[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335... emerging at ...3335...
Sat Mar 8 19:00:09 EST 2008


[***] Results from Oinkmaster started Sat Mar  8 19:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2007843 - ET TROJAN Bzub2 Related RPC/Http Checkin (bleeding-virus.rules)
 2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe) (bleeding.rules)
 2007903 - ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
 2007904 - ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
 2007905 - ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
 2007906 - ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF (bleeding-game.rules)
 2007907 - ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF (bleeding-exploit.rules)
 2007908 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA) (bleeding-malware.rules)
 2007909 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN) (bleeding-malware.rules)
 2007910 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN) (bleeding-malware.rules)
 2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
 2007912 - ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg) (bleeding-virus.rules)
 2007913 - ET TROJAN Dialer.MC(vf) HTTP Request - Checkin (bleeding-virus.rules)
 2007914 - ET WORM SDBot HTTP Checkin (bleeding-virus.rules)
 2007917 - ET TROJAN Dropper-497 (Yumato) Initial Checkin (bleeding-virus.rules)
 2007918 - ET TROJAN Dropper-497 (Yumato) System Stats Report (bleeding-virus.rules)
 2007919 - ET TROJAN Dropper-497 Yumato Reply from server (bleeding-virus.rules)
 2007920 - ET TROJAN Dropper-497 (Yumato) Status Reply from server (bleeding-virus.rules)
 2007921 - ET MALWARE Suspicious User Agent (Explorer) (bleeding-malware.rules)
 2007922 - ET TROJAN Backdoor.Win32.VB.brg C&C Checkin (bleeding-virus.rules)
 2007923 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital) (bleeding-virus.rules)
 2007924 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded) (bleeding-virus.rules)
 2007925 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames) (bleeding-virus.rules)
 2007926 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0) (bleeding-virus.rules)
 2007927 - ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey) (bleeding-malware.rules)
 2007928 - ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd) (bleeding-malware.rules)
 2007929 - ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible\; )) (bleeding-malware.rules)
 2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (bleeding-virus.rules)
 2007931 - ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability (bleeding-exploit.rules)
 2007932 - ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (bleeding-exploit.rules)
 2007933 - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability (bleeding-exploit.rules)
 2007934 - ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability (bleeding-exploit.rules)
 2007935 - ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fs3update) (bleeding-malware.rules)
 2007936 - ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability (bleeding-web.rules)
 2007937 - ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (bleeding-exploit.rules)
 2007938 - ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager) (bleeding-malware.rules)
 2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
 2007940 - ET TROJAN Banker.ili HTTP Checkin (bleeding-virus.rules)
 2007941 - ET MALWARE Invalid HTTP GET Request - Often Malware Related (bleeding-malware.rules)
 2007942 - ET MALWARE Suspicious User Agent (_) (bleeding-malware.rules)
 2007943 - ET MALWARE Suspicious User Agent (HTTP) (bleeding-malware.rules)
 2007944 - ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008) (bleeding-malware.rules)
 2007945 - ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php) (bleeding-malware.rules)
 2007946 - ET MALWARE Suspicious User Agent (popup) (bleeding-malware.rules)
 2007947 - ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup) (bleeding-malware.rules)
 2007948 - ET MALWARE Suspicious User Agent (--) (bleeding-malware.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (bleeding-botcc.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2406035 - ET RBN Known Russian Business Network Monitored Domains (31) (bleeding-rbn.rules)
 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (bleeding-rbn-BLOCK.rules)


[///]     Modified active rules:     [///]

 2002157 - ET POLICY Skype User-Agent detected (bleeding-policy.rules)
 2002383 - ET SCAN Potential FTP Brute-Force attempt (bleeding-scan.rules)
 2002950 - ET POLICY TOR 1.0 Server Key Retrieval (bleeding-policy.rules)
 2006429 - ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile) (bleeding-malware.rules)
 2006430 - ET MALWARE Karine.co.kr Related Spyware User Agent (Access down) (bleeding-malware.rules)
 2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (bleeding-policy.rules)
 2007701 - ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1) (bleeding-virus.rules)
 2007702 - ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2) (bleeding-virus.rules)
 2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe) (bleeding.rules)
 2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe) (bleeding.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (bleeding-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (bleeding-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (bleeding-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (bleeding-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (bleeding-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (bleeding-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (bleeding-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (bleeding-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (bleeding-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (bleeding-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (bleeding-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (bleeding-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (bleeding-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (bleeding-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (bleeding-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (bleeding-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (bleeding-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (bleeding-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (bleeding-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
 2406005 - ET RBN Known Russian Business Network Monitored Domains (1) (bleeding-rbn.rules)
 2406006 - ET RBN Known Russian Business Network Monitored Domains (2) (bleeding-rbn.rules)
 2406007 - ET RBN Known Russian Business Network Monitored Domains (3) (bleeding-rbn.rules)
 2406008 - ET RBN Known Russian Business Network Monitored Domains (4) (bleeding-rbn.rules)
 2406009 - ET RBN Known Russian Business Network Monitored Domains (5) (bleeding-rbn.rules)
 2406010 - ET RBN Known Russian Business Network Monitored Domains (6) (bleeding-rbn.rules)
 2406011 - ET RBN Known Russian Business Network Monitored Domains (7) (bleeding-rbn.rules)
 2406012 - ET RBN Known Russian Business Network Monitored Domains (8) (bleeding-rbn.rules)
 2406013 - ET RBN Known Russian Business Network Monitored Domains (9) (bleeding-rbn.rules)
 2406014 - ET RBN Known Russian Business Network Monitored Domains (10) (bleeding-rbn.rules)
 2406015 - ET RBN Known Russian Business Network Monitored Domains (11) (bleeding-rbn.rules)
 2406016 - ET RBN Known Russian Business Network Monitored Domains (12) (bleeding-rbn.rules)
 2406017 - ET RBN Known Russian Business Network Monitored Domains (13) (bleeding-rbn.rules)
 2406018 - ET RBN Known Russian Business Network Monitored Domains (14) (bleeding-rbn.rules)
 2406019 - ET RBN Known Russian Business Network Monitored Domains (15) (bleeding-rbn.rules)
 2406020 - ET RBN Known Russian Business Network Monitored Domains (16) (bleeding-rbn.rules)
 2406021 - ET RBN Known Russian Business Network Monitored Domains (17) (bleeding-rbn.rules)
 2406022 - ET RBN Known Russian Business Network Monitored Domains (18) (bleeding-rbn.rules)
 2406023 - ET RBN Known Russian Business Network Monitored Domains (19) (bleeding-rbn.rules)
 2406024 - ET RBN Known Russian Business Network Monitored Domains (20) (bleeding-rbn.rules)
 2406025 - ET RBN Known Russian Business Network Monitored Domains (21) (bleeding-rbn.rules)
 2406026 - ET RBN Known Russian Business Network Monitored Domains (22) (bleeding-rbn.rules)
 2406027 - ET RBN Known Russian Business Network Monitored Domains (23) (bleeding-rbn.rules)
 2406028 - ET RBN Known Russian Business Network Monitored Domains (24) (bleeding-rbn.rules)
 2406029 - ET RBN Known Russian Business Network Monitored Domains (25) (bleeding-rbn.rules)
 2406030 - ET RBN Known Russian Business Network Monitored Domains (26) (bleeding-rbn.rules)
 2406031 - ET RBN Known Russian Business Network Monitored Domains (27) (bleeding-rbn.rules)
 2406032 - ET RBN Known Russian Business Network Monitored Domains (28) (bleeding-rbn.rules)
 2406033 - ET RBN Known Russian Business Network Monitored Domains (29) (bleeding-rbn.rules)
 2406034 - ET RBN Known Russian Business Network Monitored Domains (30) (bleeding-rbn.rules)
 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (bleeding-rbn-BLOCK.rules)
 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (bleeding-rbn-BLOCK.rules)
 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (bleeding-rbn-BLOCK.rules)
 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (bleeding-rbn-BLOCK.rules)
 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (bleeding-rbn-BLOCK.rules)
 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (bleeding-rbn-BLOCK.rules)
 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (bleeding-rbn-BLOCK.rules)
 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (bleeding-rbn-BLOCK.rules)
 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (bleeding-rbn-BLOCK.rules)
 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (bleeding-rbn-BLOCK.rules)
 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (bleeding-rbn-BLOCK.rules)
 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (bleeding-rbn-BLOCK.rules)
 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (bleeding-rbn-BLOCK.rules)
 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (bleeding-rbn-BLOCK.rules)
 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (bleeding-rbn-BLOCK.rules)
 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (bleeding-rbn-BLOCK.rules)
 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (bleeding-rbn-BLOCK.rules)
 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (bleeding-rbn-BLOCK.rules)
 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (bleeding-rbn-BLOCK.rules)
 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (bleeding-rbn-BLOCK.rules)
 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (bleeding-rbn-BLOCK.rules)
 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (bleeding-rbn-BLOCK.rules)
 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (bleeding-rbn-BLOCK.rules)
 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (bleeding-rbn-BLOCK.rules)
 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (bleeding-rbn-BLOCK.rules)
 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (bleeding-rbn-BLOCK.rules)
 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (bleeding-rbn-BLOCK.rules)
 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (bleeding-rbn-BLOCK.rules)
 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (bleeding-rbn-BLOCK.rules)
 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (bleeding-rbn-BLOCK.rules)


[///]    Modified inactive rules:    [///]

 2006424 - ET MALWARE Karine.co.kr Related Spyware User Agent (WebUpdate) (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2007835 - ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe) (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 1081
        #  Generated 2008-03-08 01:03:00 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 1081
        #  Generated 2008-03-08 01:03:00 EDT

     -> Added to bleeding-exploit.rules (3):
        #by Akash Mahajan at stillsecure
        #by Akash Mahajan at Stillsecure
        #by Akash Mahajan of stillsecure

     -> Added to bleeding-game.rules (1):
        #by Akash Mahajan at Stillsecure

     -> Added to bleeding-malware.rules (5):
        # Seeing several bits of malware that are creating their http get's
        #  incorrectly. They're adding an http://domain.com/url to the GET string,
        #  which should be just the uri. This will catch those
        #fake av package, sigs by matt jonkman
        #by victor julien

     -> Added to bleeding-rbn-BLOCK.rules (2):
        #  VERSION 37
        #  Updated 2008-03-06 19:56:19

     -> Added to bleeding-rbn.rules (2):
        #  VERSION 37
        #  Updated 2008-03-06 19:56:19

     -> Added to bleeding-sid-msg.map (53):
        2002950 || ET POLICY TOR 1.0 Server Key Retrieval || url,tor.eff.org
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007843 || ET TROJAN Bzub2 Related RPC/Http Checkin
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
        2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
        2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
        2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
        2007906 || ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
        2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
        2007908 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA)
        2007909 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)
        2007910 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)
        2007911 || ET TROJAN Delf Download via HTTP
        2007912 || ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)
        2007913 || ET TROJAN Dialer.MC(vf) HTTP Request - Checkin
        2007914 || ET WORM SDBot HTTP Checkin
        2007917 || ET TROJAN Dropper-497 (Yumato) Initial Checkin || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007918 || ET TROJAN Dropper-497 (Yumato) System Stats Report || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007919 || ET TROJAN Dropper-497 Yumato Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007920 || ET TROJAN Dropper-497 (Yumato) Status Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007921 || ET MALWARE Suspicious User Agent (Explorer)
        2007922 || ET TROJAN Backdoor.Win32.VB.brg C&C Checkin
        2007923 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital)
        2007924 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded)
        2007925 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames)
        2007926 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)
        2007927 || ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey)
        2007928 || ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd)
        2007929 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible\; ))
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877
        2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205
        2007933 || ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
        2007934 || ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
        2007935 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fs3update)
        2007936 || ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt
        2007937 || ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow || url,aluigi.altervista.org/adv/visibroken-adv.txt || bugtraq,28084
        2007938 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager)
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2007940 || ET TROJAN Banker.ili HTTP Checkin
        2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941
        2007942 || ET MALWARE Suspicious User Agent (_)
        2007943 || ET MALWARE Suspicious User Agent (HTTP)
        2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
        2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)
        2007946 || ET MALWARE Suspicious User Agent (popup)
        2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup)
        2007948 || ET MALWARE Suspicious User Agent (--)
        2404019 || ET DROP Known Bot C&C Server Traffic (group 20)  || url,www.shadowserver.org
        2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
        2406035 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork

     -> Added to bleeding-sid-msg.map.txt (53):
        2002950 || ET POLICY TOR 1.0 Server Key Retrieval || url,tor.eff.org
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
        2007843 || ET TROJAN Bzub2 Related RPC/Http Checkin
        2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
        2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
        2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
        2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
        2007906 || ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
        2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
        2007908 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA)
        2007909 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)
        2007910 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)
        2007911 || ET TROJAN Delf Download via HTTP
        2007912 || ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)
        2007913 || ET TROJAN Dialer.MC(vf) HTTP Request - Checkin
        2007914 || ET WORM SDBot HTTP Checkin
        2007917 || ET TROJAN Dropper-497 (Yumato) Initial Checkin || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007918 || ET TROJAN Dropper-497 (Yumato) System Stats Report || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007919 || ET TROJAN Dropper-497 Yumato Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007920 || ET TROJAN Dropper-497 (Yumato) Status Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
        2007921 || ET MALWARE Suspicious User Agent (Explorer)
        2007922 || ET TROJAN Backdoor.Win32.VB.brg C&C Checkin
        2007923 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital)
        2007924 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded)
        2007925 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames)
        2007926 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)
        2007927 || ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey)
        2007928 || ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd)
        2007929 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible\; ))
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877
        2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205
        2007933 || ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
        2007934 || ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
        2007935 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fs3update)
        2007936 || ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt
        2007937 || ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow || url,aluigi.altervista.org/adv/visibroken-adv.txt || bugtraq,28084
        2007938 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager)
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2007940 || ET TROJAN Banker.ili HTTP Checkin
        2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941
        2007942 || ET MALWARE Suspicious User Agent (_)
        2007943 || ET MALWARE Suspicious User Agent (HTTP)
        2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
        2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)
        2007946 || ET MALWARE Suspicious User Agent (popup)
        2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup)
        2007948 || ET MALWARE Suspicious User Agent (--)
        2404019 || ET DROP Known Bot C&C Server Traffic (group 20)  || url,www.shadowserver.org
        2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
        2406035 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork

     -> Added to bleeding-virus.rules (4):
        #by Victor Julien
        #Banker.ili by matt jonkman
        #matt jonkman, labeled logsnif, bzub2, dopip
        #discovered by victor julien, sigs by matt jonkman, interesting one. Uses an html-like tag language on 8181

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 1073
        #  Generated 2008-02-29 01:03:00 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 1073
        #  Generated 2008-02-29 01:03:00 EDT

     -> Removed from bleeding-rbn-BLOCK.rules (2):
        #  VERSION 36
        #  Updated 2008-02-21 10:21:51

     -> Removed from bleeding-rbn.rules (2):
        #  VERSION 36
        #  Updated 2008-02-21 10:21:51

     -> Removed from bleeding-sid-msg.map (4):
        2002950 || ET POLICY TOR 1.0 Server Key Retrival || url,tor.eff.org
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (withlove.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (with_love.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
        2007835 || ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)

     -> Removed from bleeding-sid-msg.map.txt (4):
        2002950 || ET POLICY TOR 1.0 Server Key Retrival || url,tor.eff.org
        2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (withlove.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
        2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (with_love.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
        2007835 || ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)





More information about the Snort-sigs mailing list