[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254...
Fri Feb 23 10:00:06 EST 2007


[***] Results from Oinkmaster started Fri Feb 23 15:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003415 - BLEEDING-EDGE EXPLOIT Firefox Cookie Manipulation Attempt (bleeding-exploit.rules)
 2003424 - BLEEDING-EDGE VIRUS Sality Trojan Web Update (bleeding-virus.rules)
 2003425 - BLEEDING-EDGE MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module) (bleeding-malware.rules)
 2003426 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Checkin (bleeding-malware.rules)
 2003427 - BLEEDING-EDGE VIRUS Bagle Worm User-Agent (DEBUT.TMP) (bleeding-virus.rules)
 2003428 - BLEEDING-EDGE MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installe) (bleeding-malware.rules)
 2003429 - BLEEDING-EDGE MALWARE xxxtoolbar.com Spyware Install User-Agent (bleeding-malware.rules)
 2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt (bleeding.rules)
 2003431 - BLEEDING-EDGE TROJAN Unnamed Generic.Malware http get (bleeding-virus.rules)
 2003432 - BLEEDING-EDGE TROJAN Nukebot related infection - Unique HTTP get request (bleeding-virus.rules)
 2003433 - BLEEDING-EDGE TROJAN Nukebot Checkin (bleeding-virus.rules)
 2003434 - BLEEDING-EDGE EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt (bleeding-exploit.rules)
 2003435 - BLEEDING-EDGE TROJAN Stormy Variant HTTP Request (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001495 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Install (bleeding-malware.rules)
 2001496 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Advertising Campaign Download (bleeding-malware.rules)
 2001497 - BLEEDING-EDGE MALWARE Outerinfo.com Spyware Activity (bleeding-malware.rules)
 2003088 - BLEEDING-EDGE VIRUS Sality Trojan User-Agent (KUKU v3.09 exp) (bleeding-virus.rules)
 2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser (bleeding.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2003299 - BLEEDING-EDGE TROJAN Stormy P2P bot C&C Seek Traffic Outbound (bleeding-virus.rules)
 2003300 - BLEEDING-EDGE TROJAN Stormy P2P bot C&C Reply Traffic Inbound (bleeding-virus.rules)
 2003301 - BLEEDING-EDGE TROJAN Stormy P2P bot C&C Data Traffic Inbound (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 95

     -> Added to bleeding-drop.rules (1):
        #  VERSION 95

     -> Added to bleeding-exploit.rules (2):
        #Issue is fixed by patch, and all http traffic is now redirected to https. So anything on this
        # port in the clear using the bad cookie name is suspect. Thanks for the reference Jose

     -> Added to bleeding-malware.rules (2):
        #Matt jonkman, from spywarelp data
        #Matt Jonkman form SpywareLP Data

     -> Added to bleeding-sid-msg.map (18):
        2001495 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Install
        2001496 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Advertising Campaign Download
        2001497 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Activity
        2003088 || BLEEDING-EDGE VIRUS Sality Trojan User-Agent (KUKU v3.09 exp) || url,www.sophos.com/security/analyses/w32salityu.html
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/ || url,isc.sans.org/diary.html?n&storyid=2277 || url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/
        2003415 || BLEEDING-EDGE EXPLOIT Firefox Cookie Manipulation Attempt || cve,2007-0981
        2003424 || BLEEDING-EDGE VIRUS Sality Trojan Web Update || url,www.sophos.com/security/analyses/w32salityu.html
        2003425 || BLEEDING-EDGE MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module)
        2003426 || BLEEDING-EDGE MALWARE Outerinfo.com Spyware Checkin
        2003427 || BLEEDING-EDGE VIRUS Bagle Worm User-Agent (DEBUT.TMP)
        2003428 || BLEEDING-EDGE MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installe)
        2003429 || BLEEDING-EDGE MALWARE xxxtoolbar.com Spyware Install User-Agent
        2003430 || BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
        2003431 || BLEEDING-EDGE TROJAN Unnamed Generic.Malware http get
        2003432 || BLEEDING-EDGE TROJAN Nukebot related infection - Unique HTTP get request || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743
        2003433 || BLEEDING-EDGE TROJAN Nukebot Checkin || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743
        2003434 || BLEEDING-EDGE EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt || url,www.trendmicro.com/download/product.asp?productid=20 || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477
        2003435 || BLEEDING-EDGE TROJAN Stormy Variant HTTP Request

     -> Added to bleeding-virus.rules (4):
        #No better name for it yet
        #Matt Jonkman, found by axn jxn
        # Advisory by Websense, www.websense.com/securitylabs/alerts/alert.php?AlertID=743
        #This one is from what appears to be a typo in the get string right after the initial infection

     -> Added to bleeding.rules (2):
        # These are coming in zips asking you to run on the server. This will hit on the html coming FROM the infected server to a client browser, NOT the zip in transit
        #The email drop is dead, but phishes are still going out with this address. If you see it, someone ran the script... follow up!

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 88

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 88

     -> Removed from bleeding-sid-msg.map (8):
        2001495 || BLEEDING-EDGE Malware Outerinfo.com Spyware Install
        2001496 || BLEEDING-EDGE Malware Outerinfo.com Spyware Advertising Campaign Download
        2001497 || BLEEDING-EDGE Malware Outerinfo.com Spyware Activity
        2003088 || BLEEDING-EDGE MALWARE W32/Sality || url,www.sophos.com/security/analyses/w32salityu.html
        2003299 || BLEEDING-EDGE TROJAN Stormy P2P bot C&C Seek Traffic Outbound
        2003300 || BLEEDING-EDGE TROJAN Stormy P2P bot C&C Reply Traffic Inbound
        2003301 || BLEEDING-EDGE TROJAN Stormy P2P bot C&C Data Traffic Inbound
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser

     -> Removed from bleeding-virus.rules (2):
        #by Bojan Zdrnja
        #Commenting these out. This is edonkey protocol. Altering the wexisting edonkey rules to be inclusive
