[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335... emerging at ...3335...
Mon Mar 10 17:00:11 EDT 2008


[***] Results from Oinkmaster started Mon Mar 10 17:00:11 2008 [***]

[+++]          Added rules:          [+++]

 2002959 - ET TROJAN Tibs Checkin (bleeding-virus.rules)
 2002960 - ET TROJAN Tibs Download (bleeding-virus.rules)
 2002961 - ET TROJAN Tibs Checkin 2 (bleeding-virus.rules)
 2002962 - ET TROJAN Tibs Code Download (bleeding-virus.rules)
 2002963 - ET TROJAN Generic Spambot-Spyware Access (bleeding-virus.rules)
 2002964 - ET TROJAN Generic Spyware Update Download (bleeding-virus.rules)
 2002965 - ET TROJAN Generic Spambot Spam Download (bleeding-virus.rules)
 2007960 - ET MALWARE Suspicious User Agent (AutoItScript/3.2.10.0) (bleeding-malware.rules)
 2007961 - ET MALWARE Fake Wget User Agent - Likely Hostile (wget 3.0) (bleeding-malware.rules)
 2007962 - ET TROJAN Vipdataend C&C Traffic - Checkin (bleeding-virus.rules)
 2007963 - ET TROJAN Vipdataend C&C Traffic - Status OK (bleeding-virus.rules)
 2007964 - ET TROJAN Vipdataend C&C Traffic - Server Status OK (bleeding-virus.rules)
 2007965 - ET TROJAN Goldun Reporting Install (bleeding-virus.rules)
 2007966 - ET TROJAN Win32.Inject.zy Checkin Post (bleeding-virus.rules)
 2007967 - ET TROJAN Universal1337 FTP Upload of Compromised Data (bleeding-virus.rules)
 2007968 - ET TROJAN Universal1337 Email Upload of Compromised Data (bleeding-virus.rules)
 2007970 - ET TROJAN Vipdataend C&C Traffic - Checkin (XY) (bleeding-virus.rules)
 2007971 - ET POLICY SSN Detected in Clear Text (SSN ) (bleeding-policy.rules)
 2007972 - ET POLICY SSN Detected in Clear Text (SSN# ) (bleeding-policy.rules)
 2007973 - ET TROJAN Perfect Keylogger FTP Initial Install Log Upload (bleeding-virus.rules)
 2007974 - ET TROJAN Perfect Keylogger FTP Log Upload (bleeding-virus.rules)
 2007975 - ET TROJAN Common Downloader Trojan Checkin (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2002029 - ET TROJAN BOT - channel topic scan/exploit command (bleeding-virus.rules)
 2002030 - ET TROJAN BOT - potential scan/exploit command (bleeding-virus.rules)
 2002031 - ET TROJAN BOT - potential update/download (bleeding-virus.rules)
 2002032 - ET TROJAN BOT - potential DDoS command (1) (bleeding-virus.rules)
 2002033 - ET TROJAN BOT - potential response (bleeding-virus.rules)
 2002363 - ET TROJAN BOT - potential reptile commands (bleeding-virus.rules)
 2002384 - ET TROJAN BOT - potential misc bot commands (bleeding-virus.rules)
 2002385 - ET TROJAN BOT - channel topic reptile commands (bleeding-virus.rules)
 2002386 - ET TROJAN BOT - channel topic misc bot commands (bleeding-virus.rules)
 2002775 - ET TROJAN Goldun Reporting User Activity (bleeding-virus.rules)
 2002780 - ET TROJAN Goldun Reporting User Activity 2 (bleeding-virus.rules)
 2003132 - ET TROJAN BOT - potential DDoS command (2) (bleeding-virus.rules)
 2003157 - ET TROJAN Agobot-SDBot Commands (bleeding-virus.rules)
 2003208 - ET TROJAN pBot (PHP bot) Commands (bleeding-virus.rules)
 2006910 - ET TROJAN perlb0t/w0rmb0t Response (Case 1) (bleeding-virus.rules)
 2006911 - ET TROJAN perlb0t/w0rmb0t Response (Case 2) (bleeding-virus.rules)
 2006912 - ET TROJAN perlb0t/w0rmb0t Response (Case 3) (bleeding-virus.rules)
 2007828 - ET TROJAN LDPinch Checkin (2) (bleeding-virus.rules)
 2007862 - ET TROJAN LDPinch Checkin (3) (bleeding-virus.rules)
 2007949 - ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at ...3335... for analysis (bleeding-virus.rules)


[///]    Modified inactive rules:    [///]

 2001328 - ET POLICY SSN Detected in Clear Text (dashed) (bleeding-policy.rules)
 2001384 - ET POLICY SSN Detected in Clear Text (spaced) (bleeding-policy.rules)


[---]         Removed rules:         [---]

 2002959 - ET MALWARE Blueskyltd.biz Spyware Checkin (bleeding-malware.rules)
 2002960 - ET MALWARE Blueskyltd.biz Spyware Download (bleeding-malware.rules)
 2002961 - ET MALWARE Blueskyltd.biz Spyware Checkin 2 (bleeding-malware.rules)
 2002962 - ET MALWARE nov.ru Spyware Code Download (bleeding-malware.rules)
 2002963 - ET MALWARE Generic Spambot-Spyware Access (bleeding-malware.rules)
 2002964 - ET MALWARE Generic Spyware Update Download (bleeding-malware.rules)
 2002965 - ET MALWARE Generic Spambot Spam Download (bleeding-malware.rules)
 2003107 - ET TROJAN Possible Goldun Dropsite 1 (bleeding-virus.rules)
 2003108 - ET TROJAN Possible Goldun Dropsite 2 (bleeding-virus.rules)
 2007879 - ET EXPLOIT Cyan Soft Products Format String Vulnerability (bleeding-exploit.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (24):
        2001328 || ET POLICY SSN Detected in Clear Text (dashed)
        2001384 || ET POLICY SSN Detected in Clear Text (spaced)
        2002959 || ET TROJAN Tibs Checkin
        2002960 || ET TROJAN Tibs Download
        2002961 || ET TROJAN Tibs Checkin 2
        2002962 || ET TROJAN Tibs Code Download
        2002963 || ET TROJAN Generic Spambot-Spyware Access
        2002964 || ET TROJAN Generic Spyware Update Download
        2002965 || ET TROJAN Generic Spambot Spam Download
        2007960 || ET MALWARE Suspicious User Agent (AutoItScript/3.2.10.0)
        2007961 || ET MALWARE Fake Wget User Agent - Likely Hostile (wget 3.0)
        2007962 || ET TROJAN Vipdataend C&C Traffic - Checkin
        2007963 || ET TROJAN Vipdataend C&C Traffic - Status OK
        2007964 || ET TROJAN Vipdataend C&C Traffic - Server Status OK
        2007965 || ET TROJAN Goldun Reporting Install
        2007966 || ET TROJAN Win32.Inject.zy Checkin Post
        2007967 || ET TROJAN Universal1337 FTP Upload of Compromised Data || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337
        2007968 || ET TROJAN Universal1337 Email Upload of Compromised Data || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337
        2007970 || ET TROJAN Vipdataend C&C Traffic - Checkin (XY)
        2007971 || ET POLICY SSN Detected in Clear Text (SSN )
        2007972 || ET POLICY SSN Detected in Clear Text (SSN# )
        2007973 || ET TROJAN Perfect Keylogger FTP Initial Install Log Upload
        2007974 || ET TROJAN Perfect Keylogger FTP Log Upload
        2007975 || ET TROJAN Common Downloader Trojan Checkin

     -> Added to bleeding-sid-msg.map.txt (24):
        2001328 || ET POLICY SSN Detected in Clear Text (dashed)
        2001384 || ET POLICY SSN Detected in Clear Text (spaced)
        2002959 || ET TROJAN Tibs Checkin
        2002960 || ET TROJAN Tibs Download
        2002961 || ET TROJAN Tibs Checkin 2
        2002962 || ET TROJAN Tibs Code Download
        2002963 || ET TROJAN Generic Spambot-Spyware Access
        2002964 || ET TROJAN Generic Spyware Update Download
        2002965 || ET TROJAN Generic Spambot Spam Download
        2007960 || ET MALWARE Suspicious User Agent (AutoItScript/3.2.10.0)
        2007961 || ET MALWARE Fake Wget User Agent - Likely Hostile (wget 3.0)
        2007962 || ET TROJAN Vipdataend C&C Traffic - Checkin
        2007963 || ET TROJAN Vipdataend C&C Traffic - Status OK
        2007964 || ET TROJAN Vipdataend C&C Traffic - Server Status OK
        2007965 || ET TROJAN Goldun Reporting Install
        2007966 || ET TROJAN Win32.Inject.zy Checkin Post
        2007967 || ET TROJAN Universal1337 FTP Upload of Compromised Data || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337
        2007968 || ET TROJAN Universal1337 Email Upload of Compromised Data || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337
        2007970 || ET TROJAN Vipdataend C&C Traffic - Checkin (XY)
        2007971 || ET POLICY SSN Detected in Clear Text (SSN )
        2007972 || ET POLICY SSN Detected in Clear Text (SSN# )
        2007973 || ET TROJAN Perfect Keylogger FTP Initial Install Log Upload
        2007974 || ET TROJAN Perfect Keylogger FTP Log Upload
        2007975 || ET TROJAN Common Downloader Trojan Checkin

     -> Added to bleeding-virus.rules (1):
        #by Matt Jonkman, significant update from Don Jackson of Secureworks

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (12):
        2001328 || ET POLICY SSN Detected in Clear Text
        2001384 || ET POLICY SSN Detected in Clear Text
        2002959 || ET MALWARE Blueskyltd.biz Spyware Checkin
        2002960 || ET MALWARE Blueskyltd.biz Spyware Download
        2002961 || ET MALWARE Blueskyltd.biz Spyware Checkin 2
        2002962 || ET MALWARE nov.ru Spyware Code Download
        2002963 || ET MALWARE Generic Spambot-Spyware Access
        2002964 || ET MALWARE Generic Spyware Update Download
        2002965 || ET MALWARE Generic Spambot Spam Download
        2003107 || ET TROJAN Possible Goldun Dropsite 1
        2003108 || ET TROJAN Possible Goldun Dropsite 2
        2007879 || ET EXPLOIT Cyan Soft Products Format String Vulnerability || url,aluigi.altervista.org/adv/cyanuro-adv.txt || bugtraq,27728 || cve,CVE-2008-0755

     -> Removed from bleeding-sid-msg.map.txt (12):
        2001328 || ET POLICY SSN Detected in Clear Text
        2001384 || ET POLICY SSN Detected in Clear Text
        2002959 || ET MALWARE Blueskyltd.biz Spyware Checkin
        2002960 || ET MALWARE Blueskyltd.biz Spyware Download
        2002961 || ET MALWARE Blueskyltd.biz Spyware Checkin 2
        2002962 || ET MALWARE nov.ru Spyware Code Download
        2002963 || ET MALWARE Generic Spambot-Spyware Access
        2002964 || ET MALWARE Generic Spyware Update Download
        2002965 || ET MALWARE Generic Spambot Spam Download
        2003107 || ET TROJAN Possible Goldun Dropsite 1
        2003108 || ET TROJAN Possible Goldun Dropsite 2
        2007879 || ET EXPLOIT Cyan Soft Products Format String Vulnerability || url,aluigi.altervista.org/adv/cyanuro-adv.txt || bugtraq,27728 || cve,CVE-2008-0755

     -> Removed from bleeding-virus.rules (1):
        # Submitted 2006-09-22 by Frank Knobbe




