[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254...
Sun Jan 28 15:00:04 EST 2007


[***] Results from Oinkmaster started Sun Jan 28 20:00:04 2007 [***]

[+++]          Added rules:          [+++]

 2003330 - BLEEDING-EDGE POLICY Unusually High Client DNS Query Volume -- Possible Spambot (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001742 - BLEEDING-EDGE EXPLOIT Arkeia full remote access without password or authentication (bleeding-exploit.rules)
 2002845 - BLEEDING-EDGE EXPLOIT MSSQL Hello Overflow Attempt (bleeding-exploit.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2001049 - BLEEDING-EDGE EXPLOIT Buffer Overflow Exploit in Adobe Acrobat Reader (bleeding-exploit.rules)
 2001094 - BLEEDING-EDGE EXPLOIT Internet Explorer URL parsing vulnerability (bleeding-exploit.rules)
 2001097 - BLEEDING-EDGE EXPLOIT Internet Explorer Object Data Remote Execution Vulnerability (bleeding-exploit.rules)
 2001667 - BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in (bleeding-exploit.rules)
 2001671 - BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in (to blahot.com) (bleeding-exploit.rules)
 2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS (bleeding.rules)


[---]         Removed rules:         [---]

 2000004 - BLEEDING-EDGE EXPLOIT Microsoft MHTML URL Redirection Attempt (bleeding-exploit.rules)
 2000008 - BLEEDING-EDGE EXPLOIT Catalyst 3500 arbitrary command (bleeding-exploit.rules)
 2001093 - BLEEDING-EDGE EXPLOIT IE Local zone Shell execution of arbitrary code (bleeding-exploit.rules)
 2001687 - BLEEDING-EDGE WORM MySQL bot DNS lookup (bleeding-virus.rules)
 2001688 - BLEEDING-EDGE WORM MySQL bot DNS lookup (bleeding-virus.rules)
 2001690 - BLEEDING-EDGE WORM Potential MySQL bot connecting to IRC server (bleeding-virus.rules)
 2001922 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Outbound (bleeding-virus.rules)
 2001923 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Outbound (bleeding-virus.rules)
 2001924 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Outbound (bleeding-virus.rules)
 2001925 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Inbound (bleeding-virus.rules)
 2001926 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Inbound (bleeding-virus.rules)
 2001927 - BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Inbound (bleeding-virus.rules)
 2001955 - BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection / DNS lookup (bleeding-virus.rules)
 2001956 - BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection (bleeding-virus.rules)
 2001986 - BLEEDING-EDGE VIRUS Mytob.DI - outbound (bleeding-virus.rules)
 2001987 - BLEEDING-EDGE VIRUS Mytob.DI - incoming (bleeding-virus.rules)
 2002049 - BLEEDING-EDGE VIRUS Mytob.GC - outbound (bleeding-virus.rules)
 2002050 - BLEEDING-EDGE VIRUS Mytob.GC - incoming (bleeding-virus.rules)
 2002053 - BLEEDING-EDGE VIRUS Mytob.HF - outbound (bleeding-virus.rules)
 2002054 - BLEEDING-EDGE VIRUS Mytob.HF - incoming (bleeding-virus.rules)
 2002125 - BLEEDING-EDGE VIRUS Mytob.HE - outbound (bleeding-virus.rules)
 2002126 - BLEEDING-EDGE VIRUS Mytob.HE - incoming (bleeding-virus.rules)
 2002719 - BLEEDING-EDGE VIRUS Mytob.AH SMTP Inbound (aka - BQ,AU,BA,F,T-2,T,.gen,AR,-Fam) (bleeding-virus.rules)
 2003001 - BLEEDING-EDGE TROJAN Unknown Trojan Communication (bleeding.rules)
 2003090 - BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Outbound (bleeding.rules)
 2003091 - BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Inbound (bleeding.rules)
 2003246 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter Javascript Attempt (URL Inbound) (bleeding-exploit.rules)
 2003247 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter Javascript Client Request (bleeding-exploit.rules)
 2003248 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL (inbound) (bleeding-exploit.rules)
 2003249 - BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL Client Request (bleeding-exploit.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 69

     -> Added to bleeding-drop.rules (1):
        #  VERSION 69

     -> Added to bleeding-exploit.rules (2):
        #Disabling. Obsoleted. To be removed later
        #Domain dead

     -> Added to bleeding-sid-msg.map (2):
        2002845 || BLEEDING-EDGE EXPLOIT MSSQL Hello Overflow Attempt || bugtraq,5411 || cve,2002-1123
        2003330 || BLEEDING-EDGE POLICY Unusually High Client DNS Query Volume -- Possible Spambot

     -> Added to bleeding-virus.rules (2):
        #Experimenting with this idea. When a bot comes up live and starts spamming, it
        #  does a massive number of dns queries. This may be an extra way to identify infections
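
The comment above describes a rate-based heuristic rather than a content signature: a spambot that has just come up resolves the mail exchangers of a great many domains in a short time, so the per-client DNS query rate is the signal. In Snort 2.x that kind of check is built with the threshold rule option (type threshold, track by_src, count N, seconds M) on a rule matching client-to-port-53 traffic; the count and window that 2003330 actually uses are not shown in this report. What follows is an added illustration of the same logic run over a query log, written for this page and not part of the Bleeding Edge rule set. It keeps each client's queries in a sliding window, trips on volume, and adds the two checks a practitioner would want before turning this on: an allowlist for the site's own recursive resolvers and mail gateways, which look exactly like spambots to a pure volume counter, and a distinct-name ratio that stops a host hammering the same few names from paging anyone. The log format, the 250-queries-per-60-seconds threshold, the 0.5 ratio and every host address are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque


def build_sample_log():
    """Construct sample DNS query log lines (not real traffic).

    Assumed format, one query per line, tcpdump -tt style:
        <epoch_seconds> <client_ip> <qtype> <qname>
    """
    base = 1170014400.0  # 2007-01-28 20:00:00 UTC, the report's own timestamp
    lines = []
    # 10.0.0.5: an ordinary desktop, one lookup every 1.5 s, same name.
    for i in range(40):
        lines.append(f"{base + i * 1.5:.3f} 10.0.0.5 A www.example.com")
    # 10.0.0.53: the site's recursive resolver forwarding upstream. High volume
    # and many distinct names, exactly like a spambot; must be allowlisted.
    for i in range(400):
        lines.append(f"{base + i * 0.1:.3f} 10.0.0.53 A host{i}.example.org")
    # 10.0.0.9: a monitoring box polling five names over and over. High volume,
    # but almost no distinct names.
    for i in range(300):
        lines.append(f"{base + i * 0.1:.3f} 10.0.0.9 A probe{i % 5}.example.org")
    # 10.0.0.77: a freshly infected host resolving MX records for hundreds of
    # distinct domains inside a minute, the pattern the rule comment describes.
    for i in range(400):
        lines.append(f"{base + i * 0.1:.3f} 10.0.0.77 MX mail{i}.example.net")
    lines.sort(key=lambda line: float(line.split()[0]))  # stable: per-client order kept
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return float(ts), client, qtype, qname.lower()


def find_high_volume_clients(lines, window=60.0, threshold=250,
                             min_distinct_ratio=0.5, exclude=()):
    """Flag clients that issue >= threshold queries within any window-second span.

    Returns {client: (queries_in_window, distinct_names)} captured at the moment
    each client first trips. The distinct-name ratio separates a spambot
    resolving hundreds of different domains from a chatty host hammering the
    same few names; `exclude` holds known resolvers and mail gateways. All three
    parameters are assumptions to tune per site, not values from the rule.
    """
    recent = defaultdict(deque)  # client -> deque of (ts, qname) inside the window
    hits = {}
    for ts, client, _qtype, qname in (parse_line(l) for l in lines if l.strip()):
        if client in exclude:
            continue
        q = recent[client]
        q.append((ts, qname))
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        if client not in hits and len(q) >= threshold:
            distinct = len({name for _, name in q})
            if distinct / len(q) >= min_distinct_ratio:
                hits[client] = (len(q), distinct)
    return hits


if __name__ == "__main__":
    for client, (count, distinct) in find_high_volume_clients(
            build_sample_log(), exclude={"10.0.0.53"}).items():
        print(f"possible spambot {client}: {count} queries, {distinct} distinct names in 60 s")
```

Run as a script it reports only 10.0.0.77; drop the allowlist and the site resolver is flagged too, set the ratio to zero and the monitoring host joins it. That is the point of a POLICY rule like this one: the volume threshold alone is a tuning exercise, so baseline each segment's legitimate DNS rate and allowlist infrastructure before letting a hit drive any automated response.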

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 65

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 65

     -> Removed from bleeding-exploit.rules (7):
        #by Mr Magic Pants
        #Disabling. This will never hit, since the parameters are stripped from the uri before the browser makes the request. The request will be for the pdf only
        #by mr Magic Pants
        #These are probably higher load, and may false. We should consider removing these around the middle of february 2007 if the vuln passes
        #Commenting the first out by default. It's falsing a lot!
        #Disabling. This will never hit, since the parameters are stripped from the uri before the browser makes the request. The request will be for the pdf only
        #Disabling by default. Long since obsoleted. To be deleted MAJ 12.6.06

     -> Removed from bleeding-sid-msg.map (33):
        2000004 || BLEEDING-EDGE EXPLOIT Microsoft MHTML URL Redirection Attempt || url,www.microsoft.com/technet/security/bulletin/MS04-013.mspx || cve,CAN-2004-0380
        2000008 || BLEEDING-EDGE EXPLOIT Catalyst 3500 arbitrary command || url,www.securityfocus.com/archive/1/141471
        2001093 || BLEEDING-EDGE EXPLOIT IE Local zone Shell execution of arbitrary code || url,www.securityfocus.com/archive/1/348688/2003-12-31/2004-01-06/0
        2001687 || BLEEDING-EDGE WORM MySQL bot DNS lookup || url,isc.sans.org/diary.php?date=2005-01-27
        2001688 || BLEEDING-EDGE WORM MySQL bot DNS lookup || url,isc.sans.org/diary.php?date=2005-01-27
        2001690 || BLEEDING-EDGE WORM Potential MySQL bot connecting to IRC server || url,isc.sans.org/diary.php?date=2005-01-27
        2001922 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Outbound || url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed at ...1512...
        2001923 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Outbound || url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed at ...1512...
        2001924 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Outbound || url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed at ...1512...
        2001925 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Inbound || url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed at ...1512...
        2001926 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Inbound || url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed at ...1512...
        2001927 || BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Inbound || url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed at ...1512...
        2001955 || BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection / DNS lookup || url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43006
        2001956 || BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection || url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43006
        2001986 || BLEEDING-EDGE VIRUS Mytob.DI - outbound || url,secunia.com/virus_information/18407/
        2001987 || BLEEDING-EDGE VIRUS Mytob.DI - incoming || url,secunia.com/virus_information/18407/
        2002049 || BLEEDING-EDGE VIRUS Mytob.GC - outbound || url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002050 || BLEEDING-EDGE VIRUS Mytob.GC - incoming || url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002053 || BLEEDING-EDGE VIRUS Mytob.HF - outbound || url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002054 || BLEEDING-EDGE VIRUS Mytob.HF - incoming || url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002125 || BLEEDING-EDGE VIRUS Mytob.HE - outbound || url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002126 || BLEEDING-EDGE VIRUS Mytob.HE - incoming || url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default
        2002719 || BLEEDING-EDGE VIRUS Mytob.AH SMTP Inbound (aka - BQ,AU,BA,F,T-2,T,.gen,AR,-Fam) || url,www.symantec.com/avcenter/venc/data/w32.mytob.ah at ...1512...
        2002845 || BLEEDING-EDGE EXPLOIT Hello Overflow Attempt || bugtraq,5411 || cve,2002-1123
        2003001 || BLEEDING-EDGE TROJAN Unknown Trojan Communication
        2003090 || BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Outbound
        2003091 || BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Inbound
        2003246 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter Javascript Attempt (URL Inbound) || url,secunia.com/advisories/23483/
        2003247 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter Javascript Client Request || url,secunia.com/advisories/23483/
        2003248 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL (inbound)
        2003249 || BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL Client Request
        2400004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
        2401004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

     -> Removed from bleeding-virus.rules (15):
        #disabling, zone dead
        #disabling for falses, likely no longer relevant
        #Evgeny Pinchuk Mytob 5-9-05
        #Smetona 6-2-05
        #disabling, no longer relevant
        # Mytob.DI
        #Submitted by Mark Scott, 6/5/2005
        # Mytob.GC
        #Submitted by Mark Scott, 6/21/2005, for Mytob.GC
        # Mytob.HF
        #Submitted by Mark Scott, 6/26/2005, for Mytob.HF
        # Mytob.HE
        #Submitted by Mark Scott, 7/8/2005
        # Mytob.AH
        # Submitted by Mark Scott, 2005-12-11

     -> Removed from bleeding.rules (7):
        # Matt Jonkman
        # This is a sngle packet sent out by a bot binary that was submitted
        # If you get a hit on this check out the source system, and let us know please
        #  We have yet to figure out what this is. It doesn't get a reply but appears important
        #Matt Jonkman
        #Disabling, not new info, need more research
        #A new bot. It appears to have an encrypted or obfucated c&c channel. More as we get it, watch ISC for a diary entry and more info




