[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Sep 20 18:00:08 EDT 2008


[***] Results from Oinkmaster started Sat Sep 20 18:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2008551 - ET TROJAN Banito/Agent.pb Pass Stealer Email Report Outbound (emerging-virus.rules)
 2008552 - ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely (emerging.rules)
 2008553 - ET WEB WordPress Random Password Generation Insufficient Entropy Attack (emerging-web.rules)
 2008554 - ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan (emerging.rules)
 2008555 - ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan (emerging.rules)
 2008556 - ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious (emerging-attack_response.rules)
 2008557 - ET TROJAN Likely EXE Cryptor Packed Binary - Likely Malware (emerging-virus.rules)
 2008558 - ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper) (emerging-malware.rules)
 2008559 - ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection (emerging-attack_response.rules)
 2008560 - ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack (emerging-scan.rules)
 2008561 - ET POLICY External Unencrypted Connection To Aanval Console (emerging-policy.rules)
 2008562 - ET Suspicious SMTP handshake outbound (emerging.rules)
 2008563 - ET Suspicious SMTP handshake reply (emerging.rules)
 2008564 - ET MALWARE Suspicious User-Agent (Internet HTTP Request) (emerging-malware.rules)
 2008565 - ET MALWARE Macrovision.com Spyware Related User-Agent (Macrovision_DM_2.19) (emerging-malware.rules)
 2008567 - ET TROJAN Win32.Crypt.nc Checkin (emerging-virus.rules)
 2008568 - ET SCAN Voiper Toolkit Torturer Scan (emerging-scan.rules)
 2008569 - ET POLICY External Unencrypted Connection to Ossec WUI (emerging-policy.rules)
 2008570 - ET POLICY External Unencrypted Connection to BASE Console (emerging-policy.rules)
 2008571 - ET SCAN Acunetix Web Vulnerability Scan (emerging-scan.rules)
 2008572 - ET POLICY External MYSQL Server Connection (emerging-policy.rules)
 2008573 - ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch) (emerging-virus.rules)
 2008574 - ET MALWARE AutoIt User-Agent Detected - Often used by Malware (AutoIt) (emerging-malware.rules)
 2008575 - ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile (emerging-virus.rules)
 2008576 - ET TROJAN TinyPE Binary - Possibly Hostile (emerging-virus.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  (emerging-botcc.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[///]     Modified active rules:     [///]

 2001219 - ET SCAN Potential SSH Scan (emerging-scan.rules)
 2003068 - ET SCAN Potential SSH Scan OUTBOUND (emerging-scan.rules)
 2008276 - ET MALWARE Suspicious User-Agent (contains loader) (emerging-malware.rules)
 2008334 - ET TROJAN Beizhu/Womble/Vipdataend Checking with Controller (emerging-virus.rules)
 2008335 - ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive (emerging-virus.rules)
 2008547 - ET TROJAN PECompact2 Packed Binary - Likely Hostile (emerging-virus.rules)
 2008549 - ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) (emerging-malware.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (emerging-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (emerging-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (emerging-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (emerging-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (emerging-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (emerging-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (emerging-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (emerging-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (emerging-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (emerging-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (emerging-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (emerging-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (emerging-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (emerging-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (emerging-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (emerging-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (emerging-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (emerging-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (emerging-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (emerging-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-attack_response.rules (1):
        #matt jonkman, info from qru

     -> Added to emerging-drop-BLOCK.rules (2):
        #  VERSION 1302
        #  Generated 2008-09-20 00:03:02 EDT

     -> Added to emerging-drop.rules (2):
        #  VERSION 1302
        #  Generated 2008-09-20 00:03:02 EDT

     -> Added to emerging-policy.rules (1):
        # sets a flowbit for viruscatch.co.kr related, win32.small.hvd and others

     -> Added to emerging-sid-msg.map (28):
        2008549 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) || url,www.wiki-security.com/wiki/Parasite/Antivirus2008
        2008551 || ET TROJAN Banito/Agent.pb Pass Stealer Email Report Outbound
        2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7
        2008553 || ET WEB WordPress Random Password Generation Insufficient Entropy Attack || url,downloads.securityfocus.com/vulnerabilities/exploits/31115.php || bugtraq,31115
        2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email
        2008555 || ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access
        2008556 || ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious
        2008557 || ET TROJAN Likely EXE Cryptor Packed Binary - Likely Malware || url,bits.packetninjas.org
        2008558 || ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)
        2008559 || ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection
        2008560 || ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack || url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html
        2008561 || ET POLICY External Unencrypted Connection To Aanval Console || url,www.aanval.com
        2008562 || ET Suspicious SMTP handshake outbound
        2008563 || ET Suspicious SMTP handshake reply
        2008564 || ET MALWARE Suspicious User-Agent (Internet HTTP Request)
        2008565 || ET MALWARE Macrovision.com Spyware Related User-Agent (Macrovision_DM_2.19)
        2008567 || ET TROJAN Win32.Crypt.nc Checkin
        2008568 || ET SCAN Voiper Toolkit Torturer Scan || url,sourceforge.net/projects/voiper
        2008569 || ET POLICY External Unencrypted Connection to Ossec WUI || url,www.ossec.net
        2008570 || ET POLICY External Unencrypted Connection to BASE Console || url,base.secureideas.net
        2008571 || ET SCAN Acunetix Web Vulnerability Scan || url,www.acunetix.com/vulnerability-scanner/
        2008572 || ET POLICY External MYSQL Server Connection
        2008573 || ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch)
        2008574 || ET MALWARE AutoIt User-Agent Detected - Often used by Malware (AutoIt) || url,www.autoitscript.com/autoit3
        2008575 || ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile || url,bits.packetninjas.org/eblog/ || url,www.aspack.com/downloads.aspx
        2008576 || ET TROJAN TinyPE Binary - Possibly Hostile || url,bits.packetninjas.org/eblog/?p=316 || url,www.phreedom.org/solar/code/tinype/
        2404020 || ET DROP Known Bot C&C Server Traffic (group 21)  || url,www.shadowserver.org
        2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to emerging-sid-msg.map.txt (28):
        2008549 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) || url,www.wiki-security.com/wiki/Parasite/Antivirus2008
        2008551 || ET TROJAN Banito/Agent.pb Pass Stealer Email Report Outbound
        2008552 || ET CURRENT_EVENTS Malware Word doc Email - Fordo Trojan Likely || url,isc.sans.org/diary.html?storyid=5029 || url,www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7
        2008553 || ET WEB WordPress Random Password Generation Insufficient Entropy Attack || url,downloads.securityfocus.com/vulnerabilities/exploits/31115.php || bugtraq,31115
        2008554 || ET CURRENT_EVENTS Nuclear Email Malware Inbound - Likely Trojan || url,www.computerweekly.com/Articles/2008/09/12/232290/london-nuclear-explosion-in-malware-spam-campaign.htm || url,www.sophos.com/blogs/gc/g/2008/09/11/nuclear-email
        2008555 || ET CURRENT_EVENTS Your internet access is going to get suspended Email Inbound - Likely Trojan || url,forum.bitdefender.com/index.php?showtopic=7861 || url,blog.threatfire.com/2008/09/your-internet-access-is-going-to-get.html || url,blog.mxlab.be/2008/09/11/your-internet-access-is-going-to-get-suspended-virus/ || url,www.sophos.com/blogs/gc/g/2008/09/12/your-internet-access
        2008556 || ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious
        2008557 || ET TROJAN Likely EXE Cryptor Packed Binary - Likely Malware || url,bits.packetninjas.org
        2008558 || ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)
        2008559 || ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection
        2008560 || ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack || url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html
        2008561 || ET POLICY External Unencrypted Connection To Aanval Console || url,www.aanval.com
        2008562 || ET Suspicious SMTP handshake outbound
        2008563 || ET Suspicious SMTP handshake reply
        2008564 || ET MALWARE Suspicious User-Agent (Internet HTTP Request)
        2008565 || ET MALWARE Macrovision.com Spyware Related User-Agent (Macrovision_DM_2.19)
        2008567 || ET TROJAN Win32.Crypt.nc Checkin
        2008568 || ET SCAN Voiper Toolkit Torturer Scan || url,sourceforge.net/projects/voiper
        2008569 || ET POLICY External Unencrypted Connection to Ossec WUI || url,www.ossec.net
        2008570 || ET POLICY External Unencrypted Connection to BASE Console || url,base.secureideas.net
        2008571 || ET SCAN Acunetix Web Vulnerability Scan || url,www.acunetix.com/vulnerability-scanner/
        2008572 || ET POLICY External MYSQL Server Connection
        2008573 || ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch)
        2008574 || ET MALWARE AutoIt User-Agent Detected - Often used by Malware (AutoIt) || url,www.autoitscript.com/autoit3
        2008575 || ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile || url,bits.packetninjas.org/eblog/ || url,www.aspack.com/downloads.aspx
        2008576 || ET TROJAN TinyPE Binary - Possibly Hostile || url,bits.packetninjas.org/eblog/?p=316 || url,www.phreedom.org/solar/code/tinype/
        2404020 || ET DROP Known Bot C&C Server Traffic (group 21)  || url,www.shadowserver.org
        2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Added to emerging-virus.rules (2):
        #by Jeffrey Brown, re 35546d9972aed2a5fec2c4e1136730a3
        #flowbit set by 2008572 in policy ruleset

     -> Added to emerging-web.rules (2):
        #by Chandan at secpod
        # 15/09/2008 Wordpress

     -> Added to emerging.rules (6):
        #by Veerendra at secpod.org
        # 16/09/2008 Nuclear Email Malware Attack
        # 16/09/2008 Internet Trojan
        #by Chandan at secpod
        # 15/09/2008 Malware Word doc
        # Unknown handshake over SMTP discovered by Thierry Chich and reported on mail list. Added by Frank Knobbe 2008-09-17.

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-drop-BLOCK.rules (2):
        #  VERSION 1295
        #  Generated 2008-09-13 00:03:02 EDT

     -> Removed from emerging-drop.rules (2):
        #  VERSION 1295
        #  Generated 2008-09-13 00:03:02 EDT

     -> Removed from emerging-sid-msg.map (1):
        2008549 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)

     -> Removed from emerging-sid-msg.map.txt (1):
        2008549 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)
