[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Feb 16 19:00:08 EST 2008


[***] Results from Oinkmaster started Sat Feb 16 19:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2007831 - ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push) (bleeding-virus.rules)
 2007832 - ET TROJAN Theoreon.com Related Trojan Checkin (bleeding-virus.rules)
 2007833 - ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5) (bleeding-virus.rules)
 2007834 - ET TROJAN Renos/ssd.com HTTP Checkin (bleeding-virus.rules)
 2007835 - ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe) (bleeding.rules)
 2007836 - ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related (bleeding-virus.rules)
 2007837 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (WinInet) (bleeding-virus.rules)
 2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
 2007839 - ET MALWARE Drpcclean.com Related Spyware User Agent (DrPCClean Transmit) (bleeding-malware.rules)
 2007840 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell) (bleeding-virus.rules)
 2007841 - ET TROJAN W32.Downloader Tibs.ek Reporting to C&C (bleeding-virus.rules)
 2007842 - ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin (bleeding-malware.rules)
 2007844 - ET TROJAN Downloader Agent.isd Checkin (bleeding-virus.rules)
 2007845 - ET MALWARE Errclean.com Related Spyware User Agent (Locus NetInstaller) (bleeding-malware.rules)
 2007846 - ET MALWARE Berlinads3.com Related Spyware User Agent (StixAero Engine v1.5) (bleeding-malware.rules)
 2007847 - ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit (bleeding-exploit.rules)
 2007848 - ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit (bleeding.rules)
 2007849 - ET TROJAN Kpang.com Related Trojan User-Agent (alertup) (bleeding-virus.rules)
 2007850 - ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability (bleeding-exploit.rules)
 2007851 - ET EXPLOIT Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit (bleeding-exploit.rules)
 2007852 - ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit (bleeding-exploit.rules)
 2007853 - ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability (bleeding-exploit.rules)
 2007854 - ET MALWARE Suspicious User Agent - Possible Playmp3z or other Spyware Related (Mozilla) (bleeding-malware.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (bleeding-botcc.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2003238 - ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (bleeding-virus.rules)
 2003239 - ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2) (bleeding-virus.rules)
 2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (bleeding-policy.rules)
 2007724 - ET TROJAN Prg Trojan HTTP POST version 2 (bleeding-virus.rules)
 2007758 - ET TROJAN Eldorado.BHO User-Agent Detected (netcfg) (bleeding-virus.rules)
 2007779 - ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate) (bleeding-virus.rules)
 2007815 - ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt (bleeding.rules)
 2007816 - ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use (bleeding.rules)
 2007817 - ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit (bleeding.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (bleeding-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (bleeding-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (bleeding-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (bleeding-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (bleeding-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (bleeding-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (bleeding-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2007830 - ET MALWARE Maxthom/Myie2.com Related Spyware User Agent (MyIE2) (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 1060
        #  Generated 2008-02-16 01:03:00 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 1060
        #  Generated 2008-02-16 01:03:00 EDT

     -> Added to bleeding-exploit.rules (5):
        #by Akash Mahajan of Stillsecure
        #by Akash Mahajan of Stillsecure
        #by Akash Mahajan of Stillsecure
        #by Akash Mahajan of Stillsecure
        #by Akash Mahajan of Stillsecure

     -> Added to bleeding-malware.rules (5):
        #another fake antispyware package, by matt jonkman
        #drpcclean.com by matt jonkman
        #errclean.com related, by matt jonkman
        #berlinads3.com related
        #playmp3z adware seen using this

     -> Added to bleeding-sid-msg.map (33):
        2003238 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C
        2003239 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2)
        2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
        2007758 || ET TROJAN Eldorado.BHO User-Agent Detected (netcfg)
        2007779 || ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate)
        2007815 || ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
        2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929 || url,www.milw0rm.com/exploits/5049
        2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 || url,www.milw0rm.com/exploits/5102 || url,www.milw0rm.com/exploits/5049
        2007831 || ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push)
        2007832 || ET TROJAN Theoreon.com Related Trojan Checkin
        2007833 || ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5)
        2007834 || ET TROJAN Renos/ssd.com HTTP Checkin
        2007835 || ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)
        2007836 || ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related
        2007837 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (WinInet)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007839 || ET MALWARE Drpcclean.com Related Spyware User Agent (DrPCClean Transmit)
        2007840 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)
        2007841 || ET TROJAN W32.Downloader Tibs.ek Reporting to C&C
        2007842 || ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin
        2007844 || ET TROJAN Downloader Agent.isd Checkin
        2007845 || ET MALWARE Errclean.com Related Spyware User Agent (Locus NetInstaller)
        2007846 || ET MALWARE Berlinads3.com Related Spyware User Agent (StixAero Engine v1.5)
        2007847 || ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5100 || url,www.milw0rm.com/exploits/5086
        2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 || url,www.milw0rm.com/exploits/5087
        2007849 || ET TROJAN Kpang.com Related Trojan User-Agent (alertup)
        2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438
        2007851 || ET EXPLOIT Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit || cve,CVE-2006-6334 || bugtraq,21458 || url,www.milw0rm.com/exploits/5106
        2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
        2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981
        2007854 || ET MALWARE Suspicious User Agent - Possible Playmp3z or other Spyware Related (Mozilla)
        2404017 || ET DROP Known Bot C&C Server Traffic (group 18)  || url,www.shadowserver.org
        2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to bleeding-sid-msg.map.txt (33):
        2003238 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C
        2003239 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2)
        2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
        2007758 || ET TROJAN Eldorado.BHO User-Agent Detected (netcfg)
        2007779 || ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate)
        2007815 || ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
        2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929 || url,www.milw0rm.com/exploits/5049
        2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 || url,www.milw0rm.com/exploits/5102 || url,www.milw0rm.com/exploits/5049
        2007831 || ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push)
        2007832 || ET TROJAN Theoreon.com Related Trojan Checkin
        2007833 || ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5)
        2007834 || ET TROJAN Renos/ssd.com HTTP Checkin
        2007835 || ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)
        2007836 || ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related
        2007837 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (WinInet)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007839 || ET MALWARE Drpcclean.com Related Spyware User Agent (DrPCClean Transmit)
        2007840 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)
        2007841 || ET TROJAN W32.Downloader Tibs.ek Reporting to C&C
        2007842 || ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin
        2007844 || ET TROJAN Downloader Agent.isd Checkin
        2007845 || ET MALWARE Errclean.com Related Spyware User Agent (Locus NetInstaller)
        2007846 || ET MALWARE Berlinads3.com Related Spyware User Agent (StixAero Engine v1.5)
        2007847 || ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5100 || url,www.milw0rm.com/exploits/5086
        2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 || url,www.milw0rm.com/exploits/5087
        2007849 || ET TROJAN Kpang.com Related Trojan User-Agent (alertup)
        2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 || bugtraq,27438
        2007851 || ET EXPLOIT Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit || cve,CVE-2006-6334 || bugtraq,21458 || url,www.milw0rm.com/exploits/5106
        2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
        2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || bugtraq,27439 || url,www.milw0rm.com/exploits/4981
        2007854 || ET MALWARE Suspicious User Agent - Possible Playmp3z or other Spyware Related (Mozilla)
        2404017 || ET DROP Known Bot C&C Server Traffic (group 18)  || url,www.shadowserver.org
        2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to bleeding-virus.rules (5):
        #yet another c&c method, by matt jonkman
        #matt jonkman, sample marked Trojan-Downloader.Win32.Small.htz by fsecure
        #Matt Jonkman, Kaspersky  Trojan-Proxy.Win32.Agent.ty
        #Matt Jonkman, Kaspersky  Trojan-Proxy.Win32.Agent.blm
        #matt jonkman, downloader Agent.isd

     -> Added to bleeding.rules (2):
        #by Akash Mahajan of Stillsecure
        #by Akash Mahajan of Stillsecure

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 1052
        #  Generated 2008-02-08 01:03:03 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 1052
        #  Generated 2008-02-08 01:03:03 EDT

     -> Removed from bleeding-malware.rules (1):
        #maxthon related, by matt jonkman

     -> Removed from bleeding-sid-msg.map (9):
        2003238 || ET TROJAN W32.Downloader-388 (Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C
        2003239 || ET TROJAN W32.Downloader-388 (Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C (2)
        2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url, ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
        2007758 || ET TROJAN Eldorado.BHO User-Agent Detected
        2007779 || ET TROJAN Kpang.com Related Trojan User-Agent
        2007815 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader4 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
        2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
        2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 || url,www.milw0rm.com/exploits/5049
        2007830 || ET MALWARE Maxthom/Myie2.com Related Spyware User Agent (MyIE2)

     -> Removed from bleeding-sid-msg.map.txt (9):
        2003238 || ET TROJAN W32.Downloader-388 (Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C
        2003239 || ET TROJAN W32.Downloader-388 (Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C (2)
        2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url, ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
        2007758 || ET TROJAN Eldorado.BHO User-Agent Detected
        2007779 || ET TROJAN Kpang.com Related Trojan User-Agent
        2007815 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader4 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
        2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
        2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 || url,www.milw0rm.com/exploits/5049
        2007830 || ET MALWARE Maxthom/Myie2.com Related Spyware User Agent (MyIE2)

     -> Removed from bleeding-virus.rules (1):
        #first found by ClamAV