[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Wed Mar 19 17:00:09 EDT 2008


[***] Results from Oinkmaster started Wed Mar 19 17:00:09 2008 [***]

[+++]          Added rules:          [+++]

 2008016 - ET MALWARE Servicepack.kr Fake Patch Software Checkin (bleeding-malware.rules)
 2008017 - ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) (bleeding-virus.rules)
 2008018 - ET MALWARE Beautyscreens.com Related Spyware Install Success Report (bleeding-malware.rules)
 2008019 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https) (bleeding-virus.rules)
 2008020 - ET WORM Win32.Socks.s HTTP Post Checkin (bleeding-virus.rules)
 2008021 - ET TROJAN Turkojan C&C Initial Checkin (ams) (bleeding-virus.rules)
 2008022 - ET TROJAN Turkojan C&C Info Command (MINFO) (bleeding-virus.rules)
 2008023 - ET TROJAN Turkojan C&C Info Command Response (MINFO) (bleeding-virus.rules)
 2008024 - ET TROJAN Turkojan C&C Logs Parse Command (LOGS1) (bleeding-virus.rules)
 2008025 - ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1) (bleeding-virus.rules)
 2008026 - ET TROJAN Turkojan C&C Keepalive (BAGLANTI) (bleeding-virus.rules)
 2008027 - ET TROJAN Turkojan C&C Browse Drive Command (BROWSC) (bleeding-virus.rules)
 2008028 - ET TROJAN Turkojan C&C Browse Drive Command Response (metin) (bleeding-virus.rules)
 2008029 - ET TROJAN Turkojan C&C nxt Command (nxt) (bleeding-virus.rules)
 2008030 - ET TROJAN Turkojan C&C nxt Command Response (nxt) (bleeding-virus.rules)
 2008031 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound (bleeding-virus.rules)
 2008032 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound (bleeding-virus.rules)
 2008033 - ET TROJAN Banker.maf SMTP Checkin (Not in the Control...) (bleeding-virus.rules)
 2008034 - ET TROJAN LDPinch SMTP Password Report (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2007828 - ET TROJAN LDPinch Checkin (2) (bleeding-virus.rules)
 2007862 - ET TROJAN LDPinch Checkin (3) (bleeding-virus.rules)
 2007949 - ET TROJAN Medbod UDP Phone Home Packet (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (20):
        2007949 || ET TROJAN Medbod UDP Phone Home Packet
        2008016 || ET MALWARE Servicepack.kr Fake Patch Software Checkin
        2008017 || ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) || url,vil.nai.com/vil/content/v_141203.htm
        2008018 || ET MALWARE Beautyscreens.com Related Spyware Install Success Report
        2008019 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https)
        2008020 || ET WORM Win32.Socks.s HTTP Post Checkin
        2008021 || ET TROJAN Turkojan C&C Initial Checkin (ams)
        2008022 || ET TROJAN Turkojan C&C Info Command (MINFO)
        2008023 || ET TROJAN Turkojan C&C Info Command Response (MINFO)
        2008024 || ET TROJAN Turkojan C&C Logs Parse Command (LOGS1)
        2008025 || ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1)
        2008026 || ET TROJAN Turkojan C&C Keepalive (BAGLANTI)
        2008027 || ET TROJAN Turkojan C&C Browse Drive Command (BROWSC)
        2008028 || ET TROJAN Turkojan C&C Browse Drive Command Response (metin)
        2008029 || ET TROJAN Turkojan C&C nxt Command (nxt)
        2008030 || ET TROJAN Turkojan C&C nxt Command Response (nxt)
        2008031 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound
        2008032 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound
        2008033 || ET TROJAN Banker.maf SMTP Checkin (Not in the Control...)
        2008034 || ET TROJAN LDPinch SMTP Password Report

     -> Added to bleeding-sid-msg.map.txt (20):
        2007949 || ET TROJAN Medbod UDP Phone Home Packet
        2008016 || ET MALWARE Servicepack.kr Fake Patch Software Checkin
        2008017 || ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) || url,vil.nai.com/vil/content/v_141203.htm
        2008018 || ET MALWARE Beautyscreens.com Related Spyware Install Success Report
        2008019 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https)
        2008020 || ET WORM Win32.Socks.s HTTP Post Checkin
        2008021 || ET TROJAN Turkojan C&C Initial Checkin (ams)
        2008022 || ET TROJAN Turkojan C&C Info Command (MINFO)
        2008023 || ET TROJAN Turkojan C&C Info Command Response (MINFO)
        2008024 || ET TROJAN Turkojan C&C Logs Parse Command (LOGS1)
        2008025 || ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1)
        2008026 || ET TROJAN Turkojan C&C Keepalive (BAGLANTI)
        2008027 || ET TROJAN Turkojan C&C Browse Drive Command (BROWSC)
        2008028 || ET TROJAN Turkojan C&C Browse Drive Command Response (metin)
        2008029 || ET TROJAN Turkojan C&C nxt Command (nxt)
        2008030 || ET TROJAN Turkojan C&C nxt Command Response (nxt)
        2008031 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound
        2008032 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound
        2008033 || ET TROJAN Banker.maf SMTP Checkin (Not in the Control...)
        2008034 || ET TROJAN LDPinch SMTP Password Report

     -> Added to bleeding-virus.rules (5):
        #slso called Trojan.Dropper.RRM and Trojan.Win32.Inject.adt
        #win32.philis.J here
        #  Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or  GenPack:Trojan.Agent.AHAB
        #c&c session 2
        #by matt jonkman. Win32.Socks.s

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at ...3335... for analysis

     -> Removed from bleeding-sid-msg.map.txt (1):
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at ...3335... for analysis
