[Emerging-Sigs] Emerging Threats Weekly Signature Changes
emerging@emergingthreats.net
emerging at emergingthreats.net
Sat Mar 8 19:00:09 EST 2008
[***] Results from Oinkmaster started Sat Mar 8 19:00:08 2008 [***]
[+++] Added rules: [+++]
2007843 - ET TROJAN Bzub2 Related RPC/Http Checkin (bleeding-virus.rules)
2007902 - ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe) (bleeding.rules)
2007903 - ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
2007904 - ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
2007905 - ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability (bleeding-exploit.rules)
2007906 - ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF (bleeding-game.rules)
2007907 - ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF (bleeding-exploit.rules)
2007908 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA) (bleeding-malware.rules)
2007909 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN) (bleeding-malware.rules)
2007910 - ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN) (bleeding-malware.rules)
2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
2007912 - ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg) (bleeding-virus.rules)
2007913 - ET TROJAN Dialer.MC(vf) HTTP Request - Checkin (bleeding-virus.rules)
2007914 - ET WORM SDBot HTTP Checkin (bleeding-virus.rules)
2007917 - ET TROJAN Dropper-497 (Yumato) Initial Checkin (bleeding-virus.rules)
2007918 - ET TROJAN Dropper-497 (Yumato) System Stats Report (bleeding-virus.rules)
2007919 - ET TROJAN Dropper-497 Yumato Reply from server (bleeding-virus.rules)
2007920 - ET TROJAN Dropper-497 (Yumato) Status Reply from server (bleeding-virus.rules)
2007921 - ET MALWARE Suspicious User Agent (Explorer) (bleeding-malware.rules)
2007922 - ET TROJAN Backdoor.Win32.VB.brg C&C Checkin (bleeding-virus.rules)
2007923 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital) (bleeding-virus.rules)
2007924 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded) (bleeding-virus.rules)
2007925 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames) (bleeding-virus.rules)
2007926 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0) (bleeding-virus.rules)
2007927 - ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey) (bleeding-malware.rules)
2007928 - ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd) (bleeding-malware.rules)
2007929 - ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible\; )) (bleeding-malware.rules)
2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (bleeding-virus.rules)
2007931 - ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability (bleeding-exploit.rules)
2007932 - ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (bleeding-exploit.rules)
2007933 - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability (bleeding-exploit.rules)
2007934 - ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability (bleeding-exploit.rules)
2007935 - ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fs3update) (bleeding-malware.rules)
2007936 - ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability (bleeding-web.rules)
2007937 - ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (bleeding-exploit.rules)
2007938 - ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager) (bleeding-malware.rules)
2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
2007940 - ET TROJAN Banker.ili HTTP Checkin (bleeding-virus.rules)
2007941 - ET MALWARE Invalid HTTP GET Request - Often Malware Related (bleeding-malware.rules)
2007942 - ET MALWARE Suspicious User Agent (_) (bleeding-malware.rules)
2007943 - ET MALWARE Suspicious User Agent (HTTP) (bleeding-malware.rules)
2007944 - ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008) (bleeding-malware.rules)
2007945 - ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php) (bleeding-malware.rules)
2007946 - ET MALWARE Suspicious User Agent (popup) (bleeding-malware.rules)
2007947 - ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup) (bleeding-malware.rules)
2007948 - ET MALWARE Suspicious User Agent (--) (bleeding-malware.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (bleeding-botcc.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (31) (bleeding-rbn.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (bleeding-rbn-BLOCK.rules)
[///] Modified active rules: [///]
2002157 - ET POLICY Skype User-Agent detected (bleeding-policy.rules)
2002383 - ET SCAN Potential FTP Brute-Force attempt (bleeding-scan.rules)
2002950 - ET POLICY TOR 1.0 Server Key Retrieval (bleeding-policy.rules)
2006429 - ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile) (bleeding-malware.rules)
2006430 - ET MALWARE Karine.co.kr Related Spyware User Agent (Access down) (bleeding-malware.rules)
2007695 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (bleeding-policy.rules)
2007701 - ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1) (bleeding-virus.rules)
2007702 - ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2) (bleeding-virus.rules)
2007760 - ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe) (bleeding.rules)
2007761 - ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe) (bleeding.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (bleeding-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (bleeding-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (bleeding-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (bleeding-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (bleeding-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (bleeding-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (bleeding-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (bleeding-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (bleeding-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (1) (bleeding-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (2) (bleeding-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (3) (bleeding-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (4) (bleeding-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (5) (bleeding-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (6) (bleeding-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (7) (bleeding-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (8) (bleeding-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (9) (bleeding-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (10) (bleeding-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (11) (bleeding-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (12) (bleeding-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (13) (bleeding-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (14) (bleeding-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (15) (bleeding-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (16) (bleeding-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (17) (bleeding-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (18) (bleeding-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (19) (bleeding-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (20) (bleeding-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (21) (bleeding-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (22) (bleeding-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (23) (bleeding-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (24) (bleeding-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (25) (bleeding-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (26) (bleeding-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (27) (bleeding-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (28) (bleeding-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (29) (bleeding-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (30) (bleeding-rbn.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (bleeding-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (bleeding-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (bleeding-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (bleeding-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (bleeding-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (bleeding-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (bleeding-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (bleeding-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (bleeding-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (bleeding-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (bleeding-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (bleeding-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (bleeding-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (bleeding-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (bleeding-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (bleeding-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (bleeding-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (bleeding-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (bleeding-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (bleeding-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (bleeding-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (bleeding-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (bleeding-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (bleeding-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (bleeding-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (bleeding-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (bleeding-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (bleeding-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (bleeding-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (bleeding-rbn-BLOCK.rules)
[///] Modified inactive rules: [///]
2006424 - ET MALWARE Karine.co.kr Related Spyware User Agent (WebUpdate) (bleeding-malware.rules)
[---] Removed rules: [---]
2007835 - ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe) (bleeding.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (2):
# VERSION 1081
# Generated 2008-03-08 01:03:00 EDT
-> Added to bleeding-drop.rules (2):
# VERSION 1081
# Generated 2008-03-08 01:03:00 EDT
-> Added to bleeding-exploit.rules (3):
#by Akash Mahajan at stillsecure
#by Akash Mahajan at Stillsecure
#by Akash Mahajan of stillsecure
-> Added to bleeding-game.rules (1):
#by Akash Mahajan at Stillsecure
-> Added to bleeding-malware.rules (5):
# Seeing several bits of malware that are creating their http get's
# incorrectly. They're adding an http://domain.com/url to the GET string,
# which should be just the uri. This will catch those
#fake av package, sigs by matt jonkman
#by victor julien
-> Added to bleeding-rbn-BLOCK.rules (2):
# VERSION 37
# Updated 2008-03-06 19:56:19
-> Added to bleeding-rbn.rules (2):
# VERSION 37
# Updated 2008-03-06 19:56:19
-> Added to bleeding-sid-msg.map (53):
2002950 || ET POLICY TOR 1.0 Server Key Retrieval || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007843 || ET TROJAN Bzub2 Related RPC/Http Checkin
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007906 || ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
2007908 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA)
2007909 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)
2007910 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)
2007911 || ET TROJAN Delf Download via HTTP
2007912 || ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)
2007913 || ET TROJAN Dialer.MC(vf) HTTP Request - Checkin
2007914 || ET WORM SDBot HTTP Checkin
2007917 || ET TROJAN Dropper-497 (Yumato) Initial Checkin || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007918 || ET TROJAN Dropper-497 (Yumato) System Stats Report || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007919 || ET TROJAN Dropper-497 Yumato Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007920 || ET TROJAN Dropper-497 (Yumato) Status Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007921 || ET MALWARE Suspicious User Agent (Explorer)
2007922 || ET TROJAN Backdoor.Win32.VB.brg C&C Checkin
2007923 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital)
2007924 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded)
2007925 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames)
2007926 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)
2007927 || ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey)
2007928 || ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd)
2007929 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible\; ))
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877
2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205
2007933 || ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007934 || ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007935 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fs3update)
2007936 || ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt
2007937 || ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow || url,aluigi.altervista.org/adv/visibroken-adv.txt || bugtraq,28084
2007938 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager)
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2007940 || ET TROJAN Banker.ili HTTP Checkin
2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941
2007942 || ET MALWARE Suspicious User Agent (_)
2007943 || ET MALWARE Suspicious User Agent (HTTP)
2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)
2007946 || ET MALWARE Suspicious User Agent (popup)
2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup)
2007948 || ET MALWARE Suspicious User Agent (--)
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
2406035 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to bleeding-sid-msg.map.txt (53):
2002950 || ET POLICY TOR 1.0 Server Key Retrieval || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (postcard.exe)
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (e-card.exe)
2007843 || ET TROJAN Bzub2 Related RPC/Http Checkin
2007902 || ET CURRENT EVENTS Likely Storm Binary Requested (ecard.exe)
2007903 || ET EXPLOIT 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007904 || ET EXPLOIT RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007905 || ET EXPLOIT D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/5193 || bugtraq,28010
2007906 || ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
2007907 || ET EXPLOIT Move Networks Quantum Streaming Player Control UploadLogs() BOF || url,www.milw0rm.com/exploits/5190
2007908 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPGETDATA)
2007909 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)
2007910 || ET MALWARE Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)
2007911 || ET TROJAN Delf Download via HTTP
2007912 || ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)
2007913 || ET TROJAN Dialer.MC(vf) HTTP Request - Checkin
2007914 || ET WORM SDBot HTTP Checkin
2007917 || ET TROJAN Dropper-497 (Yumato) Initial Checkin || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007918 || ET TROJAN Dropper-497 (Yumato) System Stats Report || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007919 || ET TROJAN Dropper-497 Yumato Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007920 || ET TROJAN Dropper-497 (Yumato) Status Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497
2007921 || ET MALWARE Suspicious User Agent (Explorer)
2007922 || ET TROJAN Backdoor.Win32.VB.brg C&C Checkin
2007923 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital)
2007924 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded)
2007925 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames)
2007926 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)
2007927 || ET MALWARE Donkeyhote.co.kr Spyware User Agent (UDonkey)
2007928 || ET MALWARE Gcashback.co.kr Spyware User Agent (InvokeAd)
2007929 || ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible\; ))
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007931 || ET EXPLOIT IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || cve,CVE-2007-1683 || bugtraq,23674 || url,www.milw0rm.com/exploits/3877
2007932 || ET EXPLOIT Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || bugtraq,28008 || cve,CVE-2007-6017 || url,www.milw0rm.com/exploits/5205
2007933 || ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007934 || ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability || bugtraq,27940 || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt
2007935 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fs3update)
2007936 || ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability || bugtraq,27990 || cve,CVE-2008-1055 || url,aluigi.altervista.org/adv/surgemailz-adv.txt
2007937 || ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow || url,aluigi.altervista.org/adv/visibroken-adv.txt || bugtraq,28084
2007938 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager)
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2007940 || ET TROJAN Banker.ili HTTP Checkin
2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941
2007942 || ET MALWARE Suspicious User Agent (_)
2007943 || ET MALWARE Suspicious User Agent (HTTP)
2007944 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)
2007945 || ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)
2007946 || ET MALWARE Suspicious User Agent (popup)
2007947 || ET MALWARE Nguide.co.kr Fake Security Tool User Agent (nguideup)
2007948 || ET MALWARE Suspicious User Agent (--)
2404019 || ET DROP Known Bot C&C Server Traffic (group 20) || url,www.shadowserver.org
2405019 || ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE || url,www.shadowserver.org
2406035 || ET RBN Known Russian Business Network Monitored Domains (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2407035 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to bleeding-virus.rules (4):
#by Victor Julien
#Banker.ili by matt jonkman
#matt jonkman, labeled logsnif, bzub2, dopip
#discovered by victor julien, sigs by matt jonkman, interesting one. Uses an html-like tag language on 8181
[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (2):
# VERSION 1073
# Generated 2008-02-29 01:03:00 EDT
-> Removed from bleeding-drop.rules (2):
# VERSION 1073
# Generated 2008-02-29 01:03:00 EDT
-> Removed from bleeding-rbn-BLOCK.rules (2):
# VERSION 36
# Updated 2008-02-21 10:21:51
-> Removed from bleeding-rbn.rules (2):
# VERSION 36
# Updated 2008-02-21 10:21:51
-> Removed from bleeding-sid-msg.map (4):
2002950 || ET POLICY TOR 1.0 Server Key Retrival || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (withlove.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (with_love.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007835 || ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)
-> Removed from bleeding-sid-msg.map.txt (4):
2002950 || ET POLICY TOR 1.0 Server Key Retrival || url,tor.eff.org
2007760 || ET CURRENT EVENTS Likely Storm Binary Requested (withlove.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007761 || ET CURRENT EVENTS Likely Storm Binary Requested (with_love.exe) || url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/
2007835 || ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)
More information about the Emerging-sigs
mailing list