Network Security Snort-Signatures

[Snort-sigs] Bleeding Edge Threats Weekly Signature Changes

Subject: [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes
Date: Fri, 13 Apr 2007 02:00:05 -0400 (EDT)

[***] Results from Oinkmaster started Fri Apr 13 02:00:05 2007 [***]

[+++]          Added rules:          [+++]

 2003155 - BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling 
(bleeding-policy.rules)
 2003514 - BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer 
ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding-exploit.rules)
 2003537 - TROJAN Trojan.Duntek establishing remote connection 
(bleeding-virus.rules)
 2003538 - BLEEDING-EDGE TROJAN Klom.A Connecting to Controller 
(bleeding-virus.rules)
 2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - 
Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)
 2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - 
Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)
 2003541 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating 
(bleeding-malware.rules)
 2003542 - BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake 
Antispyware Reporting (bleeding-malware.rules)
 2003543 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware Install 
(bleeding-malware.rules)
 2003544 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 
(WinFixMaster) (bleeding-malware.rules)
 2003545 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 
2 (WinFix Master) (bleeding-malware.rules)
 2003546 - BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by 
Winfixmaster.com Fake Anti-Spyware and Others (bleeding-malware.rules)
 2003547 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install 
(bleeding-malware.rules)
 2003548 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin 
(bleeding-malware.rules)
 2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report 
(bleeding-virus.rules)
 2003550 - BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes 
(bleeding-virus.rules)
 2003551 - BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command 
(bleeding-virus.rules)
 2003552 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active 
(bleeding-virus.rules)
 2003553 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off 
(bleeding-virus.rules)
 2003554 - BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply 
(bleeding-virus.rules)
 2003555 - BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report 
(bleeding-virus.rules)
 2003556 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send 
(bleeding-virus.rules)
 2003557 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply 
(bleeding-virus.rules)
 2003558 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send 
(bleeding-virus.rules)
 2003559 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send 
(bleeding-virus.rules)
 2003560 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send 
(bleeding-virus.rules)
 2003561 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply 
(bleeding-virus.rules)
 2003562 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send 
(bleeding-virus.rules)
 2003563 - BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send 
(bleeding-virus.rules)
 2003564 - BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply 
(bleeding-virus.rules)
 2003565 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply 
(bleeding-virus.rules)
 2003566 - BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) 
(bleeding-malware.rules)
 2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS 
Extractor) (bleeding-malware.rules)
 2003568 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating 
(bleeding-malware.rules)
 2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware 
User-Agent (EVNUKER) (bleeding-malware.rules)
 2003570 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) 
(bleeding-malware.rules)


[///]     Modified active rules:     [///]

 2001537 - BLEEDING-EDGE Malware Spyspotter.com Access (bleeding-malware.rules)
 2001663 - BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host) 
(bleeding-malware.rules)
 2002160 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat) 
(bleeding-malware.rules)
 2002388 - BLEEDING-EDGE WEB vBulletin misc.php Template Name Arbitrary Code 
Execution (bleeding-web.rules)
 2002954 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download 
(bleeding-malware.rules)
 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound 
(bleeding-drop.rules)
 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING 
SOURCE (bleeding-drop-BLOCK.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source 
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)
 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)  
(bleeding-botcc.rules)
 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)  
(bleeding-botcc.rules)
 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)  
(bleeding-botcc.rules)
 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)  
(bleeding-botcc.rules)
 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)  
(bleeding-botcc.rules)
 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6)  
(bleeding-botcc.rules)
 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7)  
(bleeding-botcc.rules)
 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)


[---]         Disabled rules:        [---]

 2003191 - BLEEDING-EDGE CURRENT EVENTS Acer LunchApp.Aplunch ActiveX control 
access (bleeding.rules)


[---]         Removed rules:         [---]

 2002198 - BLEEDING-EDGE MALWARE Bidclix.com Spyware (bleeding-malware.rules)
 2002204 - BLEEDING-EDGE MALWARE Websponsors.com Spyware 
(bleeding-malware.rules)
 2002930 - BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit 
(bleeding-virus.rules)
 2003155 - BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling 
(bleeding.rules)
 2003177 - BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft 
Agent Memory Corruption) (bleeding.rules)
 2003178 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip 
FileView ActiveX Control Access (bleeding.rules)
 2003181 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip 
FolderView ActiveX Control Access (bleeding.rules)
 2003213 - BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function 
Memory Corruption - There are many legitimate uses of the normalize function 
(bleeding.rules)
 2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS 
(bleeding.rules)
 2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In 
(bleeding.rules)
 2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded 
Exploit traveling to client browser (bleeding.rules)
 2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt 
(bleeding.rules)
 2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet 
(bleeding.rules)
 2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet 
(bleeding.rules)
 2003514 - BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer 
ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (1):
        #  VERSION 151

     -> Added to bleeding-drop.rules (1):
        #  VERSION 151

     -> Added to bleeding-exploit.rules (1):
        # steven@securityzone

     -> Added to bleeding-malware.rules (5):
        #matt Jonkman from Spyware LP Data
        #By Matt Jonkman from spyware listening post data
        #Matt Jonkman, from spyware lp data and Castlecops
        #from spyware LP Data
        #By Matt Jonkman from spyware listening post data

     -> Added to bleeding-policy.rules (2):
        #by Jeff Kell
        # Microsoft teredo tunnel

     -> Added to bleeding-sid-msg.map (37):
        2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware 
Download || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152
 || url,www.bravesentry.com
        2003155 || BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling
        2003514 || BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer 
ADODB.Redcordset Double Free Memory Exploit - MS07-009 || 
url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || 
url,www.milw0rm.com/exploits/3577
        2003537 || TROJAN Trojan.Duntek establishing remote connection || 
url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99
        2003538 || BLEEDING-EDGE TROJAN Klom.A Connecting to Controller || 
url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html
        2003539 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit 
udp - Please report any hits to bleeding@bleedingthreats.net || 
url,www.dshield.org/diary.html?storyid=2584
        2003540 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit 
tcp - Please report any hits to bleeding@bleedingthreats.net || 
url,www.dshield.org/diary.html?storyid=2584
        2003541 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware 
Updating || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152
 || url,www.bravesentry.com
        2003542 || BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake 
Antispyware Reporting || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152
 || url,www.bravesentry.com
        2003543 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware 
Install
        2003544 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware 
User-Agent (WinFixMaster)
        2003545 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware 
User-Agent 2 (WinFix Master)
        2003546 || BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - 
Used by Winfixmaster.com Fake Anti-Spyware and Others
        2003547 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware 
Install
        2003548 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware 
Checkin
        2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and 
Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy 
Active || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off 
|| url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and 
Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key 
Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command 
Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send 
|| url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command 
Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy 
Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start 
Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command 
Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408
 || url,www.nuclearwintercrew.com
        2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || 
url,doc.bleedingthreats.net/2003566
        2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent 
(DNS Extractor) || url,doc.bleedingthreats.net/2003567
        2003568 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating || 
url,www.evidencenuker.com
        2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware 
User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567
        2003570 || BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent 
(iefeatsl) || url,www.applicationsignatures.com/backend/index.php

     -> Added to bleeding-virus.rules (3):
        #Bandook 1.2
        #Bandook 1.35
        # Submitted 4-6-07 Mark Warren

     -> Added to bleeding.rules (4):
        # Threat has mostly passed. Leaving in but commented out for now.
        #by Michael Schidell
        # ISC reports a possible active MS DNS exploit. Please report any hits. 
More info as we get it.
        ### Commenting out for now. More information hasn't surfaced yet. Will 
update when we can

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (1):
        #  VERSION 144

     -> Removed from bleeding-drop.rules (1):
        #  VERSION 144

     -> Removed from bleeding-malware.rules (2):
        #Matt Jonkman from Spyware listening post data
        #disabling for now, seems only to be hitting on ad pulls, not a spyware 
infection

     -> Removed from bleeding-sid-msg.map (16):
        2002198 || BLEEDING-EDGE MALWARE Bidclix.com Spyware
        2002204 || BLEEDING-EDGE MALWARE Websponsors.com Spyware
        2002930 || BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit
        2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware 
Download || url,www.bravesentry.com
        2003155 || BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling
        2003177 || BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access 
(Microsoft Agent Memory Corruption) || 
url,www.microsoft.com/technet/security/bulletin/ms06-068.mspx
        2003178 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer 
WinZip FileView ActiveX Control Access || cve,2006-5198
        2003181 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer 
WinZip FolderView ActiveX Control Access || cve,2006-5198
        2003213 || BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script 
Function Memory Corruption - There are many legitimate uses of the normalize 
function || url,osvdb/30814 || cve,2006-5581
        2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || 
url,www.milw0rm.com/exploits/3111 || 
url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
        2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan 
Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
        2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish 
Encoded Exploit traveling to client browser || 
url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
 || url,isc.sans.org/diary.html?n&storyid=2277 || 
url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/
        2003430 || BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop 
Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || 
url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
        2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet 
|| url,doc.bleedingthreats.net/2003460
        2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet 
|| url,doc.bleedingthreats.net/2003460
        2003514 || BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet 
Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || 
url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || 
url,www.milw0rm.com/exploits/3577

     -> Removed from bleeding-virus.rules (2):
        #by Jamie Riden
        #disabling, redundant

     -> Removed from bleeding.rules (18):
        #This is being sent to many victims under the pretense of being a 
securityt audit script for colocated customers
        #These should catch it in it's current form. More information coming 
soon
        #Analysis by Jose Nazario
        # These are coming in zips asking you to run on the server. This will 
hit on the html coming FROM the infected server to a client browser, NOT the 
zip in transit
        #The email drop is dead, but phishes are still going out with this 
address. If you see it, someone ran the script... follow up!
        #by Shirkdog
        # steven@securityzone
        #by Christian Siefert
        # There are many legit uses for this, so we're disabling by default. 
Use where appropriate
        #by Blake Hartstein of Demarc
        #by shirkdog
        #by Jeff Kell
        # Microsoft teredo tunnel
        #So far unidentified bot and c&c channel. Working on it. These are 
crude sigs,
        # please let me know if you get hits. Need more information on this one.
        #Matt Jonkman
        #Matt Jonkman. As yet unnamed downloader in a few high profile spots
        #by Mr Magic Pants


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
