[Emerging-Sigs] Emerging Threats Daily Signature Changes
emerging@emergingthreats.net
Sat Mar 8 17:00:08 EST 2008
[***] Results from Oinkmaster started Sat Mar 8 17:00:08 2008 [***]
[+++] Added rules: [+++]
2007941 - ET MALWARE Invalid HTTP GET Request - Often Malware Related (bleeding-malware.rules)
2007942 - ET MALWARE Suspicious User Agent (_) (bleeding-malware.rules)
2007943 - ET MALWARE Suspicious User Agent (HTTP) (bleeding-malware.rules)
2007944 - ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008) (bleeding-malware.rules)
2007945 - ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php) (bleeding-malware.rules)
2007946 - ET MALWARE Suspicious User Agent (popup) (bleeding-malware.rules)
2007947 - ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup) (bleeding-malware.rules)
2007948 - ET MALWARE Suspicious User Agent (--) (bleeding-malware.rules)
[///] Modified active rules: [///]
2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
2007940 - ET TROJAN Banker.ili HTTP Checkin (bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-malware.rules (4):
# Seeing several bits of malware that are creating their http get's
# incorrectly. They're adding an http://domain.com/url to the GET string,
# which should be just the uri. This will catch those
#fake av package, sigs by matt jonkman
-> Added to bleeding-sid-msg.map (12):
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2007940 || ET TROJAN Banker.ili HTTP Checkin
2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941
2007942 || ET MALWARE Suspicious User Agent (_)
2007943 || ET MALWARE Suspicious User Agent (HTTP)
2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)
2007946 || ET MALWARE Suspicious User Agent (popup)
2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup)
2007948 || ET MALWARE Suspicious User Agent (--)
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
-> Added to bleeding-sid-msg.map.txt (12):
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2007940 || ET TROJAN Banker.ili HTTP Checkin
2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941
2007942 || ET MALWARE Suspicious User Agent (_)
2007943 || ET MALWARE Suspicious User Agent (HTTP)
2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)
2007946 || ET MALWARE Suspicious User Agent (popup)
2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup)
2007948 || ET MALWARE Suspicious User Agent (--)
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
[---] Removed non-rule lines: [---]
-> Removed from bleeding-attack_response.rules (1):
# $Id: bleeding-attack_response.rules $
-> Removed from bleeding-dos.rules (1):
# $Id: bleeding-dos.rules $
-> Removed from bleeding-exploit.rules (1):
# $Id: bleeding-exploit.rules $
-> Removed from bleeding-game.rules (1):
# $Id: bleeding-game.rules $
-> Removed from bleeding-inappropriate.rules (1):
# $Id: bleeding-inappropriate.rules $
-> Removed from bleeding-malware.rules (1):
# $Id: bleeding-malware.rules $
-> Removed from bleeding-p2p.rules (1):
# $Id: bleeding-p2p.rules $
-> Removed from bleeding-policy.rules (1):
# $Id: bleeding-policy.rules $
-> Removed from bleeding-scan.rules (1):
# $Id: bleeding-scan.rules $
-> Removed from bleeding-sid-msg.map (2):
2007939 || ET TROJAN Delf Checkin via HTTP
2007940 || ET TROJAN Banker.li HTTP Checkin
-> Removed from bleeding-sid-msg.map.txt (2):
2007939 || ET TROJAN Delf Checkin via HTTP
2007940 || ET TROJAN Banker.li HTTP Checkin
-> Removed from bleeding-virus.rules (1):
# $Id: bleeding-virus.rules $
-> Removed from bleeding-voip.rules (1):
# $Id: bleeding-voip.rules $
-> Removed from bleeding-web.rules (1):
# $Id: bleeding-web.rules $
-> Removed from bleeding-web_sql_injection.rules (1):
# $Id: bleeding-web_sql_injection.rules $
-> Removed from bleeding.rules (1):
# $Id: bleeding.rules $
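The comment added to bleeding-malware.rules above describes the behaviour behind SID 2007941: malware that puts a full http://domain.com/url in the GET request line instead of the bare URI. The block below is an added example of that detection logic, written for this page; it is not the text of the ET rules and it does not reproduce their exact content options. The User-Agent literals and the SID mapping are taken from the rule titles in this diff (exact-match comparison is an assumption; the real rules may match differently), and the sample requests are constructed for the example.

```python
"""
Flag HTTP requests that look like the malware traffic described in this
Oinkmaster diff: an absolute URL in the GET request line (SID 2007941) and the
odd User-Agent values from the rules added to bleeding-malware.rules.
Added example; not the ET signatures themselves.
"""
import re
from dataclasses import dataclass

# Request line shape: METHOD SP Request-URI SP HTTP/major.minor
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")

# User-Agent literals taken from the rule titles above. Exact-match is an
# assumption for this example; the real rules may use other content options.
SUSPICIOUS_UA = {
    "_": "2007942",
    "HTTP": "2007943",
    "popup": "2007946",
    "--": "2007948",
}


@dataclass
class Finding:
    sid: str      # SID from this diff that the condition corresponds to
    reason: str


def parse_request(raw: bytes):
    """Return (method, target, version, headers) or None if the request line is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m["method"], m["target"], m["ver"], headers


def inspect(raw: bytes, proxy_sensor: bool = False):
    """Return the list of Findings for one raw HTTP request.

    proxy_sensor=True disables the absolute-URL check: a client talking to a
    forward proxy legitimately sends 'GET http://host/path HTTP/1.1', so on a
    proxy-facing sensor that condition is normal traffic, not a malware sign.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return [Finding("n/a", "request line does not parse as HTTP")]
    method, target, _ver, headers = parsed
    findings = []

    # The condition the rule comment describes: a GET whose request-target is
    # a full URL rather than the path that a direct-to-server client would send.
    if (not proxy_sensor and method == "GET"
            and re.match(r"^https?://", target, re.IGNORECASE)):
        findings.append(Finding("2007941", f"absolute URL in GET request line: {target}"))

    ua = headers.get("user-agent")
    if ua is not None and ua in SUSPICIOUS_UA:
        findings.append(Finding(SUSPICIOUS_UA[ua], f"suspicious User-Agent {ua!r}"))
    return findings


# Constructed sample requests for the example (not captured traffic).
SAMPLES = {
    "malformed_get": (b"GET http://example.test/victim.php?id=1 HTTP/1.1\r\n"
                      b"Host: example.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    "odd_ua": b"GET /up HTTP/1.0\r\nHost: example.test\r\nUser-Agent: _\r\n\r\n",
    "normal": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        for f in inspect(raw):
            print(f"{name}: SID {f.sid}: {f.reason}")
```

Before deploying a check like 2007941 on a real sensor, confirm whether the monitored segment carries client-to-proxy traffic: there the absolute-URL form is standard and the signature will fire on every request, which is why the example carries a proxy_sensor switch.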