[***] Results from Oinkmaster started Sat Mar 8 19:00:08 2008 [***]
[+++] Added rules: [+++]
2007843 - ET TROJAN Bzub2 Related RPC/Http Checkin (bleeding-virus.rules)
2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
(bleeding.rules)
2007903 - ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url
Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
2007904 - ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer
Overflow Vulnerability (bleeding-exploit.rules)
2007905 - ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url
Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
2007906 - ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame()
ActiveX BoF (bleeding-game.rules)
2007907 - ET EXPLOIT Move Networks Quantum Streaming Player Control
UploadLogs() BOF (bleeding-exploit.rules)
2007908 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA)
(bleeding-malware.rules)
2007909 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)
(bleeding-malware.rules)
2007910 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)
(bleeding-malware.rules)
2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
2007912 - ET TROJAN Suspicious User-Agent - Possible
Trojan-Dropper.Win32.Agent.eut (Yhrbg) (bleeding-virus.rules)
2007913 - ET TROJAN Dialer.MC(vf) HTTP Request - Checkin (bleeding-virus.rules)
2007914 - ET WORM SDBot HTTP Checkin (bleeding-virus.rules)
2007917 - ET TROJAN Dropper-497 (Yumato) Initial Checkin (bleeding-virus.rules)
2007918 - ET TROJAN Dropper-497 (Yumato) System Stats Report
(bleeding-virus.rules)
2007919 - ET TROJAN Dropper-497 Yumato Reply from server (bleeding-virus.rules)
2007920 - ET TROJAN Dropper-497 (Yumato) Status Reply from server
(bleeding-virus.rules)
2007921 - ET MALWARE Suspicious User Agent (Explorer) (bleeding-malware.rules)
2007922 - ET TROJAN Backdoor.Win32.VB.brg C&C Checkin (bleeding-virus.rules)
2007923 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(Digital) (bleeding-virus.rules)
2007924 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(downloaded) (bleeding-virus.rules)
2007925 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(wnames) (bleeding-virus.rules)
2007926 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(cv_v5.0.0) (bleeding-virus.rules)
2007927 - ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey)
(bleeding-malware.rules)
2007928 - ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd)
(bleeding-malware.rules)
2007929 - ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0
(compatible\; )) (bleeding-malware.rules)
2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report
(bleeding-virus.rules)
2007931 - ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer
Overflow Vulnerability (bleeding-exploit.rules)
2007932 - ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF
Vulnerability (bleeding-exploit.rules)
2007933 - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow
Vulnerability (bleeding-exploit.rules)
2007934 - ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF
Vulnerability (bleeding-exploit.rules)
2007935 - ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fs3update)
(bleeding-malware.rules)
2007936 - ET WEB Netwin Webmail SurgeMail Mail Server Format String
Vulnerability (bleeding-web.rules)
2007937 - ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow
(bleeding-exploit.rules)
2007938 - ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager)
(bleeding-malware.rules)
2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
2007940 - ET TROJAN Banker.ili HTTP Checkin (bleeding-virus.rules)
2007941 - ET MALWARE Invalid HTTP GET Request - Often Malware Related
(bleeding-malware.rules)
2007942 - ET MALWARE Suspicious User Agent (_) (bleeding-malware.rules)
2007943 - ET MALWARE Suspicious User Agent (HTTP) (bleeding-malware.rules)
2007944 - ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
(bleeding-malware.rules)
2007945 - ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)
(bleeding-malware.rules)
2007946 - ET MALWARE Suspicious User Agent (popup) (bleeding-malware.rules)
2007947 - ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup)
(bleeding-malware.rules)
2007948 - ET MALWARE Suspicious User Agent (--) (bleeding-malware.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20)
(bleeding-botcc.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (31)
(bleeding-rbn.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(31) (bleeding-rbn-BLOCK.rules)
[///] Modified active rules: [///]
2002157 - ET POLICY Skype User-Agent detected (bleeding-policy.rules)
2002383 - ET SCAN Potential FTP Brute-Force attempt (bleeding-scan.rules)
2002950 - ET POLICY TOR 1.0 Server Key Retrieval (bleeding-policy.rules)
2006429 - ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile)
(bleeding-malware.rules)
2006430 - ET MALWARE Karine.co.kr Related Spyware User Agent (Access down)
(bleeding-malware.rules)
2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or
Non-Updated System (bleeding-policy.rules)
2007701 - ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)
(bleeding-virus.rules)
2007702 - ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)
(bleeding-virus.rules)
2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
(bleeding.rules)
2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
(bleeding.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE
(bleeding-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING
(bleeding-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1)
(bleeding-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2)
(bleeding-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3)
(bleeding-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4)
(bleeding-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5)
(bleeding-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6)
(bleeding-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7)
(bleeding-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8)
(bleeding-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9)
(bleeding-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10)
(bleeding-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11)
(bleeding-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12)
(bleeding-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13)
(bleeding-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14)
(bleeding-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15)
(bleeding-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16)
(bleeding-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17)
(bleeding-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18)
(bleeding-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19)
(bleeding-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE
(bleeding-botcc-BLOCK.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (1)
(bleeding-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (2)
(bleeding-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (3)
(bleeding-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (4)
(bleeding-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (5)
(bleeding-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (6)
(bleeding-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (7)
(bleeding-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (8)
(bleeding-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (9)
(bleeding-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (10)
(bleeding-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (11)
(bleeding-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (12)
(bleeding-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (13)
(bleeding-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (14)
(bleeding-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (15)
(bleeding-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (16)
(bleeding-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (17)
(bleeding-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (18)
(bleeding-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (19)
(bleeding-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (20)
(bleeding-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (21)
(bleeding-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (22)
(bleeding-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (23)
(bleeding-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (24)
(bleeding-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (25)
(bleeding-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (26)
(bleeding-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (27)
(bleeding-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (28)
(bleeding-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (29)
(bleeding-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (30)
(bleeding-rbn.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(1) (bleeding-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(2) (bleeding-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(3) (bleeding-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(4) (bleeding-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(5) (bleeding-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(6) (bleeding-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(7) (bleeding-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(8) (bleeding-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(9) (bleeding-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(10) (bleeding-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(11) (bleeding-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(12) (bleeding-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(13) (bleeding-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(14) (bleeding-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(15) (bleeding-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(16) (bleeding-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(17) (bleeding-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(18) (bleeding-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(19) (bleeding-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(20) (bleeding-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(21) (bleeding-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(22) (bleeding-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(23) (bleeding-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(24) (bleeding-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(25) (bleeding-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(26) (bleeding-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(27) (bleeding-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(28) (bleeding-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(29) (bleeding-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING
(30) (bleeding-rbn-BLOCK.rules)
[///] Modified inactive rules: [///]
2006424 - ET MALWARE Karine.co.kr Related Spyware User Agent (WebUpdate)
(bleeding-malware.rules)
[---] Removed rules: [---]
2007835 - ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)
(bleeding.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (2):
# VERSION 1081
# Generated 2008-03-08 01:03:00 EDT
-> Added to bleeding-drop.rules (2):
# VERSION 1081
# Generated 2008-03-08 01:03:00 EDT
-> Added to bleeding-exploit.rules (3):
#by Akash Mahajan at stillsecure
#by Akash Mahajan at Stillsecure
#by Akash Mahajan of stillsecure
-> Added to bleeding-game.rules (1):
#by Akash Mahajan at Stillsecure
-> Added to bleeding-malware.rules (5):
# Seeing several bits of malware that are creating their http get's
# incorrectly. They're adding an http://domain.com/url to the GET
string,
# which should be just the uri. This will catch those
#fake av package, sigs by matt jonkman
#by victor julien
-> Added to bleeding-rbn-BLOCK.rules (2):
# VERSION 37
# Updated 2008-03-06 19:56:19
-> Added to bleeding-rbn.rules (2):
# VERSION 37
# Updated 2008-03-06 19:56:19
-> Added to bleeding-sid-msg.map (53):
2002950 || ET POLICY TOR 1.0 Server Key Retrieval || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested
(postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007843 || ET TROJAN Bzub2 Related RPC/Http Checkin
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url
Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 ||
bugtraq,28010
2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url
Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 ||
bugtraq,28010
2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control
Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193
|| bugtraq,28010
2007906 || ET GAME Ourgame GLWorld 2.x
hgs_startNotify()/hgs_startGame() ActiveX BoF ||
url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html
|| cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control
UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
2007908 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA)
2007909 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)
2007910 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)
2007911 || ET TROJAN Delf Download via HTTP
2007912 || ET TROJAN Suspicious User-Agent - Possible
Trojan-Dropper.Win32.Agent.eut (Yhrbg)
2007913 || ET TROJAN Dialer.MC(vf) HTTP Request - Checkin
2007914 || ET WORM SDBot HTTP Checkin
2007917 || ET TROJAN Dropper-497 (Yumato) Initial Checkin ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007918 || ET TROJAN Dropper-497 (Yumato) System Stats Report ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007919 || ET TROJAN Dropper-497 Yumato Reply from server ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007920 || ET TROJAN Dropper-497 (Yumato) Status Reply from server ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007921 || ET MALWARE Suspicious User Agent (Explorer)
2007922 || ET TROJAN Backdoor.Win32.VB.brg C&C Checkin
2007923 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(Digital)
2007924 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(downloaded)
2007925 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(wnames)
2007926 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(cv_v5.0.0)
2007927 || ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey)
2007928 || ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd)
2007929 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0
(compatible\; ))
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer
Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 ||
url,www.milw0rm.com/exploits/3877
2007932 || ET EXPLOIT Symantec BackupExec Calendar Control
(PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 ||
url,www.milw0rm.com/exploits/5205
2007933 || ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow
Vulnerability || bugtraq,27940 ||
url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007934 || ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF
Vulnerability || bugtraq,27940 ||
url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007935 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent
(fs3update)
2007936 || ET WEB Netwin Webmail SurgeMail Mail Server Format String
Vulnerability || bugtraq,27990 || cve,CVE-2008-1055 ||
url,aluigi.altervista.org/adv/surgemailz-adv.txt
2007937 || ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow ||
url,aluigi.altervista.org/adv/visibroken-adv.txt || bugtraq,28084
2007938 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent
(fian3manager)
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2007940 || ET TROJAN Banker.ili HTTP Checkin
2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related
|| url,doc.emergingthreats.net/2007941
2007942 || ET MALWARE Suspicious User Agent (_)
2007943 || ET MALWARE Suspicious User Agent (HTTP)
2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin
(victim.php)
2007946 || ET MALWARE Suspicious User Agent (popup)
2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent
(nguideup)
2007948 || ET MALWARE Suspicious User Agent (--)
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) ||
url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE
|| url,www.shadowserver.org
2406035 || ET RBN Known Russian Business Network Monitored Domains (31)
|| url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2407035 || ET RBN Known Russian Business Network Monitored Domains -
BLOCKING (31) ||
url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to bleeding-sid-msg.map.txt (53):
2002950 || ET POLICY TOR 1.0 Server Key Retrieval || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested
(postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007843 || ET TROJAN Bzub2 Related RPC/Http Checkin
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url
Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 ||
bugtraq,28010
2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url
Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 ||
bugtraq,28010
2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control
Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193
|| bugtraq,28010
2007906 || ET GAME Ourgame GLWorld 2.x
hgs_startNotify()/hgs_startGame() ActiveX BoF ||
url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html
|| cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control
UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
2007908 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA)
2007909 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)
2007910 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)
2007911 || ET TROJAN Delf Download via HTTP
2007912 || ET TROJAN Suspicious User-Agent - Possible
Trojan-Dropper.Win32.Agent.eut (Yhrbg)
2007913 || ET TROJAN Dialer.MC(vf) HTTP Request - Checkin
2007914 || ET WORM SDBot HTTP Checkin
2007917 || ET TROJAN Dropper-497 (Yumato) Initial Checkin ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007918 || ET TROJAN Dropper-497 (Yumato) System Stats Report ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007919 || ET TROJAN Dropper-497 Yumato Reply from server ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007920 || ET TROJAN Dropper-497 (Yumato) Status Reply from server ||
url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007921 || ET MALWARE Suspicious User Agent (Explorer)
2007922 || ET TROJAN Backdoor.Win32.VB.brg C&C Checkin
2007923 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(Digital)
2007924 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(downloaded)
2007925 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(wnames)
2007926 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(cv_v5.0.0)
2007927 || ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey)
2007928 || ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd)
2007929 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0
(compatible\; ))
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer
Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 ||
url,www.milw0rm.com/exploits/3877
2007932 || ET EXPLOIT Symantec BackupExec Calendar Control
(PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 ||
url,www.milw0rm.com/exploits/5205
2007933 || ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow
Vulnerability || bugtraq,27940 ||
url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007934 || ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF
Vulnerability || bugtraq,27940 ||
url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007935 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent
(fs3update)
2007936 || ET WEB Netwin Webmail SurgeMail Mail Server Format String
Vulnerability || bugtraq,27990 || cve,CVE-2008-1055 ||
url,aluigi.altervista.org/adv/surgemailz-adv.txt
2007937 || ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow ||
url,aluigi.altervista.org/adv/visibroken-adv.txt || bugtraq,28084
2007938 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent
(fian3manager)
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2007940 || ET TROJAN Banker.ili HTTP Checkin
2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related
|| url,doc.emergingthreats.net/2007941
2007942 || ET MALWARE Suspicious User Agent (_)
2007943 || ET MALWARE Suspicious User Agent (HTTP)
2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin
(victim.php)
2007946 || ET MALWARE Suspicious User Agent (popup)
2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent
(nguideup)
2007948 || ET MALWARE Suspicious User Agent (--)
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) ||
url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE
|| url,www.shadowserver.org
2406035 || ET RBN Known Russian Business Network Monitored Domains (31)
|| url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2407035 || ET RBN Known Russian Business Network Monitored Domains -
BLOCKING (31) ||
url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to bleeding-virus.rules (4):
#by Victor Julien
#Banker.ili by matt jonkman
#matt jonkman, labeled logsnif, bzub2, dopip
#discovered by victor julien, sigs by matt jonkman, interesting one.
Uses an html-like tag language on 8181
[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (2):
# VERSION 1073
# Generated 2008-02-29 01:03:00 EDT
-> Removed from bleeding-drop.rules (2):
# VERSION 1073
# Generated 2008-02-29 01:03:00 EDT
-> Removed from bleeding-rbn-BLOCK.rules (2):
# VERSION 36
# Updated 2008-02-21 10:21:51
-> Removed from bleeding-rbn.rules (2):
# VERSION 36
# Updated 2008-02-21 10:21:51
-> Removed from bleeding-sid-msg.map (4):
2002950 || ET POLICY TOR 1.0 Server Key Retrival || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested
(withlove.exe) ||
url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested
(with_love.exe) ||
url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007835 || ET CURRENT EVENTS Likely Storm Binary Requested
(valentine.exe)
-> Removed from bleeding-sid-msg.map.txt (4):
2002950 || ET POLICY TOR 1.0 Server Key Retrival || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested
(withlove.exe) ||
url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested
(with_love.exe) ||
url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007835 || ET CURRENT EVENTS Likely Storm Binary Requested
(valentine.exe)
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
