[***] Results from Oinkmaster started Sat Feb 16 19:00:08 2008 [***]
[+++] Added rules: [+++]
2007831 - ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id
push) (bleeding-virus.rules)
2007832 - ET TROJAN Theoreon.com Related Trojan Checkin (bleeding-virus.rules)
2007833 - ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5)
(bleeding-virus.rules)
2007834 - ET TROJAN Renos/ssd.com HTTP Checkin (bleeding-virus.rules)
2007835 - ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)
(bleeding.rules)
2007836 - ET TROJAN Downloader General Bot Checking In - Possible
Win32.Small.htz related (bleeding-virus.rules)
2007837 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(WinInet) (bleeding-virus.rules)
2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
2007839 - ET MALWARE Drpcclean.com Related Spyware User Agent (DrPCClean
Transmit) (bleeding-malware.rules)
2007840 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)
(bleeding-virus.rules)
2007841 - ET TROJAN W32.Downloader Tibs.ek Reporting to C&C
(bleeding-virus.rules)
2007842 - ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin
(bleeding-malware.rules)
2007844 - ET TROJAN Downloader Agent.isd Checkin (bleeding-virus.rules)
2007845 - ET MALWARE Errclean.com Related Spyware User Agent (Locus
NetInstaller) (bleeding-malware.rules)
2007846 - ET MALWARE Berlinads3.com Related Spyware User Agent (StixAero
Engine v1.5) (bleeding-malware.rules)
2007847 - ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX
Buffer Overflow Exploit (bleeding-exploit.rules)
2007848 - ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll
4.0.4.3303) remote BoF exploit (bleeding.rules)
2007849 - ET TROJAN Kpang.com Related Trojan User-Agent (alertup)
(bleeding-virus.rules)
2007850 - ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX Control
Buffer Overflow Vulnerability (bleeding-exploit.rules)
2007851 - ET EXPLOIT Citrix Presentation Server Client WFICA.OCX ActiveX
Component Heap Buffer Overflow Exploit (bleeding-exploit.rules)
2007852 - ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure Method
Exploit (bleeding-exploit.rules)
2007853 - ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX Control
Insecure Method Vulnerability (bleeding-exploit.rules)
2007854 - ET MALWARE Suspicious User Agent - Possible Playmp3z or other
Spyware Related (Mozilla) (bleeding-malware.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18)
(bleeding-botcc.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
[///] Modified active rules: [///]
2003238 - ET TROJAN W32.Downloader Tibs.jy Reporting to C&C
(bleeding-virus.rules)
2003239 - ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2)
(bleeding-virus.rules)
2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or
Non-Updated System (bleeding-policy.rules)
2007724 - ET TROJAN Prg Trojan HTTP POST version 2 (bleeding-virus.rules)
2007758 - ET TROJAN Eldorado.BHO User-Agent Detected (netcfg)
(bleeding-virus.rules)
2007779 - ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate)
(bleeding-virus.rules)
2007815 - ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX
Control Buffer Overflow Attempt (bleeding.rules)
2007816 - ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in
Use (bleeding.rules)
2007817 - ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit
(bleeding.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING
(bleeding-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1)
(bleeding-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2)
(bleeding-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3)
(bleeding-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4)
(bleeding-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5)
(bleeding-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6)
(bleeding-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7)
(bleeding-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8)
(bleeding-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9)
(bleeding-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10)
(bleeding-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11)
(bleeding-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12)
(bleeding-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13)
(bleeding-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14)
(bleeding-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15)
(bleeding-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16)
(bleeding-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17)
(bleeding-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
[---] Removed rules: [---]
2007830 - ET MALWARE Maxthom/Myie2.com Related Spyware User Agent (MyIE2)
(bleeding-malware.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (2):
# VERSION 1060
# Generated 2008-02-16 01:03:00 EDT
-> Added to bleeding-drop.rules (2):
# VERSION 1060
# Generated 2008-02-16 01:03:00 EDT
-> Added to bleeding-exploit.rules (5):
#by Akash Mahajan of Stillsecure
#by Akash Mahajan of Stillsecure
#by Akash Mahajan of Stillsecure
#by Akash Mahajan of Stillsecure
#by Akash Mahajan of Stillsecure
-> Added to bleeding-malware.rules (5):
#another fake antispyware package, by matt jonkman
#drpcclean.com by matt jonkman
#errclean.com related, by matt jonkman
#berlinads3.com related
#playmp3z adware seen using this
-> Added to bleeding-sid-msg.map (33):
2003238 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C
2003239 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2)
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 ||
url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007758 || ET TROJAN Eldorado.BHO User-Agent Detected (netcfg)
2007779 || ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate)
2007815 || ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx
ActiveX Control Buffer Overflow Attempt ||
url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX
CLSID in Use || url,isc.sans.org/diary.html?storyid=3929 ||
url,www.milw0rm.com/exploits/5049
2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow
Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 ||
url,www.milw0rm.com/exploits/5102 || url,www.milw0rm.com/exploits/5049
2007831 || ET TROJAN Downloader General Bot Checking In via HTTP Post
(bot_id push)
2007832 || ET TROJAN Theoreon.com Related Trojan Checkin
2007833 || ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5)
2007834 || ET TROJAN Renos/ssd.com HTTP Checkin
2007835 || ET CURRENT EVENTS Likely Storm Binary Requested
(valentine.exe)
2007836 || ET TROJAN Downloader General Bot Checking In - Possible
Win32.Small.htz related
2007837 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(WinInet)
2007838 || ET TROJAN Delf HTTP Checkin (1)
2007839 || ET MALWARE Drpcclean.com Related Spyware User Agent
(DrPCClean Transmit)
2007840 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(Shell)
2007841 || ET TROJAN W32.Downloader Tibs.ek Reporting to C&C
2007842 || ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin
2007844 || ET TROJAN Downloader Agent.isd Checkin
2007845 || ET MALWARE Errclean.com Related Spyware User Agent (Locus
NetInstaller)
2007846 || ET MALWARE Berlinads3.com Related Spyware User Agent
(StixAero Engine v1.5)
2007847 || ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38)
ActiveX Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5100 ||
url,www.milw0rm.com/exploits/5086
2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module
(XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 ||
url,www.milw0rm.com/exploits/5087
2007849 || ET TROJAN Kpang.com Related Trojan User-Agent (alertup)
2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX
Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 ||
bugtraq,27438
2007851 || ET EXPLOIT Citrix Presentation Server Client WFICA.OCX
ActiveX Component Heap Buffer Overflow Exploit || cve,CVE-2006-6334 ||
bugtraq,21458 || url,www.milw0rm.com/exploits/5106
2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure
Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX
Control Insecure Method Vulnerability || bugtraq,27439 ||
url,www.milw0rm.com/exploits/4981
2007854 || ET MALWARE Suspicious User Agent - Possible Playmp3z or
other Spyware Related (Mozilla)
2404017 || ET DROP Known Bot C&C Server Traffic (group 18) ||
url,www.shadowserver.org
2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE
|| url,www.shadowserver.org
-> Added to bleeding-sid-msg.map.txt (33):
2003238 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C
2003239 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2)
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 ||
url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007758 || ET TROJAN Eldorado.BHO User-Agent Detected (netcfg)
2007779 || ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate)
2007815 || ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx
ActiveX Control Buffer Overflow Attempt ||
url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX
CLSID in Use || url,isc.sans.org/diary.html?storyid=3929 ||
url,www.milw0rm.com/exploits/5049
2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow
Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 ||
url,www.milw0rm.com/exploits/5102 || url,www.milw0rm.com/exploits/5049
2007831 || ET TROJAN Downloader General Bot Checking In via HTTP Post
(bot_id push)
2007832 || ET TROJAN Theoreon.com Related Trojan Checkin
2007833 || ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5)
2007834 || ET TROJAN Renos/ssd.com HTTP Checkin
2007835 || ET CURRENT EVENTS Likely Storm Binary Requested
(valentine.exe)
2007836 || ET TROJAN Downloader General Bot Checking In - Possible
Win32.Small.htz related
2007837 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(WinInet)
2007838 || ET TROJAN Delf HTTP Checkin (1)
2007839 || ET MALWARE Drpcclean.com Related Spyware User Agent
(DrPCClean Transmit)
2007840 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(Shell)
2007841 || ET TROJAN W32.Downloader Tibs.ek Reporting to C&C
2007842 || ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin
2007844 || ET TROJAN Downloader Agent.isd Checkin
2007845 || ET MALWARE Errclean.com Related Spyware User Agent (Locus
NetInstaller)
2007846 || ET MALWARE Berlinads3.com Related Spyware User Agent
(StixAero Engine v1.5)
2007847 || ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38)
ActiveX Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5100 ||
url,www.milw0rm.com/exploits/5086
2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module
(XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 ||
url,www.milw0rm.com/exploits/5087
2007849 || ET TROJAN Kpang.com Related Trojan User-Agent (alertup)
2007850 || ET EXPLOIT Move Networks Media Player QMPUpgrade.dll ActiveX
Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/4979 ||
bugtraq,27438
2007851 || ET EXPLOIT Citrix Presentation Server Client WFICA.OCX
ActiveX Component Heap Buffer Overflow Exploit || cve,CVE-2006-6334 ||
bugtraq,21458 || url,www.milw0rm.com/exploits/5106
2007852 || ET EXPLOIT Gateway Weblaunch2.ocx ActiveX Control Insecure
Method Exploit || bugtraq,27193 || url,www.milw0rm.com/exploits/4982
2007853 || ET EXPLOIT ImageShack Toolbar ImageShackToolbar.dll ActiveX
Control Insecure Method Vulnerability || bugtraq,27439 ||
url,www.milw0rm.com/exploits/4981
2007854 || ET MALWARE Suspicious User Agent - Possible Playmp3z or
other Spyware Related (Mozilla)
2404017 || ET DROP Known Bot C&C Server Traffic (group 18) ||
url,www.shadowserver.org
2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE
|| url,www.shadowserver.org
-> Added to bleeding-virus.rules (5):
#yet another c&c method, by matt jonkman
#matt jonkman, sample marked Trojan-Downloader.Win32.Small.htz by
fsecure
#Matt Jonkman, Kaspersky Trojan-Proxy.Win32.Agent.ty
#Matt Jonkman, Kaspersky Trojan-Proxy.Win32.Agent.blm
#matt jonkman, downloader Agent.isd
-> Added to bleeding.rules (2):
#by Akash Mahajan of Stillsecure
#by Akash Mahajan of Stillsecure
[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (2):
# VERSION 1052
# Generated 2008-02-08 01:03:03 EDT
-> Removed from bleeding-drop.rules (2):
# VERSION 1052
# Generated 2008-02-08 01:03:03 EDT
-> Removed from bleeding-malware.rules (1):
#maxthon related, by matt jonkman
-> Removed from bleeding-sid-msg.map (9):
2003238 || ET TROJAN W32.Downloader-388
(Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C
2003239 || ET TROJAN W32.Downloader-388
(Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C (2)
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,
ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007758 || ET TROJAN Eldorado.BHO User-Agent Detected
2007779 || ET TROJAN Kpang.com Related Trojan User-Agent
2007815 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader4 ActiveX
CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX
CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow
Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 ||
url,www.milw0rm.com/exploits/5049
2007830 || ET MALWARE Maxthom/Myie2.com Related Spyware User Agent
(MyIE2)
-> Removed from bleeding-sid-msg.map.txt (9):
2003238 || ET TROJAN W32.Downloader-388
(Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C
2003239 || ET TROJAN W32.Downloader-388
(Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C (2)
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,
ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007758 || ET TROJAN Eldorado.BHO User-Agent Detected
2007779 || ET TROJAN Kpang.com Related Trojan User-Agent
2007815 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader4 ActiveX
CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX
CLSID in Use || url,isc.sans.org/diary.html?storyid=3929
2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow
Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 ||
url,www.milw0rm.com/exploits/5049
2007830 || ET MALWARE Maxthom/Myie2.com Related Spyware User Agent
(MyIE2)
-> Removed from bleeding-virus.rules (1):
#first found by ClamAV
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
