[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Wed Jan 30 17:00:07 EST 2008


[***] Results from Oinkmaster started Wed Jan 30 17:00:07 2008 [***]

[+++]          Added rules:          [+++]

 2007803 - ET TROJAN Win32.Inject.ql Checkin Post (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001711 - ET MALWARE Likely Spambot Web-based Control Traffic (bleeding-malware.rules)
 2002988 - ET MALWARE Possible Spambot Checking in to Spam (bleeding-malware.rules)
 2002989 - ET MALWARE Possible Spambot getting new exe url (bleeding-malware.rules)
 2002990 - ET MALWARE Possible Spambot Pulling IP List to Spam (bleeding-malware.rules)
 2002991 - ET MALWARE Possible Spambot getting new exe (bleeding-malware.rules)
 2006425 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin (bleeding-malware.rules)
 2006426 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (bleeding-malware.rules)
 2006427 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check (bleeding-malware.rules)
 2006428 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open) (bleeding-malware.rules)
 2006431 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (bleeding-malware.rules)
 2006432 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret) (bleeding-malware.rules)
 2006433 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result) (bleeding-malware.rules)
 2007642 - ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs) (bleeding-malware.rules)
 2007771 - BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected (bleeding-virus.rules)
 2007773 - BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected (bleeding-virus.rules)


[///]    Modified inactive rules:    [///]

 2001815 - ET Spambot Suspicious 220 Banner on Local Port (bleeding-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (15):
        2001711 || ET MALWARE Likely Spambot Web-based Control Traffic
        2001815 || ET Spambot Suspicious 220 Banner on Local Port
        2002988 || ET MALWARE Possible Spambot Checking in to Spam
        2002989 || ET MALWARE Possible Spambot getting new exe url
        2002990 || ET MALWARE Possible Spambot Pulling IP List to Spam
        2002991 || ET MALWARE Possible Spambot getting new exe
        2006425 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin
        2006426 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin
        2006427 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check
        2006428 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)
        2006431 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post
        2006432 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)
        2006433 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)
        2007642 || ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)
        2007803 || ET TROJAN Win32.Inject.ql Checkin Post

     -> Added to bleeding-sid-msg.map.txt (15):
        2001711 || ET MALWARE Likely Spambot Web-based Control Traffic
        2001815 || ET Spambot Suspicious 220 Banner on Local Port
        2002988 || ET MALWARE Possible Spambot Checking in to Spam
        2002989 || ET MALWARE Possible Spambot getting new exe url
        2002990 || ET MALWARE Possible Spambot Pulling IP List to Spam
        2002991 || ET MALWARE Possible Spambot getting new exe
        2006425 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin
        2006426 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin
        2006427 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check
        2006428 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)
        2006431 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post
        2006432 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)
        2006433 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)
        2007642 || ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)
        2007803 || ET TROJAN Win32.Inject.ql Checkin Post

     -> Added to bleeding-virus.rules (2):
        #kind of a general inject win32 kinda thing, but seeing it frequently
        # such as 7438b695c0f32cb5c3a0a89485a362c1, by matt jonkman

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (14):
        2001711 || "ET MALWARE Likely Spambot Web-based Control Traffic
        2001815 || "ET Spambot Suspicious 220 Banner on Local Port
        2002988 || "ET MALWARE Possible Spambot Checking in to Spam
        2002989 || "ET MALWARE Possible Spambot getting new exe url
        2002990 || "ET MALWARE Possible Spambot Pulling IP List to Spam
        2002991 || "ET MALWARE Possible Spambot getting new exe
        2006425 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin
        2006426 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin
        2006427 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check
        2006428 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)
        2006431 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post
        2006432 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)
        2006433 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)
        2007642 || "ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)

     -> Removed from bleeding-sid-msg.map.txt (14):
        2001711 || "ET MALWARE Likely Spambot Web-based Control Traffic
        2001815 || "ET Spambot Suspicious 220 Banner on Local Port
        2002988 || "ET MALWARE Possible Spambot Checking in to Spam
        2002989 || "ET MALWARE Possible Spambot getting new exe url
        2002990 || "ET MALWARE Possible Spambot Pulling IP List to Spam
        2002991 || "ET MALWARE Possible Spambot getting new exe
        2006425 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin
        2006426 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin
        2006427 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check
        2006428 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)
        2006431 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post
        2006432 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)
        2006433 || "ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)
        2007642 || "ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)




