[Emerging-Sigs] Emerging Threats Weekly Signature Changes
emerging@emergingthreats.net
Sat Jul 12 18:00:08 EDT 2008
[***] Results from Oinkmaster started Sat Jul 12 18:00:08 2008 [***]
[+++] Added rules: [+++]
2008370 - ET MALWARE Shopcenter.co.kr Spyware Install Report (emerging-malware.rules)
2008371 - ET MALWARE Likely Ad-ware installation phoning home (success and NSISDL User-Agent) (emerging-malware.rules)
2008372 - ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2) (emerging-malware.rules)
2008373 - ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request (emerging.rules)
2008374 - ET MALWARE Suspicious User-Agent (InetURL) (emerging-malware.rules)
2008375 - ET MALWARE Gooochi Related Spyware Ad pull (emerging-malware.rules)
2008376 - ET TROJAN RegHelper Installation (emerging-virus.rules)
2008377 - ET TROJAN Virtumod/Agent.ufv/Virtumonde Get Request (emerging-virus.rules)
2008378 - ET MALWARE Suspicious User-Agent (ErrCode) (emerging-malware.rules)
2008379 - ET MALWARE Swizzor Checkin (kgen_up) (emerging-virus.rules)
2008380 - ET TROJAN Poison Ivy Key Exchange with CnC Init (emerging-virus.rules)
2008381 - ET TROJAN Poison Ivy Key Exchange with CnC Response (emerging-virus.rules)
2008382 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1) (emerging.rules)
2008383 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2) (emerging.rules)
2008384 - ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3) (emerging.rules)
2008386 - ET TROJAN Zlob HTTP Checkin (emerging-virus.rules)
2008387 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) (emerging.rules)
2008388 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) (emerging.rules)
2008389 - ET TROJAN Likely Hupigon Post to Controller (emerging-virus.rules)
2008390 - ET TROJAN Hupigon Response from Controller (YES - ~~@@) (emerging-virus.rules)
2008391 - ET MALWARE Suspicious User-Agent (svchost) (emerging-malware.rules)
2008393 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2) (emerging-virus.rules)
2008394 - ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) (emerging.rules)
2008395 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3) (emerging-virus.rules)
2008396 - ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=) (emerging-virus.rules)
2008397 - ET TROJAN Fullspace.cc or Related Checkin (1) (emerging-virus.rules)
2008398 - ET TROJAN Fullspace.cc or Related Checkin (2) (emerging-virus.rules)
2008399 - ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid) (emerging-virus.rules)
2008400 - ET MALWARE Suspicious User-Agent (ReadFileURL) (emerging-malware.rules)
[///] Modified active rules: [///]
2001891 - ET MALWARE Suspicious User Agent (agent) (emerging-malware.rules)
2001984 - ET POLICY SSH session in progress on Unusual Port (emerging-policy.rules)
2002872 - ET POLICY Myspace Login Attempt (emerging-policy.rules)
2003182 - ET TROJAN Prg Trojan v0.1-v0.3 Data Upload (emerging-virus.rules)
2003183 - ET TROJAN Prg Trojan Server Reply (emerging-virus.rules)
2003184 - ET TROJAN Prg Trojan v0.1 Binary In Transit (emerging-virus.rules)
2003185 - ET TROJAN Prg Trojan v0.2 Binary In Transit (emerging-virus.rules)
2003186 - ET TROJAN Prg Trojan v0.3 Binary In Transit (emerging-virus.rules)
2003337 - ET MALWARE Suspicious User Agent (Autoupdate) (emerging-malware.rules)
2003466 - ET WEB PHP Attack Tool Morfeus F Scanner (emerging-web.rules)
2003497 - ET MALWARE Suspicious User-Agent (ms) (emerging-malware.rules)
2007688 - ET TROJAN Prg Trojan HTTP POST v1 (emerging-virus.rules)
2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (emerging-policy.rules)
2007724 - ET TROJAN Prg Trojan HTTP POST version 2 (emerging-virus.rules)
2007771 - ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected (emerging-virus.rules)
2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (form.exe) (emerging.rules)
2008083 - ET TROJAN Suspicious User Agent (Zlob Related) (UA00000) (emerging-virus.rules)
2008100 - ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download (emerging-virus.rules)
2008232 - ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely) (emerging-virus.rules)
2008280 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (emerging-virus.rules)
2008288 - ET CURRENT_EVENTS Possible Storm Worm URL Request (iran_occupation.exe) (emerging.rules)
2008324 - ET TROJAN Socks/Sality manda.php Checkin (emerging-virus.rules)
2008325 - ET TROJAN Socks/Sality HTTP Checkin (emerging-virus.rules)
2008326 - ET TROJAN Banker Infostealer/PRG POST on High Port (emerging-virus.rules)
2008367 - ET MALWARE Possible Windows executable sent when remote host claims to send Javascript (emerging-malware.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
[---] Removed rules: [---]
2008290 - ET TROJAN Socks.ae Related Checkin URL (emerging-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to emerging-drop-BLOCK.rules (2):
# VERSION 1226
# Generated 2008-07-12 00:03:02 EDT
-> Added to emerging-drop.rules (2):
# VERSION 1226
# Generated 2008-07-12 00:03:02 EDT
-> Added to emerging-malware.rules (6):
#by Jeremy at sudosecure
# ref: 9ab0b5608af7c2c7fb3b631f27ee79c6
#Bojan Zdrnja
#marcus at unsober
#by Jose Miguel
#by Marcus at unsober, re d0915da634aa8340de90c51d7f52f17a
-> Added to emerging-policy.rules (1):
#by dajackman, updated by Mike Wall at BLCPro, LLC
-> Added to emerging-sid-msg.map (43):
2001891 || ET MALWARE Suspicious User Agent (agent)
2003182 || ET TROJAN Prg Trojan v0.1-v0.3 Data Upload || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003183 || ET TROJAN Prg Trojan Server Reply || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003184 || ET TROJAN Prg Trojan v0.1 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003185 || ET TROJAN Prg Trojan v0.2 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003186 || ET TROJAN Prg Trojan v0.3 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003497 || ET MALWARE Suspicious User-Agent (ms)
2007688 || ET TROJAN Prg Trojan HTTP POST v1 || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (form.exe) || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
2008288 || ET CURRENT_EVENTS Possible Storm Worm URL Request (iran_occupation.exe) || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
2008324 || ET TROJAN Socks/Sality manda.php Checkin
2008325 || ET TROJAN Socks/Sality HTTP Checkin
2008326 || ET TROJAN Banker Infostealer/PRG POST on High Port || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2008370 || ET MALWARE Shopcenter.co.kr Spyware Install Report
2008371 || ET MALWARE Likely Ad-ware installation phoning home (success and NSISDL User-Agent)
2008372 || ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2)
2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,infosec20.blogspot.com/
2008374 || ET MALWARE Suspicious User-Agent (InetURL)
2008375 || ET MALWARE Gooochi Related Spyware Ad pull || url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz
2008376 || ET TROJAN RegHelper Installation
2008377 || ET TROJAN Virtumod/Agent.ufv/Virtumonde Get Request
2008378 || ET MALWARE Suspicious User-Agent (ErrCode)
2008379 || ET MALWARE Swizzor Checkin (kgen_up)
2008380 || ET TROJAN Poison Ivy Key Exchange with CnC Init
2008381 || ET TROJAN Poison Ivy Key Exchange with CnC Response
2008382 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)
2008383 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)
2008384 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)
2008386 || ET TROJAN Zlob HTTP Checkin
2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)
2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)
2008389 || ET TROJAN Likely Hupigon Post to Controller || url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
2008390 || ET TROJAN Hupigon Response from Controller (YES - ~~@@) || url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
2008391 || ET MALWARE Suspicious User-Agent (svchost)
2008393 || ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2)
2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt)
2008395 || ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3)
2008396 || ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=)
2008397 || ET TROJAN Fullspace.cc or Related Checkin (1)
2008398 || ET TROJAN Fullspace.cc or Related Checkin (2)
2008399 || ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid)
2008400 || ET MALWARE Suspicious User-Agent (ReadFileURL)
-> Added to emerging-sid-msg.map.txt (43):
2001891 || ET MALWARE Suspicious User Agent (agent)
2003182 || ET TROJAN Prg Trojan v0.1-v0.3 Data Upload || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003183 || ET TROJAN Prg Trojan Server Reply || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003184 || ET TROJAN Prg Trojan v0.1 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003185 || ET TROJAN Prg Trojan v0.2 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003186 || ET TROJAN Prg Trojan v0.3 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2003497 || ET MALWARE Suspicious User-Agent (ms)
2007688 || ET TROJAN Prg Trojan HTTP POST v1 || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (form.exe) || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
2008288 || ET CURRENT_EVENTS Possible Storm Worm URL Request (iran_occupation.exe) || url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading || url,www.sudosecure.net/archives/146
2008324 || ET TROJAN Socks/Sality manda.php Checkin
2008325 || ET TROJAN Socks/Sality HTTP Checkin
2008326 || ET TROJAN Banker Infostealer/PRG POST on High Port || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
2008370 || ET MALWARE Shopcenter.co.kr Spyware Install Report
2008371 || ET MALWARE Likely Ad-ware installation phoning home (success and NSISDL User-Agent)
2008372 || ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2)
2008373 || ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request || url,infosec20.blogspot.com/
2008374 || ET MALWARE Suspicious User-Agent (InetURL)
2008375 || ET MALWARE Gooochi Related Spyware Ad pull || url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz
2008376 || ET TROJAN RegHelper Installation
2008377 || ET TROJAN Virtumod/Agent.ufv/Virtumonde Get Request
2008378 || ET MALWARE Suspicious User-Agent (ErrCode)
2008379 || ET MALWARE Swizzor Checkin (kgen_up)
2008380 || ET TROJAN Poison Ivy Key Exchange with CnC Init
2008381 || ET TROJAN Poison Ivy Key Exchange with CnC Response
2008382 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)
2008383 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)
2008384 || ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)
2008386 || ET TROJAN Zlob HTTP Checkin
2008387 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)
2008388 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)
2008389 || ET TROJAN Likely Hupigon Post to Controller || url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
2008390 || ET TROJAN Hupigon Response from Controller (YES - ~~@@) || url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
2008391 || ET MALWARE Suspicious User-Agent (svchost)
2008393 || ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2)
2008394 || ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt)
2008395 || ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3)
2008396 || ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=)
2008397 || ET TROJAN Fullspace.cc or Related Checkin (1)
2008398 || ET TROJAN Fullspace.cc or Related Checkin (2)
2008399 || ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid)
2008400 || ET MALWARE Suspicious User-Agent (ReadFileURL)
-> Added to emerging-virus.rules (9):
#by Philipp Bescht
#by Philipp Bescht
#by Pedro Marinho
#by Lance James and Michael Ligh, referenced in paper at http://www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
#by Matt Jonkman, Analsis by Michael Hale Ligh
#ref: fc6926b25b1df52729f7e206b461e8ef
# ref: 196df30f6f8a8a1b42ee19ac58404553
#by Philipp Betch
#by Steven Adair
-> Added to emerging.rules (4):
#by Philipp Bescht
#by Philipp Bescht
#Greg Martin
#by Jack Pepper
[---] Removed non-rule lines: [---]
-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1218
# Generated 2008-07-04 00:03:02 EDT
-> Removed from emerging-drop.rules (2):
# VERSION 1218
# Generated 2008-07-04 00:03:02 EDT
-> Removed from emerging-policy.rules (1):
#by dajackman
-> Removed from emerging-sid-msg.map (15):
2001891 || ET MALWARE ToolbarPartner User Agent Activity
2003182 || ET TROJAN Prg Trojan v0.1-v0.3 Data Upload || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003183 || ET TROJAN Prg Trojan Server Reply || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003184 || ET TROJAN Prg Trojan v0.1 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003185 || ET TROJAN Prg Trojan v0.2 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003186 || ET TROJAN Prg Trojan v0.3 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003497 || ET MALWARE 180Solutions Related Spyware User-Agent (msbb) || url,www.auditmypc.com/process/msbb.asp
2007688 || ET TROJAN Prg Trojan HTTP POST v1 || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fireworks.exe) || url,www.sudosecure.net/archives/119
2008288 || ET CURRENT_EVENTS Possible Storm Worm URL Request (mylove.exe)
2008290 || ET TROJAN Socks.ae Related Checkin URL
2008324 || ET TROJAN Socks/Sality manda.php POST
2008325 || ET TROJAN Socks/Sality manda.php GET
2008326 || ET TROJAN Banker Infostealer/PRG POST on High Port || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
-> Removed from emerging-sid-msg.map.txt (15):
2001891 || ET MALWARE ToolbarPartner User Agent Activity
2003182 || ET TROJAN Prg Trojan v0.1-v0.3 Data Upload || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003183 || ET TROJAN Prg Trojan Server Reply || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003184 || ET TROJAN Prg Trojan v0.1 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003185 || ET TROJAN Prg Trojan v0.2 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003186 || ET TROJAN Prg Trojan v0.3 Binary In Transit || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2003497 || ET MALWARE 180Solutions Related Spyware User-Agent (msbb) || url,www.auditmypc.com/process/msbb.asp
2007688 || ET TROJAN Prg Trojan HTTP POST v1 || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2007724 || ET TROJAN Prg Trojan HTTP POST version 2 || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (fireworks.exe) || url,www.sudosecure.net/archives/119
2008288 || ET CURRENT_EVENTS Possible Storm Worm URL Request (mylove.exe)
2008290 || ET TROJAN Socks.ae Related Checkin URL
2008324 || ET TROJAN Socks/Sality manda.php POST
2008325 || ET TROJAN Socks/Sality manda.php GET
2008326 || ET TROJAN Banker Infostealer/PRG POST on High Port || url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
-> Removed from emerging-virus.rules (1):
#by Lance James and Michael Ligh, referenced in paper at http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf