 || BLEEDING-EDGE MALWARE sgrunt Dialer User Agent (sgrunt) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
        2003386 || BLEEDING-EDGE MALWARE snprtz Dialer User Agent (snprtz) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
        2003387 || BLEEDING-EDGE MALWARE dialno Dialer User Agent (dialno) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
        2003388 || BLEEDING-EDGE Malware Hotbar Keywords Download || url,www.hotbar.com
        2003389 || BLEEDING-EDGE Malware WhenUClick.com Application Version Check || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
        2003390 || BLEEDING-EDGE Malware SurfAccuracy.com Spyware Updating || url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99
        2003391 || BLEEDING-EDGE Malware SurfAccuracy.com Spyware Pulling Ads || url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99
        2003392 || BLEEDING-EDGE TROJAN Warezov/Stration Communicating with Controller || url,www.avira.com/en/threats/section/fulldetails/id_vir/3242/tr_dldr.warezov.df.html || url,www.sophos.com/security/analyses/w32strationbo.html
        2003393 || BLEEDING-EDGE Malware My Search Spyware Config Download 3
        2003394 || BLEEDING-EDGE MALWARE User Agent Containing http\:// - Possible Spyware
        2003396 || BLEEDING-EDGE MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent
        2003397 || BLEEDING-EDGE MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)
        2003398 || BLEEDING-EDGE MALWARE Morpheus Spyware Install User-Agent (SmartInstaller)
        2003399 || BLEEDING-EDGE MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)
        2003400 || BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated script || url,www.securityfocus.com/archive/1/437948/30/0/threaded || cve,2006-3227 || url,www.internetdefence.net/2007/02/06/Javascript-payload
        2003401 || BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript download file || url,www.securityfocus.com/archive/1/437948/30/0/threaded || cve,2006-3227 || url,www.internetdefence.net/2007/02/06/Javascript-payload
        2003402 || BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript execute command || url,www.securityfocus.com/archive/1/437948/30/0/threaded || cve,2006-3227 || url,www.internetdefence.net/2007/02/06/Javascript-payload
        2003403 || BLEEDING-EDGE EXPLOIT US-ASCII Obfuscated VBScript || url,www.securityfocus.com/archive/1/437948/30/0/threaded || cve,2006-3227 || url,www.internetdefence.net/2007/02/06/Javascript-payload
        2003404 || BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ) || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
        2003405 || BLEEDING-EDGE MALWARE Freeze.com Spyware User-Agent (YourScreen123)
        2003406 || BLEEDING-EDGE MALWARE Mysearch.com Spyware User-Agent (iMeshBar)
        2003407 || BLEEDING-EDGE MALWARE searchenginebar.com Spyware User-Agent (RX Bar)
        2003408 || BLEEDING-EDGE TROJAN Downloader-1355 Checking In
        2400001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2400004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
        2401004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

     -> Added to bleeding-virus.rules (4):
        #Matt Jonkman, thanks to the Clam guys for the information and sample
        #Sigs for general downloader trojans and worms. Not all get unique names
        #by Matt Jonkman. Saw a downloader appending ver7 to the end of a regular UA. No spaces. very unique
        #Matt Jonkman, strangely enough from spyware listening post hits

     -> Added to bleeding.rules (1):
        #Matt Jonkman. As yet unnamed downloader in a few high profile spots

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 73

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 73

     -> Removed from bleeding-exploit.rules (2):
        # Submitted 2006-09-18 by Christian Seifert
        #by Chris Byrd

     -> Removed from bleeding-sid-msg.map (10):
        2001226 || BLEEDING-EDGE MALWARE Advertising.com Agent || url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html
        2003102 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX controls spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003103 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
        2003110 || BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy || cve,2006-3730 || url,osvdb.org/27110 || url,riosec.com/msie-setslice-vuln
        2003231 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url,osvdb.org/10705
        2003232 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url,osvdb.org/10705
        2003233 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url,osvdb.org/7913
        2003234 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url,osvdb.org/7913
        2003337 || BLEEDING-EDGE MALWARE www.paretologic.com Suspect Anti-Spyware AutoUpdate User Agent (Autoupdate)
        2003362 || BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7)