Network Security: Detailed info on [Snort-sigs] Emerging Threats Daily Signature Changes

Subject:	[Snort-sigs] Emerging Threats Daily Signature Changes
Date:	Fri, 14 Mar 2008 17:00:07 -0400 (EDT)


[***] Results from Oinkmaster started Fri Mar 14 17:00:07 2008 [***]

[+++]          Added rules:          [+++]

 2007995 - ET MALWARE Vaccine-program.co.kr Related Spyware Checkin 
(bleeding-malware.rules)
 2007996 - ET MALWARE Sears.com/Kmart.com My SHC Community spyware download 
(bleeding-malware.rules)
 2007998 - ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution 
(bleeding-web.rules)
 2007999 - ET TROJAN Banker Trojan (General) HTTP Checkin (vit) 
(bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2001562 - ET MALWARE MarketScore.com Spyware User Configuration and Setup 
Access (bleeding-malware.rules)


[---]         Removed rules:         [---]

 2002976 - ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner 
(bleeding-virus.rules)
 2002978 - ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to 
Owner (bleeding-virus.rules)
 2002980 - ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to 
Owner (bleeding-virus.rules)
 2002981 - ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to 
Owner (bleeding-virus.rules)
 2003931 - ET TROJAN Banker.Delf User-Agent (Varlok_11000) 
(bleeding-virus.rules)
 2003933 - ET TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
 2004442 - ET TROJAN Banker.Delf User-Agent (hhh) (bleeding-virus.rules)
 2007594 - ET TROJAN Banker.Delf User-Agent (MzApp) (bleeding-virus.rules)
 2007699 - ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS) 
(bleeding-virus.rules)
 2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
 2007858 - ET TROJAN Delf Keylog FTP Upload (bleeding-virus.rules)
 2007867 - ET TROJAN Delf HTTP Post Checkin (1) (bleeding-virus.rules)
 2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
 2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report 
(bleeding-virus.rules)
 2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-malware.rules (1):
        #by Akash Mahajan

     -> Added to bleeding-sid-msg.map (4):
        2007995 || ET MALWARE Vaccine-program.co.kr Related Spyware Checkin
        2007996 || ET MALWARE Sears.com/Kmart.com My SHC Community spyware 
download || url,www.benedelman.org/news/010108-1.html || 
url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
        2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code 
Execution || 
url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || 
bugtraq,21831 || cve,CVE-2006-6838
        2007999 || ET TROJAN Banker Trojan (General) HTTP Checkin (vit)

     -> Added to bleeding-sid-msg.map.txt (4):
        2007995 || ET MALWARE Vaccine-program.co.kr Related Spyware Checkin
        2007996 || ET MALWARE Sears.com/Kmart.com My SHC Community spyware 
download || url,www.benedelman.org/news/010108-1.html || 
url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
        2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code 
Execution || 
url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || 
bugtraq,21831 || cve,CVE-2006-6838
        2007999 || ET TROJAN Banker Trojan (General) HTTP Checkin (vit)

     -> Added to bleeding-web.rules (1):
        #by akash mahajan of Stillsecure

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (15):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to 
Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)

     -> Removed from bleeding-sid-msg.map.txt (15):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to 
Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)

     -> Removed from bleeding-virus.rules (6):
        # This thing send out an email to it's owner with stats and such. This 
ought to catch it..
        #another variant
        #Yet another
        #yet another c&c method, by matt jonkman
        #delf keylog upload, kinda flimsy but works
        #by Victor Julien


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] Emerging Threats Daily Signature Changes, (continued) [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging <= [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging [Snort-sigs] Emerging Threats Daily Signature Changes, emerging

Previous by Date:	[Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Next by Date:	[Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Previous by Thread:	[Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Next by Thread:	[Snort-sigs] Emerging Threats Daily Signature Changes, emerging
Indexes:	[Date] [Thread] [Top] [All Lists]