[Emerging-Sigs] Emerging Threats Daily Signature Changes

emerging@emergingthreats.net
Mon May 19 17:00:08 EDT 2008


[***] Results from Oinkmaster started Mon May 19 17:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2007818 - ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability (emerging-web.rules)
 2007819 - ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability (emerging-web.rules)
 2008103 - ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound (emerging-virus.rules)
 2008104 - ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound (emerging-virus.rules)
 2008105 - ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound (emerging-virus.rules)
 2008106 - ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound (emerging-virus.rules)
 2008107 - ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound (emerging-virus.rules)
 2008108 - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound (emerging-virus.rules)
 2008109 - ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound (emerging-virus.rules)
 2008110 - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound (emerging-virus.rules)
 2008139 - ET TROJAN RhiFrem Trojan Activity - cmd (emerging-virus.rules)
 2008140 - ET TROJAN RhiFrem Trojan Activity - log (emerging-virus.rules)
 2008225 - ET WEB Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit (emerging-web.rules)
 2008226 - ET WEB Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit (emerging-web.rules)
 2008227 - ET WEB Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit (emerging-web.rules)
 2008228 - ET MALWARE Suspicious User-Agent inbound (bot) (emerging-malware.rules)
 2008230 - ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force (emerging-scan.rules)
 2008231 - ET MALWARE Suspicious User-Agent (Mozilla 1.02.45 biz) (emerging-malware.rules)
 2008232 - ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely) (emerging-virus.rules)
 2008233 - ET TROJAN Common Downloader Install Report URL (farfly checkin) (emerging-virus.rules)
 2008234 - ET MALWARE Suspicious User-Agent (winlogon) (emerging-malware.rules)
 2008235 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (iloveyou.exe) (emerging.rules)


[///]     Modified active rules:     [///]

 2000005 - ET EXPLOIT Cisco Telnet Buffer Overflow (emerging-exploit.rules)
 2000006 - ET DOS Cisco Router HTTP DoS (emerging-dos.rules)
 2000007 - ET EXPLOIT Catalyst SSH protocol mismatch (emerging-exploit.rules)
 2000009 - ET EXPLOIT Cisco IOS HTTP DoS (emerging-exploit.rules)
 2000010 - ET DOS Cisco 514 UDP flood DoS (emerging-dos.rules)
 2000011 - ET DOS Catalyst memory leak attack (emerging-dos.rules)
 2000012 - ET EXPLOIT Cisco %u IDS evasion (emerging-exploit.rules)
 2000013 - ET EXPLOIT Cisco IOS HTTP server DoS (emerging-exploit.rules)
 2000016 - ET DOS SSL Bomb DoS Attempt (emerging-dos.rules)
 2000032 - ET EXPLOIT LSA exploit (emerging-exploit.rules)
 2000033 - ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) (emerging-exploit.rules)
 2000046 - ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) (emerging-exploit.rules)
 2000342 - ET EXPLOIT Squid NTLM Auth Overflow Exploit (emerging-exploit.rules)
 2000377 - ET EXPLOIT MS-SQL heap overflow attempt (emerging-exploit.rules)
 2000378 - ET EXPLOIT MS-SQL DOS attempt (08) (emerging-exploit.rules)
 2000379 - ET EXPLOIT MS-SQL DOS attempt (08) 1 byte (emerging-exploit.rules)
 2000380 - ET EXPLOIT MS-SQL Spike buffer overflow (emerging-exploit.rules)
 2000381 - ET EXPLOIT MS-SQL DOS bouncing packets (emerging-exploit.rules)
 2000496 - ET DOS Microsoft SMS dos attempt (emerging-dos.rules)
 2001181 - ET EXPLOIT Internet Explorer Plugin.ocx Heap Overflow (emerging-exploit.rules)
 2001190 - ET EXPLOIT libPNG - Possible NULL-pointer crash in png_handle_iCCP (emerging-exploit.rules)
 2001191 - ET EXPLOIT libPNG - Width exceeds limit (emerging-exploit.rules)
 2001192 - ET EXPLOIT libPNG - Height exceeds limit (emerging-exploit.rules)
 2001195 - ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT (emerging-exploit.rules)
 2001239 - ET Cisco Device in Config Mode (emerging-policy.rules)
 2001240 - ET Cisco Device New Config Built (emerging-policy.rules)
 2001294 - ET POLICY Dameware Remote Control Service Install (emerging-policy.rules)
 2001401 - ET EXPLOIT IE IFRAME Exploit (emerging-exploit.rules)
 2001622 - ET EXPLOIT winhlp32 ActiveX control attack, phase 1 (emerging-exploit.rules)
 2001623 - ET EXPLOIT winhlp32 ActiveX control attack, phase 2 (emerging-exploit.rules)
 2001624 - ET EXPLOIT winhlp32 ActiveX control attack, phase 3 (emerging-exploit.rules)
 2001625 - ET EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 1 (emerging-exploit.rules)
 2001626 - ET EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 2 (emerging-exploit.rules)
 2001627 - ET EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 3 (emerging-exploit.rules)
 2001669 - ET WEB Proxy GET Request (emerging-web.rules)
 2001670 - ET WEB Proxy HEAD Request (emerging-web.rules)
 2001674 - ET WEB Proxy POST Request (emerging-web.rules)
 2001675 - ET WEB Proxy CONNECT Request (emerging-web.rules)
 2001679 - ET MALWARE JoltID Agent P2P via Proxy Server (emerging-malware.rules)
 2001751 - ET EXPLOIT Nullsoft Shoutcast Server Format String Attack (emerging-exploit.rules)
 2001762 - ET WEB_SPECIFIC phpbb Session Cookie (emerging-web_sql_injection.rules)
 2001767 - ET WEB ORACLE OLEDB asp error (emerging-web.rules)
 2001768 - ET WEB MS SQL Server OLEDB asp error (emerging-web.rules)
 2001780 - ET EXPLOIT Solaris TTYPROMPT environment variable set (emerging-exploit.rules)
 2001846 - ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt (emerging-dos.rules)
 2001873 - ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021) (emerging-exploit.rules)
 2001874 - ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021) (emerging-exploit.rules)
 2001875 - ET EXPLOIT MS Exchange chunks accepted (emerging-exploit.rules)
 2001876 - ET EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021) (emerging-exploit.rules)
 2001904 - ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force (emerging-scan.rules)
 2001906 - ET SCAN MYSQL 4.0 brute force root login attempt (emerging-scan.rules)
 2001944 - ET EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt (emerging-exploit.rules)
 2001961 - ET VIRUS Hotword Trojan - Possible File Upload CHJO (emerging-virus.rules)
 2001962 - ET VIRUS Hotword Trojan - Possible File Upload CFXP (emerging-virus.rules)
 2001963 - ET VIRUS Hotword Trojan - Possible FTP File Request pspv.exe (emerging-virus.rules)
 2001964 - ET VIRUS Hotword Trojan - Possible FTP File Request .tea (emerging-virus.rules)
 2001965 - ET VIRUS Hotword Trojan - Possible FTP File Status Upload ___ (emerging-virus.rules)
 2001966 - ET VIRUS Hotword Trojan - Possible FTP File Status Check ___ (emerging-virus.rules)
 2002034 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) (emerging-attack_response.rules)
 2002064 - ET EXPLOIT ms05-011 exploit (emerging-exploit.rules)
 2002065 - ET EXPLOIT Veritas backupexec_agent exploit (emerging-exploit.rules)
 2002068 - ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon (emerging-exploit.rules)
 2002199 - ET EXPLOIT SMB-DS DCERPC PnP HOD bind attempt (emerging-exploit.rules)
 2002200 - ET EXPLOIT SMB-DS DCERPC PnP bind attempt (emerging-exploit.rules)
 2002201 - ET EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt (emerging-exploit.rules)
 2002202 - ET EXPLOIT SMB DCERPC PnP bind attempt (emerging-exploit.rules)
 2002203 - ET EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt (emerging-exploit.rules)
 2002734 - ET EXPLOIT WMF Exploit (emerging-exploit.rules)
 2002749 - ET POLICY Reserved IP Space Traffic - Bogon Nets 1 (emerging-policy.rules)
 2002750 - ET POLICY Reserved IP Space Traffic - Bogon Nets 2 (emerging-policy.rules)
 2002842 - ET SCAN MYSQL 4.1 brute force root login attempt (emerging-scan.rules)
 2002869 - ET WEB WebAttacker kit (exploit1 ie0601) (emerging-web.rules)
 2002870 - ET WEB WebAttacker kit (exploit ie0604) (emerging-web.rules)
 2002871 - ET WEB WebAttacker kit (bug ie0604) (emerging-web.rules)
 2002880 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port (emerging-dos.rules)
 2002881 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port (emerging-dos.rules)
 2002882 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port (emerging-dos.rules)
 2002912 - ET EXPLOIT VNC Possible Vulnerable Server Response (emerging-exploit.rules)
 2002913 - ET EXPLOIT VNC Client response (emerging-exploit.rules)
 2002914 - ET EXPLOIT VNC Server VNC Auth Offer (emerging-exploit.rules)
 2002915 - ET EXPLOIT VNC Authentication Reply (emerging-exploit.rules)
 2002916 - ET EXPLOIT RealVNC Authentication Bypass Attempt (emerging-exploit.rules)
 2002917 - ET EXPLOIT RealVNC Server Authentication Bypass Successful (emerging-exploit.rules)
 2002918 - ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string (emerging-exploit.rules)
 2002919 - ET EXPLOIT VNC Good Authentication Reply (emerging-exploit.rules)
 2002920 - ET POLICY VNC Authentication Failure (emerging-exploit.rules)
 2002921 - ET EXPLOIT VNC Multiple Authentication Failures (emerging-exploit.rules)
 2002922 - ET POLICY VNC Authentication Successful (emerging-exploit.rules)
 2002923 - ET EXPLOIT VNC Server Not Requiring Authentication (case 2) (emerging-exploit.rules)
 2002924 - ET EXPLOIT VNC Server Not Requiring Authentication (emerging-exploit.rules)
 2002926 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port (emerging-dos.rules)
 2002927 - ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port (emerging-dos.rules)
 2002928 - ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port (emerging-dos.rules)
 2002937 - ET WEB WebAttacker kit (ie0606) (emerging-web.rules)
 2002992 - ET SCAN Rapid POP3 Connections - Possible Brute Force Attack (emerging-scan.rules)
 2002993 - ET SCAN Rapid POP3S Connections - Possible Brute Force Attack (emerging-scan.rules)
 2002994 - ET SCAN Rapid IMAP Connections - Possible Brute Force Attack (emerging-scan.rules)
 2002995 - ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack (emerging-scan.rules)
 2003063 - ET WEB WebAttacker RootLauncher (emerging-web.rules)
 2003067 - ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT  (emerging-exploit.rules)
 2003071 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) (emerging-attack_response.rules)
 2003072 - ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt (emerging-exploit.rules)
 2003081 - ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) (emerging-exploit.rules)
 2003082 - ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) (emerging-exploit.rules)
 2003192 - ET VOIP INVITE Message Flood (emerging-voip.rules)
 2003193 - ET VOIP REGISTER Message Flood (emerging-voip.rules)
 2003194 - ET VOIP Multiple Unauthorized SIP Responses (emerging-voip.rules)
 2003196 - ET EXPLOIT FTP .message file write (emerging-exploit.rules)
 2003197 - ET EXPLOIT ProFTPD .message file overflow attempt (emerging-exploit.rules)
 2003198 - ET EXPLOIT TFTP Invalid Mode in file Get (emerging-exploit.rules)
 2003199 - ET EXPLOIT TFTP Invalid Mode in file Put (emerging-exploit.rules)
 2003237 - ET EXPLOIT MultiTech SIP UDP Overflow (emerging-exploit.rules)
 2003250 - ET EXPLOIT Symantec Remote Management RTVScan Exploit (emerging-exploit.rules)
 2003474 - ET VOIP Asterisk Register with no URI or Version DOS Attempt (emerging-voip.rules)
 2003479 - ET POLICY Radmin Remote Control Session Setup Initiate (emerging-policy.rules)
 2003480 - ET POLICY Radmin Remote Control Session Setup Response (emerging-policy.rules)
 2003481 - ET POLICY Radmin Remote Control Session Authentication Initiate (emerging-policy.rules)
 2003482 - ET POLICY Radmin Remote Control Session Authentication Response (emerging-policy.rules)
 2003519 - ET EXPLOIT MS ANI exploit (emerging-exploit.rules)
 2003520 - ET EXPLOIT webCalendar Remote File include (emerging-web.rules)
 2003535 - ET ATTACK RESPONSE r57 phpshell footer detected (emerging-attack_response.rules)
 2003536 - ET ATTACK RESPONSE r57 phpshell source being uploaded (emerging-attack_response.rules)
 2003622 - ET MALWARE Suspicious User-Agent outbound (bot) (emerging-malware.rules)
 2004115 - ET WEB IIS Auth Bypass Attempt (emerging-web.rules)
 2006417 - ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected (emerging-attack_response.rules)
 2006779 - ET POLICY Nagios HTTP Monitoring Connection (emerging-policy.rules)
 2007651 - ET ATTACK RESPONSE x2300 phpshell detected (emerging-attack_response.rules)
 2007652 - ET ATTACK RESPONSE c99shell phpshell detected (emerging-attack_response.rules)
 2007653 - ET ATTACK RESPONSE RFI Scanner detected (emerging-attack_response.rules)
 2007654 - ET ATTACK RESPONSE C99 Modified phpshell detected (emerging-attack_response.rules)
 2007656 - ET ATTACK RESPONSE ALBANIA id.php detected (emerging-attack_response.rules)
 2007771 - ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected (emerging-virus.rules)
 2007811 - ET TROJAN Metajuan trojan checkin (emerging-virus.rules)
 2007874 - ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability (emerging-exploit.rules)
 2007875 - ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability (emerging-exploit.rules)
 2007877 - ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp (emerging-exploit.rules)
 2007933 - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability (emerging-exploit.rules)
 2007934 - ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability (emerging-exploit.rules)
 2007936 - ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability (emerging-web.rules)
 2008011 - ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports (emerging-virus.rules)
 2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe) (emerging.rules)


[///]    Modified inactive rules:    [///]

 2002186 - ET EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability (emerging-exploit.rules)
 2002187 - ET EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln (emerging-exploit.rules)
 2002188 - ET EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln (emerging-exploit.rules)
 2007655 - ET ATTACK RESPONSE lila.jpg phpshell detected (emerging-attack_response.rules)
 2007657 - ET ATTACK RESPONSE Mic22 id.php detected (emerging-attack_response.rules)


[---]         Removed rules:         [---]

 2007707 - ET DNS Possible MITM lookup for WPAD.com (emerging.rules)
 2007708 - ET DNS Possible MITM lookup for WPAD.co (emerging.rules)
 2007709 - ET DNS Possible MITM lookup for WPAD.net (emerging.rules)
 2007710 - ET DNS Possible MITM lookup for WPAD.org (emerging.rules)
 2007773 - ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected (emerging-virus.rules)
 2007812 - ET CURRENT_EVENTS Yahoo! Music Jukebox (DataGrid) 2.2 AddImage() ActiveX BOF (emerging.rules)
 2007813 - ET CURRENT_EVENTS Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() BoF (emerging.rules)
 2007815 - ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt (emerging.rules)
 2007816 - ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use (emerging.rules)
 2007817 - ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit (emerging.rules)
 2007818 - ET CURRENT_EVENTS Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability (emerging.rules)
 2007819 - ET CURRENT_EVENTS Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability (emerging.rules)
 2007848 - ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit (emerging.rules)
 2007887 - ET CURRENT_EVENTS Possible Comodo AntiVirus 2.0 ExecuteStr() Remote Command Execution Vulnerability (emerging.rules)
 2007888 - ET CURRENT_EVENTS Rising Online Scanner Insecure Method Vulnerability (emerging.rules)
 2008001 - ET CURRENT_EVENTS 2117966.net/iframe exploit (infection) (emerging.rules)
 2008002 - ET CURRENT_EVENTS 2117966.net/iframe exploit (attempt) (emerging.rules)
 2008045 - ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report (emerging.rules)
 2008080 - ET CURRENT_EVENTS Real Player rmoc3260.dll ActiveX Remote Code Execution Exploit (emerging.rules)
 2008103 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound (emerging.rules)
 2008104 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound (emerging.rules)
 2008105 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound (emerging.rules)
 2008106 - ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound (emerging.rules)
 2008107 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound (emerging.rules)
 2008108 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound (emerging.rules)
 2008109 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound (emerging.rules)
 2008110 - ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound (emerging.rules)
 2008111 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe) (emerging.rules)
 2008112 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe) (emerging.rules)
 2008121 - ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id) (emerging-virus.rules)
 2008122 - ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id) (emerging-virus.rules)
 2008125 - ET TROJAN Bobax Spam Inbound (Unique Faked Message-ID and no brackets) (emerging-virus.rules)
 2008137 - ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 igloofamily.com (emerging.rules)
 2008138 - ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 amrc.com.tw (emerging.rules)
 2008139 - ET CURRENT_EVENTS RhiFrem Trojan Activity - cmd (emerging.rules)
 2008140 - ET CURRENT_EVENTS RhiFrem Trojan Activity - log (emerging.rules)
 2008188 - ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe) (emerging.rules)
 2008217 - ET MALWARE Kingsoft.com Fake AV User-Agent (KAVTools) (emerging-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-exploit.rules (1):
        # These rules have to be there for both

     -> Added to emerging-sid-msg.map (25):
        2001904 || ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm
        2003622 || ET MALWARE Suspicious User-Agent outbound (bot)
        2007818 || ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540
        2007819 || ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe) || url,www.sudosecure.net/archives/61
        2008103 || ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008139 || ET TROJAN RhiFrem Trojan Activity - cmd || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008140 || ET TROJAN RhiFrem Trojan Activity - log || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008225 || ET WEB Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569
        2008226 || ET WEB Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820
        2008227 || ET WEB Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573
        2008228 || ET MALWARE Suspicious User-Agent inbound (bot)
        2008230 || ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm
        2008231 || ET MALWARE Suspicious User-Agent (Mozilla 1.02.45 biz)
        2008232 || ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)
        2008233 || ET TROJAN Common Downloader Install Report URL (farfly checkin)
        2008234 || ET MALWARE Suspicious User-Agent (winlogon)
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (iloveyou.exe) || url,www.sudosecure.net/archives/61

     -> Added to emerging-sid-msg.map.txt (25):
        2001904 || ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm
        2003622 || ET MALWARE Suspicious User-Agent outbound (bot)
        2007818 || ET WEB Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540
        2007819 || ET WEB Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe) || url,www.sudosecure.net/archives/61
        2008103 || ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008139 || ET TROJAN RhiFrem Trojan Activity - cmd || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008140 || ET TROJAN RhiFrem Trojan Activity - log || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008225 || ET WEB Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569
        2008226 || ET WEB Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || url,www.milw0rm.com/exploits/5530 || url,www.milw0rm.com/exploits/5460 || bugtraq,28820
        2008227 || ET WEB Possible Secure File Delete Wizard ActiveX Insecure Methods Exploit || url,www.milw0rm.com/exploits/5573
        2008228 || ET MALWARE Suspicious User-Agent inbound (bot)
        2008230 || ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm
        2008231 || ET MALWARE Suspicious User-Agent (Mozilla 1.02.45 biz)
        2008232 || ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)
        2008233 || ET TROJAN Common Downloader Install Report URL (farfly checkin)
        2008234 || ET MALWARE Suspicious User-Agent (winlogon)
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (iloveyou.exe) || url,www.sudosecure.net/archives/61

     -> Added to emerging-virus.rules (3):
        #this really isn't Kraken, appears to really be bobax, but reported as kraken.
        #These sigs are a first attempt, hopefully this will improve
        #by Don Jackson of Secureworks. RE: US courts related phishes

     -> Added to emerging-web.rules (3):
        #by Chandan S of StillSecure
        #by Akash Mahajan of Stillsecure
        #by Akash Mahajan of Stillsecure

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-exploit.rules (1):
        # Thes rules have to be there for both

     -> Removed from emerging-sid-msg.map (41):
        2001904 || ET SCAN Behavioral Unusually fast Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm
        2003622 || ET MALWARE Suspicious User-Agent (bot)
        2007707 || ET DNS Possible MITM lookup for WPAD.com || url,support.microsoft.com/kb/247333
        2007708 || ET DNS Possible MITM lookup for WPAD.co || url,support.microsoft.com/kb/247333
        2007709 || ET DNS Possible MITM lookup for WPAD.net || url,support.microsoft.com/kb/247333
        2007710 || ET DNS Possible MITM lookup for WPAD.org || url,support.microsoft.com/kb/247333
        2007773 || ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected
        2007812 || ET CURRENT_EVENTS Yahoo! Music Jukebox (DataGrid) 2.2 AddImage() ActiveX BOF || url,www.milw0rm.com/exploits/5051 || url,www.milw0rm.com/exploits/5046 || url,www.milw0rm.com/exploits/5048 || bugtraq,27590
        2007813 || ET CURRENT_EVENTS Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() BoF || url,isc.sans.org/diary.html?storyid=3929 || url,milw0rm.com/exploits/5052 || bugtraq,27578
        2007815 || ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
        2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929 || url,www.milw0rm.com/exploits/5049
        2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 || url,www.milw0rm.com/exploits/5102 || url,www.milw0rm.com/exploits/5049
        2007818 || ET CURRENT_EVENTS Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540
        2007819 || ET CURRENT_EVENTS Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493
        2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 || url,www.milw0rm.com/exploits/5087
        2007887 || ET CURRENT_EVENTS Possible Comodo AntiVirus 2.0 ExecuteStr() Remote Command Execution Vulnerability || url,www.milw0rm.com/exploits/4974 || bugtraq,27424 || cve,CVE-2008-0470
        2007888 || ET CURRENT_EVENTS Rising Online Scanner Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5188 || bugtraq,27997
        2008001 || ET CURRENT_EVENTS 2117966.net/iframe exploit (infection) || url,isc.sans.org/diary.html?storyid=4139
        2008002 || ET CURRENT_EVENTS 2117966.net/iframe exploit (attempt) || url,isc.sans.org/diary.html?storyid=4139
        2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report || url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe) || url,www.sudosecure.net/archives/61
        2008080 || ET CURRENT_EVENTS Real Player rmoc3260.dll ActiveX Remote Code Execution Exploit || url,www.milw0rm.com/exploits/5332 || cve,CVE-2008-1309 || bugtraq,28157
        2008103 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008111 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe)
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe)
        2008121 || ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id)
        2008122 || ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id)
        2008125 || ET TROJAN Bobax Spam Inbound (Unique Faked Message-ID and no brackets)
        2008137 || ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 igloofamily.com || url,isc.sans.org/diary.html?storyid=4274
        2008138 || ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 amrc.com.tw || url,isc.sans.org/diary.html?storyid=4274
        2008139 || ET CURRENT_EVENTS RhiFrem Trojan Activity - cmd || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008140 || ET CURRENT_EVENTS RhiFrem Trojan Activity - log || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008188 || ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)
        2008217 || ET MALWARE Kingsoft.com Fake AV User-Agent (KAVTools)

     -> Removed from emerging-sid-msg.map.txt (41):
        2001904 || ET SCAN Behavioral Unusually fast Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm
        2003622 || ET MALWARE Suspicious User-Agent (bot)
        2007707 || ET DNS Possible MITM lookup for WPAD.com || url,support.microsoft.com/kb/247333
        2007708 || ET DNS Possible MITM lookup for WPAD.co || url,support.microsoft.com/kb/247333
        2007709 || ET DNS Possible MITM lookup for WPAD.net || url,support.microsoft.com/kb/247333
        2007710 || ET DNS Possible MITM lookup for WPAD.org || url,support.microsoft.com/kb/247333
        2007773 || ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected
        2007812 || ET CURRENT_EVENTS Yahoo! Music Jukebox (DataGrid) 2.2 AddImage() ActiveX BOF || url,www.milw0rm.com/exploits/5051 || url,www.milw0rm.com/exploits/5046 || url,www.milw0rm.com/exploits/5048 || bugtraq,27590
        2007813 || ET CURRENT_EVENTS Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() BoF || url,isc.sans.org/diary.html?storyid=3929 || url,milw0rm.com/exploits/5052 || bugtraq,27578
        2007815 || ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27539
        2007816 || ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use || url,isc.sans.org/diary.html?storyid=3929 || url,www.milw0rm.com/exploits/5049
        2007817 || ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit || url,isc.sans.org/diary.html?storyid=3929 || bugtraq,27576 || url,www.milw0rm.com/exploits/5102 || url,www.milw0rm.com/exploits/5049
        2007818 || ET CURRENT_EVENTS Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5028 || bugtraq,27540
        2007819 || ET CURRENT_EVENTS Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5005 || bugtraq,27493
        2007848 || ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit || bugtraq,24426 || url,www.milw0rm.com/exploits/5087
        2007887 || ET CURRENT_EVENTS Possible Comodo AntiVirus 2.0 ExecuteStr() Remote Command Execution Vulnerability || url,www.milw0rm.com/exploits/4974 || bugtraq,27424 || cve,CVE-2008-0470
        2007888 || ET CURRENT_EVENTS Rising Online Scanner Insecure Method Vulnerability || url,www.milw0rm.com/exploits/5188 || bugtraq,27997
        2008001 || ET CURRENT_EVENTS 2117966.net/iframe exploit (infection) || url,isc.sans.org/diary.html?storyid=4139
        2008002 || ET CURRENT_EVENTS 2117966.net/iframe exploit (attempt) || url,isc.sans.org/diary.html?storyid=4139
        2008045 || ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report || url,doc.emergingthreats.net/bin/view/Main/GzipdPOST
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe) || url,www.sudosecure.net/archives/61
        2008080 || ET CURRENT_EVENTS Real Player rmoc3260.dll ActiveX Remote Code Execution Exploit || url,www.milw0rm.com/exploits/5332 || cve,CVE-2008-1309 || bugtraq,28157
        2008103 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008104 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008105 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008106 || ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008107 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008108 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008109 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008110 || ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor
        2008111 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe)
        2008112 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe)
        2008121 || ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id)
        2008122 || ET TROJAN Bobax Spam Inbound (Unique Faked Message-Id)
        2008125 || ET TROJAN Bobax Spam Inbound (Unique Faked Message-ID and no brackets)
        2008137 || ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 igloofamily.com || url,isc.sans.org/diary.html?storyid=4274
        2008138 || ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 amrc.com.tw || url,isc.sans.org/diary.html?storyid=4274
        2008139 || ET CURRENT_EVENTS RhiFrem Trojan Activity - cmd || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008140 || ET CURRENT_EVENTS RhiFrem Trojan Activity - log || url,www.castlecops.com/U_S_Courts_phish792683.html
        2008188 || ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)
        2008217 || ET MALWARE Kingsoft.com Fake AV User-Agent (KAVTools)

     -> Removed from emerging-virus.rules (3):
        #data from Joe Stewart at Secureworks. Sigs by matt jonkman
        # bobax has some unusual fake header characteristics in it's spam.
        # This ought to help ID inbound spam and thus infected hosts.

     -> Removed from emerging.rules (31):
        # From SANS/Diary isc.sans.org/diary.html?storyid=4139
        # Inspect your web proxy logs for visitors to 2117966.net. This will
        # indicate who is potentially exposed. Check these systems to verify
        # that their patches are up-to-date. Systems that are successfully
        # compromised will begin sending traffic to 61.188.39.175
        #by Matt Jonkman
        #by Akash Mahajan of Stillsecure
        #by Chandan S of StillSecure
        #by Akash Mahajan of Stillsecure
        # re http://isc.sans.org/diary.html?storyid=3929
        #by Akash Majahan at StillSecure
        # FaceBook PhotoUploader Buffer Overflow Exploit
        #by Joshua Gimer
        #experimental, see
        #by william metcalf
        #disabling by default. Is used in some legit places as well. Use this if you have a need
        #by Akash Mahajan of Stillsecure
        #this really isn't Kraken, appears to really be bobax, but reported as kraken.
        #These sigs are a first attempt, hopefully this will improve
        #by akash mahajan.
        #temporary, not a perfect sig, will false
        #by Don Jackson of Secureworks. RE: US courts related phishes
        #by Akash Mahajan of Stillsecure
        #more by Jeremy at sudosecure
        #by Adam Pointon at sentinelsecurity.com.au
        # re http://isc.sans.org/diary.html?storyid=3929
        # Will remove these sometime after patching looks complete
        #by Akash Mahajan at Stillsecure
        # Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() Buffer O
        #by Akash Mahajan at Stillsecure
        # Yahoo! Music Jukebox 2.2 AddImage() and AddButton() ActiveX BOF
