[Snort-sigs] Bleeding Edge Threats Daily Signature Changes

bleeding at ...3254...
Thu Oct 4 20:00:17 EDT 2007


[***] Results from Oinkmaster started Fri Oct  5 00:00:17 2007 [***]

[+++]          Added rules:          [+++]

 2007620 - BLEEDING-EDGE TROJAN Zlob Updating via HTTP (v2) (bleeding-virus.rules)
 2007621 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet login (bleeding-virus.rules)
 2007622 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet Response (bleeding-virus.rules)
 2007623 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet Commands (bleeding-virus.rules)
 2007624 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Response (bleeding-virus.rules)
 2007625 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Commands (bleeding-virus.rules)
 2007626 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Fetch (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2003302 - BLEEDING-EDGE TROJAN psyBNC IRC Server Connection (bleeding-virus.rules)
 2007568 - BLEEDING-EDGE TROJAN Zlob Updating via HTTP (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (24):
        2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection || url,en.wikipedia.org/wiki/PsyBNC
        2007620 || BLEEDING-EDGE TROJAN Zlob Updating via HTTP (v2)
        2007621 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet login || url,en.wikipedia.org/wiki/IRC_bot
        2007622 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot
        2007623 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot
        2007624 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot
        2007625 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot
        2007626 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Fetch || url,en.wikipedia.org/wiki/IRC_bot
        2500517 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (518) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (519) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (520) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (521) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (522) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (523) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (524) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (525) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (518) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (519) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (520) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (521) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (522) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (523) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (524) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (525) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to bleeding-virus.rules (46):
        # by Reg Quinton
        # Kaiten is a compiled code DDOS IRCbotnet for Unix/Linux systems. You will
        # find the string "Kaiten wagoraku" in the code ..(or in the strings if you
        # have a compiled version). It's been around since at least 2006, source can
        # be found at many sites.
        # See also
        # http://isc.sans.org/diary.html?storyid=1127
        # http://handlers.dshield.org/pbueno/Steve_malware6.pdf
        # http://www.stacksegment.net/wiki/index.php/Linux_Malware_Analysis
        # http://ktp.e-isa.com/Viruses/Linux.DDos-Kaiten.htm
        # Reg Quinton; 2007/08/30
        # Botnet begins by contacting an IRC server (there's some randomization to
        # pick one) and saying (with short nick,ident,user strings..):
        #  Send(sock,"NICK %s\nUSER %s localhost localhost :%s\n",nick,ident,user);
        # various distinctive responses to commands implemented by Kaiten client
        # various commands implemented by Kaiten client, they don't use a : delimiter
        # as others do, it's "[:<server> ]PRIVMSG !<clients> <command> <args>". I'm
        # skipping the server part. I wish there were flowbits that noted that we have
        # an IRC channel going. I don't want to watch everything.
        # Pitbull is an IRCbot implemented in Perl since 2007/09/13, code seems to have
        # authors who speak Spanish or Portuguese. Small sample here
        #   http://www.directadmin.com/forum/showthread.php?p=113720
        # Google had a cached version, you might browse around to find others.
        # Versions I captured are a little different from one another (s/space/etx/).
        # Code *says* it supports these commands (but versions differ):
        #!bot @portscan <ip>
        #!bot @nmap <ip> <beginport> <endport>
        #!bot @back <ip><port>
        #!bot @udpflood <ip> <packet size> <time>
        #!bot @tcpflood <ip> <port> <packet size> <time>
        #!bot @httpflood <site> <time>
        #!bot @linuxhelp
        #!bot @rfi <vuln> <dork>
        #!bot @system
        #!bot @milw0rm
        #!bot @logcleaner
        #!bot @sendmail <subject> <sender> <recipient> <message>
        #!bot @join <#channel>
        #!bot @part <#channel>
        #!bot @help
        #!bot cd tmp for example
        #!bot !eval <code= for example :@nickname>
        # Reg Quinton; 26-Sept-2007
        # seems to be a common prefix in responses with the few I've seen.
        # various commands implemented by Pitbull client as provided above
        # distinctive string in page fetch to google, yahoo, lycos, milw0rm, etc.
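As an added illustration, not part of the ruleset or of Reg Quinton's notes, the scanner below flags IRC lines matching the three shapes described above: the Kaiten login string ("USER ... localhost localhost :..."), the Kaiten "PRIVMSG !<clients> <command> <args>" form, and a Pitbull "!bot @<command>" body. The sample lines are constructed, and the assumption that Pitbull commands travel as the text of a PRIVMSG is mine, not something the notes state.

```python
import re

# Constructed sample IRC lines for the demo; not captured traffic.
SAMPLE_LINES = [
    "NICK abc\n",
    "USER xyz localhost localhost :qwe\n",
    ":irc.example.net PRIVMSG !clients somecmd arg1 arg2\r\n",
    "PRIVMSG #chan :!bot @portscan 192.0.2.5\r\n",
    "PRIVMSG #chan :hello everyone\r\n",
]

# Kaiten login: USER <ident> localhost localhost :<user>  (the literal
# "localhost localhost" is the distinctive part; NICK alone is not).
KAITEN_USER = re.compile(r"^USER \S+ localhost localhost :\S+$")

# Kaiten command: optional ":<server> " prefix, then PRIVMSG to a target
# beginning with "!", then the command and its arguments with no ":" delimiter.
KAITEN_CMD = re.compile(
    r"^(?::\S+ )?PRIVMSG !\S* (?P<cmd>\S+)(?: (?P<args>.*))?$")

# Pitbull command (assumed to be PRIVMSG text): "!bot @<command> <args>".
PITBULL_CMD = re.compile(
    r"^(?::\S+ )?PRIVMSG \S+ :!bot (?P<cmd>@?\S+)(?: (?P<args>.*))?$")


def classify(line):
    """Return (kind, command) for a suspicious IRC line, or None."""
    line = line.rstrip("\r\n")  # Kaiten sends bare "\n"; servers use "\r\n"
    if KAITEN_USER.match(line):
        return ("kaiten-login", None)
    m = KAITEN_CMD.match(line)
    if m:
        return ("kaiten-command", m.group("cmd"))
    m = PITBULL_CMD.match(line)
    if m:
        return ("pitbull-command", m.group("cmd"))
    return None


def scan(lines):
    """Return a list of (line_number, kind, command) hits over the input."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```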

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection
