[***] Results from Oinkmaster started Sun Mar 23 17:00:09 2008 [***]
[+++] Added rules: [+++]
2002976 - ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner
(bleeding-virus.rules)
2002978 - ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to
Owner (bleeding-virus.rules)
2002980 - ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to
Owner (bleeding-virus.rules)
2002981 - ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to
Owner (bleeding-virus.rules)
2003931 - ET TROJAN Banker.Delf User-Agent (Varlok_11000)
(bleeding-virus.rules)
2003933 - ET TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
2004442 - ET TROJAN Banker.Delf User-Agent (hhh) (bleeding-virus.rules)
2007594 - ET TROJAN Banker.Delf User-Agent (MzApp) (bleeding-virus.rules)
2007699 - ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
(bleeding-virus.rules)
2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
2007858 - ET TROJAN Delf Keylog FTP Upload (bleeding-virus.rules)
2007867 - ET TROJAN Delf HTTP Post Checkin (1) (bleeding-virus.rules)
2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report
(bleeding-virus.rules)
2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
2008006 - ET TROJAN Delf CnC Channel Packet 1 (bleeding-virus.rules)
2008007 - ET TROJAN Delf CnC Channel Packet 1 reply (bleeding-virus.rules)
2008008 - ET TROJAN Delf CnC Channel Checkin Replies (bleeding-virus.rules)
2008009 - ET TROJAN Delf CnC Channel Keepalive Pong (bleeding-virus.rules)
2008010 - ET TROJAN Delf CnC Channel Keepalive Ping (bleeding-virus.rules)
2008041 - ET TROJAN Hupigon CnC init (variant abb) (bleeding-virus.rules)
2008042 - ET TROJAN Hupigon CnC Data Post (variant abb) (bleeding-virus.rules)
2008044 - ET TROJAN Delf Checkin via HTTP (5) (bleeding-virus.rules)
2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious -
Possible Trojan Report (bleeding.rules)
2008046 - ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1
[account verification]) (bleeding-malware.rules)
2008047 - ET TROJAN Egspy Infection Report via HTTP (bleeding-virus.rules)
2008048 - ET MALWARE Suspicious User-Agent (Version 1.23)
(bleeding-malware.rules)
[///] Modified active rules: [///]
2008038 - ET MALWARE Suspicious User Agent (Mozilla/4.0 (compatible\; ICS))
(bleeding-malware.rules)
[---] Removed rules: [---]
2008006 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1
(bleeding.rules)
2008007 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply
(bleeding.rules)
2008008 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies
(bleeding.rules)
2008009 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong
(bleeding.rules)
2008010 - ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping
(bleeding.rules)
20078041 - ET TROJAN Hupigon CnC init (variant abb) (bleeding-virus.rules)
20078042 - ET TROJAN Hupigon CnC Data Post (variant abb) (bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (27):
2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to
Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial
Email to Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial
Email to Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial
Email to Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003933 || ET TROJAN Banker.Delf User-Agent (Ms) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2004442 || ET TROJAN Banker.Delf User-Agent (hhh) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
2007838 || ET TROJAN Delf HTTP Checkin (1)
2007858 || ET TROJAN Delf Keylog FTP Upload
2007867 || ET TROJAN Delf HTTP Post Checkin (1)
2007911 || ET TROJAN Delf Download via HTTP
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2008006 || ET TROJAN Delf CnC Channel Packet 1
2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
2008008 || ET TROJAN Delf CnC Channel Checkin Replies
2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
2008010 || ET TROJAN Delf CnC Channel Keepalive Ping
2008041 || ET TROJAN Hupigon CnC init (variant abb)
2008042 || ET TROJAN Hupigon CnC Data Post (variant abb)
2008044 || ET TROJAN Delf Checkin via HTTP (5)
2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST -
Suspicious - Possible Trojan Report ||
url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
2008046 || ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop
v.1.1 [account verification])
2008047 || ET TROJAN Egspy Infection Report via HTTP ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)
-> Added to bleeding-sid-msg.map.txt (27):
2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to
Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial
Email to Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial
Email to Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial
Email to Owner ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003933 || ET TROJAN Banker.Delf User-Agent (Ms) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2004442 || ET TROJAN Banker.Delf User-Agent (hhh) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) ||
url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
2007838 || ET TROJAN Delf HTTP Checkin (1)
2007858 || ET TROJAN Delf Keylog FTP Upload
2007867 || ET TROJAN Delf HTTP Post Checkin (1)
2007911 || ET TROJAN Delf Download via HTTP
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2008006 || ET TROJAN Delf CnC Channel Packet 1
2008007 || ET TROJAN Delf CnC Channel Packet 1 reply
2008008 || ET TROJAN Delf CnC Channel Checkin Replies
2008009 || ET TROJAN Delf CnC Channel Keepalive Pong
2008010 || ET TROJAN Delf CnC Channel Keepalive Ping
2008041 || ET TROJAN Hupigon CnC init (variant abb)
2008042 || ET TROJAN Hupigon CnC Data Post (variant abb)
2008044 || ET TROJAN Delf Checkin via HTTP (5)
2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST -
Suspicious - Possible Trojan Report ||
url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
2008046 || ET MALWARE Rf-cheats.ru Trojan Related User-Agent (RFRudokop
v.1.1 [account verification])
2008047 || ET TROJAN Egspy Infection Report via HTTP ||
url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410
2008048 || ET MALWARE Suspicious User-Agent (Version 1.23)
-> Added to bleeding-virus.rules (7):
# This thing send out an email to it's owner with stats and such. This
ought to catch it..
#another variant
#Yet another
#yet another c&c method, by matt jonkman
#delf keylog upload, kinda flimsy but works
#by Victor Julien
#re sample 41c62970ea34413c4011b220724bf029
-> Added to bleeding.rules (2):
#experimental, see
#by william metcalf
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (7):
2008006 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1
2008007 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply
2008008 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies
2008009 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong
2008010 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping
20078041 || ET TROJAN Hupigon CnC init (variant abb)
20078042 || ET TROJAN Hupigon CnC Data Post (variant abb)
-> Removed from bleeding-sid-msg.map.txt (7):
2008006 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1
2008007 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Packet 1 reply
2008008 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Checkin Replies
2008009 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Pong
2008010 || ET CURRENT_EVENTS Unknown Trojan CnC Channel Keepalive Ping
20078041 || ET TROJAN Hupigon CnC init (variant abb)
20078042 || ET TROJAN Hupigon CnC Data Post (variant abb)
-> Removed from bleeding.rules (3):
#by matt jonkman
#holding here till the malware gets a name, so far unknown by AV other
than heuristically bad
#re sample 41c62970ea34413c4011b220724bf029
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
