[Snort-sigs] [Emerging-Sigs] Emerging Threats Daily Signature Changes

Matt Jonkman jonkman at ...829...
Wed Feb 13 20:20:06 EST 2008


I've played with a few known samples, but their C&Cs were down so I'm
unable to get much for them yet.

It is on the radar though.

matt

Detore, Mario R. wrote:
> All,
> 
> Anyone have any Snort sigs for the Mega-D or Mayday botnets yet?  I've seen
> the analysis of Mega-D at
> http://www.secureworks.com/research/threats/ozdok/?threat=ozdok, but need
> more specific information on protocols used and whatnot - really pretty much
> anything that we can see going across our IDS.
> 
> Thanks!
> 
> Mario
> 
> -----Original Message-----
> From: emerging-sigs-bounces at ...3335...
> [mailto:emerging-sigs-bounces at ...3335...]On Behalf Of
> emerging at ...3335...
> Sent: Wednesday, February 13, 2008 5:00 PM
> To: snort-sigs at lists.sourceforge.net; emerging-sigs at ...3335...
> Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
> 
> 
> 
> [***] Results from Oinkmaster started Wed Feb 13 17:00:09 2008 [***]
> 
> [+++]          Added rules:          [+++]
> 
>  2007844 - ET TROJAN Downloader Agent.isd Checkin (bleeding-virus.rules)
>  2007845 - ET MALWARE Errclean.com Related Spyware User Agent (Locus
> NetInstaller) (bleeding-malware.rules)
>  2007846 - ET MALWARE Berlinads3.com Related Spyware User Agent (StixAero
> Engine v1.5) (bleeding-malware.rules)
>  2007847 - ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX
> Buffer Overflow Exploit (bleeding-exploit.rules)
>  2007848 - ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module
> (XVoice.dll 4.0.4.3303) remote BoF exploit (bleeding.rules)
> 
> 
> [///]     Modified active rules:     [///]
> 
>  2007815 - ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx
> ActiveX Control Buffer Overflow Attempt (bleeding.rules)
> 
> 
> [+++]      Added non-rule lines:     [+++]
> 
>      -> Added to bleeding-exploit.rules (1):
>         #by Akash Mahajan of Stillsecure
> 
>      -> Added to bleeding-malware.rules (2):
>         #errclean.com related, by matt jonkman
>         #berlinads3.com related
> 
>      -> Added to bleeding-sid-msg.map (6):
>         2007815 || ET CURRENT_EVENTS Aurigma Image Uploader
> ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt ||
> url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
>         2007844 || ET TROJAN Downloader Agent.isd Checkin
>         2007845 || ET MALWARE Errclean.com Related Spyware User Agent (Locus
> NetInstaller)
>         2007846 || ET MALWARE Berlinads3.com Related Spyware User Agent
> (StixAero Engine v1.5)
>         2007847 || ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38)
> ActiveX Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5100 ||
> url,www.milw0rm.com/exploits/5086
>         2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module
> (XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 ||
> url,www.milw0rm.com/exploits/5087
> 
>      -> Added to bleeding-sid-msg.map.txt (6):
>         2007815 || ET CURRENT_EVENTS Aurigma Image Uploader
> ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt ||
> url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
>         2007844 || ET TROJAN Downloader Agent.isd Checkin
>         2007845 || ET MALWARE Errclean.com Related Spyware User Agent (Locus
> NetInstaller)
>         2007846 || ET MALWARE Berlinads3.com Related Spyware User Agent
> (StixAero Engine v1.5)
>         2007847 || ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38)
> ActiveX Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5100 ||
> url,www.milw0rm.com/exploits/5086
>         2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module
> (XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 ||
> url,www.milw0rm.com/exploits/5087
> 
>      -> Added to bleeding-virus.rules (1):
>         #matt jonkman, downloader Agent.isd
> 
>      -> Added to bleeding.rules (2):
>         #by Akash Mahajan of Stillsecure
>         #by Akash Mahajan of Stillsecure
> 
> [---]     Removed non-rule lines:    [---]
> 
>      -> Removed from bleeding-sid-msg.map (3):
>         2007815 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader4
> ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
>         2402000 || ET DROP Dshield Block Listed Source ||
> url,feeds.dshield.org/block.txt
>         2403000 || ET DROP Dshield Block Listed Source - BLOCKING ||
> url,feeds.dshield.org/block.txt
> 
>      -> Removed from bleeding-sid-msg.map.txt (3):
>         2007815 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader4
> ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
>         2402000 || ET DROP Dshield Block Listed Source ||
> url,feeds.dshield.org/block.txt
>         2403000 || ET DROP Dshield Block Listed Source - BLOCKING ||
> url,feeds.dshield.org/block.txt
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...3335...
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
