From schandan at secpod.com Fri Aug 1 10:31:56 2008
From: schandan at secpod.com (chandan)
Date: Fri, 01 Aug 2008 20:01:56 +0530
Subject: [Emerging-Sigs] E-Ticket Email Attack
Message-ID: <48931E5C.40004@secpod.com>

Feedback on E-Ticket Email Attack signatures will be much appreciated.

# 01/08/2008 E-Ticket
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Airline E-ticket Email Attack Malware Receive - SMTP"; content:"|0d 0a|Subject\: E-Ticket"; pcre:"/eTicket.*\.zip/i"; classtype:trojan-activity; reference:url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack; reference:url,www.sophos.com/security/blog/2008/07/1604.html; sid:9020; rev:1;)

alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"Airline E-ticket Email Attack Malware Receive - IMAP"; content:"|0a|Subject\: E-Ticket"; pcre:"/eTicket.*\.zip/i"; classtype:trojan-activity; reference:url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack; reference:url,www.sophos.com/security/blog/2008/07/1604.html; sid:9019; rev:1;)

Thanks!!
Chandan
www.secpod.com


From jonkman at jonkmans.com Fri Aug 1 12:15:11 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 01 Aug 2008 12:15:11 -0400
Subject: [Emerging-Sigs] E-Ticket Email Attack
In-Reply-To: <48931E5C.40004@secpod.com>
References: <48931E5C.40004@secpod.com>
Message-ID: <4893368F.3080009@jonkmans.com>

Good idea Chandan. I think we can just go with the inbound 25 sig, the pop/imap stuff ought to be an afterthought.

Will get it posted now, thanks Chandan!

matt

chandan wrote:
> Feedback on E-Ticket Email Attack signatures will be much appreciated.
>
> # 01/08/2008 E-Ticket
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Airline E-ticket Email
> Attack Malware Receive - SMTP"; content:"|0d 0a|Subject\: E-Ticket";
> pcre:"/eTicket.*\.zip/i"; classtype:trojan-activity;
> reference:url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack;
> reference:url,www.sophos.com/security/blog/2008/07/1604.html; sid:9020;
> rev:1;)
>
> alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"Airline E-ticket
> Email Attack Malware Receive - IMAP"; content:"|0a|Subject\: E-Ticket";
> pcre:"/eTicket.*\.zip/i"; classtype:trojan-activity;
> reference:url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack;
> reference:url,www.sophos.com/security/blog/2008/07/1604.html; sid:9019;
> rev:1;)
>
> Thanks!!
> Chandan
> www.secpod.com
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From emerging at emergingthreats.net Fri Aug 1 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 1 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080801200008.3669F4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Aug 1 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008486 - CURRENT_EVENTS Fake Airline E-ticket Email Inbound (emerging.rules)
2008487 - ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin (emerging-virus.rules)
2008488 - ET MALWARE Suspicious User-Agent (NULL) (emerging-malware.rules)
2008489 - ET MALWARE Suspicious User-Agent (dwplayer) (emerging-malware.rules)

[---] Removed rules: [---]
2008480 - ET TROJAN Win32.Adload.agq Checkin (emerging-virus.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-malware.rules (1):
#by pedro marinho
-> Added to emerging-sid-msg.map (4):
2008486 || CURRENT_EVENTS Fake Airline E-ticket Email Inbound || url,www.sophos.com/security/blog/2008/07/1604.html || url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack
2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin
2008488 || ET MALWARE Suspicious User-Agent (NULL)
2008489 || ET MALWARE Suspicious User-Agent (dwplayer)
-> Added to emerging-sid-msg.map.txt (4):
2008486 || CURRENT_EVENTS Fake Airline E-ticket Email Inbound || url,www.sophos.com/security/blog/2008/07/1604.html || url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack
2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin
2008488 || ET MALWARE Suspicious User-Agent (NULL)
2008489 || ET MALWARE Suspicious User-Agent (dwplayer)
-> Added to emerging-virus.rules (1):
#by pedro marinho, re 1d5f4c0224a6772ec46e8aec83c7f948
-> Added to emerging.rules (2):
#by Chandan at secpod.com
# 01/08/2008 E-Ticket

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (1):
2008480 || ET TROJAN Win32.Adload.agq Checkin
-> Removed from emerging-sid-msg.map.txt (1):
2008480 || ET TROJAN Win32.Adload.agq Checkin
-> Removed from emerging-virus.rules (1):
#by pedro Marinho


From emerging at emergingthreats.net Sat Aug 2 18:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 2 Aug 2008 18:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20080802220008.77CB94502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Aug 2 18:00:08 2008 [***]

[+++] Added rules: [+++]
2008477 - ET TROJAN Banload POST Checkin (dados) (emerging-virus.rules)
2008481 - ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin (emerging-virus.rules)
2008482 - ET TROJAN thespybot.com installation download detected (emerging-virus.rules)
2008483 - ET TROJAN Win32/Antivirus2008 (emerging-virus.rules)
2008484 - ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate) (emerging-malware.rules)
2008485 - ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup) (emerging-malware.rules)
2008486 - CURRENT_EVENTS Fake Airline E-ticket Email Inbound (emerging.rules)
2008487 - ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin (emerging-virus.rules)
2008488 - ET MALWARE Suspicious User-Agent (NULL) (emerging-malware.rules)
2008489 - ET MALWARE Suspicious User-Agent (dwplayer) (emerging-malware.rules)
2008490 - ET TROJAN Dialer.Win32.E-Group.n Checkin (emerging-virus.rules)

[///] Modified active rules: [///]
2001810 - ET EXPLOIT WEB PHP remote file include exploit attempt (emerging-web_sql_injection.rules)
2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) (emerging.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1247
# Generated 2008-08-02 00:03:02 EDT
-> Added to emerging-drop.rules (2):
# VERSION 1247
# Generated 2008-08-02 00:03:02 EDT
-> Added to emerging-malware.rules (1):
#by pedro marinho
-> Added to emerging-sid-msg.map (12):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
2008477 || ET TROJAN Banload POST Checkin (dados)
2008481 || ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin
2008482 || ET TROJAN thespybot.com installation download detected
2008483 || ET TROJAN Win32/Antivirus2008
2008484 || ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)
2008485 || ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup)
2008486 || CURRENT_EVENTS Fake Airline E-ticket Email Inbound || url,www.sophos.com/security/blog/2008/07/1604.html || url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack
2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin
2008488 || ET MALWARE Suspicious User-Agent (NULL)
2008489 || ET MALWARE Suspicious User-Agent (dwplayer)
2008490 || ET TROJAN Dialer.Win32.E-Group.n Checkin
-> Added to emerging-sid-msg.map.txt (12):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
2008477 || ET TROJAN Banload POST Checkin (dados)
2008481 || ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin
2008482 || ET TROJAN thespybot.com installation download detected
2008483 || ET TROJAN Win32/Antivirus2008
2008484 || ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)
2008485 || ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup)
2008486 || CURRENT_EVENTS Fake Airline E-ticket Email Inbound || url,www.sophos.com/security/blog/2008/07/1604.html || url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack
2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin
2008488 || ET MALWARE Suspicious User-Agent (NULL)
2008489 || ET MALWARE Suspicious User-Agent (dwplayer)
2008490 || ET TROJAN Dialer.Win32.E-Group.n Checkin
-> Added to emerging-virus.rules (6):
#by bojan zdrnja of ISC
#by pedro marinho, re 1d5f4c0224a6772ec46e8aec83c7f948
#by pedro marinho
#143fd8452113d6feb651ea89bb5f3e50
#ref: 965583b539fb59b643c7bdd83e269a7e
#ref: ffab3ed23240e031ad8081b067f89cc7
-> Added to emerging.rules (2):
#by Chandan at secpod.com
# 01/08/2008 E-Ticket

[---] Removed non-rule lines: [---]
-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1240
# Generated 2008-07-26 00:03:02 EDT
-> Removed from emerging-drop.rules (2):
# VERSION 1240
# Generated 2008-07-26 00:03:02 EDT
-> Removed from emerging-sid-msg.map (1):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
-> Removed from emerging-sid-msg.map.txt (1):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146


From emerging at emergingthreats.net Sun Aug 3 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 3 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080803200008.1AA4F45026@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Aug 3 16:00:08 2008 [***]

[+++] Added rules: [+++]
2008490 - ET TROJAN Dialer.Win32.E-Group.n Checkin (emerging-virus.rules)
2008491 - ET TROJAN Banker.OT Checkin (2 packet) (emerging-virus.rules)
2008492 - ET TROJAN Win32.Downloader.pgp Checkin (emerging-virus.rules)

[---] Removed rules: [---]
2007988 - ET TROJAN Banker Trojan (General) HTTP Checkin (emerging-virus.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (3):
2008490 || ET TROJAN Dialer.Win32.E-Group.n Checkin
2008491 || ET TROJAN Banker.OT Checkin (2 packet)
2008492 || ET TROJAN Win32.Downloader.pgp Checkin
-> Added to emerging-sid-msg.map.txt (3):
2008490 || ET TROJAN Dialer.Win32.E-Group.n Checkin
2008491 || ET TROJAN Banker.OT Checkin (2 packet)
2008492 || ET TROJAN Win32.Downloader.pgp Checkin
-> Added to emerging-virus.rules (3):
#by pedro marinho
#143fd8452113d6feb651ea89bb5f3e50
#1982f2f77701dfb0f26f51fc7c2978f2

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (1):
2007988 || ET TROJAN Banker Trojan (General) HTTP Checkin
-> Removed from emerging-sid-msg.map.txt (1):
2007988 || ET TROJAN Banker Trojan (General) HTTP Checkin


From jonkman at jonkmans.com Mon Aug 4 10:18:05 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 04 Aug 2008 10:18:05 -0400
Subject: [Emerging-Sigs] BASE 1.4.1 Released
Message-ID: <48970F9D.1060708@jonkmans.com>

A new release from the BASE team. This one includes direct links to our Docs database for rules (http://docs.emergingthreats.net). Thanks guys:

Hello,

The BASE project team is proud to announce the immediate release of BASE 1.4.1 (lara).

This release has fixed a large number of bugs and issues that were found in previous versions. These fixes include a number of problems with graphing and setup of the adodb libraries. Querying the database has also been improved.
Please download the latest version from http://sourceforge.net/projects/secureideas

Thank you,
Kevin Johnson and the BASE project team

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From emerging at emergingthreats.net Mon Aug 4 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 4 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080804200008.E7BFE4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Aug 4 16:00:08 2008 [***]

[///] Modified active rules: [///]
2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) (emerging.rules)

[+++] Added non-rule lines: [+++]
-> Added to emerging-sid-msg.map (1):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
-> Added to emerging-sid-msg.map.txt (1):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146

[---] Removed non-rule lines: [---]
-> Removed from emerging-sid-msg.map (1):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
-> Removed from emerging-sid-msg.map.txt (1):
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146


From r.fulton at auckland.ac.nz Mon Aug 4 17:56:27 2008
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Tue, 5 Aug 2008 09:56:27 +1200
Subject: [Emerging-Sigs] FP for ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin 2008487

any visit to www.seedgenesis.net triggers this sig....

META
SID CID TimeStamp Signature Sig ID
6 14758869 2008-08-05 09:52:33 ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin 2008487
Sensor Hostname Sensor Interface
monitor-dmzo.isec.auckland.ac.nz dmz sensor

IP
Source Address Dest Address Ver Hdr Len TOS length ID flags offset TTL chksum
130.216.76.66 209.62.72.165 4 5 0 493 30456 2 0 62 56084
Resolved Source Resolved Dest
bluebottle.insec.auckland.ac.nz ev1s-209-62-72-165.theplanet.com

TCP
Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum Urgent Ptr
52196 80 4264551092 11782237 5 0 24 65535 24752 0
Options
None
Flags
RB 1 RB 0 URG ACK PSH RST SYN FIN

DATA

GET /?dn=www.animedls.com&flrdr=yes&nxte=gif HTTP/1.1..Host:
www.adxtn.com..User-Agent: Mozilla/5.0 (Macintosh; U; Intel
Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/
3.0.1..Accept: text/html,application/xhtml+xml,application/x
ml;q=0.9,*/*;q=0.8..Accept-Language: en-us,en;q=0.5..Accept-
Encoding: gzip,deflate..Accept-Charset: ISO-8859-1,utf-8;q=0
.7,*;q=0.7..Keep-Alive: 300..Connection: keep-alive..Referer
: http://www.seedgenesis.net/....
From jonkman at jonkmans.com Mon Aug 4 19:35:51 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 04 Aug 2008 19:35:51 -0400
Subject: [Emerging-Sigs] FP for ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin 2008487
Message-ID: <48979257.2050905@jonkmans.com>

Had another report privately. I think we will have to dump this rule for now.

Thanks for the report Russell!

Matt

Russell Fulton wrote:
> any visit to www.seedgenesis.net triggers this sig....
>
>
> META
> SID CID TimeStamp Signature Sig ID
> 6 14758869 2008-08-05 09:52:33 ET TROJAN Trojan-
> Downloader.Win32.Delf.bsy Checkin 2008487
> Sensor Hostname Sensor Interface
> monitor-dmzo.isec.auckland.ac.nz dmz sensor
> IP
> Source Address Dest Address Ver Hdr Len TOS length ID flags offset TTL
> chksum
> 130.216.76.66 209.62.72.165 4 5 0 493 30456 2 0 62 56084
> Resolved Source Resolved Dest
> bluebottle.insec.auckland.ac.nz ev1s-209-62-72-165.theplanet.com
> TCP
> Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum
> Urgent Ptr
> 52196 80 4264551092 11782237 5 0 24 65535 24752 0
> Options
> None
> Flags
> RB 1 RB 0 URG ACK PSH RST SYN FIN
>
> DATA
>
> GET /?dn=www.animedls.com&flrdr=yes&nxte=gif HTTP/1.1..Host:
> www.adxtn.com..User-Agent: Mozilla/5.0 (Macintosh; U; Intel
> Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/
> 3.0.1..Accept: text/html,application/xhtml+xml,application/x
> ml;q=0.9,*/*;q=0.8..Accept-Language: en-us,en;q=0.5..Accept-
> Encoding: gzip,deflate..Accept-Charset: ISO-8859-1,utf-8;q=0
> .7,*;q=0.7..Keep-Alive: 300..Connection: keep-alive..Referer
> : http://www.seedgenesis.net/....

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From jholgui at gmail.com Tue Aug 5 06:38:47 2008
From: jholgui at gmail.com (José Miguel Holguín Aparicio)
Date: Tue, 5 Aug 2008 12:38:47 +0200
Subject: [Emerging-Sigs] DNS Sigs
In-Reply-To: <488891E2.1090002@jonkmans.com>
References: <488891E2.1090002@jonkmans.com>
Message-ID: <8f3861b10808050338o6b8293abla7fef89ef4587ef5@mail.gmail.com>

hi,

I have alerts between two DNS servers from rule sid 2008446:

emerging.rules:alert udp any 53 -> $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008446; rev:8;)

Can there be legitimate traffic between two DNS servers that hits this rule (zone transfer), etc.?

Regards.

2008/7/24 Matt Jonkman:
> A couple significant updates to the DNS Poisoning sigs. If you updated
> earlier this morning be sure to pull a new copy now.
>
> Matt


From jonkman at jonkmans.com Tue Aug 5 11:06:43 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Aug 2008 11:06:43 -0400
Subject: [Emerging-Sigs] SidReporter Beta Testers
Message-ID: <48986C83.2020007@jonkmans.com>

As mentioned a few weeks ago, we've been working to bring out a tool to anonymously report IDS/IPS hits. Similar to DShield's firewall log reporting, we believe we can make some incredible data inferences with this information, as well as help improve the quality of our signatures while giving us all feedback to tune our rulesets.

But that's just the start. As with DShield's data, I think we'll run into benefits to the community that we can't even imagine until we start to look at the data.

Our tool to do that event collection and reporting is ready to beta test. We're looking for a few brave souls to run the tool and give us some feedback on the install and setup process. We'll migrate this tool directly into production within a week or so we expect.

SidReporter works by accessing your snort database directly and extracting events. NO PAYLOADS or other sensitive data are accessed or reported. Just SID, Rev, Time and IP. You can choose to obfuscate local IP addresses if you choose, and then it's all packed up into a pgp encrypted email and sent directly to Emerging Threats.

Once we have this data flowing we'll look at what reports are going to be most useful to you as the information provider.
Comparisons like how your events compare to other sites, what you're seeing that others aren't, and what others are seeing that you might not be. We believe this will be a great tool to help you not only understand what trends are coming in attacks globally, but also to tune your own ruleset based on what you're not seeing, or seeing enough of, that other sites are reporting.

We'll also have some publicly available analysis showing trends in signatures, ip correlation of bots and the like, the possibilities are endless. But to get the most value you'll have to contribute events completely anonymously. If you choose to log in to see your hits correlated with others you'll get the greatest benefit, but you'll just be a number there. You will remain anonymous.

So please, take a few minutes to run the SidReporter and send us some data. Obfuscate if you're worried about privacy, but know that we're committed to protecting your data! This tool was written by Victor Julien, he's done a great job of building in obfuscation tools.

You can download SidReporter here:
http://www.emergingthreats.net/sidreporter/
http://www.emergingthreats.net/sidreporter/sidreporter-beta1.tar.gz

If you'd like to beta test you can just download and try it out, or contact me off list to arrange a test. All data collected during this initial beta will be destroyed before we go live.

Thanks!
Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From pepperjack at afferentsecurity.com Tue Aug 5 11:50:24 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Tue, 05 Aug 2008 10:50:24 -0500
Subject: [Emerging-Sigs] DNS Sigs
In-Reply-To: <8f3861b10808050338o6b8293abla7fef89ef4587ef5@mail.gmail.com>
References: <488891E2.1090002@jonkmans.com> <8f3861b10808050338o6b8293abla7fef89ef4587ef5@mail.gmail.com>
Message-ID: <20080805105024.d0ue7q5v0gww8o0k@mail.afferentsecurity.com>

Quoting José Miguel Holguín Aparicio:

> I have alerts between two DNS servers from rule sid 2008446:
>
> emerging.rules:alert udp any 53 -> $DNS_SERVERS any (msg:"ET
> CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10
> seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6;
> byte_test:2,>,0,10; threshold: type both, track by_src, count 100,
> seconds 10; classtype:bad-unknown; sid:2008446; rev:8;)

yeah, dns servers will do this all the time. Maybe change the source ip to !$DNS_SERVERS

jp

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com


From gregm at econet.com Tue Aug 5 13:11:52 2008
From: gregm at econet.com (Greg Martin)
Date: Tue, 5 Aug 2008 12:11:52 -0500
Subject: [Emerging-Sigs] SidReporter Beta Testers
In-Reply-To: <48986C83.2020007@jonkmans.com>
References: <48986C83.2020007@jonkmans.com>
Message-ID: <8CEBA0F2-987F-4FDC-8F58-7A993A054C53@econet.com>

Matt,

This is fantastic news. I have been using a similar system I wrote just a few months ago which tracks events by SID across hundreds of sensors, and I can attest that information is EXTREMELY enlightening. It allows you to track the size of botnets among other things. I would be happy to beta this tool...
One question, where will the master DB be located and who owns the rights to that data? Will it be open for the community to query at will?

-Greg

On Aug 5, 2008, at 10:06 AM, Matt Jonkman wrote:

> As mentioned a few weeks ago, we've been working to bring out tool to
> anonymously report IDS/IPS hits. Similar to DShield's firewall log
> reporting, we believe we can make some incredible data inferences with
> this information, as well as help improve the quality of our signatures
> while giving us all feedback to tune our rulesets.
>
> But that's just the start. As with DShield's data, I think we'll run
> into benefits to the community that we can't even imagine until we start
> to look at the data.
>
> Our tool to do that event collection and reporting is ready to beta
> test. We're looking for a few brave souls to run the tool and give us
> some feedback on the install and setup process. We'll migrate this tool
> directly into production within a week or so we expect.
>
> SidReporter works by accessing your snort database directly and
> extracting events. NO PAYLOADS or other sensitive data are accessed or
> reported. Just SID, Rev, Time and IP. You can choose to obfuscate local
> IP addresses if you choose, and then it's all packed up into a pgp
> encrypted email and sent directly to Emerging Threats.
>
> Once we have this data flowing we'll look at what reports are going to
> be most useful to you as the information provider. Comparisons like how
> your events compare to other sites, what you're seeing that others
> aren't, and what others are seeing that you might not be. We believe
> this will be a great tool to help you not only understand what trends
> are coming in attacks globally, but also to tune your own ruleset based
> on what you're not seeing, or seeing enough of, that other sites are
> reporting.
> > We'll also have some publicly available analysis showing trends in > signatures, ip correlation of bots and the like, the possibilities are > endless. But to get the most value you'll have to contribute events > completely anonymously. If you choose to log in to see your hits > correlated with others you'll get the greatest benefit, but you'll > just > be a number there. You will remain anonymous. > > So please, take a few minutes to run the SidReporter and send us some > data. Obfuscate if you're worried about privacy, but know that we're > committed to protecting your data! This tool was written by Victor > Julien, he's done a great job of building in obfuscation tools. > > You can download SidReporter here: > http://www.emergingthreats.net/sidreporter/ > http://www.emergingthreats.net/sidreporter/sidreporter-beta1.tar.gz > > If you'd like to beta test you can just download and try it out, or > contact me off list to arrange a test. All data collected during this > initial beta will be destroyed before we go live. > > Thanks! > > Matt > > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs Greg Martin Director InfoSecurity Econet Inc. 
- Sentinel IPS
972.991.5005 x102

From jonkman at jonkmans.com Tue Aug 5 13:22:51 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Aug 2008 13:22:51 -0400
Subject: [Emerging-Sigs] SidReporter Beta Testers
In-Reply-To: <8CEBA0F2-987F-4FDC-8F58-7A993A054C53@econet.com>
References: <48986C83.2020007@jonkmans.com> <8CEBA0F2-987F-4FDC-8F58-7A993A054C53@econet.com>
Message-ID: <48988C6B.8010900@jonkmans.com>

Glad you can give it a shot. Feedback on the install process is very welcome, the GnuPG module is a pain since the CPAN version is broken. Be sure to use your distro's version (via apt-get, yum, ports, etc).

As for DB access: We won't be allowing direct database access to the general public, primarily to ensure privacy of submitters. But we will be distributing the resulting data to the public as long as it's anonymous. This will be in the form of analysis, trending, known bad IPs (which will feed our IP rulesets), etc. Will eventually have a query interface similar to DShield to lookup trends for a sid or an attacker IP. But only after we've learned for CERTAIN how to make sure nothing source identifiable might be revealed there.

I don't expect we'll have issues with keeping anonymity of submitters, but we're going to move very slowly with this just to be sure.

What kinds of trends are you catching with your correlation?

matt

Greg Martin wrote:
> Matt,
>
> This is fantastic news, I have been using a similar system I wrote just
> a few months ago which tracks events by SID across hundreds of sensors
> and I can attest that information is EXTREMELY enlightening. It allows
> you to track the size of botnets among other things. I would be happy
> to beta this tool... One question, where will the master DB be located
> and who owns the rights to that data? Will it be open for the community
> to query at will?
>
> -Greg
>
>
> On Aug 5, 2008, at 10:06 AM, Matt Jonkman wrote:
>
>> [...]
>
> Greg Martin
> Director InfoSecurity
> Econet Inc.
- Sentinel IPS
> 972.991.5005 x102
>
>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From gregm at econet.com Tue Aug 5 13:40:53 2008
From: gregm at econet.com (Greg Martin)
Date: Tue, 5 Aug 2008 12:40:53 -0500
Subject: [Emerging-Sigs] SidReporter Beta Testers
In-Reply-To: <48988C6B.8010900@jonkmans.com>
References: <48986C83.2020007@jonkmans.com> <8CEBA0F2-987F-4FDC-8F58-7A993A054C53@econet.com> <48988C6B.8010900@jonkmans.com>
Message-ID:

>
> What kinds of trends are you catching with your correlation?

It all started for a similar reason, to create blacklists based on event type. What we found, as in the case of the ASPROX botnet, was that one ET signature (VARCHAR SQL Injection attack) could be used to track the size and growth rate of the botnet if enough diverse sensors were used. I was able to watch ASPROX go from 11,000 nodes in early July to the 66,000 it is at today...

As an experiment I hacked up an IP geomapping tool which was designed for plotting IP's from an apache access log file onto a world map or google map. I was able to essentially output a visual map of the botnet in near realtime. I would be happy to share my work with you guys if you want to incorporate this into your tool.

Here is a link to the map: http://infosec20.blogspot.com/2008/07/asprox-botnet-fingerprinted-11816.html

Another benefit I found was that by creating IP blacklists based on SID and pushing them to a firewall or IPS you can greatly minimize the threat of a botnet or worm, as in the case of ASPROX. The logistical challenge is updating the list and distributing it fast enough to keep up with newly infected zombies. Right now my lists update and propagate out on an hourly basis. To make that technology a public service it would likely need to incorporate p2p distribution to minimize one party's bandwidth expense.

-Greg

From jonkman at jonkmans.com Tue Aug 5 13:56:40 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 05 Aug 2008 13:56:40 -0400
Subject: [Emerging-Sigs] SidReporter Beta Testers
In-Reply-To:
References: <48986C83.2020007@jonkmans.com> <8CEBA0F2-987F-4FDC-8F58-7A993A054C53@econet.com> <48988C6B.8010900@jonkmans.com>
Message-ID: <48989458.9060502@jonkmans.com>

Greg Martin wrote:
> It all started for a similar reason, to create blacklists based on event
> type. What we found, as in the case of the ASPROX botnet, was that one ET
> signature (VARCHAR SQL Injection attack) could be used to track the
> size and growth rate of the botnet if enough diverse sensors were
> used. I was able to watch ASPROX go from 11,000 nodes in early July
> to the 66,000 it is at today...
>
> As an experiment I hacked up an IP geomapping tool which was designed
> for plotting IP's from an apache access log file onto a world map or
> google map. I was able to essentially output a visual map of the
> botnet in near realtime. I would be happy to share my work with you
> guys if you want to incorporate this into your tool.
>
> Here is a link to the map: http://infosec20.blogspot.com/2008/07/asprox-botnet-fingerprinted-11816.html
>

Looks great! Yes, some geo-ip work is definitely a goal here. Not only to have the global correlation abilities, but to have that for the individual contributor on a private basis. I think that kind of thing will be a nice addition to the SOC status wall kind of displays. An uptick in hits from a region will be very interesting if seen in realtime.

If you can share that it'll get us a step further down the road pretty quickly.
>
> Another benefit I found was that by creating IP blacklists
> based on SID and pushing them to a firewall or IPS you can greatly
> minimize the threat of a botnet or worm, as in the case of ASPROX. The
> logistical challenge is updating the list and distributing it fast
> enough to keep up with newly infected zombies. Right now my lists
> update and propagate out on an hourly basis. To make that
> technology a public service it would likely need to incorporate p2p
> distribution to minimize one party's bandwidth expense.
>

Have considered a public Snortsam feed to do this. We're definitely going to move that way, but we may have to re-engineer snortsam some, or develop something else, to handle the scale. We've done production tests with snortsam among 4 or 5 large organizations and that pushed it to its limits, load as well as keeping the data sane.

We have a lot to learn there yet, but we're going there.

Any other ideas as to how to massage this data for the submitters are very welcome!

Matt

>
>
> -Greg
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue Aug 5 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 5 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080805200008.B8B4B4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Aug 5 16:00:08 2008 [***]

[+++] Added rules: [+++]

2008493 - ET TROJAN Cutwail/W32.Small.avu Dropper (emerging-virus.rules)
2008494 - ET MALWARE Suspicious User-Agent (ieagent) (emerging-malware.rules)

[---] Removed rules: [---]

2008487 - ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (2):
2008493 || ET TROJAN Cutwail/W32.Small.avu Dropper
2008494 || ET MALWARE Suspicious User-Agent (ieagent)
-> Added to emerging-sid-msg.map.txt (2):
2008493 || ET TROJAN Cutwail/W32.Small.avu Dropper
2008494 || ET MALWARE Suspicious User-Agent (ieagent)
-> Added to emerging-virus.rules (1):
#by Josh Smith

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (1):
2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin
-> Removed from emerging-sid-msg.map.txt (1):
2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin
-> Removed from emerging-virus.rules (1):
#by pedro marinho, re 1d5f4c0224a6772ec46e8aec83c7f948

From emerging at emergingthreats.net Wed Aug 6 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 6 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20080806200008.0BC564502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Wed Aug 6 16:00:07 2008 [***] [+++] Added rules: [+++] 2008495 - ET MALWARE Suspicious User-Agent (antispyprogram) (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (1): 2008495 || ET MALWARE Suspicious User-Agent (antispyprogram) -> Added to emerging-sid-msg.map.txt (1): 2008495 || ET MALWARE Suspicious User-Agent (antispyprogram) [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (2): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from emerging-sid-msg.map.txt (2): 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org From emerging at emergingthreats.net Thu Aug 7 16:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Thu, 7 Aug 2008 16:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20080807200008.A05234502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Thu Aug 7 16:00:08 2008 [***] [+++] Added rules: [+++] 2008496 - ET TROJAN Unknown Initial Checkin (emerging.rules) 2008497 - ET TROJAN Unknown Checkin (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (2): 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin -> Added to emerging-sid-msg.map.txt (2): 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin -> Added to emerging.rules (1): #Another unknown, needs a name. 
Sig by Pedro Marinho

From frank at knobbe.us Thu Aug 7 16:46:10 2008
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 07 Aug 2008 15:46:10 -0500
Subject: [Emerging-Sigs] SidReporter Beta Testers
In-Reply-To: <48989458.9060502@jonkmans.com>
References: <48986C83.2020007@jonkmans.com> <8CEBA0F2-987F-4FDC-8F58-7A993A054C53@econet.com> <48988C6B.8010900@jonkmans.com> <48989458.9060502@jonkmans.com>
Message-ID: <1218141970.1305.158.camel@localhost>

On Tue, 2008-08-05 at 13:56 -0400, Matt Jonkman wrote:
> Have considered a public Snortsam feed to do this. We're definitely
> going to move that way, but we may have to re-engineer snortsam some, or
> develop something else, to handle the scale. We've done production tests
> with snortsam among 4 or 5 large organizations and that pushed it to
> its limits, load as well as keeping the data sane.

Remember the shared Snortsam hub we ran a couple years ago? It had shown that there are limitations. First, the trust issue. You have to implicitly trust your next hop partner, which is not a problem (wasn't for us back then). But as you add more people, and blocks take a longer route, you can not rely on trusting the next-hop nodes. Instead, the block originators need to be trusted. Back then I thought about adding some sort of signature-based system that could authenticate the block originator. There are still some issues with that approach though, and a fixed-link network cloud doesn't seem to be the best transport there. I was considering doing a complete rewrite and make it DNS based :) (The reason for that is just the simplicity of the implementation :)

Further, different folks have different duration settings. I had added all those options to Snortsam to address that, like upper/lower limits, SID accept/reject by link etc. Of course if you move from a by-link setup to a by-originator setup, that may need adjustment as well.

I have long considered taking this further, but had come to the realization that Snortsam is just not the best tool for that. Snortsam is great for large networks within the same trust and control zone. Even though *our* network includes all of our client networks, it's doable since we are managing it. As soon as you have independent groups manage their islands, and try to work together, the current Snortsam model is not ideal.

Also, from our experiment years ago I learned that the *value* of blocks actually decreases. The more dispersed nodes/people you add, the more the chances are that the IP someone observed won't hit you. Back when we snooped botnet C&C channels and blocked the zombies, it was clear that out of the 20,000+ blocked machines, only a very few would ever hit you. The same somewhat applies to the current attempts to collect botnet zombie IP's. If you have a pool of 20K IP's, how many of those are actually observed on your island? And if you have multiple islands, they all have their own segment of zombies they get hit by, but not much correlation between them. Perhaps Greg can share some statistical data on his Asprox zombies and his islands.

Personally I'm of the opinion that the more IP's are out there, the lesser the value of proactively blocking them actually. Of course this applies to zombies only. Blocking of controllers, malware domains (except fast-fluxers) is still well worth the effort.

Likewise I'm not sure how much value there is in providing a massive amount of shared IP's. Again, the probability of an IP of reporter A actually hitting a network of consumer B decreases with an increase in the amount of IP's. Then there is the challenge of blocking 50,000 IP addresses on conventional firewalls. (I have designs for a firewall that could actually handle it, and may entertain that as another business in a couple years (unless someone beats me to it :), but current firewalls are not designed for such a large amount of hostile IP's.)

The reports will certainly be useful for informational purposes, such as growth time of a new infection, spreading behavior and direction and such. Great for research purposes.

I'm afraid that the DNS-BH/malware-domain sorta approach will hit capacity limits very soon as well. With the rate new domains are registered, it's a challenge to keep up. One of my malware domains databases I recently created is very young but already has more than 20K domains. That's domains, not IP's... it has more IP's than domains :) If you like to see for yourself, just keep track of any changes to malware domains for example. Likewise, check out the amount of domains in Google's phish list (I think it was Google). It's a huge amount as well.

I guess it comes down to the old truism: "Enumerating badness" is the wrong way to go. Look at the spectacular failure of Anti-virus. You'll have the same issue with domains and IP's. I think it's high-time for some new approaches and tools. (Or, oh yeah, we could just fix our broken IT stuff :)

Cheers,
Frank
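The two measurements argued over in Greg's and Frank's messages above (the size of a botnet estimated from distinct source IPs firing one SID across many sensors, and how much of a pooled zombie list a single island would ever actually see), worked through in Python as an added example; this is not code from the thread or from SidReporter, and the sensor names, event dates, IP addresses and the placeholder SID value are all constructed.

```python
"""Cross-sensor correlation of IDS hits by SID, over constructed sample data.

Answers two questions from the SidReporter thread:
  1. how many distinct source IPs trigger one signature across all sensors
     over time (Greg's botnet-size curve), and
  2. what fraction of the attacker pool reported by everyone else a single
     sensor ("island") observed itself (Frank's objection to large shared
     zombie blocklists).
"""
from collections import defaultdict

# Constructed sample events, not real sensor data: (sensor, sid, src_ip, day).
# SID 9900001 is a placeholder for the VARCHAR SQL injection signature Greg
# mentions; the thread does not give its real SID.
SQLI_SID = 9900001
SAMPLE_EVENTS = [
    ("island-a", SQLI_SID, "198.51.100.1", "2008-07-01"),
    ("island-a", SQLI_SID, "198.51.100.2", "2008-07-01"),
    ("island-b", SQLI_SID, "198.51.100.2", "2008-07-01"),
    ("island-a", SQLI_SID, "198.51.100.3", "2008-07-02"),
    ("island-b", SQLI_SID, "203.0.113.7", "2008-07-02"),
    ("island-a", 2008077, "192.0.2.5", "2008-07-02"),      # other SID, ignored
    ("island-b", SQLI_SID, "203.0.113.8", "2008-07-03"),
    ("island-c", SQLI_SID, "203.0.113.9", "2008-07-03"),
    ("island-c", SQLI_SID, "198.51.100.3", "2008-07-03"),
    ("island-a", SQLI_SID, "198.51.100.1", "2008-07-03"),  # repeat hit, same IP
]


def attackers_by_sensor(events, sid):
    """Map sensor name -> set of source IPs that fired `sid` on that sensor."""
    seen = defaultdict(set)
    for sensor, event_sid, src, _day in events:
        if event_sid == sid:
            seen[sensor].add(src)
    return dict(seen)


def cumulative_size_by_day(events, sid):
    """Cumulative count of distinct source IPs for `sid` across all sensors,
    keyed by day. This is the growth curve Greg describes (11,000 nodes in
    early July to 66,000 for ASPROX); each IP counts once, however many
    sensors or days it shows up on."""
    new_per_day = defaultdict(set)
    for _sensor, event_sid, src, day in events:
        if event_sid == sid:
            new_per_day[day].add(src)
    total, curve = set(), {}
    for day in sorted(new_per_day):
        total |= new_per_day[day]
        curve[day] = len(total)
    return curve


def shared_list_hit_rate(events, sid, consumer):
    """Of the attacker IPs reported by every sensor except `consumer`, return
    the fraction that `consumer` itself observed. That is the chance an entry
    on a pooled blocklist would ever reach this island; Frank's point is that
    it falls as more independent reporters are added."""
    per_sensor = attackers_by_sensor(events, sid)
    mine = per_sensor.get(consumer, set())
    pooled = set()
    for sensor, ips in per_sensor.items():
        if sensor != consumer:
            pooled |= ips
    if not pooled:
        return 0.0
    return len(pooled & mine) / len(pooled)


if __name__ == "__main__":
    print("botnet size curve:", cumulative_size_by_day(SAMPLE_EVENTS, SQLI_SID))
    for island in sorted(attackers_by_sensor(SAMPLE_EVENTS, SQLI_SID)):
        rate = shared_list_hit_rate(SAMPLE_EVENTS, SQLI_SID, island)
        print(f"{island}: {rate:.0%} of the pooled list was seen locally")
```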
From schandan at secpod.com Fri Aug 8 08:14:06 2008
From: schandan at secpod.com (chandan)
Date: Fri, 08 Aug 2008 17:44:06 +0530
Subject: [Emerging-Sigs] Xampp and New Facebook Rules
Message-ID: <489C388E.80005@secpod.com>

# 08/08/2008 New Facebook Malware
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Facebook Malware (picture_dl.exe)"; flow:to_server,established; content:"GET "; depth:5; uricontent:"/picture_dl.exe"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/security/blog/2008/08/1632.html; sid:9023; rev:1;)

# 08/08/2008 Xampp
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XAMPP for Linux text Parameter Multiple XSS Vulnerability-1"; flow:established,to_server; content:"GET "; depth:5; uricontent:"/iart.php?"; nocase; uricontent:"text="; nocase; pcre:"/script>?.*?/Ui"; classtype:web-application-attack; reference:bugtraq,30535; reference:url,www.securityfocus.com/archive/1/495096; sid:9022; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XAMPP for Linux text Parameter Multiple XSS Vulnerability-2"; flow:established,to_server; content:"GET "; depth:5; uricontent:"/ming.php?"; nocase; uricontent:"text="; nocase; pcre:"/script>?.*?/Ui"; classtype:web-application-attack; reference:bugtraq,30535; reference:url,www.securityfocus.com/archive/1/495096; sid:9021; rev:1;)

Thanks!!
Chandan

From jonkman at jonkmans.com Fri Aug 8 10:02:53 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 08 Aug 2008 10:02:53 -0400
Subject: [Emerging-Sigs] Xampp and New Facebook Rules
In-Reply-To: <489C388E.80005@secpod.com>
References: <489C388E.80005@secpod.com>
Message-ID: <489C520D.5070508@jonkmans.com>

The facebook one is good, hadn't thought of putting one up. Thanks Chandan.
The xampp ones, I don't see where we can effectively sig the exploit there. These are going to false positive far too much I fear. Matt chandan wrote: > # 08/08/2008 New Facebook Malware > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Facebook > Malware (picture_dl.exe)"; flow:to_server,established; content:"GET "; > depth:5; uricontent:"/picture_dl.exe"; nocase; > classtype:trojan-activity; > reference:url,www.sophos.com/security/blog/2008/08/1632.html; sid:9023; > rev:1;) > > # 08/08/2008 Xampp > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XAMPP for > Linux text Parameter Multiple XSS Vulnerability-1"; > flow:established,to_server; content:"GET "; depth:5; > uricontent:"/iart.php?"; nocase; uricontent:"text="; nocase; > pcre:"/script>?.*?/Ui"; classtype:web-application-attack; > reference:bugtraq,30535; > reference:url,www.securityfocus.com/archive/1/495096; sid:9022; rev:1;) > > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XAMPP for > Linux text Parameter Multiple XSS Vulnerability-2"; > flow:established,to_server; content:"GET "; depth:5; > uricontent:"/ming.php?"; nocase; uricontent:"text="; nocase; > pcre:"/script>?.*?/Ui"; classtype:web-application-attack; > reference:bugtraq,30535; > reference:url,www.securityfocus.com/archive/1/495096; sid:9021; rev:1;) > > Thanks!! 
> Chandan > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From emerging at emergingthreats.net Fri Aug 8 16:00:09 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Fri, 8 Aug 2008 16:00:09 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20080808200009.3AA134502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Fri Aug 8 16:00:09 2008 [***] [+++] Added rules: [+++] 2008498 - ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (1): 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html -> Added to emerging-sid-msg.map.txt (1): 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html -> Added to emerging.rules (2): #by Chandan, for the recent worm spreading # 08/08/2008 New Facebook Malware From emerging at emergingthreats.net Sat Aug 9 18:00:08 2008 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 9 Aug 2008 18:00:08 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes Message-ID: <20080809220008.71E9C4502B@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Aug 9 18:00:08 2008 [***] [+++] Added rules: [+++] 2008491 - ET TROJAN Banker.OT Checkin (2 packet) (emerging-virus.rules) 2008492 - ET TROJAN Win32.Downloader.pgp Checkin (emerging-virus.rules) 2008493 - ET TROJAN Cutwail/W32.Small.avu Dropper 
(emerging-virus.rules) 2008494 - ET MALWARE Suspicious User-Agent (ieagent) (emerging-malware.rules) 2008495 - ET MALWARE Suspicious User-Agent (antispyprogram) (emerging-malware.rules) 2008496 - ET TROJAN Unknown Initial Checkin (emerging.rules) 2008497 - ET TROJAN Unknown Checkin (emerging.rules) 2008498 - ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) (emerging.rules) [///] Modified active rules: [///] 2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) (emerging.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot 
C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic 
(group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [---] Removed rules: [---] 2007988 - ET TROJAN Banker Trojan (General) HTTP Checkin (emerging-virus.rules) 2008487 - ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin (emerging-virus.rules) 2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules) 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1254 # Generated 2008-08-09 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1254 # Generated 2008-08-09 00:03:02 EDT -> Added to emerging-sid-msg.map (9): 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || 
url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008491 || ET TROJAN Banker.OT Checkin (2 packet) 2008492 || ET TROJAN Win32.Downloader.pgp Checkin 2008493 || ET TROJAN Cutwail/W32.Small.avu Dropper 2008494 || ET MALWARE Suspicious User-Agent (ieagent) 2008495 || ET MALWARE Suspicious User-Agent (antispyprogram) 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html -> Added to emerging-sid-msg.map.txt (9): 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008491 || ET TROJAN Banker.OT Checkin (2 packet) 2008492 || ET TROJAN Win32.Downloader.pgp Checkin 2008493 || ET TROJAN Cutwail/W32.Small.avu Dropper 2008494 || ET MALWARE Suspicious User-Agent (ieagent) 2008495 || ET MALWARE Suspicious User-Agent (antispyprogram) 2008496 || ET TROJAN Unknown Initial Checkin 2008497 || ET TROJAN Unknown Checkin 2008498 || ET CURRENT_EVENTS Likely Facebook Malware Download (picture_dl.exe) || url,www.sophos.com/security/blog/2008/08/1632.html -> Added to emerging-virus.rules (2): #by Josh Smith #1982f2f77701dfb0f26f51fc7c2978f2 -> Added to emerging.rules (3): #by Chandan, for the recent worm spreading # 08/08/2008 New Facebook Malware #Another unknown, needs a name. 
Sig by Pedro Marinho [---] Removed non-rule lines: [---] -> Removed from emerging-drop-BLOCK.rules (2): # VERSION 1247 # Generated 2008-08-02 00:03:02 EDT -> Removed from emerging-drop.rules (2): # VERSION 1247 # Generated 2008-08-02 00:03:02 EDT -> Removed from emerging-sid-msg.map (5): 2007988 || ET TROJAN Banker Trojan (General) HTTP Checkin 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from emerging-sid-msg.map.txt (5): 2007988 || ET TROJAN Banker Trojan (General) HTTP Checkin 2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) || url,www.sophos.com/security/blog/2008/07/1599.html || url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146 2008487 || ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin 2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org 2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from emerging-virus.rules (1): #by pedro marinho, re 1d5f4c0224a6772ec46e8aec83c7f948 From jim.mcquaid at gmail.com Sun Aug 10 11:59:48 2008 From: jim.mcquaid at gmail.com (James McQuaid) Date: Sun, 10 Aug 2008 11:59:48 -0400 Subject: [Emerging-Sigs] RussianBusinessNetworkIPs updated Message-ID: I have updated 
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

The file includes new affiliates and IP addresses. I have yet to supply Matt with the diff...

Also, note that Georgia's IP space is under attack by Russia:

http://rbnexploit.blogspot.com/

--
James McQuaid
http://www.jamesmcquaid.com


From emerging at emergingthreats.net  Mon Aug 11 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 11 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080811200008.23F4A4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Aug 11 16:00:08 2008 [***]

[+++] Added rules: [+++]

   2008499 - ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) (emerging.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (1):
   2008499 || ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) || url,info.prevx.com/aboutprogramtext.asp?PX5=8F3D24A4003F66983457019EED05CB00A97B99D5

 -> Added to emerging-sid-msg.map.txt (1):
   2008499 || ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) || url,info.prevx.com/aboutprogramtext.asp?PX5=8F3D24A4003F66983457019EED05CB00A97B99D5

 -> Added to emerging.rules (1):
   #by Will Metcalf, regarding the fake CNN alerts out there


From jim.mcquaid at gmail.com  Mon Aug 11 23:04:46 2008
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Mon, 11 Aug 2008 23:04:46 -0400
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 9, Issue 11
In-Reply-To:
References:
Message-ID:

Hello Everyone,

Dancho, Jart and I have been busy:

"Real Time Cyber Attack Details Against Georgia Russia's SVR Seen Acting in Collusion with the Criminal RBN"

http://securehomenetwork.blogspot.com/
http://blogs.zdnet.com/security/?p=1670
http://rbnexploit.blogspot.com/

---
James McQuaid
http://www.jamesmcquaid.com


From jonkman at jonkmans.com  Tue Aug 12 09:59:31 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 12 Aug 2008 09:59:31 -0400
Subject: [Emerging-Sigs] SidReporter Beta 2
Message-ID: <48A19743.4040803@jonkmans.com>

Thanks to all who tested beta1 of the SidReporter. Things went well, but we of course found a few things to improve.

Beta2 is available here:

http://www.emergingthreats.net/sidreporter/sidreporter-beta2.tar.gz

With the following updates:

- Added ability to select sensors by name to be included or excluded from reporting, for example to choose only your external sensor's events to be reported.

- Added hard event limits to be reported per run for performance
  We don't want the load of a massive string of hits to be compounded by the reporting tool trying to report them all. This will limit to a max number of events per run.

- -p to print config

- Reporting only current and future events, not long term historical for performance
  Initial setups had some load issues if they stored long term historical data, the tool wanted to report them all. This will no longer be the case, only the same day's events and future will be reported.

Thanks again to our initial testers. This version is very close to a production release, I don't expect many other changes. So please give this a try and we'll start getting some statistics and trends generated!!
Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From emerging at emergingthreats.net  Tue Aug 12 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 12 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080812200008.B347D4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Aug 12 16:00:08 2008 [***]

[+++] Added rules: [+++]

   2008500 - ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup) (emerging-malware.rules)
   2008501 - ET TROJAN Peed Report to Controller (emerging-virus.rules)
   2008502 - ET TROJAN Antispywareexpert.com Fake AS Install Checkin (emerging-virus.rules)
   2008503 - ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software) (emerging-malware.rules)
   2008504 - ET MALWARE Suspicious User-Agent (SUiCiDE/1.5) (emerging-malware.rules)
   2008505 - ET MALWARE Adaware.BarACE Checkin and Update (emerging-virus.rules)

[///] Modified active rules: [///]

   2008279 - ET MALWARE ZenoSearch Spyware User-Agent (emerging-malware.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (6):
   2008500 || ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup)
   2008501 || ET TROJAN Peed Report to Controller
   2008502 || ET TROJAN Antispywareexpert.com Fake AS Install Checkin
   2008503 || ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)
   2008504 || ET MALWARE Suspicious User-Agent (SUiCiDE/1.5)
   2008505 || ET MALWARE Adaware.BarACE Checkin and Update || url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2

 -> Added to emerging-sid-msg.map.txt (6):
   2008500 || ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup)
   2008501 || ET TROJAN Peed Report to Controller
   2008502 || ET TROJAN Antispywareexpert.com Fake AS Install Checkin
   2008503 || ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)
   2008504 || ET MALWARE Suspicious User-Agent (SUiCiDE/1.5)
   2008505 || ET MALWARE Adaware.BarACE Checkin and Update || url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2

 -> Added to emerging-virus.rules (1):
   #by matt jonkman, www.antispywareexpert.com


From markus.lude at gmx.de  Wed Aug 13 07:59:47 2008
From: markus.lude at gmx.de (Markus Lude)
Date: Wed, 13 Aug 2008 13:59:47 +0200
Subject: [Emerging-Sigs] sids 2400005/2401005: empty list
Message-ID: <20080813115947.GA25141@fuseki.my.domain>

Hello,

the source network list in sids 2400005 and 2401005 is empty:

alert tcp [] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2400005; rev:1258;)

alert tcp [] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2401005; rev:1258; fwsam: src, 30 days;)

Regards,
Markus


From jonkman at jonkmans.com  Wed Aug 13 10:11:38 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 13 Aug 2008 10:11:38 -0400
Subject: [Emerging-Sigs] sids 2400005/2401005: empty list
In-Reply-To: <20080813115947.GA25141@fuseki.my.domain>
References: <20080813115947.GA25141@fuseki.my.domain>
Message-ID: <48A2EB9A.2040403@jonkmans.com>

Fixed up, thanks Markus!
Matt

Markus Lude wrote:
> Hello,
> the source network list in sids 2400005 and 2401005 is empty:
>
> alert tcp [] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed
> Traffic Inbound"; flow:established;
> reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit,
> track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2400005;
> rev:1258;)
> alert tcp [] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed
> Traffic Inbound - BLOCKING SOURCE"; flow:established;
> reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit,
> track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2401005;
> rev:1258; fwsam: src, 30 days;)
>
> Regards,
> Markus
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From emerging at emergingthreats.net  Wed Aug 13 16:00:09 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 13 Aug 2008 16:00:09 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080813200009.133AB4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Aug 13 16:00:08 2008 [***]

[*] Rules modifications: [*]
   None.
[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (6):
   2400005 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400006 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2401005 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401006 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

 -> Added to emerging-sid-msg.map.txt (6):
   2400005 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400006 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2401005 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401006 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso


From jsteffens at ioactive.com  Wed Aug 13 19:15:38 2008
From: jsteffens at ioactive.com (Jennifer Steffens)
Date: Wed, 13 Aug 2008 16:15:38 -0700 (PDT)
Subject: [Emerging-Sigs] Defcon Freakshow Thanks
Message-ID: <5569009.331218669338307.OPEN-XCHANGE.WebMail.tomcat@nexus.ioactive.com>

Hey all,

Great turn out by the emerging community at our Freakshow. You guys rock! Hopefully everyone had a freaktastic time and I lived up to my reputation for "working" a corporate credit card (now if only someone would give me an actual corporate credit card I'd be all set).
Extra big thanks to everyone who tracked me down at Black Hat or Defcon to say hello... it was great to finally meet so many folks face to face.

This is only the first of many so if anyone has any feedback or ideas on how we can make it even bigger and better next year, let me know. Or other cons that could use a little more freak in their schedule!

Cheers,
Sunshine a.k.a. Jennifer

--
Jennifer Steffens
Senior Manager
IOActive, Inc
C: 202.409.7707
www.ioactive.com


From emerging at emergingthreats.net  Thu Aug 14 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 14 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080814200008.8BF1D4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Aug 14 16:00:08 2008 [***]

[///] Modified active rules: [///]

   2008453 - ET SCAN Tomcat Auth Brute Force attempt (admin) (emerging-scan.rules)
   2008454 - ET SCAN Tomcat Auth Brute Force attempt (tomcat) (emerging-scan.rules)
   2008455 - ET SCAN Tomcat Auth Brute Force attempt (manager) (emerging-scan.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (2):
   2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
   2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

 -> Added to emerging-sid-msg.map.txt (2):
   2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
   2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org


From jim.mcquaid at gmail.com  Fri Aug 15 22:46:03 2008
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Fri, 15 Aug 2008 22:46:03 -0400
Subject: [Emerging-Sigs] regarding the cyber attack on Georgia attribution debate
Message-ID:

There is now a debate underway regarding who to attribute the cyber attacks on Georgia to.
The attacks which originated from RBN IP space in Turkish Telekom were RBN: there is no question about the facts, and there is no compelling reason to doubt the implications.

There were also attacks from nationalist mania stricken Russian citizens (the so called hacktivists) originating from Russia.

We should think carefully about the motivations of those who prefer to focus on the hacktivists, but who do not want to consider the RBN activity:

- Presumably, the hacktivists are unsophisticated, uncontrollable, and should be ignored as simpleton fanatics.

- By refusing to acknowledge the RBN action, the effect is to ignore the potential linkage between the SVR and the RBN.

It should be noted that the hacktivist attacks took place after the military events reached public awareness. Contrastingly, the RBN attacks from Turkey took place * prior * to the military events.

Analysts should coldly look at the facts. Those bearing some other agenda will always defer to that agenda.

Clearly, there is a lot of spin control underway...
--
James McQuaid
http://www.jamesmcquaid.com


From emerging at emergingthreats.net  Sat Aug 16 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 16 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080816200008.AB5204502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Aug 16 16:00:08 2008 [***]

[+++] Added rules: [+++]

   2008506 - ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (1):
   2008506 || ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected

 -> Added to emerging-sid-msg.map.txt (1):
   2008506 || ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected

 -> Added to emerging-virus.rules (1):
   #ref: 5b0db5cfe1699345f3a077b8f62aaaff

[---] Removed non-rule lines: [---]

 -> Removed from emerging-sid-msg.map (2):
   2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
   2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org

 -> Removed from emerging-sid-msg.map.txt (2):
   2404020 || ET DROP Known Bot C&C Server Traffic (group 21) || url,www.shadowserver.org
   2405020 || ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE || url,www.shadowserver.org


From emerging at emergingthreats.net  Sat Aug 16 18:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 16 Aug 2008 18:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20080816220008.E94304502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Aug 16 18:00:08 2008 [***]

[+++] Added rules: [+++]

   2008499 - ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) (emerging.rules)
   2008500 - ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup) (emerging-malware.rules)
   2008501 - ET TROJAN Peed Report to Controller (emerging-virus.rules)
   2008502 - ET TROJAN Antispywareexpert.com Fake AS Install Checkin (emerging-virus.rules)
   2008503 - ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software) (emerging-malware.rules)
   2008504 - ET MALWARE Suspicious User-Agent (SUiCiDE/1.5) (emerging-malware.rules)
   2008505 - ET MALWARE Adaware.BarACE Checkin and Update (emerging-virus.rules)
   2008506 - ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected (emerging-virus.rules)
   2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
   2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
   2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)

[///] Modified active rules: [///]

   2008279 - ET MALWARE ZenoSearch Spyware User-Agent (emerging-malware.rules)
   2008453 - ET SCAN Tomcat Auth Brute Force attempt (admin) (emerging-scan.rules)
   2008454 - ET SCAN Tomcat Auth Brute Force attempt (tomcat) (emerging-scan.rules)
   2008455 - ET SCAN Tomcat Auth Brute Force attempt (manager) (emerging-scan.rules)
   2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
   2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
   2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
   2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
   2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
   2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
   2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
   2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
   2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
   2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
   2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
   2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
   2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
   2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
   2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
   2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
   2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
   2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
   2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
   2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
   2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
   2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
   2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
   2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
   2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
   2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
   2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
   2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
   2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
   2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-drop-BLOCK.rules (2):
   # VERSION 1267
   # Generated 2008-08-16 00:03:02 EDT

 -> Added to emerging-drop.rules (2):
   # VERSION 1267
   # Generated 2008-08-16 00:03:02 EDT

 -> Added to emerging-sid-msg.map (14):
   2008499 || ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) || url,info.prevx.com/aboutprogramtext.asp?PX5=8F3D24A4003F66983457019EED05CB00A97B99D5
   2008500 || ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup)
   2008501 || ET TROJAN Peed Report to Controller
   2008502 || ET TROJAN Antispywareexpert.com Fake AS Install Checkin
   2008503 || ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)
   2008504 || ET MALWARE Suspicious User-Agent (SUiCiDE/1.5)
   2008505 || ET MALWARE Adaware.BarACE Checkin and Update || url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2
   2008506 || ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected
   2400005 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400006 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2401005 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401006 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

 -> Added to emerging-sid-msg.map.txt (14):
   2008499 || ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) || url,info.prevx.com/aboutprogramtext.asp?PX5=8F3D24A4003F66983457019EED05CB00A97B99D5
   2008500 || ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup)
   2008501 || ET TROJAN Peed Report to Controller
   2008502 || ET TROJAN Antispywareexpert.com Fake AS Install Checkin
   2008503 || ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)
   2008504 || ET MALWARE Suspicious User-Agent (SUiCiDE/1.5)
   2008505 || ET MALWARE Adaware.BarACE Checkin and Update || url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2
   2008506 || ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected
   2400005 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400006 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2400007 || ET DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
   2401005 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401006 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
   2401007 || ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso

 -> Added to emerging-virus.rules (2):
   #by matt jonkman, www.antispywareexpert.com
   #ref: 5b0db5cfe1699345f3a077b8f62aaaff

 -> Added to emerging.rules (1):
   #by Will Metcalf, regarding the fake CNN alerts out there

[---] Removed non-rule lines: [---]

 -> Removed from emerging-drop-BLOCK.rules (2):
   # VERSION 1254
   # Generated 2008-08-09 00:03:02 EDT

 -> Removed from emerging-drop.rules (2):
   # VERSION 1254
   # Generated 2008-08-09 00:03:02 EDT


From emerging at emergingthreats.net  Sun Aug 17 16:00:08 2008
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 17 Aug 2008 16:00:08 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20080817200008.D75EA4502B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Aug 17 16:00:08 2008 [***]

[+++] Added rules: [+++]

   2008507 - ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (1):
   2008507 || ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller

 -> Added to emerging-sid-msg.map.txt (1):
   2008507 || ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller

 -> Added to emerging-virus.rules (1):
   #matt jonkman, re 0ec9e59de960ec4a7d585a9ad7fc5719


From jim.mcquaid at gmail.com  Sun Aug 17 21:45:57 2008
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Sun, 17 Aug 2008 21:45:57 -0400
Subject: [Emerging-Sigs] Frank Knobbe's suggestion
Message-ID:

At Frank Knobbe's suggestion I have added:

http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBNExploitDomains.txt

to the Snort Config Samples Project. This parseable file lists 11,741 hostile RBN domains. Among those added this week are:

69.41.183.74/32
   ns2.malwaredestructor.net
69.41.183.75/32
   mail.red-host.com
   ns3.malwarecrush.com
   red-host.com
69.41.183.76/32
   ns3.fantasticdollars.com
   ns3.malwarecrush2008.com
   ns2.privacyguarantor.net
69.41.183.77/32
   ns4.contravirus.biz
69.41.183.78/32
   ns3.pyroantispy.com
69.41.183.98/32
   malwaredestructor.com
   *.malwaredestructor.com
   mail.pyroantispy.com
69.41.183.101/32
   mail.pyroantispy.com
69.50.160.211/32
   contravirus.biz
   contraviruspro.com
69.50.189.34/32
   ns1.privacyguarantor.net
74.54.56.227/32
   b.teamvii.com
77.73.98.2/32
   ns3.pcprivacycleaner.com
77.244.220.134/32
   avxp-08.com
   antivirus-xp-08.com
   antivirusxp-08.com
   antivirusxp08.net
   antivirxp08.com
   av-xp-2008.com
   avxp2008.com
   ip-77-244-220-134.user.rsspnet.ru
   mail.antivirus-xp-08.com
   mail.antivirusxp-08.com
   mail.antivirusxp08.net
   mail.antivirxp08.com
   mail.av-xp-2008.com
   mail.avxp-08.com
   mail.avxp2008.com
   ns1.antivirus-xp-08.com
   ns1.antivirusxp-08.com
   ns1.antivirusxp-2008.com
   ns1.antivirusxp08.net
   ns1.antivirxp08.com
   ns1.av-xp-2008.com
   ns1.avxp-08.com
   ns1.avxp08.com
   ns1.avxp2008.com
   ns1.axpfixer.com
   ns2.antivirus-xp-08.com
   ns2.antivirusxp-08.com
   ns2.av-xp-2008.com
   ns2.avxp-08.com
   www.antivirusxp08.net
78.47.168.82/32
   antispyware2008.name
78.157.142.7/32
   *.antivir64.com
   antivir64.com
   antivirus-2008a-pro.com
   antivirus-2008y-pro.com
   scanner.antivir64.com
78.157.143.163/32
   *.atubez.info
   www.atubez.info
78.157.143.164/32
   antivirusdoc-scanner.net
   ns1.antivirusdoc-scanner.net
   ns2.antivirusdoc-scanner.net
78.157.143.190/32
   mail.myfavoritetube.net
   ns.mysoftupdate.com
78.157.143.191/32
   myfavoritetube.net
   mysoftupdate.com
   ns.myfavoritetube.net
   ns0.myfavoritetube.net
78.157.143.192/32
   ns1.myadultcube.com
   ns2.hqvideoporn.com
   ns2.pornotube8.net
78.157.143.198/32
   *.updatecube.com
   ns.updatecube.com
   ns0.softnode.info
   ns1.updatecube.com
   ns2.updatecube.com
   updatecube.com
78.157.143.199/32
   *.softnode.info
   ns.softnode.info
   ns0.updatecube.com
   softnode.info
   softupdatesite.com
78.157.143.217/32
   *.hqvideoporn.com
   *.myadultcube.com
   *.pornotube8.net
   hqvideoporn.com
   myadultcube.com
   ns1.hqvideoporn.com
   ns1.pornotube8.net
   ns2.myadultcube.com
   pornotube8.net
78.157.143.250/32
   *.anti-spy-ware-2008.com
   *.antispyware-2008-download.com
   *.antispyware-2008.info
   *.antispyware2008-download.com
   *.antispyware2008.name
   *.antispyware2008y.com
   *.megabestsoftnah-08.com
   *.ns1.antispyware2008y.com
   anti-spy-ware-2008.com
   mail.anti-spy-ware-2008.com
   mail.antispyware-2008-download.com
   mail.antispyware-2008.info
   mail.antispyware2008-download.com
   mail.antispyware2008y.com
   mail.ns1.antispyware2008y.com
   megabestsoftnah-08.com
   ns1.anti-spy-ware-2008.com
   ns1.megabestsoftnah-08.com
   ns2.anti-spy-ware-2008.com
   ns2.megabestsoftnah-08.com
   ns2.megabestsoftnah2008.com
   www.anti-spy-ware-2008.com
   www.antispyware-2008-download.com
   www.antispyware-2008.info
   www.antispyware2008-download.com
   www.antispyware2008y.com
85.17.45.3/32
   sharevirus.com
   mail.sharevirus.com
   ns1.sharevirus.com
   animezona.net
   mail.animezona.net
   swaplin.com
   mail.swaplin.com
85.17.45.50/32
   axpdefender08.com
   www.axpfixer.com
   axpfixer.com
   mail.axpfixer.com
   ns2.axpfixer.com
85.17.45.51/32
   spider2.ljpoisk.com
   www.avxp08.com
   stat.av-xp-2008.com
   ns7.axpdefender08.com
91.208.0.249/32
   watcher-scan.com
   ns1.watcher-scan.com
   mail.watcher-scan.com
92.62.100.64/32
   pcprivacycleaner.com
206.161.193.66/32
   hotsexbombs.com
   maturedistrict.com
   maturefreak.com
   momsdeluxe.com
   momsdistrict.com
   momsgame.com
207.226.182.178/32
   malwaredestructor.net
   ns1.malwaredestructor.net
207.226.182.181/32
   privacyguarantor.net
208.79.82.50/32
   ns1.pcprivacycleaner.com
208.79.82.66/32
   ns2.pcprivacycleaner.com
209.8.24.212/32
   arrowscan.net
216.255.177.61/32
   ns3.malwaredestructor.net

---
James McQuaid
http://www.jamesmcquaid.com


From pepperjack at afferentsecurity.com  Mon Aug 18 09:54:05 2008
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 18 Aug 2008 08:54:05 -0500
Subject: [Emerging-Sigs] Asprox js filename change
Message-ID: <20080818085405.ke2yn5zasco888og@mail.afferentsecurity.com>

We are now seeing fgg.js, 1.js, f.js, etc. I have added a PCRE to the rule since we have to expect more changes in the future.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Inside user has visted a site that is spreading ASPROX "; content:"