[Emerging-Sigs] Emerging Threats Weekly Signature Changes
emerging@emergingthreats.net
Sat Mar 15 18:00:09 EST 2008
[***] Results from Oinkmaster started Sat Mar 15 19:00:09 2008 [***]
[+++] Added rules: [+++]
2002167 - ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related (bleeding-policy.rules)
2002959 - ET TROJAN Tibs Checkin (bleeding-virus.rules)
2002960 - ET TROJAN Tibs Download (bleeding-virus.rules)
2002961 - ET TROJAN Tibs Checkin 2 (bleeding-virus.rules)
2002962 - ET TROJAN Tibs Code Download (bleeding-virus.rules)
2002963 - ET TROJAN Generic Spambot-Spyware Access (bleeding-virus.rules)
2002964 - ET TROJAN Generic Spyware Update Download (bleeding-virus.rules)
2002965 - ET TROJAN Generic Spambot Spam Download (bleeding-virus.rules)
2007611 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (bleeding-virus.rules)
2007612 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (bleeding-virus.rules)
2007613 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (bleeding-virus.rules)
2007614 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (bleeding-virus.rules)
2007949 - ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at emergingthreats.net for analysis (bleeding-virus.rules)
2007950 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body (bleeding-virus.rules)
2007951 - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware (bleeding-malware.rules)
2007952 - ET TROJAN Downloader.49651 Checkin (bleeding-virus.rules)
2007953 - ET TROJAN Downloader.49651 Install Report (bleeding-virus.rules)
2007954 - ET TROJAN Downloader.49651 Online Report (bleeding-virus.rules)
2007955 - ET TROJAN Cygo Checkin (bleeding-virus.rules)
2007956 - ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater) (bleeding-malware.rules)
2007957 - ET TROJAN Banker.ike UDP C&C (bleeding-virus.rules)
2007958 - ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN) (bleeding-malware.rules)
2007959 - ET MALWARE Msconfig.co.kr Related User Agent (GLOBALx) (bleeding-malware.rules)
2007960 - ET MALWARE Suspicious User Agent (AutoItScript/3.2.10.0) (bleeding-malware.rules)
2007961 - ET MALWARE Fake Wget User Agent - Likely Hostile (wget 3.0) (bleeding-malware.rules)
2007962 - ET TROJAN Vipdataend C&C Traffic - Checkin (bleeding-virus.rules)
2007963 - ET TROJAN Vipdataend C&C Traffic - Status OK (bleeding-virus.rules)
2007964 - ET TROJAN Vipdataend C&C Traffic - Server Status OK (bleeding-virus.rules)
2007965 - ET TROJAN Goldun Reporting Install (bleeding-virus.rules)
2007966 - ET TROJAN Win32.Inject.zy Checkin Post (bleeding-virus.rules)
2007967 - ET TROJAN Universal1337 FTP Upload of Compromised Data (bleeding-virus.rules)
2007968 - ET TROJAN Universal1337 Email Upload of Compromised Data (bleeding-virus.rules)
2007970 - ET TROJAN Vipdataend C&C Traffic - Checkin (XY) (bleeding-virus.rules)
2007971 - ET POLICY SSN Detected in Clear Text (SSN ) (bleeding-policy.rules)
2007972 - ET POLICY SSN Detected in Clear Text (SSN# ) (bleeding-policy.rules)
2007973 - ET TROJAN Perfect Keylogger FTP Initial Install Log Upload (bleeding-virus.rules)
2007974 - ET TROJAN Perfect Keylogger FTP Log Upload (bleeding-virus.rules)
2007975 - ET TROJAN Common Downloader Trojan Checkin (bleeding-virus.rules)
2007977 - ET MALWARE Dokterfix.com Fake AV User Agent (Magic NetInstaller) (bleeding-malware.rules)
2007978 - ET MALWARE Direct-web.co.kr Related Spyware Checkin (bleeding-malware.rules)
2007979 - ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version (bleeding-virus.rules)
2007980 - ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send (bleeding-virus.rules)
2007981 - ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge (bleeding-virus.rules)
2007982 - ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound (bleeding-virus.rules)
2007983 - ET TROJAN LDPinch Checkin (4) (bleeding-virus.rules)
2007984 - ET TROJAN Banker Trojan (General) HTTP Checkin (bleeding-virus.rules)
2007986 - ET TROJAN Emogen Reporting via HTTP (bleeding-virus.rules)
2007987 - ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP (bleeding-virus.rules)
2007988 - ET TROJAN Banker Trojan (General) HTTP Checkin (bleeding-virus.rules)
2007989 - ET TROJAN Vundo HTTP Pre-Install Checkin (bleeding-virus.rules)
2007990 - ET TROJAN Vundo HTTP Post-Install Checkin (bleeding-virus.rules)
2007991 - ET MALWARE Suspicious User Agent (Unknown) (bleeding-malware.rules)
2007992 - ET TROJAN Shark Pass Stealer Email Report (bleeding-virus.rules)
2007993 - ET MALWARE Suspicious User Agent (2 spaces) (bleeding-malware.rules)
2007994 - ET MALWARE Suspicious User Agent (1 space) (bleeding-malware.rules)
2007995 - ET MALWARE Vaccine-program.co.kr Related Spyware Checkin (bleeding-malware.rules)
2007996 - ET MALWARE Sears.com/Kmart.com My SHC Community spyware download (bleeding-malware.rules)
2007998 - ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution (bleeding-web.rules)
2007999 - ET TROJAN Banker Trojan (General) HTTP Checkin (vit) (bleeding-virus.rules)
2008000 - ET MALWARE Easydownloadsoft.com Fake Anti-Virus User Agent (IM Downloader) (bleeding-malware.rules)
2008001 - ET CURRENT_EVENTS 2117966.net/iframe exploit (infection) (bleeding.rules)
2008002 - ET CURRENT_EVENTS 2117966.net/iframe exploit (attempt) (bleeding.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (32) (bleeding-rbn.rules)
2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (bleeding-rbn-BLOCK.rules)
[///] Modified active rules: [///]
2000035 - ET POLICY Hotmail Inbox Access (bleeding-policy.rules)
2000036 - ET POLICY Hotmail Message Access (bleeding-policy.rules)
2000037 - ET POLICY Hotmail Compose Message Access (bleeding-policy.rules)
2000038 - ET POLICY Hotmail Compose Message Submit (bleeding-policy.rules)
2000039 - ET POLICY Hotmail Compose Message Submit Data (bleeding-policy.rules)
2001197 - ET WEB_SPECIFIC PHPNuke SQL injection attempt (bleeding-web_sql_injection.rules)
2001202 - ET WEB_SPECIFIC PHPNuke general SQL injection attempt (bleeding-web_sql_injection.rules)
2001218 - ET WEB_SPECIFIC PHPNuke general XSS attempt (bleeding-web_sql_injection.rules)
2001342 - ET WEB IIS ASP.net Auth Bypass / Canonicalization (bleeding-web.rules)
2001343 - ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C (bleeding-web.rules)
2001344 - ET WEB PHP EasyDynamicPages exploit (bleeding-web.rules)
2001562 - ET MALWARE MarketScore.com Spyware User Configuration and Setup Access (bleeding-malware.rules)
2002029 - ET TROJAN BOT - channel topic scan/exploit command (bleeding-virus.rules)
2002030 - ET TROJAN BOT - potential scan/exploit command (bleeding-virus.rules)
2002031 - ET TROJAN BOT - potential update/download (bleeding-virus.rules)
2002032 - ET TROJAN BOT - potential DDoS command (1) (bleeding-virus.rules)
2002033 - ET TROJAN BOT - potential response (bleeding-virus.rules)
2002160 - ET MALWARE CoolWebSearch Spyware (Feat) (bleeding-malware.rules)
2002164 - ET MALWARE Hotbar Spyware User-Agent (bleeding-malware.rules)
2002166 - ET MALWARE Alexa Search Toolbar User-Agent (Alexa Toolbar) (bleeding-malware.rules)
2002169 - ET MALWARE iWon Spyware (iWonSearchAssistant) (bleeding-malware.rules)
2002363 - ET TROJAN BOT - potential reptile commands (bleeding-virus.rules)
2002384 - ET TROJAN BOT - potential misc bot commands (bleeding-virus.rules)
2002385 - ET TROJAN BOT - channel topic reptile commands (bleeding-virus.rules)
2002386 - ET TROJAN BOT - channel topic misc bot commands (bleeding-virus.rules)
2002394 - ET MALWARE Adwave/MarketScore User Agent (WTA) (bleeding-malware.rules)
2002395 - ET MALWARE Miva User Agent (TPSystem) (bleeding-malware.rules)
2002396 - ET MALWARE Miva Spyware User Agent (Travel Update) (bleeding-malware.rules)
2002397 - ET MALWARE Precision Targeting User Agent (XC) (bleeding-malware.rules)
2002398 - ET MALWARE DelFin Project User Agent (Dpi) (bleeding-malware.rules)
2002399 - ET MALWARE DelFin Project User Agent (PromulGate) (bleeding-malware.rules)
2002401 - ET MALWARE Web Search User Agent (ST3PS) (bleeding-malware.rules)
2002402 - ET MALWARE Suspicious Spyware Related User Agent (UtilMind HTTPGet) (bleeding-malware.rules)
2002403 - ET MALWARE Context Plus User Agent (PTS) (bleeding-malware.rules)
2002404 - ET MALWARE Movies etc User Agent (IOInstall) (bleeding-malware.rules)
2002405 - ET MALWARE Internet Optimizer User Agent (ROGUE) (bleeding-malware.rules)
2002731 - ET WEB PHP Generic phpbb arbitrary command attempt (bleeding-web_sql_injection.rules)
2002775 - ET TROJAN Goldun Reporting User Activity (bleeding-virus.rules)
2002780 - ET TROJAN Goldun Reporting User Activity 2 (bleeding-virus.rules)
2002996 - ET WEB PHP GeekLog Remote File Include Vulnerability (bleeding-web_sql_injection.rules)
2003132 - ET TROJAN BOT - potential DDoS command (2) (bleeding-virus.rules)
2003157 - ET TROJAN Agobot-SDBot Commands (bleeding-virus.rules)
2003208 - ET TROJAN pBot (PHP bot) Commands (bleeding-virus.rules)
2003474 - ET VOIP Asterisk Register with no URI or Version DOS Attempt (bleeding-voip.rules)
2006910 - ET TROJAN perlb0t/w0rmb0t Response (Case 1) (bleeding-virus.rules)
2006911 - ET TROJAN perlb0t/w0rmb0t Response (Case 2) (bleeding-virus.rules)
2006912 - ET TROJAN perlb0t/w0rmb0t Response (Case 3) (bleeding-virus.rules)
2007712 - ET TROJAN Srizbi requesting template (bleeding-virus.rules)
2007729 - ET CURRENT EVENTS Likely Zlob Binary Requested (VideoAccessCodecInstall.exe) (bleeding.rules)
2007742 - ET TROJAN Storm C&C with typo'd User-Agent (Windoss) (bleeding-virus.rules)
2007781 - ET TROJAN Zapchast Bot User-Agent (bleeding-virus.rules)
2007828 - ET TROJAN LDPinch Checkin (2) (bleeding-virus.rules)
2007862 - ET TROJAN LDPinch Checkin (3) (bleeding-virus.rules)
2007906 - ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF (bleeding-game.rules)
2007920 - ET TROJAN Dropper-497 (Yumato) Status Reply from server (bleeding-virus.rules)
2007922 - ET TROJAN Backdoor.Win32.VB.brg C&C Checkin (bleeding-virus.rules)
2007924 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded) (bleeding-virus.rules)
2007925 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames) (bleeding-virus.rules)
2007926 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0) (bleeding-virus.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (bleeding-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (bleeding-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (bleeding-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (bleeding-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (bleeding-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (bleeding-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (bleeding-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (bleeding-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (bleeding-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (bleeding-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (1) (bleeding-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (2) (bleeding-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (3) (bleeding-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (4) (bleeding-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (5) (bleeding-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (6) (bleeding-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (7) (bleeding-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (8) (bleeding-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (9) (bleeding-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (10) (bleeding-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (11) (bleeding-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (12) (bleeding-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (13) (bleeding-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (14) (bleeding-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (15) (bleeding-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (16) (bleeding-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (17) (bleeding-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (18) (bleeding-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (19) (bleeding-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (20) (bleeding-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (21) (bleeding-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (22) (bleeding-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (23) (bleeding-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (24) (bleeding-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (25) (bleeding-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (26) (bleeding-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (27) (bleeding-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (28) (bleeding-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (29) (bleeding-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (30) (bleeding-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (31) (bleeding-rbn.rules)
2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (bleeding-rbn-BLOCK.rules)
2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (bleeding-rbn-BLOCK.rules)
2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (bleeding-rbn-BLOCK.rules)
2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (bleeding-rbn-BLOCK.rules)
2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (bleeding-rbn-BLOCK.rules)
2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (bleeding-rbn-BLOCK.rules)
2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (bleeding-rbn-BLOCK.rules)
2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (bleeding-rbn-BLOCK.rules)
2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (bleeding-rbn-BLOCK.rules)
2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (bleeding-rbn-BLOCK.rules)
2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (bleeding-rbn-BLOCK.rules)
2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (bleeding-rbn-BLOCK.rules)
2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (bleeding-rbn-BLOCK.rules)
2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (bleeding-rbn-BLOCK.rules)
2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (bleeding-rbn-BLOCK.rules)
2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (bleeding-rbn-BLOCK.rules)
2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (bleeding-rbn-BLOCK.rules)
2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (bleeding-rbn-BLOCK.rules)
2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (bleeding-rbn-BLOCK.rules)
2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (bleeding-rbn-BLOCK.rules)
2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (bleeding-rbn-BLOCK.rules)
2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (bleeding-rbn-BLOCK.rules)
2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (bleeding-rbn-BLOCK.rules)
2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (bleeding-rbn-BLOCK.rules)
2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (bleeding-rbn-BLOCK.rules)
2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (bleeding-rbn-BLOCK.rules)
2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (bleeding-rbn-BLOCK.rules)
2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (bleeding-rbn-BLOCK.rules)
2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (bleeding-rbn-BLOCK.rules)
2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (bleeding-rbn-BLOCK.rules)
2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (bleeding-rbn-BLOCK.rules)
[///] Modified inactive rules: [///]
2001328 - ET POLICY SSN Detected in Clear Text (dashed) (bleeding-policy.rules)
2001375 - ET POLICY Credit Card Number Detected in Clear (16 digit spaced) (bleeding-policy.rules)
2001376 - ET POLICY Credit Card Number Detected in Clear (16 digit dashed) (bleeding-policy.rules)
2001377 - ET POLICY Credit Card Number Detected in Clear (16 digit) (bleeding-policy.rules)
2001378 - ET POLICY Credit Card Number Detected in Clear (15 digit) (bleeding-policy.rules)
2001379 - ET POLICY Credit Card Number Detected in Clear (15 digit spaced) (bleeding-policy.rules)
2001380 - ET POLICY Credit Card Number Detected in Clear (15 digit dashed) (bleeding-policy.rules)
2001381 - ET POLICY Credit Card Number Detected in Clear (14 digit) (bleeding-policy.rules)
2001382 - ET POLICY Credit Card Number Detected in Clear (14 digit spaced) (bleeding-policy.rules)
2001383 - ET POLICY Credit Card Number Detected in Clear (14 digit dashed) (bleeding-policy.rules)
2001384 - ET POLICY SSN Detected in Clear Text (spaced) (bleeding-policy.rules)
[---] Removed rules: [---]
2002161 - ET MALWARE CoolWebSearch Spyware (feat2) (bleeding-malware.rules)
2002163 - ET MALWARE Ezula Update Engine (bleeding-malware.rules)
2002165 - ET MALWARE IESearch Spyware (bleeding-malware.rules)
2002167 - ET MALWARE Possible Spyware - Wise User Agent (bleeding-malware.rules)
2002168 - ET MALWARE Svcmm Parasite (bleeding-malware.rules)
2002959 - ET MALWARE Blueskyltd.biz Spyware Checkin (bleeding-malware.rules)
2002960 - ET MALWARE Blueskyltd.biz Spyware Download (bleeding-malware.rules)
2002961 - ET MALWARE Blueskyltd.biz Spyware Checkin 2 (bleeding-malware.rules)
2002962 - ET MALWARE nov.ru Spyware Code Download (bleeding-malware.rules)
2002963 - ET MALWARE Generic Spambot-Spyware Access (bleeding-malware.rules)
2002964 - ET MALWARE Generic Spyware Update Download (bleeding-malware.rules)
2002965 - ET MALWARE Generic Spambot Spam Download (bleeding-malware.rules)
2002976 - ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner (bleeding-virus.rules)
2002978 - ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner (bleeding-virus.rules)
2002980 - ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner (bleeding-virus.rules)
2002981 - ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner (bleeding-virus.rules)
2003107 - ET TROJAN Possible Goldun Dropsite 1 (bleeding-virus.rules)
2003108 - ET TROJAN Possible Goldun Dropsite 2 (bleeding-virus.rules)
2003931 - ET TROJAN Banker.Delf User-Agent (Varlok_11000) (bleeding-virus.rules)
2003933 - ET TROJAN Banker.Delf User-Agent (Ms) (bleeding-virus.rules)
2004442 - ET TROJAN Banker.Delf User-Agent (hhh) (bleeding-virus.rules)
2007594 - ET TROJAN Banker.Delf User-Agent (MzApp) (bleeding-virus.rules)
2007611 - ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 (bleeding-policy.rules)
2007612 - ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 (bleeding-policy.rules)
2007613 - ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (bleeding-policy.rules)
2007614 - ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (bleeding-policy.rules)
2007699 - ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS) (bleeding-virus.rules)
2007838 - ET TROJAN Delf HTTP Checkin (1) (bleeding-virus.rules)
2007858 - ET TROJAN Delf Keylog FTP Upload (bleeding-virus.rules)
2007867 - ET TROJAN Delf HTTP Post Checkin (1) (bleeding-virus.rules)
2007879 - ET EXPLOIT Cyan Soft Products Format String Vulnerability (bleeding-exploit.rules)
2007911 - ET TROJAN Delf Download via HTTP (bleeding-virus.rules)
2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (bleeding-virus.rules)
2007939 - ET TROJAN Delf Checkin via HTTP (up) (bleeding-virus.rules)
2007941 - ET MALWARE Invalid HTTP GET Request - Often Malware Related (bleeding-malware.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (2):
# VERSION 1087
# Generated 2008-03-14 01:03:02 EDT
-> Added to bleeding-drop.rules (2):
# VERSION 1087
# Generated 2008-03-14 01:03:02 EDT
-> Added to bleeding-malware.rules (2):
#many malware packages use hex to obscure an IP
#by Akash Mahajan
-> Added to bleeding-policy.rules (1):
#moving to policy, it's just a sign of an install. You should note if that was authorized or not
-> Added to bleeding-rbn-BLOCK.rules (2):
# VERSION 38
# Updated 2008-03-12 13:33:38
-> Added to bleeding-rbn.rules (2):
# VERSION 38
# Updated 2008-03-12 13:33:38
-> Added to bleeding-sid-msg.map (103):
2000035 || ET POLICY Hotmail Inbox Access
2000036 || ET POLICY Hotmail Message Access
2000037 || ET POLICY Hotmail Compose Message Access
2000038 || ET POLICY Hotmail Compose Message Submit
2000039 || ET POLICY Hotmail Compose Message Submit Data
2001197 || ET WEB_SPECIFIC PHPNuke SQL injection attempt || url,www.waraxe.us/index.php?modname=sa&id=35
2001202 || ET WEB_SPECIFIC PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=036 || url,www.waraxe.us/?modname=sa&id=030
2001218 || ET WEB_SPECIFIC PHPNuke general XSS attempt || url,www.waraxe.us/?modname=sa&id=030
2001328 || ET POLICY SSN Detected in Clear Text (dashed)
2001342 || ET WEB IIS ASP.net Auth Bypass / Canonicalization
2001343 || ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C
2001344 || ET WEB PHP EasyDynamicPages exploit || cve,CAN-2004-0073 || url,www.securitytracker.com/alerts/2004/Jan/1008584.html
2001375 || ET POLICY Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
2001376 || ET POLICY Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
2001377 || ET POLICY Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html
2001378 || ET POLICY Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html
2001379 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
2001380 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
2001381 || ET POLICY Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html
2001382 || ET POLICY Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
2001383 || ET POLICY Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
2001384 || ET POLICY SSN Detected in Clear Text (spaced)
2002164 || ET MALWARE Hotbar Spyware User-Agent || url,www.pchell.com/support/hotbar.shtml || url,www.doxdesk.com/parasite/Hotbar.html
2002166 || ET MALWARE Alexa Search Toolbar User-Agent (Alexa Toolbar) || url,www.spywareguide.com/product_show.php?id=418
2002167 || ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
2002169 || ET MALWARE iWon Spyware (iWonSearchAssistant) || url,www.spywareguide.com/product_show.php?id=461
2002394 || ET MALWARE Adwave/MarketScore User Agent (WTA) || url,www.marketscore.com || url,www.adwave.com/our_mission.aspx
2002395 || ET MALWARE Miva User Agent (TPSystem) || url,www.findwhat.com || url,www.miva.com
2002396 || ET MALWARE Miva Spyware User Agent (Travel Update) || url,www.miva.com
2002397 || ET MALWARE Precision Targeting User Agent (XC) || url,www.precisiontargeting.com
2002398 || ET MALWARE DelFin Project User Agent (Dpi) || url,www.delfinproject.com
2002399 || ET MALWARE DelFin Project User Agent (PromulGate) || url,www.delfinproject.com
2002401 || ET MALWARE Web Search User Agent (ST3PS) || url,www.websearch.com
2002402 || ET MALWARE Suspicious Spyware Related User Agent (UtilMind HTTPGet) || url,www.websearch.com
2002403 || ET MALWARE Context Plus User Agent (PTS) || url,www.contextplus.net
2002404 || ET MALWARE Movies etc User Agent (IOInstall) || url,www.movies-etc.com
2002405 || ET MALWARE Internet Optimizer User Agent (ROGUE) || url,www.internet-optimizer.com
2002731 || ET WEB PHP Generic phpbb arbitrary command attempt || url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path
2002959 || ET TROJAN Tibs Checkin
2002960 || ET TROJAN Tibs Download
2002961 || ET TROJAN Tibs Checkin 2
2002962 || ET TROJAN Tibs Code Download
2002963 || ET TROJAN Generic Spambot-Spyware Access
2002964 || ET TROJAN Generic Spyware Update Download
2002965 || ET TROJAN Generic Spambot Spam Download
2002996 || ET WEB PHP GeekLog Remote File Include Vulnerability || url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html
2007611 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
2007612 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
2007613 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
2007614 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
2007906 || ET GAMES Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
2007949 || ET TROJAN Medbod UDP Phone Home Packet - Please report hits to emerging at emergingthreats.net for analysis
2007950 || ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body
2007951 || ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
2007952 || ET TROJAN Downloader.49651 Checkin
2007953 || ET TROJAN Downloader.49651 Install Report
2007954 || ET TROJAN Downloader.49651 Online Report
2007955 || ET TROJAN Cygo Checkin
2007956 || ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)
2007957 || ET TROJAN Banker.ike UDP C&C
2007958 || ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN)
2007959 || ET MALWARE Msconfig.co.kr Related User Agent (GLOBALx)
2007960 || ET MALWARE Suspicious User Agent (AutoItScript/3.2.10.0)
2007961 || ET MALWARE Fake Wget User Agent - Likely Hostile (wget 3.0)
2007962 || ET TROJAN Vipdataend C&C Traffic - Checkin
2007963 || ET TROJAN Vipdataend C&C Traffic - Status OK
2007964 || ET TROJAN Vipdataend C&C Traffic - Server Status OK
2007965 || ET TROJAN Goldun Reporting Install
2007966 || ET TROJAN Win32.Inject.zy Checkin Post
2007967 || ET TROJAN Universal1337 FTP Upload of Compromised Data || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337
2007968 || ET TROJAN Universal1337 Email Upload of Compromised Data || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337
2007970 || ET TROJAN Vipdataend C&C Traffic - Checkin (XY)
2007971 || ET POLICY SSN Detected in Clear Text (SSN )
2007972 || ET POLICY SSN Detected in Clear Text (SSN# )
2007973 || ET TROJAN Perfect Keylogger FTP Initial Install Log Upload
2007974 || ET TROJAN Perfect Keylogger FTP Log Upload
2007975 || ET TROJAN Common Downloader Trojan Checkin
2007977 || ET MALWARE Dokterfix.com Fake AV User Agent (Magic NetInstaller)
2007978 || ET MALWARE Direct-web.co.kr Related Spyware Checkin
2007979 || ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version
2007980 || ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send
2007981 || ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge
2007982 || ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound
2007983 || ET TROJAN LDPinch Checkin (4)
2007984 || ET TROJAN Banker Trojan (General) HTTP Checkin
2007986 || ET TROJAN Emogen Reporting via HTTP
2007987 || ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP || url,doc.emergingthreats.net
2007988 || ET TROJAN Banker Trojan (General) HTTP Checkin
2007989 || ET TROJAN Vundo HTTP Pre-Install Checkin
2007990 || ET TROJAN Vundo HTTP Post-Install Checkin
2007991 || ET MALWARE Suspicious User Agent (Unknown)
2007992 || ET TROJAN Shark Pass Stealer Email Report
2007993 || ET MALWARE Suspicious User Agent (2 spaces)
2007994 || ET MALWARE Suspicious User Agent (1 space)
2007995 || ET MALWARE Vaccine-program.co.kr Related Spyware Checkin
2007996 || ET MALWARE Sears.com/Kmart.com My SHC Community spyware download || url,www.benedelman.org/news/010108-1.html || url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
2007998 || ET WEB Rediff Bol Downloader ActiveX Control Remote Code Execution || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || bugtraq,21831 || cve,CVE-2006-6838
2007999 || ET TROJAN Banker Trojan (General) HTTP Checkin (vit)
2008000 || ET MALWARE Easydownloadsoft.com Fake Anti-Virus User Agent (IM Downloader)
2008001 || ET CURRENT_EVENTS 2117966.net/iframe exploit (infection) || url,isc.sans.org/diary.html?storyid=4139
2008002 || ET CURRENT_EVENTS 2117966.net/iframe exploit (attempt) || url,isc.sans.org/diary.html?storyid=4139
2406036 || ET RBN Known Russian Business Network Monitored Domains (32) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
2407036 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) || url,doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
-> Added to bleeding-sid-msg.map.txt (103): identical to the 103 entries added to bleeding-sid-msg.map above
-> Added to bleeding-virus.rules (9):
#by matt jonkman and victor julien
#by victor julien
#matt jonkman, Dropper.Win32.VB.on
# A large number of trojans report an infection by sending a blank email to a gmail or other free provider
# They're pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique
# This sig should catch them outbound
#by Matt Jonkman, significant update from Don Jackson of Secureworks
# Kaspersky calls it win32.shark.hz. This sig will catch the report email outbound
#by victor julien
-> Added to bleeding-web.rules (1):
#by akash mahajan of Stillsecure
-> Added to bleeding.rules (5):
# From SANS/Diary isc.sans.org/diary.html?storyid=4139
# Inspect your web proxy logs for visitors to 2117966.net. This will
# indicate who is potentially exposed. Check these systems to verify
# that their patches are up-to-date. Systems that are successfully
# compromised will begin sending traffic to 61.188.39.175
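The SANS diary advice quoted above (check proxy logs for visitors to 2117966.net, then look for traffic to 61.188.39.175) as a worked check. This is an added example, not part of the Emerging Threats post or rule set; the two indicators come from the comment above, while the log lines are constructed samples in Squid native access.log format and a generic "src dst dport" firewall format. Note the exposure match is an exact-domain-or-subdomain test rather than a substring search, so a look-alike host such as 2117966.net.example.com does not trip it.

```python
"""Triage hosts against the 2117966.net iframe campaign using proxy and
firewall logs.  Added example; indicators from the SANS diary quoted in
the rule comment, log lines constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit

EXPOSURE_DOMAIN = "2117966.net"      # iframe host from the diary
COMPROMISE_IP = "61.188.39.175"      # post-infection address from the diary

# Constructed Squid native-format lines:
# time elapsed client action/code size method url ident hier/peer type
SQUID_LOG = """\
1205611200.123    312 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1205611201.456     87 10.0.0.15 TCP_MISS/200 1433 GET http://2117966.net/iframe.js - DIRECT/203.0.113.5 text/javascript
1205611202.789     95 10.0.0.23 TCP_MISS/200 1433 GET http://ad.2117966.net/x.html - DIRECT/203.0.113.5 text/html
1205611203.001     12 10.0.0.42 TCP_HIT/200 2048 GET http://www.example.org/ - NONE/- text/html
1205611204.333     60 10.0.0.15 TCP_MISS/200 900 GET http://2117966.net.example.com/ - DIRECT/192.0.2.77 text/html
"""

# Constructed outbound firewall lines: src dst dport
FW_LOG = """\
10.0.0.15 61.188.39.175 80
10.0.0.23 198.51.100.4 443
10.0.0.99 61.188.39.175 8080
"""


def host_matches(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it.  A plain
    substring test would also flag 2117966.net.example.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def exposed_hosts(squid_log: str, domain: str = EXPOSURE_DOMAIN) -> dict[str, list[str]]:
    """Map client IP -> URLs it fetched from the campaign domain."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in squid_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                      # truncated or non-native line
        client, url = fields[2], fields[6]
        if host_matches(urlsplit(url).hostname or "", domain):
            hits[client].append(url)
    return dict(hits)


def compromised_hosts(fw_log: str, drop_ip: str = COMPROMISE_IP) -> set[str]:
    """Internal sources that talked to the post-infection address."""
    return {
        parts[0]
        for parts in (line.split() for line in fw_log.splitlines())
        if len(parts) >= 2 and parts[1] == drop_ip
    }


def triage(squid_log: str, fw_log: str) -> dict[str, list[str]]:
    """'compromised' = reached the drop IP (regardless of proxy evidence);
    'exposed_only' = fetched from the iframe domain but no drop-IP traffic."""
    exposed = exposed_hosts(squid_log)
    compromised = compromised_hosts(fw_log)
    return {
        "compromised": sorted(compromised),
        "exposed_only": sorted(set(exposed) - compromised),
    }


if __name__ == "__main__":
    for bucket, hosts in triage(SQUID_LOG, FW_LOG).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the compromised bucket are candidates for reimaging; exposed-only hosts are the ones whose patch level the diary says to verify.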
[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (2):
# VERSION 1081
# Generated 2008-03-08 01:03:00 EDT
-> Removed from bleeding-drop.rules (2):
# VERSION 1081
# Generated 2008-03-08 01:03:00 EDT
-> Removed from bleeding-malware.rules (4):
# Seeing several bits of malware that are creating their HTTP GETs
# incorrectly. They're adding an http://domain.com/url to the GET string,
# which should be just the URI. This will catch those
#Extra content check for snort <2.4.3 doesn't support pure not rules
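The request-line check described in the comment above, as an added example that is not part of the Emerging Threats post or its rules. It parses the request-target of an HTTP request line into the forms RFC 7230 section 5.3 defines and applies the comment's heuristic, with the caveat a practitioner needs: absolute-form targets are required when the client talks to a forward proxy (RFC 2616 section 5.1.2), so the check only means something on connections made directly to an origin server. The sample request lines are constructed; the to_proxy flag stands in for whatever the sensor knows about the destination.

```python
"""Classify HTTP request lines by request-target form and flag the
malformed-GET pattern from the rule comment.  Added example; sample
request lines are constructed."""
from urllib.parse import urlsplit


def classify_request_line(line: str) -> dict:
    """Return method, request-target form and, where present, the host
    embedded in the target.

    Forms (RFC 7230 s5.3): origin ("/path"), absolute ("http://h/path"),
    authority ("h:443", CONNECT only), asterisk ("*").  Anything else,
    including a line with doubled spaces, is reported as malformed.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"method": None, "form": "malformed", "host": None}
    method, target, _version = parts
    if target == "*":
        form, host = "asterisk", None
    elif target.startswith("/"):
        form, host = "origin", None
    elif method == "CONNECT":
        form, host = "authority", target.rsplit(":", 1)[0]
    elif target.lower().startswith(("http://", "https://")):
        form, host = "absolute", urlsplit(target).hostname
    else:
        form, host = "malformed", None
    return {"method": method, "form": form, "host": host}


def is_suspicious_get(line: str, to_proxy: bool) -> bool:
    """The comment's heuristic: a GET whose target carries the scheme and
    host is only odd when the connection is NOT to a forward proxy, where
    absolute-form is the required form."""
    info = classify_request_line(line)
    return (not to_proxy) and info["method"] == "GET" and info["form"] == "absolute"


# Constructed (request line, connection is to a proxy?) pairs
SAMPLES = [
    ("GET /index.html HTTP/1.1", False),
    ("GET http://domain.com/update.php HTTP/1.0", False),   # the pattern
    ("GET http://domain.com/update.php HTTP/1.1", True),    # legit via proxy
    ("CONNECT mail.example.net:443 HTTP/1.1", True),
    ("GET * HTTP/1.1", False),
]

if __name__ == "__main__":
    for line, via_proxy in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious_get(line, via_proxy) else "ok"
        print(f"{verdict:10} {line}")
```

On a sensor that sees both proxied and direct traffic, key the to_proxy decision on the destination (proxy address and port) rather than on the request line itself, or the check will fire on every legitimate proxied fetch.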
-> Removed from bleeding-policy.rules (3):
# A large number of trojans report an infection by sending a blank email to a gmail or other free provider
# They're pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique
# This sig should catch them outbound
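The Indy-mail heuristic in the comment above (the same comment now sits under the bleeding-virus.rules additions, where sigs 2007611-2007614 were moved), worked through as an added example that is not part of the Emerging Threats post or its rules. It parses an outbound message, checks for the library fingerprint, and classifies a message whose body is empty or consists only of a MAC address, the two body shapes the sig names describe. The header the rules actually match is not shown on this page; the example assumes the library stamps an "X-Library: Indy ..." header, and all four messages are constructed.

```python
"""Flag outbound mail that looks like an automated infection report:
built with the Indy mail library and carrying no body, or a body that
is only a MAC address.  Added example; the X-Library fingerprint is an
assumption and the messages are constructed."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

INDY_HEADER = "X-Library"   # assumed: header Indy adds to outgoing mail
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts (walk() yields the message
    itself when it is not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "ascii", "replace"))
    return "".join(chunks)


def classify_report_mail(raw: str) -> str | None:
    """Return 'indy-empty-body', 'indy-mac-body', or None when the
    message does not fit the heuristic (no Indy header, or a real body)."""
    msg = message_from_string(raw)
    if not msg.get(INDY_HEADER, "").lower().startswith("indy"):
        return None
    body = body_text(msg).strip()
    if body == "":
        return "indy-empty-body"
    if MAC_RE.match(body):
        return "indy-mac-body"
    return None


# Constructed samples
EMPTY_REPORT = (          # headers only, no body at all
    "From: victim@example.com\r\n"
    "To: dropbox@example.net\r\n"
    "Subject: new\r\n"
    "X-Library: Indy 9.00.10\r\n"
    "\r\n"
)
MAC_REPORT = (            # body is nothing but the victim's MAC address
    "From: victim@example.com\r\n"
    "To: dropbox@example.net\r\n"
    "Subject: report\r\n"
    "X-Library: Indy 9.00.10\r\n"
    "\r\n"
    "00-1A-2B-3C-4D-5E\r\n"
)
NORMAL_MAIL = (           # ordinary client with a real body
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: lunch\r\n"
    "X-Mailer: SomeClient/1.0\r\n"
    "\r\n"
    "Noon works for me.\r\n"
)
INDY_WITH_TEXT = (        # Indy-built but carries a real body: not flagged
    "From: app@example.com\r\n"
    "To: ops@example.net\r\n"
    "Subject: nightly job\r\n"
    "X-Library: Indy 9.00.10\r\n"
    "\r\n"
    "Backup completed, 12 files.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("EMPTY_REPORT", EMPTY_REPORT), ("MAC_REPORT", MAC_REPORT),
                      ("NORMAL_MAIL", NORMAL_MAIL), ("INDY_WITH_TEXT", INDY_WITH_TEXT)]:
        print(f"{name:15} -> {classify_report_mail(raw)}")
```

Legitimate Delphi applications also ship with Indy, which is why the last sample is deliberately left unflagged: the library header alone is a weak signal and the empty or MAC-only body is what carries the heuristic.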
-> Removed from bleeding-rbn-BLOCK.rules (2):
# VERSION 37
# Updated 2008-03-06 19:56:19
-> Removed from bleeding-rbn.rules (2):
# VERSION 37
# Updated 2008-03-06 19:56:19
-> Removed from bleeding-sid-msg.map (74):
2000035 || ET Hotmail Inbox Access
2000036 || ET Hotmail Message Access
2000037 || ET Hotmail Compose Message Access
2000038 || ET Hotmail Compose Message Submit
2000039 || ET Hotmail Compose Message Submit Data
2001197 || ET PHPNuke SQL injection attempt || url,www.waraxe.us/index.php?modname=sa&id=35
2001202 || ET PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=036 || url,www.waraxe.us/?modname=sa&id=030
2001218 || ET PHPNuke general XSS attempt || url,www.waraxe.us/?modname=sa&id=030
2001328 || ET POLICY SSN Detected in Clear Text
2001342 || ET WEB-IIS ASP.net Auth Bypass / Canonicalization
2001343 || ET WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C
2001344 || ET WEB-PHP EasyDynamicPages exploit || cve,CAN-2004-0073 || url,www.securitytracker.com/alerts/2004/Jan/1008584.html
2001375 || ET Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
2001376 || ET Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
2001377 || ET Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html
2001378 || ET Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html
2001379 || ET Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
2001380 || ET Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
2001381 || ET Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html
2001382 || ET Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html
2001383 || ET Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html
2001384 || ET POLICY SSN Detected in Clear Text
2002161 || ET MALWARE CoolWebSearch Spyware (feat2) || url,www.doxdesk.com/parasite/CoolWebSearch.html || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759 || url,www.spywareguide.com/product_show.php?id=599
2002163 || ET MALWARE Ezula Update Engine || url,www.spywareguide.com/product_show.php?id=9
2002164 || ET MALWARE Hotbar Spyware || url,www.pchell.com/support/hotbar.shtml || url,www.doxdesk.com/parasite/Hotbar.html
2002165 || ET MALWARE IESearch Spyware || url,www.spywareguide.com/product_show.php?id=982
2002166 || ET MALWARE Alexa Search Toolbar || url,www.spywareguide.com/product_show.php?id=418
2002167 || ET MALWARE Possible Spyware - Wise User Agent || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771
2002168 || ET MALWARE Svcmm Parasite || url,doxdesk.com/parasite/SvcMM.html || url,castlecops.com/startuplist-5862.html
2002169 || ET MALWARE iWon Spyware || url,www.spywareguide.com/product_show.php?id=461
2002394 || ET MALWARE Adwave/MarketScore User Agent || url,www.marketscore.com || url,www.adwave.com/our_mission.aspx
2002395 || ET MALWARE Miva User Agent || url,www.findwhat.com || url,www.miva.com
2002396 || ET MALWARE Miva User Agent 2 || url,www.miva.com
2002397 || ET MALWARE Precision Targeting User Agent || url,www.precisiontargeting.com
2002398 || ET MALWARE DelFin Project User Agent || url,www.delfinproject.com
2002399 || ET MALWARE DelFin Project User Agent 2 || url,www.delfinproject.com
2002401 || ET MALWARE Web Search User Agent 2 || url,www.websearch.com
2002402 || ET MALWARE Web Search User Agent 3 || url,www.websearch.com
2002403 || ET MALWARE Context Plus User Agent 2 || url,www.contextplus.net
2002404 || ET MALWARE Movies etc User Agent || url,www.movies-etc.com
2002405 || ET MALWARE Internet Optimizer User Agent 2 || url,www.internet-optimizer.com
2002731 || ET WEB-PHP Generic phpbb arbitrary command attempt || url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path
2002959 || ET MALWARE Blueskyltd.biz Spyware Checkin
2002960 || ET MALWARE Blueskyltd.biz Spyware Download
2002961 || ET MALWARE Blueskyltd.biz Spyware Checkin 2
2002962 || ET MALWARE nov.ru Spyware Code Download
2002963 || ET MALWARE Generic Spambot-Spyware Access
2002964 || ET MALWARE Generic Spyware Update Download
2002965 || ET MALWARE Generic Spambot Spam Download
2002976 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002978 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002980 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002981 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002996 || ET WEB-PHP GeekLog Remote File Include Vulnerability || url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html
2003107 || ET TROJAN Possible Goldun Dropsite 1
2003108 || ET TROJAN Possible Goldun Dropsite 2
2003931 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2003933 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2004442 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007594 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2007611 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1
2007612 || ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3
2007613 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1
2007614 || ET POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3
2007699 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)
2007838 || ET TROJAN Delf HTTP Checkin (1)
2007858 || ET TROJAN Delf Keylog FTP Upload
2007867 || ET TROJAN Delf HTTP Post Checkin (1)
2007879 || ET EXPLOIT Cyan Soft Products Format String Vulnerability || url,aluigi.altervista.org/adv/cyanuro-adv.txt || bugtraq,27728 || cve,CVE-2008-0755
2007906 || ET GAME Ourgame GLWorld 2.x hgs_startNotify()/hgs_startGame() ActiveX BoF || url,www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html || cve,CVE-2008-0647 || bugtraq,27626 || url,www.milw0rm.com/exploits/5153
2007911 || ET TROJAN Delf Download via HTTP
2007930 || ET TROJAN Delf/Hupigon C&C Channel Version Report
2007939 || ET TROJAN Delf Checkin via HTTP (up)
2007941 || ET MALWARE Invalid HTTP GET Request - Often Malware Related || url,doc.emergingthreats.net/2007941
-> Removed from bleeding-sid-msg.map.txt (74): identical to the 74 entries removed from bleeding-sid-msg.map above
-> Removed from bleeding-virus.rules (7):
# This thing sends out an email to its owner with stats and such. This ought to catch it..
#another variant
#Yet another
#yet another c&c method, by matt jonkman
#delf keylog upload, kinda flimsy but works
#by Victor Julien
# Submitted 2006-09-22 by Frank Knobbe