[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

bleeding at ...3254... bleeding at ...3254...
Fri May 11 18:00:06 EDT 2007


[***] Results from Oinkmaster started Fri May 11 18:00:05 2007 [***]

[+++]          Added rules:          [+++]

 2003643 - BLEEDING-EDGE TROJAN Win32.Small.mi User-Agent Detected (MyAgent) (bleeding-virus.rules)
 2003644 - BLEEDING-EDGE MALWARE Generic.Malware.dld User-Agent (Sickloader) (bleeding-malware.rules)
 2003645 - BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11) (bleeding-virus.rules)
 2003646 - BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control) (bleeding-virus.rules)
 2003647 - BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U) (bleeding-virus.rules)
 2003648 - BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected (linkrunner) (bleeding-virus.rules)
 2003649 - BLEEDING-EDGE TROJAN Hupington User Agent Detected (SykO) (bleeding-virus.rules)
 2003650 - BLEEDING-EDGE TROJAN Dialer-715 Install Checkin (bleeding-virus.rules)
 2003651 - BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=) (bleeding-virus.rules)
 2003652 - BLEEDING-EDGE MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar) (bleeding-malware.rules)
 2003653 - BLEEDING-EDGE POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc) (bleeding-policy.rules)
 2003654 - BLEEDING-EDGE MALWARE Effectivebrands.com Spyware User-Agent (GTBank) (bleeding-malware.rules)
 2003655 - BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) (bleeding-malware.rules)
 2003656 - BLEEDING-EDGE MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6) (bleeding-malware.rules)
 2003657 - BLEEDING-EDGE MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx)) (bleeding-malware.rules)
 2003658 - BLEEDING-EDGE MALWARE qq.com related Spyware User-Agent (QQGame) (bleeding-malware.rules)
 2003659 - BLEEDING-EDGE MALWARE Unusual Referer String (human) (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2003399 - BLEEDING-EDGE MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer) (bleeding-malware.rules)
 2003640 - BLEEDING-EDGE MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) (bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 180

     -> Added to bleeding-drop.rules (1):
        #  VERSION 180

     -> Added to bleeding-malware.rules (3):
        #from spyware lp data
        #not really a UA sig, but related:
        #by Mark Warren at Praemunio

     -> Added to bleeding-policy.rules (1):
        #this is a distributed search engine crawling thing. I am not aware of any spyware-like activity, but it is likely not welcome on a corporate net

     -> Added to bleeding-sid-msg.map (17):
        2003643 || BLEEDING-EDGE TROJAN Win32.Small.mi User-Agent Detected (MyAgent)
        2003644 || BLEEDING-EDGE MALWARE Generic.Malware.dld User-Agent (Sickloader)
        2003645 || BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11)
        2003646 || BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)
        2003647 || BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)
        2003648 || BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected (linkrunner)
        2003649 || BLEEDING-EDGE TROJAN Hupington User Agent Detected (SykO)
        2003650 || BLEEDING-EDGE TROJAN Dialer-715 Install Checkin
        2003651 || BLEEDING-EDGE Sality Virus User Agent Detected (SPM_ID=)
        2003652 || BLEEDING-EDGE MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)
        2003653 || BLEEDING-EDGE POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)
        2003654 || BLEEDING-EDGE MALWARE Effectivebrands.com Spyware User-Agent (GTBank)
        2003655 || BLEEDING-EDGE MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)
        2003656 || BLEEDING-EDGE MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6) || url,www.f-secure.com/v-descs/rizo.shtml
        2003657 || BLEEDING-EDGE MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx))
        2003658 || BLEEDING-EDGE MALWARE qq.com related Spyware User-Agent (QQGame)
        2003659 || BLEEDING-EDGE MALWARE Unusual Referer String (human)

     -> Added to bleeding-virus.rules (5):
        #from the bleeding sandnet
        #Matt Jonkman from snadnet data
        #Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this
        #from castlecops research
        #UA used by trojan small.mi, sent in from castlecops research

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 173

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 173

     -> Removed from bleeding-virus.rules (1):
        #No better name for it yet





More information about the Snort-sigs mailing list