[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Sun Mar 23 17:00:09 EDT 2008


[***] Results from Oinkmaster started Sun Mar 23 17:00:09 2008 [***]

[+++]          Added rules:          [+++]

 2002976 - ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner (bleeding-virus.rules)
 2002978 - ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner (bleeding-virus.rules)
 2002980 - ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner (bleeding-virus.rules)
 2002981 - ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner (bleeding-virus.rules)
 2003931 - ET TROJAN Banker.Delf User-Agent (Varlok_11000) (bleeding-virus.rules)
 2003933 - ET TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
 2004442 - ET TROJAN Banker.Delf User-Agent (hhh) (bleeding-virus.rules)
 2007594 - ET TROJAN Banker.Delf User-Agent (MzApp) (bleeding-virus.rules)
 2007699 - ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS) (bleeding-virus.rules)
 2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
 2007858 - ET TROJAN Delf Keylog FTP Upload (bleeding-virus.rules)
 2007867 - ET TROJAN Delf HTTP Post Checkin (1) (bleeding-virus.rules)
 2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
 2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (bleeding-virus.rules)
 2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
 2008006 - ET TROJAN Delf CnC Channel Packet 1 (bleeding-virus.rules)
 2008007 - ET TROJAN Delf CnC Channel Packet 1 reply (bleeding-virus.rules)
 2008008 - ET TROJAN Delf CnC Channel Checkin Replies (bleeding-virus.rules)
 2008009 - ET TROJAN Delf CnC Channel Keepalive Pong (bleeding-virus.rules)
 2008010 - ET TROJAN Delf CnC Channel Keepalive Ping (bleeding-virus.rules)
 2008041 - ET TROJAN Hupigon CnC init (variant abb) (bleeding-virus.rules)
 2008042 - ET TROJAN Hupigon CnC Data Post (variant abb) (bleeding-virus.rules)
 2008044 - ET TROJAN Delf Checkin via HTTP (5) (bleeding-virus.rules)
 2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report (bleeding.rules)
 2008046 - ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 [account verification]) (bleeding-malware.rules)
 2008047 - ET TROJAN Egspy Infection Report via HTTP (bleeding-virus.rules)
 2008048 - ET MALWARE Suspicious User-Agent (Version 1.23) (bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2008038 - ET MALWARE Suspicious User Agent (Mozilla/4.0 (compatible\; ICS)) (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2008006 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 (bleeding.rules)
 2008007 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply (bleeding.rules)
 2008008 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies (bleeding.rules)
 2008009 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong (bleeding.rules)
 2008010 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping (bleeding.rules)
20078041 - ET TROJAN Hupigon CnC init (variant abb) (bleeding-virus.rules)
20078042 - ET TROJAN Hupigon CnC Data Post (variant abb) (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (27):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2008006 || ET TROJAN Delf CnC Channel Packet 1
        2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
        2008008 || ET TROJAN Delf CnC Channel Checkin Replies
        2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
        2008010 || ET TROJAN Delf CnC Channel Keepalive Ping
        2008041 || ET TROJAN Hupigon CnC init (variant abb)
        2008042 || ET TROJAN Hupigon CnC Data Post (variant abb)
        2008044 || ET TROJAN Delf Checkin via HTTP (5)
        2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report || url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
        2008046 || ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 [account verification])
        2008047 || ET TROJAN Egspy Infection Report via HTTP || url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
        2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)

     -> Added to bleeding-sid-msg.map.txt (27):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2008006 || ET TROJAN Delf CnC Channel Packet 1
        2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
        2008008 || ET TROJAN Delf CnC Channel Checkin Replies
        2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
        2008010 || ET TROJAN Delf CnC Channel Keepalive Ping
        2008041 || ET TROJAN Hupigon CnC init (variant abb)
        2008042 || ET TROJAN Hupigon CnC Data Post (variant abb)
        2008044 || ET TROJAN Delf Checkin via HTTP (5)
        2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report || url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
        2008046 || ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 [account verification])
        2008047 || ET TROJAN Egspy Infection Report via HTTP || url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
        2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)

     -> Added to bleeding-virus.rules (7):
        # This thing send out an email to it's owner with stats and such. This ought to catch it..
        #another variant
        #Yet another
        #yet another c&c method, by matt jonkman
        #delf keylog upload, kinda flimsy but works
        #by Victor Julien
        #re sample 41c62970ea34413c4011b220724bf029

     -> Added to bleeding.rules (2):
        #experimental, see
        #by william metcalf

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (7):
        2008006 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1
        2008007 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply
        2008008 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies
        2008009 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong
        2008010 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping
        20078041 || ET TROJAN Hupigon CnC init (variant abb)
        20078042 || ET TROJAN Hupigon CnC Data Post (variant abb)

     -> Removed from bleeding-sid-msg.map.txt (7):
        2008006 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1
        2008007 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply
        2008008 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies
        2008009 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong
        2008010 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping
        20078041 || ET TROJAN Hupigon CnC init (variant abb)
        20078042 || ET TROJAN Hupigon CnC Data Post (variant abb)

     -> Removed from bleeding.rules (3):
        #by matt jonkman
        #holding here till the malware gets a name, so far unknown by AV other than heuristically bad
        #re sample 41c62970ea34413c4011b220724bf029
