
[Snort-sigs] Emerging Threats Weekly Signature Changes

Subject: [Snort-sigs] Emerging Threats Weekly Signature Changes
Date: Sat, 22 Mar 2008 19:00:12 -0400 (EDT)

[***] Results from Oinkmaster started Sat Mar 22 19:00:12 2008 [***]

[+++]          Added rules:          [+++]

 2002976 - ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner 
(bleeding-virus.rules)
 2002978 - ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to 
Owner (bleeding-virus.rules)
 2002980 - ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to 
Owner (bleeding-virus.rules)
 2002981 - ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to 
Owner (bleeding-virus.rules)
 2003931 - ET TROJAN Banker.Delf User-Agent (Varlok_11000) 
(bleeding-virus.rules)
 2003933 - ET TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
 2004442 - ET TROJAN Banker.Delf User-Agent (hhh) (bleeding-virus.rules)
 2007594 - ET TROJAN Banker.Delf User-Agent (MzApp) (bleeding-virus.rules)
 2007699 - ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS) 
(bleeding-virus.rules)
 2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
 2007858 - ET TROJAN Delf Keylog FTP Upload (bleeding-virus.rules)
 2007867 - ET TROJAN Delf HTTP Post Checkin (1) (bleeding-virus.rules)
 2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
 2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report 
(bleeding-virus.rules)
 2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
 2008003 - ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin 
(bleeding-virus.rules)
 2008004 - ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2) 
(bleeding-virus.rules)
 2008005 - ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload via FTP 
(bleeding-virus.rules)
 2008006 - ET TROJAN Delf CnC Channel Packet 1 (bleeding-virus.rules)
 2008007 - ET TROJAN Delf CnC Channel Packet 1 reply (bleeding-virus.rules)
 2008008 - ET TROJAN Delf CnC Channel Checkin Replies (bleeding-virus.rules)
 2008009 - ET TROJAN Delf CnC Channel Keepalive Pong (bleeding-virus.rules)
 2008010 - ET TROJAN Delf CnC Channel Keepalive Ping (bleeding-virus.rules)
 2008011 - ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports 
(bleeding-virus.rules)
 2008012 - ET MALWARE Winquickupdates.com Related Trojan Install Report 
(bleeding-malware.rules)
 2008013 - ET MALWARE Suspicious User Agent (Internet) (bleeding-malware.rules)
 2008014 - ET CURRENT_EVENTS Suspicious Download (drv32.data) (bleeding.rules)
 2008015 - ET MALWARE Suspicious User Agent (Win95) (bleeding-malware.rules)
 2008016 - ET MALWARE Servicepack.kr Fake Patch Software Checkin 
(bleeding-malware.rules)
 2008017 - ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) 
(bleeding-virus.rules)
 2008018 - ET MALWARE Beautyscreens.com Related Spyware Install Success Report 
(bleeding-malware.rules)
 2008019 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https) 
(bleeding-virus.rules)
 2008020 - ET WORM Win32.Socks.s HTTP Post Checkin (bleeding-virus.rules)
 2008021 - ET TROJAN Turkojan C&C Initial Checkin (ams) (bleeding-virus.rules)
 2008022 - ET TROJAN Turkojan C&C Info Command (MINFO) (bleeding-virus.rules)
 2008023 - ET TROJAN Turkojan C&C Info Command Response (MINFO) 
(bleeding-virus.rules)
 2008024 - ET TROJAN Turkojan C&C Logs Parse Command (LOGS1) 
(bleeding-virus.rules)
 2008025 - ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1) 
(bleeding-virus.rules)
 2008026 - ET TROJAN Turkojan C&C Keepalive (BAGLANTI) (bleeding-virus.rules)
 2008027 - ET TROJAN Turkojan C&C Browse Drive Command (BROWSC) 
(bleeding-virus.rules)
 2008028 - ET TROJAN Turkojan C&C Browse Drive Command Response (metin) 
(bleeding-virus.rules)
 2008029 - ET TROJAN Turkojan C&C nxt Command (nxt) (bleeding-virus.rules)
 2008030 - ET TROJAN Turkojan C&C nxt Command Response (nxt) 
(bleeding-virus.rules)
 2008031 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound 
(bleeding-virus.rules)
 2008032 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound 
(bleeding-virus.rules)
 2008033 - ET TROJAN Banker.maf SMTP Checkin (Not in the Control...) 
(bleeding-virus.rules)
 2008034 - ET TROJAN LDPinch SMTP Password Report (bleeding-virus.rules)
 2008035 - ET TROJAN System.Poser HTTP Checkin (bleeding-virus.rules)
 2008036 - ET MALWARE 360safe.com related Fake Security Product Update 
(bleeding-malware.rules)
 2008037 - ET POLICY Gteko User-Agent Detected - Dell Remote Access 
(bleeding-policy.rules)
 2008038 - ET MALWARE Suspicious User Agent (Mozilla/4.0 (compatible\; ICS)) 
(bleeding-malware.rules)
 2008039 - ET TROJAN Egspy Infection Report Email (bleeding-virus.rules)
 2008040 - ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol 
NetInstaller) (bleeding-malware.rules)
 2008041 - ET TROJAN Hupigon CnC init (variant abb) (bleeding-virus.rules)
 2008042 - ET TROJAN Hupigon CnC Data Post (variant abb) (bleeding-virus.rules)
 2008043 - ET MALWARE Suspicious User-Agent (c\:\windows) 
(bleeding-malware.rules)
 2008044 - ET TROJAN Delf Checkin via HTTP (5) (bleeding-virus.rules)
 2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - 
Possible Trojan Report (bleeding.rules)
 2008046 - ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 
[account verification]) (bleeding-malware.rules)
 2008047 - ET TROJAN Egspy Infection Report via HTTP (bleeding-virus.rules)
 2406037 - ET RBN Known Russian Business Network Monitored Domains (33) 
(bleeding-rbn.rules)
 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(33) (bleeding-rbn-BLOCK.rules)


[///]     Modified active rules:     [///]

 2003649 - ET TROJAN Hupigon User Agent Detected (SykO) (bleeding-virus.rules)
 2003932 - ET TROJAN Hupigon User Agent Detected (IE_7.0) (bleeding-virus.rules)
 2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or 
Non-Updated System (bleeding-policy.rules)
 2007828 - ET TROJAN LDPinch Checkin (2) (bleeding-virus.rules)
 2007862 - ET TROJAN LDPinch Checkin (3) (bleeding-virus.rules)
 2007949 - ET TROJAN Medbod UDP Phone Home Packet (bleeding-virus.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE 
(bleeding-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING 
(bleeding-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  
(bleeding-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  
(bleeding-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  
(bleeding-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  
(bleeding-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  
(bleeding-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  
(bleeding-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  
(bleeding-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  
(bleeding-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  
(bleeding-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  
(bleeding-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  
(bleeding-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  
(bleeding-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  
(bleeding-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  
(bleeding-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  
(bleeding-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  
(bleeding-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  
(bleeding-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  
(bleeding-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  
(bleeding-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  
(bleeding-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE 
(bleeding-botcc-BLOCK.rules)
 2406005 - ET RBN Known Russian Business Network Monitored Domains (1) 
(bleeding-rbn.rules)
 2406006 - ET RBN Known Russian Business Network Monitored Domains (2) 
(bleeding-rbn.rules)
 2406007 - ET RBN Known Russian Business Network Monitored Domains (3) 
(bleeding-rbn.rules)
 2406008 - ET RBN Known Russian Business Network Monitored Domains (4) 
(bleeding-rbn.rules)
 2406009 - ET RBN Known Russian Business Network Monitored Domains (5) 
(bleeding-rbn.rules)
 2406010 - ET RBN Known Russian Business Network Monitored Domains (6) 
(bleeding-rbn.rules)
 2406011 - ET RBN Known Russian Business Network Monitored Domains (7) 
(bleeding-rbn.rules)
 2406012 - ET RBN Known Russian Business Network Monitored Domains (8) 
(bleeding-rbn.rules)
 2406013 - ET RBN Known Russian Business Network Monitored Domains (9) 
(bleeding-rbn.rules)
 2406014 - ET RBN Known Russian Business Network Monitored Domains (10) 
(bleeding-rbn.rules)
 2406015 - ET RBN Known Russian Business Network Monitored Domains (11) 
(bleeding-rbn.rules)
 2406016 - ET RBN Known Russian Business Network Monitored Domains (12) 
(bleeding-rbn.rules)
 2406017 - ET RBN Known Russian Business Network Monitored Domains (13) 
(bleeding-rbn.rules)
 2406018 - ET RBN Known Russian Business Network Monitored Domains (14) 
(bleeding-rbn.rules)
 2406019 - ET RBN Known Russian Business Network Monitored Domains (15) 
(bleeding-rbn.rules)
 2406020 - ET RBN Known Russian Business Network Monitored Domains (16) 
(bleeding-rbn.rules)
 2406021 - ET RBN Known Russian Business Network Monitored Domains (17) 
(bleeding-rbn.rules)
 2406022 - ET RBN Known Russian Business Network Monitored Domains (18) 
(bleeding-rbn.rules)
 2406023 - ET RBN Known Russian Business Network Monitored Domains (19) 
(bleeding-rbn.rules)
 2406024 - ET RBN Known Russian Business Network Monitored Domains (20) 
(bleeding-rbn.rules)
 2406025 - ET RBN Known Russian Business Network Monitored Domains (21) 
(bleeding-rbn.rules)
 2406026 - ET RBN Known Russian Business Network Monitored Domains (22) 
(bleeding-rbn.rules)
 2406027 - ET RBN Known Russian Business Network Monitored Domains (23) 
(bleeding-rbn.rules)
 2406028 - ET RBN Known Russian Business Network Monitored Domains (24) 
(bleeding-rbn.rules)
 2406029 - ET RBN Known Russian Business Network Monitored Domains (25) 
(bleeding-rbn.rules)
 2406030 - ET RBN Known Russian Business Network Monitored Domains (26) 
(bleeding-rbn.rules)
 2406031 - ET RBN Known Russian Business Network Monitored Domains (27) 
(bleeding-rbn.rules)
 2406032 - ET RBN Known Russian Business Network Monitored Domains (28) 
(bleeding-rbn.rules)
 2406033 - ET RBN Known Russian Business Network Monitored Domains (29) 
(bleeding-rbn.rules)
 2406034 - ET RBN Known Russian Business Network Monitored Domains (30) 
(bleeding-rbn.rules)
 2406035 - ET RBN Known Russian Business Network Monitored Domains (31) 
(bleeding-rbn.rules)
 2406036 - ET RBN Known Russian Business Network Monitored Domains (32) 
(bleeding-rbn.rules)
 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(1) (bleeding-rbn-BLOCK.rules)
 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(2) (bleeding-rbn-BLOCK.rules)
 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(3) (bleeding-rbn-BLOCK.rules)
 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(4) (bleeding-rbn-BLOCK.rules)
 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(5) (bleeding-rbn-BLOCK.rules)
 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(6) (bleeding-rbn-BLOCK.rules)
 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(7) (bleeding-rbn-BLOCK.rules)
 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(8) (bleeding-rbn-BLOCK.rules)
 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(9) (bleeding-rbn-BLOCK.rules)
 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(10) (bleeding-rbn-BLOCK.rules)
 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(11) (bleeding-rbn-BLOCK.rules)
 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(12) (bleeding-rbn-BLOCK.rules)
 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(13) (bleeding-rbn-BLOCK.rules)
 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(14) (bleeding-rbn-BLOCK.rules)
 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(15) (bleeding-rbn-BLOCK.rules)
 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(16) (bleeding-rbn-BLOCK.rules)
 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(17) (bleeding-rbn-BLOCK.rules)
 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(18) (bleeding-rbn-BLOCK.rules)
 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(19) (bleeding-rbn-BLOCK.rules)
 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(20) (bleeding-rbn-BLOCK.rules)
 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(21) (bleeding-rbn-BLOCK.rules)
 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(22) (bleeding-rbn-BLOCK.rules)
 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(23) (bleeding-rbn-BLOCK.rules)
 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(24) (bleeding-rbn-BLOCK.rules)
 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(25) (bleeding-rbn-BLOCK.rules)
 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(26) (bleeding-rbn-BLOCK.rules)
 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(27) (bleeding-rbn-BLOCK.rules)
 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(28) (bleeding-rbn-BLOCK.rules)
 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(29) (bleeding-rbn-BLOCK.rules)
 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(30) (bleeding-rbn-BLOCK.rules)
 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(31) (bleeding-rbn-BLOCK.rules)
 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(32) (bleeding-rbn-BLOCK.rules)


[---]         Removed rules:         [---]

 2007983 - ET TROJAN LDPinch Checkin (4) (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-drop-BLOCK.rules (2):
        #  VERSION 1095
        #  Generated 2008-03-22 01:03:02 EDT

     -> Added to bleeding-drop.rules (2):
        #  VERSION 1095
        #  Generated 2008-03-22 01:03:02 EDT

     -> Added to bleeding-policy.rules (1):
        #by Jack Pepper

     -> Added to bleeding-rbn-BLOCK.rules (2):
        #  VERSION 39
        #  Updated 2008-03-16 00:25:31

     -> Added to bleeding-rbn.rules (2):
        #  VERSION 39
        #  Updated 2008-03-16 00:25:31

     -> Added to bleeding-sid-msg.map (65):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to 
Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003649 || ET TROJAN Hupigon User Agent Detected (SykO)
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003932 || ET TROJAN Hupigon User Agent Detected (IE_7.0)
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2007949 || ET TROJAN Medbod UDP Phone Home Packet
        2008003 || ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin
        2008004 || ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)
        2008005 || ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload 
via FTP
        2008006 || ET TROJAN Delf CnC Channel Packet 1
        2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
        2008008 || ET TROJAN Delf CnC Channel Checkin Replies
        2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
        2008010 || ET TROJAN Delf CnC Channel Keepalive Ping
        2008011 || ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports
        2008012 || ET MALWARE Winquickupdates.com Related Trojan Install Report
        2008013 || ET MALWARE Suspicious User Agent (Internet)
        2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data)
        2008015 || ET MALWARE Suspicious User Agent (Win95)
        2008016 || ET MALWARE Servicepack.kr Fake Patch Software Checkin
        2008017 || ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) || 
url,vil.nai.com/vil/content/v_141203.htm
        2008018 || ET MALWARE Beautyscreens.com Related Spyware Install Success 
Report
        2008019 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader 
(https)
        2008020 || ET WORM Win32.Socks.s HTTP Post Checkin
        2008021 || ET TROJAN Turkojan C&C Initial Checkin (ams)
        2008022 || ET TROJAN Turkojan C&C Info Command (MINFO)
        2008023 || ET TROJAN Turkojan C&C Info Command Response (MINFO)
        2008024 || ET TROJAN Turkojan C&C Logs Parse Command (LOGS1)
        2008025 || ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1)
        2008026 || ET TROJAN Turkojan C&C Keepalive (BAGLANTI)
        2008027 || ET TROJAN Turkojan C&C Browse Drive Command (BROWSC)
        2008028 || ET TROJAN Turkojan C&C Browse Drive Command Response (metin)
        2008029 || ET TROJAN Turkojan C&C nxt Command (nxt)
        2008030 || ET TROJAN Turkojan C&C nxt Command Response (nxt)
        2008031 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound
        2008032 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound
        2008033 || ET TROJAN Banker.maf SMTP Checkin (Not in the Control...)
        2008034 || ET TROJAN LDPinch SMTP Password Report
        2008035 || ET TROJAN System.Poser HTTP Checkin
        2008036 || ET MALWARE 360safe.com related Fake Security Product Update
        2008037 || ET POLICY Gteko User-Agent Detected - Dell Remote Access || 
url,doc.emergingthreats.net/bin/view/Main/Windows98UA
        2008038 || ET MALWARE Suspicious User Agent (Mozilla/4.0 (compatible\; 
ICS))
        2008039 || ET TROJAN Egspy Infection Report Email || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
        2008040 || ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol 
NetInstaller)
        2008041 || ET TROJAN Hupigon CnC init (variant abb)
        2008042 || ET TROJAN Hupigon CnC Data Post (variant abb)
        2008043 || ET MALWARE Suspicious User-Agent (c\:\windows)
        2008044 || ET TROJAN Delf Checkin via HTTP (5)
        2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - 
Suspicious - Possible Trojan Report || 
url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
        2008046 || ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop 
v.1.1 [account verification])
        2008047 || ET TROJAN Egspy Infection Report via HTTP || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
        2406037 || ET RBN Known Russian Business Network Monitored Domains (33) 
|| url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407037 || ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (33) || 
url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork

     -> Added to bleeding-sid-msg.map.txt (65):
        2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to 
Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial 
Email to Owner || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003649 || ET TROJAN Hupigon User Agent Detected (SykO)
        2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2003932 || ET TROJAN Hupigon User Agent Detected (IE_7.0)
        2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || 
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
        2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
        2007838 || ET TROJAN Delf HTTP Checkin (1)
        2007858 || ET TROJAN Delf Keylog FTP Upload
        2007867 || ET TROJAN Delf HTTP Post Checkin (1)
        2007911 || ET TROJAN Delf Download via HTTP
        2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
        2007939 || ET TROJAN Delf Checkin via HTTP (up)
        2007949 || ET TROJAN Medbod UDP Phone Home Packet
        2008003 || ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin
        2008004 || ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)
        2008005 || ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload 
via FTP
        2008006 || ET TROJAN Delf CnC Channel Packet 1
        2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
        2008008 || ET TROJAN Delf CnC Channel Checkin Replies
        2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
        2008010 || ET TROJAN Delf CnC Channel Keepalive Ping
        2008011 || ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports
        2008012 || ET MALWARE Winquickupdates.com Related Trojan Install Report
        2008013 || ET MALWARE Suspicious User Agent (Internet)
        2008014 || ET CURRENT_EVENTS Suspicious Download (drv32.data)
        2008015 || ET MALWARE Suspicious User Agent (Win95)
        2008016 || ET MALWARE Servicepack.kr Fake Patch Software Checkin
        2008017 || ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) || 
url,vil.nai.com/vil/content/v_141203.htm
        2008018 || ET MALWARE Beautyscreens.com Related Spyware Install Success 
Report
        2008019 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader 
(https)
        2008020 || ET WORM Win32.Socks.s HTTP Post Checkin
        2008021 || ET TROJAN Turkojan C&C Initial Checkin (ams)
        2008022 || ET TROJAN Turkojan C&C Info Command (MINFO)
        2008023 || ET TROJAN Turkojan C&C Info Command Response (MINFO)
        2008024 || ET TROJAN Turkojan C&C Logs Parse Command (LOGS1)
        2008025 || ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1)
        2008026 || ET TROJAN Turkojan C&C Keepalive (BAGLANTI)
        2008027 || ET TROJAN Turkojan C&C Browse Drive Command (BROWSC)
        2008028 || ET TROJAN Turkojan C&C Browse Drive Command Response (metin)
        2008029 || ET TROJAN Turkojan C&C nxt Command (nxt)
        2008030 || ET TROJAN Turkojan C&C nxt Command Response (nxt)
        2008031 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound
        2008032 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound
        2008033 || ET TROJAN Banker.maf SMTP Checkin (Not in the Control...)
        2008034 || ET TROJAN LDPinch SMTP Password Report
        2008035 || ET TROJAN System.Poser HTTP Checkin
        2008036 || ET MALWARE 360safe.com related Fake Security Product Update
        2008037 || ET POLICY Gteko User-Agent Detected - Dell Remote Access || 
url,doc.emergingthreats.net/bin/view/Main/Windows98UA
        2008038 || ET MALWARE Suspicious User Agent (Mozilla/4.0 (compatible\; 
ICS))
        2008039 || ET TROJAN Egspy Infection Report Email || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
        2008040 || ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol 
NetInstaller)
        2008041 || ET TROJAN Hupigon CnC init (variant abb)
        2008042 || ET TROJAN Hupigon CnC Data Post (variant abb)
        2008043 || ET MALWARE Suspicious User-Agent (c\:\windows)
        2008044 || ET TROJAN Delf Checkin via HTTP (5)
        2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - 
Suspicious - Possible Trojan Report || 
url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
        2008046 || ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop 
v.1.1 [account verification])
        2008047 || ET TROJAN Egspy Infection Report via HTTP || 
url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
        2406037 || ET RBN Known Russian Business Network Monitored Domains (33) 
|| url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407037 || ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (33) || 
url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork

     -> Added to bleeding-virus.rules (14):
        # This thing send out an email to it's owner with stats and such. This 
ought to catch it..
        #another variant
        #Yet another
        #yet another c&c method, by matt jonkman
        #delf keylog upload, kinda flimsy but works
        #by Victor Julien
        #re sample 41c62970ea34413c4011b220724bf029
        #slso called Trojan.Dropper.RRM and Trojan.Win32.Inject.adt
        #Backdoor.Win32.Hupigon.abb
        #win32.philis.J here
        #by matt jonkman. Win32 Trojan-System.Poser
        #  Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or  
GenPack:Trojan.Agent.AHAB
        #c&c session 2
        #by matt jonkman. Win32.Socks.s

     -> Added to bleeding.rules (4):
        #experimental, see
        #by william metcalf
        #by Victor Julien
        # Just testing to see if it works well. lots of bad stuff use this uri 
and an IP

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-drop-BLOCK.rules (2):
        #  VERSION 1087
        #  Generated 2008-03-14 01:03:02 EDT

     -> Removed from bleeding-drop.rules (2):
        #  VERSION 1087
        #  Generated 2008-03-14 01:03:02 EDT

     -> Removed from bleeding-rbn-BLOCK.rules (2):
        #  VERSION 38
        #  Updated 2008-03-12 13:33:38

     -> Removed from bleeding-rbn.rules (2):
        #  VERSION 38
        #  Updated 2008-03-12 13:33:38

     -> Removed from bleeding-sid-msg.map (4):
        2003649 || ET TROJAN Hupinon User Agent Detected (SykO)
        2003932 || ET TROJAN Hupinon User Agent Detected (IE_7.0)
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits 
to emerging@emergingthreats.net for analysis
        2007983 || ET TROJAN LDPinch Checkin (4)

     -> Removed from bleeding-sid-msg.map.txt (4):
        2003649 || ET TROJAN Hupinon User Agent Detected (SykO)
        2003932 || ET TROJAN Hupinon User Agent Detected (IE_7.0)
        2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits 
to emerging@emergingthreats.net for analysis
        2007983 || ET TROJAN LDPinch Checkin (4)


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
