[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254...
Fri Mar 23 11:00:06 EDT 2007


[***] Results from Oinkmaster started Fri Mar 23 11:00:06 2007 [***]

[+++]          Added rules:          [+++]

 2003493 - BLEEDING-EDGE MALWARE AskSearch Spyware User-Agent (AskSearchAssistant) (bleeding-malware.rules)
 2003494 - BLEEDING-EDGE MALWARE AskSearch Toolbar Spyware User-Agent (AskTBar) (bleeding-malware.rules)
 2003495 - BLEEDING-EDGE MALWARE HSN.com Toolbar Spyware User-Agent (HSN) (bleeding-malware.rules)
 2003496 - BLEEDING-EDGE MALWARE AskSearch Toolbar Spyware User-Agent (AskBar) (bleeding-malware.rules)
 2003497 - BLEEDING-EDGE MALWARE 180Solutions Related Spyware User-Agent (msbb) (bleeding-malware.rules)
 2003498 - BLEEDING-EDGE MALWARE Gamehouse.com Related Spyware User-Agent (Sprout Game) (bleeding-malware.rules)
 2003499 - BLEEDING-EDGE MALWARE SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn) (bleeding-malware.rules)
 2003500 - BLEEDING-EDGE MALWARE Adwave.com Related Spyware User-Agent (STBHOGet) (bleeding-malware.rules)
 2003501 - BLEEDING-EDGE MALWARE Bestoffersnetwork.com Related Spyware User-Agent (TBONAS) (bleeding-malware.rules)
 2003502 - BLEEDING-EDGE MALWARE Sysupdates.com Related Spyware User-Agent (TM_SEARCH3) (bleeding-malware.rules)
 2003503 - BLEEDING-EDGE MALWARE AAValue.com Related Spyware User-Agent (Toolbar) (bleeding-malware.rules)
 2003504 - BLEEDING-EDGE Malware E2give Spyware Reporting (check url) (bleeding-malware.rules)
 2003505 - BLEEDING-EDGE MALWARE Toplist.cz Related Spyware User-Agent (BWL Toplist) (bleeding-malware.rules)
 2003506 - BLEEDING-EDGE MALWARE Alawar Toolbar Spyware User-Agent (Alawar Toolbar) (bleeding-malware.rules)
 2003507 - BLEEDING-EDGE CURRENT EVENTS SpaceTalk-QT-js (bleeding.rules)
 2003508 - BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt (bleeding-web.rules)
 2003509 - BLEEDING-EDGE TROJAN Gozi Certificate Information Leakage (bleeding-virus.rules)
 2003510 - BLEEDING-EDGE TROJAN Gozi Registration (bleeding-virus.rules)
 2003511 - BLEEDING-EDGE TROJAN Gozi Form Data Information Leakage (bleeding-virus.rules)
 2003512 - BLEEDING-EDGE CURRENT EVENTS TROJ_MESPAM.A HTTP Request (bleeding.rules)
 2003513 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) (bleeding.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2001415 - BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll (bleeding-malware.rules)
 2001416 - BLEEDING-EDGE Malware E2give Related Reporting Install (bleeding-malware.rules)
 2001417 - BLEEDING-EDGE Malware E2give Related Receiving Config (bleeding-malware.rules)
 2001418 - BLEEDING-EDGE Malware E2give Related Downloading Code (bleeding-malware.rules)
 2001423 - BLEEDING-EDGE Malware E2give Related Reporting (bleeding-malware.rules)
 2003173 - BLEEDING-EDGE EXPLOIT Possible UTF-8 encoded Shellcode Detected (bleeding-exploit.rules)
 2003174 - BLEEDING-EDGE EXPLOIT Possible UTF-16 encoded Shellcode Detected (bleeding-exploit.rules)
 2003405 - BLEEDING-EDGE MALWARE Freeze.com Spyware User-Agent (YourScreen123) (bleeding-malware.rules)
 2003492 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) (bleeding.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2003485 - BLEEDING-EDGE MALWARE Weatherbug Related User-Agent (CFNetwork/) (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 129

     -> Added to bleeding-drop.rules (1):
        #  VERSION 129

     -> Added to bleeding-malware.rules (1):
        #from spyware listening post hits

     -> Added to bleeding-sid-msg.map (29):
        2001415 || BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728
        2001416 || BLEEDING-EDGE Malware E2give Related Reporting Install || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728
        2001417 || BLEEDING-EDGE Malware E2give Related Receiving Config || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728
        2001418 || BLEEDING-EDGE Malware E2give Related Downloading Code || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728
        2001423 || BLEEDING-EDGE Malware E2give Related Reporting || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728
        2003492 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
        2003493 || BLEEDING-EDGE MALWARE AskSearch Spyware User-Agent (AskSearchAssistant)
        2003494 || BLEEDING-EDGE MALWARE AskSearch Toolbar Spyware User-Agent (AskTBar)
        2003495 || BLEEDING-EDGE MALWARE HSN.com Toolbar Spyware User-Agent (HSN)
        2003496 || BLEEDING-EDGE MALWARE AskSearch Toolbar Spyware User-Agent (AskBar)
        2003497 || BLEEDING-EDGE MALWARE 180Solutions Related Spyware User-Agent (msbb) || url,www.auditmypc.com/process/msbb.asp
        2003498 || BLEEDING-EDGE MALWARE Gamehouse.com Related Spyware User-Agent (Sprout Game)
        2003499 || BLEEDING-EDGE MALWARE SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn) || url,www.spywareguide.com/spydet_3366_spydawn.html
        2003500 || BLEEDING-EDGE MALWARE Adwave.com Related Spyware User-Agent (STBHOGet)
        2003501 || BLEEDING-EDGE MALWARE Bestoffersnetwork.com Related Spyware User-Agent (TBONAS) || url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670
        2003502 || BLEEDING-EDGE MALWARE Sysupdates.com Related Spyware User-Agent (TM_SEARCH3)
        2003503 || BLEEDING-EDGE MALWARE AAValue.com Related Spyware User-Agent (Toolbar) || url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189
        2003504 || BLEEDING-EDGE Malware E2give Spyware Reporting (check url) || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728
        2003505 || BLEEDING-EDGE MALWARE Toplist.cz Related Spyware User-Agent (BWL Toplist)
        2003506 || BLEEDING-EDGE MALWARE Alawar Toolbar Spyware User-Agent (Alawar Toolbar) || url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html
        2003507 || BLEEDING-EDGE CURRENT EVENTS SpaceTalk-QT-js || url,didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/
        2003508 || BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt || url,www.inliniac.net/blog/?p=71
        2003509 || BLEEDING-EDGE TROJAN Gozi Certificate Information Leakage || url,www.secureworks.com/research/threats/gozi
        2003510 || BLEEDING-EDGE TROJAN Gozi Registration || url,www.secureworks.com/research/threats/gozi
        2003511 || BLEEDING-EDGE TROJAN Gozi Form Data Information Leakage || url,www.secureworks.com/research/threats/gozi
        2003512 || BLEEDING-EDGE CURRENT EVENTS TROJ_MESPAM.A HTTP Request || url,de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_MESPAM.A
        2003513 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
        2404006 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  || url,www.shadowserver.org
        2405006 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to bleeding-virus.rules (2):
        #by Secureworks
        # Paper here: www.secureworks.com/research/threats/gozi/?threat=gozi

     -> Added to bleeding-web.rules (1):
        #by Victor Julien

     -> Added to bleeding.rules (3):
        #by Thierry Chich. Should be removed once the domain isn't active
        #by Russ McRee of Expedia
        #from rras, another typo'd trojan

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 124

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 124

     -> Removed from bleeding-sid-msg.map (7):
        2001415 || BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll
        2001416 || BLEEDING-EDGE Malware E2give Related Reporting Install
        2001417 || BLEEDING-EDGE Malware E2give Related Receiving Config
        2001418 || BLEEDING-EDGE Malware E2give Related Downloading Code
        2001423 || BLEEDING-EDGE Malware E2give Related Reporting
        2003485 || BLEEDING-EDGE MALWARE Weatherbug Related User-Agent (CFNetwork/)
        2003492 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozila/4.0) || url,doc.bleedingthreats.net/2003492
