[Emerging-Sigs] Emerging Threats Daily Signature Changes
emerging@emergingthreats.net
Fri Mar 14 16:00:07 EST 2008
[***] Results from Oinkmaster started Fri Mar 14 17:00:07 2008 [***]
[+++] Added rules: [+++]
2007995 - ET MALWARE Vaccine-program.co.kr Related Spyware Checkin (bleeding-malware.rules)
2007996 - ET MALWARE Sears.com/Kmart.com My SHC Community spyware download (bleeding-malware.rules)
2007998 - ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution (bleeding-web.rules)
2007999 - ET TROJAN Banker Trojan (General) HTTP Checkin (vit) (bleeding-virus.rules)
[///] Modified active rules: [///]
2001562 - ET MALWARE MarketScore.com Spyware User Configuration and Setup Access (bleeding-malware.rules)
[---] Removed rules: [---]
2002976 - ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner (bleeding-virus.rules)
2002978 - ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner (bleeding-virus.rules)
2002980 - ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner (bleeding-virus.rules)
2002981 - ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner (bleeding-virus.rules)
2003931 - ET TROJAN Banker.Delf User-Agent (Varlok_11000) (bleeding-virus.rules)
2003933 - ET TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
2004442 - ET TROJAN Banker.Delf User-Agent (hhh) (bleeding-virus.rules)
2007594 - ET TROJAN Banker.Delf User-Agent (MzApp) (bleeding-virus.rules)
2007699 - ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS) (bleeding-virus.rules)
2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
2007858 - ET TROJAN Delf Keylog FTP Upload (bleeding-virus.rules)
2007867 - ET TROJAN Delf HTTP Post Checkin (1) (bleeding-virus.rules)
2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (bleeding-virus.rules)
2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-malware.rules (1):
#by Akash Mahajan
-> Added to bleeding-sid-msg.map (4):
2007995 || ET MALWARE Vaccine-program.co.kr Related Spyware Checkin
2007996 || ET MALWARE Sears.com/Kmart.com My SHC Community spyware download || url,www.benedelman.org/news/010108-1.html || url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838
2007999 || ET TROJAN Banker Trojan (General) HTTP Checkin (vit)
-> Added to bleeding-sid-msg.map.txt (4):
2007995 || ET MALWARE Vaccine-program.co.kr Related Spyware Checkin
2007996 || ET MALWARE Sears.com/Kmart.com My SHC Community spyware download || url,www.benedelman.org/news/010108-1.html || url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838
2007999 || ET TROJAN Banker Trojan (General) HTTP Checkin (vit)
-> Added to bleeding-web.rules (1):
#by akash mahajan of Stillsecure
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (15):
2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
2007838 || ET TROJAN Delf HTTP Checkin (1)
2007858 || ET TROJAN Delf Keylog FTP Upload
2007867 || ET TROJAN Delf HTTP Post Checkin (1)
2007911 || ET TROJAN Delf Download via HTTP
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007939 || ET TROJAN Delf Checkin via HTTP (up)
-> Removed from bleeding-sid-msg.map.txt (15):
2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
2007838 || ET TROJAN Delf HTTP Checkin (1)
2007858 || ET TROJAN Delf Keylog FTP Upload
2007867 || ET TROJAN Delf HTTP Post Checkin (1)
2007911 || ET TROJAN Delf Download via HTTP
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007939 || ET TROJAN Delf Checkin via HTTP (up)
-> Removed from bleeding-virus.rules (6):
# This thing send out an email to it's owner with stats and such. This ought to catch it..
#another variant
#Yet another
#yet another c&c method, by matt jonkman
#delf keylog upload, kinda flimsy but works
#by Victor Julien