[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Fri, 19 Nov 2004 20:00:04 -0600 (CST)

[***] Results from Oinkmaster started Fri Nov 19 20:00:04 2004 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (35):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Bundleware Spyware cab Download"; uricontent:"/counter/counter_v3.cab"; nocase; classtype:trojan-activity; sid:2001458; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install"; uricontent:"/pr.exe"; nocase; classtype:trojan-activity; sid:2001486; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; uricontent:"/fa/ied_s7m.chm"; nocase; sid:2001468; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/dktibs.php"; nocase; sid:2001474; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/mstasks3.txt"; nocase; sid:2001483; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/x30/d.exe"; nocase; sid:2001484; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://pizdato.biz/gamma-test.htm"; nocase; sid:2001476; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Games"; uricontent:"/blocks/blasterblocks"; nocase; sid:2001459; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Coolsearch Spyware Install"; content:"http\://coolsearch.biz/united.htm"; nocase; sid:2001479; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install"; uricontent:"/pa/proxyrnd.exe"; nocase; classtype:trojan-activity; sid:2001485; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MediaTickets Spyware Install"; uricontent:"/mtrslib2.js"; nocase; classtype:trojan-activity; sid:2001481; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; content:"src=http\://xpire.info/i.exe"; nocase; sid:2001463; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121.php"; nocase; sid:2001466; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/systime.txt"; nocase; sid:2001480; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Couponage Download"; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype:policy-violation; sid:2001453; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Couponage Configure"; content:".da_"; nocase; content:"couponage.com"; nocase; classtype:policy-violation; sid:2001454; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Bundleware Spyware Download"; content:"Location\: http\://www.bundleware.com"; nocase; uricontent:"/AppWrap.exe"; nocase; classtype:policy-violation; sid:2001451; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; sid:2001471; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; uricontent:"/fa/?d=get"; nocase; sid:2001462; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Bundleware Spyware CHM Download"; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype:trojan-activity; sid:2001452; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; uricontent:"/xpsystem/commands.ini"; nocase; sid:2001475; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Sexmaniack Install Tracking"; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; sid:2001460; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/xpl3.htm"; nocase; sid:2001470; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Wintools Download/Configure"; pcre:"/GET \/WTools.\.cab/"; content:"adwave.com"; nocase; classtype:trojan-activity; sid:2001450; rev:4;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/toolbar.txt"; nocase; sid:2001473; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/x.chm"; nocase; sid:2001469; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; sid:2001472; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Couponage Reporting"; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype:policy-violation; sid:2001455; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; sid:2001464; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://newiframe.biz/ysb.exe.eeexe.exe"; nocase; sid:2001478; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/evil.html"; nocase; sid:2001461; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ContextPanel Reporting"; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype:policy-violation; sid:2001456; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121/x.chm"; nocase; sid:2001467; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install"; uricontent:"/pa/glx.exe"; nocase; classtype:trojan-activity; sid:2001482; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://www.coolsearch.biz/c.htm"; nocase; sid:2001477; rev:1;)

     -> Added to bleeding.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Remote Code Execution Attempt HowDark.com"; flow:to_server,established; content:"/viewtopic.php?t="; nocase; distance:0; content:"&highlight=%2527%252esystem("; nocase; reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (5):
        #By Matt Jonkman
        #By Matt Jonkman
        #By Matt Jonkman
        #By Matt Jonkman
        #By Matt Jonkman

     -> Added to bleeding-sid-msg.map (36):
        2001450 || BLEEDING-EDGE Malware Wintools Download/Configure
        2001451 || BLEEDING-EDGE Malware Bundleware Spyware Download
        2001452 || BLEEDING-EDGE Malware Bundleware Spyware CHM Download
        2001453 || BLEEDING-EDGE Malware Couponage Download
        2001454 || BLEEDING-EDGE Malware Couponage Configure
        2001455 || BLEEDING-EDGE Malware Couponage Reporting
        2001456 || BLEEDING-EDGE Malware ContextPanel Reporting
        2001457 || BLEEDING-EDGE phpBB Highlighting Remote Code Execution Attempt HowDark.com || url,www.howdark.com/poc/phpbb2010_hl.phps
        2001458 || BLEEDING-EDGE Malware Bundleware Spyware cab Download
        2001459 || BLEEDING-EDGE Malware Overpro Spyware Games
        2001460 || BLEEDING-EDGE Malware Sexmaniack Install Tracking
        2001461 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
        2001462 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring
        2001463 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
        2001464 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
        2001466 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
        2001467 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
        2001468 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit
        2001469 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
        2001470 || BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs
        2001471 || BLEEDING-EDGE Malware Xpire.info Spyware Exploit
        2001472 || BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting
        2001473 || BLEEDING-EDGE Malware Searchmeup Spyware Install
        2001474 || BLEEDING-EDGE Malware Searchmeup Spyware Install
        2001475 || BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands
        2001476 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install
        2001477 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install
        2001478 || BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install
        2001479 || BLEEDING-EDGE Malware Coolsearch Spyware Install
        2001480 || BLEEDING-EDGE Malware Searchmeup Spyware Install
        2001481 || BLEEDING-EDGE Malware MediaTickets Spyware Install
        2001482 || BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install
        2001483 || BLEEDING-EDGE Malware Searchmeup Spyware Install
        2001484 || BLEEDING-EDGE Malware Searchmeup Spyware Install
        2001485 || BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install
        2001486 || BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install

     -> Added to bleeding.rules (1):
        #Submitted bu Shirkdog

[*] Added files: [*]
    None.



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs