From gregm at econet.com Wed Apr 1 11:13:14 2009
From: gregm at econet.com (Greg Martin)
Date: Wed, 1 Apr 2009 11:13:14 -0500
Subject: [Emerging-Sigs] Conficker Shellcode Sigs
References: <49D0E9A7.9070709@gmail.com> <49D0ED88.8080704@jonkmans.com> <49D0FED6.80103@gmail.com> <49D10256.8080003@jonkmans.com>
Message-ID:

Just a follow up, some of my sensors are seeing significant hits on the Conficker.b shellcode signature today. Just wanted to confirm it IS working...

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&

References: <20090328185440.22B63A40B2@medusa.richmond-family.org> <20090328185859.88434A40B2@medusa.richmond-family.org> <20090330133733.55A71A405A@medusa.richmond-family.org>
Message-ID: <20090401171352.D3329A403A@medusa.richmond-family.org>

Regarding the "urilen" discussion, if you want to change these rules for compatibility, replacing the urilen with the following pcre worked on the pcaps I have of the traffic. Check me on the pcre escapes.

SID 2009173
pcre:"/\/frame\.html\?[a-z0-9\-_]{70}/i"

SID 2009174
pcre:"/\/dwn\/d\.html\?sid=[a-z0-9\-_]{70}/i"

Matt Jonkman wrote:
> Got them, thanks Nathaniel!
>
> Posting now
>
> Matt
>
> Nathaniel Richmond wrote:
>> I see I left the sid out of the first, so it needs adding instead
>> of
>> just changing.
>>
>> Nathaniel Richmond wrote:
>>> # Since it's a POST, there shouldn't be many false positives
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL RULES Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; urilen: > 80; classtype:trojan-activity; rev:2;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL RULES Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/dwn/d.html?sid="; urilen: > 80; classtype:trojan-activity; sid:1000049; rev:1;)
>>>
>>> Nate
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>

From emerging at emergingthreats.net Wed Apr 1 15:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 1 Apr 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090401200011.5645A4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Apr 1 16:00:11 2009 [***]

[+++] Added rules: [+++]

2009202 - ET CURRENT_EVENTS GhostNet Trojan Reporting (emerging.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (3):

2009202 || ET CURRENT_EVENTS GhostNet Trojan Reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ghostnet || url,doc.emergingthreats.net/2009202 || url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
2500146 || ET COMPROMISED Known Compromised or Hostile Host Traffic (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510146 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (3):

2009202 || ET CURRENT_EVENTS GhostNet Trojan Reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ghostnet || url,doc.emergingthreats.net/2009202 || url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
2500146 || ET COMPROMISED Known Compromised or Hostile Host Traffic (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510146 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging.rules (1):

#by Martin Holste

From pppmarinho at gmail.com Thu Apr 2 07:21:26 2009
From: pppmarinho at gmail.com (Pedro Marinho)
Date: Thu, 2 Apr 2009 09:21:26 -0300
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 17, Issue 1
In-Reply-To:
References:
Message-ID:

Hello,

I am trying to download this paper you pointed out here
www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
but I can't make an account on the scribd.com website.
Sorry to bother you, but would you send me a copy of this document? It is very important.
thanks

2009/4/1

> Send Emerging-sigs mailing list submissions to
> emerging-sigs at emergingthreats.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> or, via email, send a message with subject or body 'help' to
> emerging-sigs-request at emergingthreats.net
>
> You can reach the person managing the list at
> emerging-sigs-owner at emergingthreats.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Emerging-sigs digest..."
>
>
> Today's Topics:
>
> 1. GhostNet-related Trojan URI sig (Martin Holste)
> 2. Re: GhostNet-related Trojan URI sig (Matt Jonkman)
> 3. Re: urilen more 2.8 rules? (Michael Scheidell)
> 4. BHO / browser hijacker traffic requests (Darren Spruell)
> 5. Re: GhostNet-related Trojan URI sig (Frank Knobbe)
> 6. Re: Conficker Shellcode Sigs (Greg Martin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 31 Mar 2009 15:53:08 -0500
> From: Martin Holste
> Subject: [Emerging-Sigs] GhostNet-related Trojan URI sig
> To: emerging-sigs at emergingthreats.net
> Message-ID:
> Content-Type: text/plain; charset="iso-8859-1"
>
> Here's a sig for a Trojan that uses the same servers and one URL (msnxy.net)
> as the Ghost Net reported on in the reference for the rule submitted by
> Frank yesterday:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Reporting"; flow:established,to_server; uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; uricontent:"&owner="; classtype:trojan-activity; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; sid:2009xxxx; rev:1; threshold: type limit, track by_src, count 1, seconds 300;)
>
> It is an extremely constant check-in, (about 5 times per minute) so I put a
> threshold
> on there to save the sensor a bit. One could argue that the
> "hostname" URI param should be its own uricontent term, but connecting it to
> the URI stem gives it a longer pattern for the AC engine to hit on, so that
> should aid performance. Also, you guys usually put a "GET" content match on
> the beginning of these, but I don't understand that since uricontent would
> never hit on something that wasn't HTTP traffic, and the act of normalizing
> the HTTP request means that the packet has to be inspected anyway, right?
> Feel free to correct that if I'm misunderstanding that.
>
> Thanks,
>
> Martin
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090331/336cc795/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Tue, 31 Mar 2009 17:00:01 -0400
> From: Matt Jonkman
> Subject: Re: [Emerging-Sigs] GhostNet-related Trojan URI sig
> To: Martin Holste
> Cc: emerging-sigs at emergingthreats.net
> Message-ID: <49D28451.40904 at jonkmans.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Good sig, thanks Martin.
>
> As for the leading GET's we often use, that's to eliminate other methods
> for the most part. POST, HEAD, etc. I think it's fine in this case to go
> without though, we're not looking into post parameters or anything.
>
> Posting now, thanks!!
>
> matt
>
> Martin Holste wrote:
> > Here's a sig for a Trojan that uses the same servers and one URL
> > (msnxy.net) as the Ghost Net reported on in the
> > reference for the rule submitted by Frank yesterday:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Reporting"; flow:established,to_server; uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; uricontent:"&owner="; classtype:trojan-activity; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; sid:2009xxxx; rev:1; threshold: type limit, track by_src, count 1, seconds 300;)
> >
> > It is an extremely constant check-in, (about 5 times per minute) so I
> > put a threshold on there to save the sensor a bit. One could argue that
> > the "hostname" URI param should be its own uricontent term, but
> > connecting it to the URI stem gives it a longer pattern for the AC
> > engine to hit on, so that should aid performance. Also, you guys
> > usually put a "GET" content match on the beginning of these, but I don't
> > understand that since uricontent would never hit on something that
> > wasn't HTTP traffic, and the act of normalizing the HTTP request means
> > that the packet has to be inspected anyway, right? Feel free to correct
> > that if I'm misunderstanding that.
> >
> > Thanks,
> >
> > Martin
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 31 Mar 2009 18:04:03 -0700
> From: Michael Scheidell
> Subject: Re: [Emerging-Sigs] urilen more 2.8 rules?
> To: Matt Jonkman, Nathaniel Richmond
> Cc: emerging-sigs at emergingthreats.net
> Message-ID:
> Content-Type: text/plain; charset="US-ASCII"
>
> > I'm not one to force folks to upgrade, although I'd certainly recommend
> > it.
> >
> > But making a multiple set of rulesets brings in a significantly higher
> > complexity of backend management, and with that a much higher likelihood
> > of ruleset errors. And we all know I put enough errors in on my own,
> > another source scares me....
> >
> > What we could do in the shorter term would be to publish a list of sid's
> > that are NOT 2.6 compatible for folks that need it, and where possible
> > an alternative rule. Would that be a reasonable solution?
>
> Or I get off my butt and finish up all the patches and testing.
> Don't even remember why now, just every time I tried to implement it, weird
> stuff happens.
>
> If no one else is stuck at 2.6, then I would say it's mostly my problem.
>
> --
> Michael Scheidell, CTO
> >|SECNAP Network Security
> Finalist 2009 Network Products Guide Hot Companies
> FreeBSD SpamAssassin Ports maintainer
>
>
> _________________________________________________________________________
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see http://www.secnap.com/products/spammertrap/
> _________________________________________________________________________
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 31 Mar 2009 18:46:19 -0700
> From: Darren Spruell
> Subject: [Emerging-Sigs] BHO / browser hijacker traffic requests
> To: Emerging Threats Signatures
> Message-ID: <839aec700903311846y3ca530f8l421f0c42067f1a2e at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Picked up the below request chain from a client. First request looks
> like VRT sid 14080 wants to match it ("SPYWARE-PUT Adware
> winspywareprotect runtime detection - connection to malicious server")
> although it looks too specific with the Host header. This looks to be
> the critter (although my victim's requests are direct to IP):
>
> http://www.threatexpert.com/report.aspx?md5=fab5238181344c1dc4e5c7e315a0b89f
>
> The use of the non-standard LabelCommand user-agent seems sigworthy
> here. Sorry, no pcap (just ascii)...
>
>
> # http://85.255.119.62/confuci.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDe3LpkyaJMRrIzuV5rDgsp8dPHLmtGGxjpYEbZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI=
>
> GET /confuci.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDe3LpkyaJMRrIzuV5rDgsp8dPHLmtGGxjpYEbZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI= HTTP/1.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Accept-Language: en-gb
> Accept-Encoding: gzip, deflate
> User-Agent: LabelCommand
> Host: 85.255.119.62
> Connection: Keep-Alive
> Cache-Control: no-cache
>
>
>
> # http://85.255.119.62/upderiko.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDd1LhkyaJMRrIzuV5rDgsp8dPHLmtGGxjqaETZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI=
>
> GET /upderiko.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDd1LhkyaJMRrIzuV5rDgsp8dPHLmtGGxjqaETZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI= HTTP/1.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Accept-Language: en-gb
> Accept-Encoding: gzip, deflate
> User-Agent: LabelCommand
> Host: 85.255.119.62
> Connection: Keep-Alive
> Cache-Control: no-cache
>
>
> # http://85.255.119.62/iseti.php
>
> GET /iseti.php HTTP/1.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Accept-Language: en-gb
> Accept-Encoding: gzip, deflate
> User-Agent: LabelCommand
> Host: 85.255.119.62
> Connection: Keep-Alive
> Cache-Control: no-cache
>
>
> --
> Darren Spruell
> phatbuckett at gmail.com
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 31 Mar 2009 21:46:15 -0500
> From: Frank Knobbe
> Subject: Re: [Emerging-Sigs] GhostNet-related Trojan URI sig
> To: Martin Holste
> Cc: emerging-sigs at emergingthreats.net
> Message-ID: <1238553975.91691.32.camel at localhost>
> Content-Type: text/plain; charset="us-ascii"
>
> On Tue, 2009-03-31 at 15:53 -0500, Martin Holste wrote:
> > Here's a sig for a Trojan that uses the same servers and one URL
> > (msnxy.net) as the Ghost Net reported on in the reference for the rule
> > submitted by Frank yesterday:
>
> Just for the record, I didn't submit that sig. Looks like Kevin Ross is
> credited with that signature. So, blame him if it falses a lot ;)
>
> Cheers,
> Frank
>
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer.
> A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 188 bytes
> Desc: This is a digitally signed message part
> Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090331/7c48c909/attachment-0001.bin
>
> ------------------------------
>
> Message: 6
> Date: Wed, 1 Apr 2009 11:13:14 -0500
> From: "Greg Martin"
> Subject: Re: [Emerging-Sigs] Conficker Shellcode Sigs
> To: "David Glosser"
> Cc: emerging-sigs at emergingthreats.net, Mike Lococo
> Message-ID:
> Content-Type: text/plain; charset="iso-8859-1"
>
> Just a follow up, some of my sensors are seeing significant hits on the
> Conficker.b shellcode signature today. Just wanted to confirm it IS
> working...
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|& c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; classtype:trojan-activity; sid:2009201; rev:4;)
>
>
> -Greg
>
>
>
>
> ---
> Greg Martin
> Director InfoSecurity
> Econet Inc. - Sentinel IPS
> 972-991-5005 x102
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090401/df6d1016/attachment-0001.html
>
> ------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> End of Emerging-sigs Digest, Vol 17, Issue 1
> ********************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/d97738df/attachment-0001.html

From jules at visionintel.com Thu Apr 2 07:32:16 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Thu, 2 Apr 2009 13:32:16 +0100
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 17, Issue 1
In-Reply-To:
References:
Message-ID: <69544300904020532s289bbc96q3c7891f68069174b@mail.gmail.com>

You should get it in a minute through your personal account. Already sent!!!

2009/4/2 Pedro Marinho

> Hello,
>
> I am trying to download this paper you pointed out here
> www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
> but I can't make an account on the scribd.com website.
> Sorry to bother you, but would you send me a copy of this document? It is very important.
> thanks
>
> 2009/4/1
>
>> Send Emerging-sigs mailing list submissions to
>> emerging-sigs at emergingthreats.net
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> or, via email, send a message with subject or body 'help' to
>> emerging-sigs-request at emergingthreats.net
>>
>> You can reach the person managing the list at
>> emerging-sigs-owner at emergingthreats.net
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Emerging-sigs digest..."
>>
>>
>> Today's Topics:
>>
>> 1.
>> URL: >> http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090401/df6d1016/attachment-0001.html >> >> ------------------------------ >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> >> End of Emerging-sigs Digest, Vol 17, Issue 1 >> ******************************************** >> > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/ec9b2650/attachment-0001.html From pppmarinho at gmail.com Thu Apr 2 07:34:53 2009 From: pppmarinho at gmail.com (Pedro Marinho) Date: Thu, 2 Apr 2009 09:34:53 -0300 Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 17, Issue 1 In-Reply-To: <69544300904020532s289bbc96q3c7891f68069174b@mail.gmail.com> References: <69544300904020532s289bbc96q3c7891f68069174b@mail.gmail.com> Message-ID: Thank you very much 2009/4/2 Jules Pagna Disso > you should get it in a minute through ur personal account. already sent!!! > > 2009/4/2 Pedro Marinho > > >> Hello, >> >> I am trying to download this paper you pointed out here >> >> www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network >> >> but i can't make an account in the scribd.com/ website >> >> sorry to bother you but would you send me a copy of this document? >> is of very importance. 
>> thanks
>>
>> 2009/4/1
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/29dcdf45/attachment-0001.html From jules at visionintel.com Thu Apr 2 07:36:18 2009 From: jules at visionintel.com (Jules Pagna Disso) Date: Thu, 2 Apr 2009 13:36:18 +0100 Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 17, Issue 1 In-Reply-To: References: <69544300904020532s289bbc96q3c7891f68069174b@mail.gmail.com> Message-ID: <69544300904020536gb7fbb6cj4476658b871e1832@mail.gmail.com> :) 2009/4/2 Pedro Marinho > Thank you very much > > 2009/4/2 Jules Pagna Disso > > you should get it in a minute through ur personal account. already sent!!! >> >> 2009/4/2 Pedro Marinho >> >> >>> Hello, >>> >>> I am trying to download this paper you pointed out here >>> >>> www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network >>> >>> but i can't make an account in the scribd.com/ website >>> >>> sorry to bother you but would you send me a copy of this document? >>> is of very importance. >>> thanks >>> >>> 2009/4/1 >>> >>>> Send Emerging-sigs mailing list submissions to >>>> emerging-sigs at emergingthreats.net >>>> >>>> To subscribe or unsubscribe via the World Wide Web, visit >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> or, via email, send a message with subject or body 'help' to >>>> emerging-sigs-request at emergingthreats.net >>>> >>>> You can reach the person managing the list at >>>> emerging-sigs-owner at emergingthreats.net >>>> >>>> When replying, please edit your Subject line so it is more specific >>>> than "Re: Contents of Emerging-sigs digest..." >>>> >>>> >>>> Today's Topics: >>>> >>>> 1. GhostNet-related Trojan URI sig (Martin Holste) >>>> 2. Re: GhostNet-related Trojan URI sig (Matt Jonkman) >>>> 3. Re: urilen more 2.8 rules? (Michael Scheidell) >>>> 4. BHO / browser hijacker traffic requests (Darren Spruell) >>>> 5. Re: GhostNet-related Trojan URI sig (Frank Knobbe) >>>> 6. 
Re: Conficker Shellcode Sigs (Greg Martin) >>>> >>>> >>>> ---------------------------------------------------------------------- >>>> >>>> Message: 1 >>>> Date: Tue, 31 Mar 2009 15:53:08 -0500 >>>> From: Martin Holste >>>> Subject: [Emerging-Sigs] GhostNet-related Trojan URI sig >>>> To: emerging-sigs at emergingthreats.net >>>> Message-ID: >>>> >>>> Content-Type: text/plain; charset="iso-8859-1" >>>> >>>> Here's a sig for a Trojan that uses the same servers and one URL ( >>>> msnxy.net) >>>> as the Ghost Net reported on in the reference for the rule submitted by >>>> Frank yesterday: >>>> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >>>> GhostNet Reporting"; flow:established,to_server; >>>> uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; >>>> uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; >>>> uricontent:"&owner="; classtype:trojan-activity; reference:url, >>>> >>>> www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network >>>> ; >>>> sid:2009xxxx; rev:1; threshold: type limit, track by_src, count 1, >>>> seconds >>>> 300;) >>>> >>>> It is an extremely constant check-in, (about 5 times per minute) so I >>>> put a >>>> threshold on there to save the sensor a bit. One could argue that the >>>> "hostname" URI param should be its own uricontent term, but connecting >>>> it to >>>> the URI stem gives it a longer pattern for the AC engine to hit on, so >>>> that >>>> should aid performance. Also, you guys usually put a "GET" content >>>> match on >>>> the beginning of these, but I don't understand that since uricontent >>>> would >>>> never hit on something that wasn't HTTP traffic, and the act of >>>> normalizing >>>> the HTTP request means that the packet has to be inspected anyway, >>>> right? >>>> Feel free to correct that if I'm misunderstanding that. >>>> >>>> Thanks, >>>> >>>> Martin >>>> -------------- next part -------------- >>>> An HTML attachment was scrubbed... 
>>>> URL: >>>> http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090331/336cc795/attachment-0001.html >>>> >>>> ------------------------------ >>>> >>>> Message: 2 >>>> Date: Tue, 31 Mar 2009 17:00:01 -0400 >>>> From: Matt Jonkman >>>> Subject: Re: [Emerging-Sigs] GhostNet-related Trojan URI sig >>>> To: Martin Holste >>>> Cc: emerging-sigs at emergingthreats.net >>>> Message-ID: <49D28451.40904 at jonkmans.com> >>>> Content-Type: text/plain; charset=ISO-8859-1 >>>> >>>> Good sig, thanks Martin. >>>> >>>> As for the leading GET's we often use, that's to eliminate other methods >>>> for the most part. POST, HEAD, etc. I think it's fine in this case to go >>>> without though, we're not looking into post parameters or anything. >>>> >>>> Posting now, thanks!! >>>> >>>> matt >>>> >>>> Martin Holste wrote: >>>> > Here's a sig for a Trojan that uses the same servers and one URL >>>> > (msnxy.net ) as the Ghost Net reported on in the >>>> > reference for the rule submitted by Frank yesterday: >>>> > >>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN >>>> > GhostNet Reporting"; flow:established,to_server; >>>> > uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; >>>> > uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; >>>> > uricontent:"&owner="; classtype:trojan-activity; >>>> > reference:url, >>>> www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network >>>> > < >>>> http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network >>>> >; >>>> > sid:2009xxxx; rev:1; threshold: type limit, track by_src, count 1, >>>> > seconds 300;) >>>> > >>>> > It is an extremely constant check-in, (about 5 times per minute) so I >>>> > put a threshold on there to save the sensor a bit. 
One could argue >>>> that >>>> > the "hostname" URI param should be its own uricontent term, but >>>> > connecting it to the URI stem gives it a longer pattern for the AC >>>> > engine to hit on, so that should aid performance. Also, you guys >>>> > usually put a "GET" content match on the beginning of these, but I >>>> don't >>>> > understand that since uricontent would never hit on something that >>>> > wasn't HTTP traffic, and the act of normalizing the HTTP request means >>>> > that the packet has to be inspected anyway, right? Feel free to >>>> correct >>>> > that if I'm misunderstanding that. >>>> > >>>> > Thanks, >>>> > >>>> > Martin >>>> > >>>> > >>>> > >>>> ------------------------------------------------------------------------ >>>> > >>>> > _______________________________________________ >>>> > Emerging-sigs mailing list >>>> > Emerging-sigs at emergingthreats.net >>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> >>>> -- >>>> -------------------------------------------- >>>> Matthew Jonkman >>>> Emerging Threats >>>> Phone 765-429-0398 >>>> Fax 312-264-0205 >>>> http://www.emergingthreats.net >>>> -------------------------------------------- >>>> >>>> PGP: http://www.jonkmans.com/mattjonkman.asc >>>> >>>> >>>> >>>> >>>> ------------------------------ >>>> >>>> Message: 3 >>>> Date: Tue, 31 Mar 2009 18:04:03 -0700 >>>> From: Michael Scheidell >>>> Subject: Re: [Emerging-Sigs] urilen more 2.8 rules? >>>> To: Matt Jonkman , Nathaniel Richmond >>>> >>>> > >>>> Cc: emerging-sigs at emergingthreats.net >>>> Message-ID: >>>> > >>>> Content-Type: text/plain; charset="US-ASCII" >>>> >>>> > I'm not one to force folks to upgrade, although I'd certainly >>>> recommend it. >>>> > >>>> > But making a multiple set of rulesets brings in a significantly higher >>>> > complexity of backend management, and with that a much higher >>>> likelihood >>>> > of ruleset errors. 
And we all know I put enough errors in on my own, >>>> > another source scares me.... >>>> > >>>> > What we could do in the shorter term would be to publish a list of >>>> sid's >>>> > that are NOT 2.6 compatible for folks that need it, and where possible >>>> > an alternative rule. Would that be a reasonable solution? >>>> >>>> Or I get off my but and finish up all the patches and testing. >>>> Don't even remember why now, just every time I tried to implement it, >>>> weird >>>> stuff happens. >>>> >>>> If no one else is stuck at 2.6, than I would say its mostly my problem. >>>> >>>> -- >>>> Michael Scheidell, CTO >>>> >|SECNAP Network Security >>>> Finalist 2009 Network Products Guide Hot Companies >>>> FreeBSD SpamAssassin Ports maintainer >>>> >>>> >>>> >>>> _________________________________________________________________________ >>>> This email has been scanned and certified safe by SpammerTrap(r). >>>> For Information please see http://www.secnap.com/products/spammertrap/ >>>> >>>> _________________________________________________________________________ >>>> >>>> >>>> ------------------------------ >>>> >>>> Message: 4 >>>> Date: Tue, 31 Mar 2009 18:46:19 -0700 >>>> From: Darren Spruell >>>> Subject: [Emerging-Sigs] BHO / browser hijacker traffic requests >>>> To: Emerging Threats Signatures >>>> Message-ID: >>>> <839aec700903311846y3ca530f8l421f0c42067f1a2e at mail.gmail.com> >>>> Content-Type: text/plain; charset=ISO-8859-1 >>>> >>>> Picked up the below request chain from a client. First request looks >>>> like VRT sid 14080 wants to match it ("SPYWARE-PUT Adware >>>> winspywareprotect runtime detection - connection to malicious server") >>>> although it looks too specific with the Host header. This looks to be >>>> the critter (although my victim's requests are direct to IP): >>>> >>>> >>>> http://www.threatexpert.com/report.aspx?md5=fab5238181344c1dc4e5c7e315a0b89f >>>> >>>> The use of the non-standard LabelCommand user-agent seems sigworthy >>>> here. 
Sorry, no pcap (just ascii)... >>>> >>>> >>>> # >>>> http://85.255.119.62/confuci.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDe3LpkyaJMRrIzuV5rDgsp8dPHLmtGGxjpYEbZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI= >>>> >>>> GET >>>> /confuci.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDe3LpkyaJMRrIzuV5rDgsp8dPHLmtGGxjpYEbZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI= >>>> HTTP/1.1 >>>> Accept: */* >>>> Content-Type: application/x-www-form-urlencoded >>>> Accept-Language: en-gb >>>> Accept-Encoding: gzip, deflate >>>> User-Agent: LabelCommand >>>> Host: 85.255.119.62 >>>> Connection: Keep-Alive >>>> Cache-Control: no-cache >>>> >>>> >>>> >>>> # >>>> http://85.255.119.62/upderiko.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDd1LhkyaJMRrIzuV5rDgsp8dPHLmtGGxjqaETZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI= >>>> >>>> GET >>>> 
/upderiko.php?id=gaoADSNE5u31GEMlNm+oWj+BawNNzwYTpA1dsfCT746WoSn3STyfmsX0ouis61pSW7THnRRztyPUwPnn8wkEDARosPwfLYg1BuLclS1Nc9UoRfNWyp2L1l2lAe8ALAOHPI+PPJ6pJPllzs5asM8RuKB4TP5IZo/95Ny/PIVRt8rhDTxlcOFjY4aZIP/xm/4i6rQqqhO9iZZHG0wq7G4lajtglIKcbizlvqWORMI8v9commJsHIwb3dIkEn1k5sQWLO8MS0oq9yXRP8uxw+xnclDF1A/QahhKqgNkZwd1pxbFPNK+eZxpamMnWC85VoXkhjzC9hZTXTp9SyDd1LhkyaJMRrIzuV5rDgsp8dPHLmtGGxjqaETZZ2Q0A7qMdjmon0lx2rofIOkUA5bK+igZIlpzans/msw20vOCIcsefhccBF6TuILlqqXgsTW0LLwM7WfovD3krVk2aLfn2S08AtNKef1mF1ORGpksbMlsTXwYg856SvI= >>>> HTTP/1.1 >>>> Accept: */* >>>> Content-Type: application/x-www-form-urlencoded >>>> Accept-Language: en-gb >>>> Accept-Encoding: gzip, deflate >>>> User-Agent: LabelCommand >>>> Host: 85.255.119.62 >>>> Connection: Keep-Alive >>>> Cache-Control: no-cache >>>> >>>> >>>> # http://85.255.119.62/iseti.php >>>> >>>> GET /iseti.php HTTP/1.1 >>>> Accept: */* >>>> Content-Type: application/x-www-form-urlencoded >>>> Accept-Language: en-gb >>>> Accept-Encoding: gzip, deflate >>>> User-Agent: LabelCommand >>>> Host: 85.255.119.62 >>>> Connection: Keep-Alive >>>> Cache-Control: no-cache >>>> >>>> >>>> -- >>>> Darren Spruell >>>> phatbuckett at gmail.com >>>> >>>> >>>> ------------------------------ >>>> >>>> Message: 5 >>>> Date: Tue, 31 Mar 2009 21:46:15 -0500 >>>> From: Frank Knobbe >>>> Subject: Re: [Emerging-Sigs] GhostNet-related Trojan URI sig >>>> To: Martin Holste >>>> Cc: emerging-sigs at emergingthreats.net >>>> Message-ID: <1238553975.91691.32.camel at localhost> >>>> Content-Type: text/plain; charset="us-ascii" >>>> >>>> On Tue, 2009-03-31 at 15:53 -0500, Martin Holste wrote: >>>> > Here's a sig for a Trojan that uses the same servers and one URL >>>> > (msnxy.net) as the Ghost Net reported on in the reference for the >>>> rule >>>> > submitted by Frank yesterday: >>>> >>>> Just for the record, I didn't submit that sig. Looks like Kevin Ross is >>>> credited with that signature. 
So, blame him if it falses a lot ;)
>>>>
>>>> Cheers,
>>>> Frank
>>>>
>>>>
>>>> --
>>>> It is said that the Internet is a public utility. As such, it is best
>>>> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
>>>> against your ports.
>>>>
>>>> -------------- next part --------------
>>>> A non-text attachment was scrubbed...
>>>> Name: not available
>>>> Type: application/pgp-signature
>>>> Size: 188 bytes
>>>> Desc: This is a digitally signed message part
>>>> Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090331/7c48c909/attachment-0001.bin
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 6
>>>> Date: Wed, 1 Apr 2009 11:13:14 -0500
>>>> From: "Greg Martin"
>>>> Subject: Re: [Emerging-Sigs] Conficker Shellcode Sigs
>>>> To: "David Glosser"
>>>> Cc: emerging-sigs at emergingthreats.net, Mike Lococo
>>>> Message-ID:
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>> Just a follow up, some of my sensors are seeing significant hits on the
>>>> Conficker.b shellcode signature today. Just wanted to confirm it IS
>>>> working...
>>>>
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<|c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; classtype:trojan-activity; sid:2009201; rev:4;)
>>>>
>>>>
>>>> -Greg
>>>>
>>>>
>>>> ---
>>>> Greg Martin
>>>> Director InfoSecurity
>>>> Econet Inc. - Sentinel IPS
>>>> 972-991-5005 x102
>>>> -------------- next part --------------
>>>> An HTML attachment was scrubbed...
>>>> URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090401/df6d1016/attachment-0001.html
>>>>
>>>> ------------------------------
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>
>>>> End of Emerging-sigs Digest, Vol 17, Issue 1
>>>> ********************************************
>>>>
>>>
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
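As an added example (not code from the list posts or from Emerging Threats), here is a minimal evaluator for the content/uricontent options used in the two rules quoted in this digest, Greg's Conficker.b shellcode rule and Martin's GhostNet rule: it decodes Snort's |hex| / ASCII / backslash-escape content syntax and runs the rules over constructed input, which also shows the point raised in the GhostNet thread that uricontent matches whatever the HTTP method is, while a leading content:"GET " pins the rule to GET. The shellcode bytes are only the leading bytes of sid 2009201 as quoted; the SMB-like payload, the check-in URIs, the hostname and sid 1000001 are constructed, and the threshold option is left out.

```python
"""Added example, not code from the list or from Emerging Threats: a small
evaluator for the content:/uricontent: options of rules like those quoted
above. Only content, uricontent and a directly following depth are honoured;
every other rule option is ignored. Payloads, URIs and sid 1000001 are
constructed; the shellcode bytes are the leading bytes of sid 2009201."""
import re

# content:"..." or uricontent:"..." (the body may hold \" escapes), with an
# optional depth:N; immediately after it.
_OPT_RE = re.compile(
    r'(uricontent|content):"((?:[^"\\]|\\.)*)"\s*;(?:\s*depth:\s*(\d+)\s*;)?')


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode Snort content syntax: |..| sections are space-separated hex
    bytes, text outside the pipes is literal ASCII, and a backslash escapes
    the next character (the Conficker rule writes ';' as a backslash-;)."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "|":
            end = pattern.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated hex section")
            for tok in pattern[i + 1:end].split():
                if len(tok) != 2:
                    raise ValueError(f"bad hex byte {tok!r}")
                out.append(int(tok, 16))
            i = end + 1
        elif c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash")
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def rule_contents(rule: str) -> list:
    """[(keyword, needle_bytes, depth_or_None), ...] in rule order."""
    return [(kw, snort_content_to_bytes(body), int(depth) if depth else None)
            for kw, body, depth in _OPT_RE.findall(rule)]


def rule_matches(rule: str, payload: bytes, uri: bytes = b"") -> bool:
    """content: searches the raw payload, uricontent: the (already normalised)
    request URI; depth:N restricts the search to the first N payload bytes.
    Matches are independent, as in Snort without relative modifiers."""
    for kw, needle, depth in rule_contents(rule):
        haystack = uri if kw == "uricontent" else payload
        if depth is not None:
            haystack = haystack[:depth]
        if needle not in haystack:
            return False
    return True


def request_uri(raw: bytes) -> bytes:
    """URI from an HTTP request line, whatever the method (constructed helper;
    a sensor would take the normalised URI from its HTTP preprocessor)."""
    return raw.split(b"\r\n", 1)[0].split(b" ", 2)[1]


def check_request(rule: str, raw: bytes) -> bool:
    return rule_matches(rule, raw, request_uri(raw))


# Constructed, truncated variant of sid 2009201: only its leading bytes.
CONFICKER_PREFIX_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed Conficker.b prefix"; '
    'flow:established,to_server; '
    'content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|"; '
    'classtype:trojan-activity; sid:1000001; rev:1;)')

# Martin's GhostNet rule as quoted (threshold omitted), and the same rule with
# the leading GET match Matt describes.
GHOSTNET_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Reporting"; '
    'flow:established,to_server; uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; '
    'uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; '
    'uricontent:"&owner="; classtype:trojan-activity; sid:2009xxxx; rev:1;)')
GHOSTNET_GET_ONLY_RULE = GHOSTNET_RULE.replace(
    'flow:established,to_server; ', 'flow:established,to_server; content:"GET "; depth:4; ', 1)

# Constructed samples: an SMB-ish blob carrying the shellcode prefix, and a
# GhostNet-style check-in sent with two different methods.
SAMPLE_SMB = (b"\x00\x00\x00\x40\xffSMB" + b"\x00" * 8
              + bytes.fromhex("e8ffffffffc25f8d4f108031c4416681394d5375f538aec69da0")
              + b"\x90" * 16)
CHECKIN_GET = (b"GET /microsoft/v2/update/upgrade.aspx?hostname=PC1&ostype=XP"
               b"&macaddr=00-11-22-33-44-55&ipaddr=10.0.0.5&owner=me HTTP/1.1\r\n"
               b"Host: c2.example.invalid\r\n\r\n")
CHECKIN_POST = CHECKIN_GET.replace(b"GET ", b"POST ", 1)
```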
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/016fd3c3/attachment-0001.html

From jonkman at jonkmans.com Thu Apr 2 09:12:09 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 02 Apr 2009 10:12:09 -0400
Subject: [Emerging-Sigs] Conficker Shellcode Sigs
In-Reply-To:
References: <49D0E9A7.9070709@gmail.com> <49D0ED88.8080704@jonkmans.com> <49D0FED6.80103@gmail.com> <49D10256.8080003@jonkmans.com>
Message-ID: <49D4C7B9.3000606@jonkmans.com>

Glad to hear that! Not glad you're seeing hostile activity... but glad you're 'seeing' it :)

Matt

Greg Martin wrote:
> Just a follow up, some of my sensors are seeing significant hits on the
> Conficker.b shellcode signature today. Just wanted to confirm it IS
> working...
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<|c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; classtype:trojan-activity; sid:2009201; rev:4;)
>
>
> -Greg
>
>
>
>
> ---
> Greg Martin
> Director InfoSecurity
> Econet Inc. - Sentinel IPS
> 972-991-5005 x102
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emergingsigs at eriko.mobi Thu Apr 2 10:04:05 2009
From: emergingsigs at eriko.mobi (Erik)
Date: Thu, 2 Apr 2009 10:04:05 -0500
Subject: [Emerging-Sigs] urilen more 2.8 rules?
In-Reply-To:
References: <49D267DB.9030705@jonkmans.com>
Message-ID: <20090402150405.GA33418@cork.barragry.com>

On Tue, Mar 31, 2009 at 06:04:03PM -0700, Michael Scheidell wrote:
> > I'm not one to force folks to upgrade, although I'd certainly recommend it.
> >
> > But making a multiple set of rulesets brings in a significantly higher
> > complexity of backend management, and with that a much higher likelihood
> > of ruleset errors. And we all know I put enough errors in on my own,
> > another source scares me....
> >
> > What we could do in the shorter term would be to publish a list of sid's
> > that are NOT 2.6 compatible for folks that need it, and where possible
> > an alternative rule. Would that be a reasonable solution?
>
> Or I get off my butt and finish up all the patches and testing.
> Don't even remember why now, just every time I tried to implement it, weird
> stuff happens.
>
> If no one else is stuck at 2.6, then I would say it's mostly my problem.
>
> --
> Michael Scheidell, CTO

For what it's worth, we have dozens of boxes deployed at 2.6 (or
lower, in a few cases.) We primarily haven't upgraded due to the
massive amount of person-power required.
Erik

From mcholste at gmail.com Thu Apr 2 10:08:25 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 2 Apr 2009 10:08:25 -0500
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 17, Issue 1
In-Reply-To: <69544300904020536gb7fbb6cj4476658b871e1832@mail.gmail.com>
References: <69544300904020532s289bbc96q3c7891f68069174b@mail.gmail.com> <69544300904020536gb7fbb6cj4476658b871e1832@mail.gmail.com>
Message-ID:

I was able to view it without a scribd account. I don't know why it would have prompted you for it, but I'm glad Pedro was able to get it to you--it's very interesting.

--Martin

On Thu, Apr 2, 2009 at 7:36 AM, Jules Pagna Disso wrote:
> :)
>
> 2009/4/2 Pedro Marinho
>
>> Thank you very much
>>
>> 2009/4/2 Jules Pagna Disso
>>
>>> you should get it in a minute through ur personal account. already sent!!!
>>>
>>> 2009/4/2 Pedro Marinho
>>>
>>>> Hello,
>>>>
>>>> I am trying to download this paper you pointed out here
>>>>
>>>> www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
>>>>
>>>> but I can't make an account on the scribd.com website.
>>>>
>>>> Sorry to bother you, but would you send me a copy of this document?
>>>> It is of great importance.
>>>> Thanks
>>>>
>>>> 2009/4/1
>>>>
>>>>> Send Emerging-sigs mailing list submissions to
>>>>> emerging-sigs at emergingthreats.net
>>>>>
>>>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> or, via email, send a message with subject or body 'help' to
>>>>> emerging-sigs-request at emergingthreats.net
>>>>>
>>>>> You can reach the person managing the list at
>>>>> emerging-sigs-owner at emergingthreats.net
>>>>>
>>>>> When replying, please edit your Subject line so it is more specific
>>>>> than "Re: Contents of Emerging-sigs digest..."
>>>>>
>>>>>
>>>>> Today's Topics:
>>>>>
>>>>> 1. GhostNet-related Trojan URI sig (Martin Holste)
>>>>> 2.
>>>>> Re: GhostNet-related Trojan URI sig (Matt Jonkman)
>>>>> 3. Re: urilen more 2.8 rules? (Michael Scheidell)
>>>>> 4. BHO / browser hijacker traffic requests (Darren Spruell)
>>>>> 5. Re: GhostNet-related Trojan URI sig (Frank Knobbe)
>>>>> 6. Re: Conficker Shellcode Sigs (Greg Martin)
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> Message: 1
>>>>> Date: Tue, 31 Mar 2009 15:53:08 -0500
>>>>> From: Martin Holste
>>>>> Subject: [Emerging-Sigs] GhostNet-related Trojan URI sig
>>>>> To: emerging-sigs at emergingthreats.net
>>>>> Message-ID:
>>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>>
>>>>> Here's a sig for a Trojan that uses the same servers and one URL (msnxy.net)
>>>>> as the Ghost Net reported on in the reference for the rule submitted by
>>>>> Frank yesterday:
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Reporting"; flow:established,to_server; uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; uricontent:"&owner="; classtype:trojan-activity; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; sid:2009xxxx; rev:1; threshold: type limit, track by_src, count 1, seconds 300;)
>>>>>
>>>>> It is an extremely constant check-in (about 5 times per minute), so I put a
>>>>> threshold on there to save the sensor a bit. One could argue that the
>>>>> "hostname" URI param should be its own uricontent term, but connecting it to
>>>>> the URI stem gives it a longer pattern for the AC engine to hit on, so that
>>>>> should aid performance.
>>>>> Also, you guys usually put a "GET" content match on
>>>>> the beginning of these, but I don't understand that since uricontent would
>>>>> never hit on something that wasn't HTTP traffic, and the act of normalizing
>>>>> the HTTP request means that the packet has to be inspected anyway, right?
>>>>> Feel free to correct that if I'm misunderstanding that.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Martin
>>>>> -------------- next part --------------
>>>>> An HTML attachment was scrubbed...
>>>>> URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090331/336cc795/attachment-0001.html
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> Message: 2
>>>>> Date: Tue, 31 Mar 2009 17:00:01 -0400
>>>>> From: Matt Jonkman
>>>>> Subject: Re: [Emerging-Sigs] GhostNet-related Trojan URI sig
>>>>> To: Martin Holste
>>>>> Cc: emerging-sigs at emergingthreats.net
>>>>> Message-ID: <49D28451.40904 at jonkmans.com>
>>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>>
>>>>> Good sig, thanks Martin.
>>>>>
>>>>> As for the leading GET's we often use, that's to eliminate other methods
>>>>> for the most part: POST, HEAD, etc. I think it's fine in this case to go
>>>>> without though, we're not looking into post parameters or anything.
>>>>>
>>>>> Posting now, thanks!!
>>>>>
>>>>> matt
>>>>>
>>>>> Martin Holste wrote:
>>>>> > Here's a sig for a Trojan that uses the same servers and one URL
>>>>> > (msnxy.net) as the Ghost Net reported on in the
>>>>> > reference for the rule submitted by Frank yesterday:
>>>>> >
>>>>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Reporting"; flow:established,to_server; uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; uricontent:"&owner="; classtype:trojan-activity; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; sid:2009xxxx; rev:1; threshold: type limit, track by_src, count 1, seconds 300;)
>>>>> >
>>>>> > It is an extremely constant check-in (about 5 times per minute), so I
>>>>> > put a threshold on there to save the sensor a bit. One could argue that
>>>>> > the "hostname" URI param should be its own uricontent term, but
>>>>> > connecting it to the URI stem gives it a longer pattern for the AC
>>>>> > engine to hit on, so that should aid performance. Also, you guys
>>>>> > usually put a "GET" content match on the beginning of these, but I don't
>>>>> > understand that since uricontent would never hit on something that
>>>>> > wasn't HTTP traffic, and the act of normalizing the HTTP request means
>>>>> > that the packet has to be inspected anyway, right? Feel free to correct
>>>>> > that if I'm misunderstanding that.
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > Martin
>>>>> >
>>>>> >
>>>>> >
>>>>> > ------------------------------------------------------------------------
>>>>> >
>>>>> > _______________________________________________
>>>>> > Emerging-sigs mailing list
>>>>> > Emerging-sigs at emergingthreats.net
>>>>> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> --
>>>>> --------------------------------------------
>>>>> Matthew Jonkman
>>>>> Emerging Threats
>>>>> Phone 765-429-0398
>>>>> Fax 312-264-0205
>>>>> http://www.emergingthreats.net
>>>>> --------------------------------------------
>>>>>
>>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> Message: 3
>>>>> Date: Tue, 31 Mar 2009 18:04:03 -0700
>>>>> From: Michael Scheidell
>>>>> Subject: Re: [Emerging-Sigs] urilen more 2.8 rules?
>>>>> To: Matt Jonkman, Nathaniel Richmond
>>>>> Cc: emerging-sigs at emergingthreats.net
>>>>> Message-ID:
>>>>> Content-Type: text/plain; charset="US-ASCII"
>>>>>
>>>>> > I'm not one to force folks to upgrade, although I'd certainly recommend it.
>>>>> >
>>>>> > But making a multiple set of rulesets brings in a significantly higher
>>>>> > complexity of backend management, and with that a much higher likelihood
>>>>> > of ruleset errors. And we all know I put enough errors in on my own,
>>>>> > another source scares me....
>>>>> >
>>>>> > What we could do in the shorter term would be to publish a list of sid's
>>>>> > that are NOT 2.6 compatible for folks that need it, and where possible
>>>>> > an alternative rule. Would that be a reasonable solution?
>>>>>
>>>>> Or I get off my butt and finish up all the patches and testing.
>>>>> Don't even remember why now, just every time I tried to implement it, weird
>>>>> stuff happens.
>>>>>
>>>>> If no one else is stuck at 2.6, then I would say it's mostly my problem.
>>>>>
>>>>> --
>>>>> Michael Scheidell, CTO
>>>>> | SECNAP Network Security
>>>>> Finalist 2009 Network Products Guide Hot Companies
>>>>> FreeBSD SpamAssassin Ports maintainer
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> This email has been scanned and certified safe by SpammerTrap(r).
>>>>> For Information please see http://www.secnap.com/products/spammertrap/
>>>>> _________________________________________________________________________
>>>>>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> Message: 4
>>>>> Date: Tue, 31 Mar 2009 18:46:19 -0700
>>>>> From: Darren Spruell
>>>>> Subject: [Emerging-Sigs] BHO / browser hijacker traffic requests
>>>>> To: Emerging Threats Signatures
>>>>> Message-ID: <839aec700903311846y3ca530f8l421f0c42067f1a2e at mail.gmail.com>
>>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>>
>>>>> Picked up the below request chain from a client. First request looks
>>>>> like VRT sid 14080 wants to match it ("SPYWARE-PUT Adware
>>>>> winspywareprotect runtime detection - connection to malicious server")
>>>>> although it looks too specific with the Host header. This looks to be
>>>>> the critter (although my victim's requests are direct to IP):
>>>>>
>>>>> http://www.threatexpert.com/report.aspx?md5=fab5238181344c1dc4e5c7e315a0b89f
>>>>>
>>>>> The use of the non-standard LabelCommand user-agent seems sigworthy
>>>>> here. Sorry, no pcap (just ascii)...
>>>>> URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090401/df6d1016/attachment-0001.html
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at emergingthreats.net
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>>
>>>>> End of Emerging-sigs Digest, Vol 17, Issue 1
>>>>> ********************************************
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>>
>>>
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/8e49e26e/attachment-0001.html

From mcholste at gmail.com Thu Apr 2 10:25:22 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 2 Apr 2009 10:25:22 -0500
Subject: [Emerging-Sigs] urilen more 2.8 rules?
In-Reply-To: <20090402150405.GA33418@cork.barragry.com>
References: <49D267DB.9030705@jonkmans.com> <20090402150405.GA33418@cork.barragry.com>
Message-ID:

Have you considered using an NFS mount (or Samba/CIFS) to serve your binary and shared objects? You could even separate your 32-bit and 64-bit hardware into separate folders if you like. That way upgrading just means changing one binary (or symlinking to a different remotely mounted directory on the local box), and you can roll back if necessary. You might also consider using the included .spec files to create RPM's for more straightforward deployment.
One way to set it up would be to have the central NFS server keep a subdirectory for each server (maybe name the directories after the IP address of the Snort boxes), then change the symlink for the snort binary in each subdirectory to point to the upgraded snort version. On the remote boxes, you have a directory called /us/local/snort which is an NFS mount to central-server:/srv/snort/10.10.10.10/.

Anyway, just some ideas for managing large deployments.

--Martin

On Thu, Apr 2, 2009 at 10:04 AM, Erik wrote:
> On Tue, Mar 31, 2009 at 06:04:03PM -0700, Michael Scheidell wrote:
> > > I'm not one to force folks to upgrade, although I'd certainly recommend it.
> > >
> > > But making a multiple set of rulesets brings in a significantly higher
> > > complexity of backend management, and with that a much higher likelihood
> > > of ruleset errors. And we all know I put enough errors in on my own,
> > > another source scares me....
> > >
> > > What we could do in the shorter term would be to publish a list of sid's
> > > that are NOT 2.6 compatible for folks that need it, and where possible
> > > an alternative rule. Would that be a reasonable solution?
> >
> > Or I get off my butt and finish up all the patches and testing.
> > Don't even remember why now, just every time I tried to implement it, weird
> > stuff happens.
> >
> > If no one else is stuck at 2.6, then I would say it's mostly my problem.
> >
> > --
> > Michael Scheidell, CTO
>
> For what it's worth, we have dozens of boxes deployed at 2.6 (or
> lower, in a few cases.) We primarily haven't upgraded due to the
> massive amount of person-power required.
>
> Erik
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
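As an added example (not Martin's code or anything from the list), the central-server side of the layout he describes: per-sensor directories named by sensor IP under the exported root, versioned Snort trees beneath each, and a snort symlink switched by an atomic rename so an upgrade or a rollback is one link change that a sensor reading the mount never sees half-done. The root directory, version names and file contents are constructed; it assumes a POSIX filesystem where the sensor mounts central-server:/srv/snort/<ip>/ as its local Snort directory.

```python
"""Added example (not from the list posts): the per-sensor NFS layout
described above as a small manager. Versioned Snort trees live under
<root>/<sensor-ip>/versions/<ver>; a 'snort' symlink, switched with an
atomic rename, selects the active one. Root, versions and builds are
constructed; a POSIX filesystem with symlinks is assumed."""
import os
import tempfile
from pathlib import Path


class SensorTree:
    """Central-server side of central-server:/srv/snort/<sensor-ip>/."""

    def __init__(self, root, sensor_ip: str):
        self.base = Path(root) / sensor_ip
        (self.base / "versions").mkdir(parents=True, exist_ok=True)
        self.link = self.base / "snort"           # what the sensor mounts
        self.prev_file = self.base / ".previous"  # recorded for rollback

    def install(self, version: str, files: dict) -> Path:
        """Write a build (relative path -> content) under versions/<version>."""
        dest = self.base / "versions" / version
        for rel, content in files.items():
            p = dest / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return dest

    def current(self):
        """Version the 'snort' link points at, or None if never activated."""
        if not self.link.is_symlink():
            return None
        return Path(os.readlink(self.link)).name

    def activate(self, version: str) -> None:
        """Switch the link. A temp link is created and os.replace()d over the
        old one: rename(2) is atomic and does not descend into the old link's
        target directory, so the sensor never sees a missing binary."""
        target = self.base / "versions" / version
        if not target.is_dir():
            raise FileNotFoundError(f"{version} is not installed for {self.base.name}")
        cur = self.current()
        if cur is not None:
            self.prev_file.write_text(cur)
        tmp = self.base / ".snort.tmp"
        if tmp.is_symlink():
            tmp.unlink()
        # relative target, so the link also resolves on the sensor's mount
        os.symlink(os.path.join("versions", version), tmp)
        os.replace(tmp, self.link)

    def rollback(self) -> str:
        """Re-activate the version recorded before the last switch."""
        if not self.prev_file.exists():
            raise RuntimeError("nothing to roll back")
        prev = self.prev_file.read_text()
        self.activate(prev)
        return prev


def demo(root=None) -> dict:
    """Constructed walk-through for sensor 10.10.10.10: install 2.6 and 2.8,
    upgrade, read the binary through the link, then roll back."""
    root = Path(root or tempfile.mkdtemp()) / "srv" / "snort"
    tree = SensorTree(root, "10.10.10.10")
    tree.install("2.6", {"bin/snort": "fake snort 2.6\n", "etc/snort.conf": "# 2.6 conf\n"})
    tree.install("2.8", {"bin/snort": "fake snort 2.8\n", "etc/snort.conf": "# 2.8 conf\n"})
    tree.activate("2.6")
    tree.activate("2.8")
    result = {"after_upgrade": tree.current(),
              "binary_after_upgrade": (tree.link / "bin" / "snort").read_text()}
    result["rolled_back_to"] = tree.rollback()
    result["after_rollback"] = tree.current()
    result["binary_after_rollback"] = (tree.link / "bin" / "snort").read_text()
    result["previous_now"] = tree.prev_file.read_text()
    return result
```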
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/54c47aef/attachment.html

From jonkman at jonkmans.com Thu Apr 2 10:48:25 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 02 Apr 2009 11:48:25 -0400
Subject: [Emerging-Sigs] OSSIM Conficker Directive
Message-ID: <49D4DE49.30701@jonkmans.com>

http://www.ossim.net/conficker.xml.txt

From the OSSIM guys. If you're using OSSIM be sure to add this directive.

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From scheidell at secnap.net Thu Apr 2 10:57:58 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu, 02 Apr 2009 08:57:58 -0700
Subject: [Emerging-Sigs] urilen more 2.8 rules?
In-Reply-To:
References: <49D267DB.9030705@jonkmans.com> <20090402150405.GA33418@cork.barragry.com>
Message-ID: <49D4E086.7050007@secnap.net>

Martin Holste wrote:
> Have you considered using an NFS mount (or Samba/CIFS) to serve your
> binary and shared objects? You could even separate your 32-bit and
> 64-bit hardware into separate folders if you like. That way upgrading
> just means changing one binary (or symlinking to a different remotely
> mounted directory on the local box), and you can roll back if
> necessary. You might also consider using the included .spec files to
> create RPM's for more straightforward deployment.
>
It's not the binaries that are the issue..
there are snort.conf file changes between 2.4 and 2.6 (and 2.8),

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
| SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2009 Hot Company Award Finalist, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/f3c4603a/attachment.html

From mcholste at gmail.com Thu Apr 2 11:34:21 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 2 Apr 2009 11:34:21 -0500
Subject: [Emerging-Sigs] urilen more 2.8 rules?
In-Reply-To: <49D4E086.7050007@secnap.net>
References: <49D267DB.9030705@jonkmans.com> <20090402150405.GA33418@cork.barragry.com> <49D4E086.7050007@secnap.net>
Message-ID:

I see. You can use the same strategy for the config files as well by NFS mounting /etc/snort to a remote directory. That's rather handy, because you can grep all of your configs at once on the central server if you wanted to. You can also easily use one sensor's config as a template for another with a simple copy command, and centralized config backups become easy as well.

On Thu, Apr 2, 2009 at 10:57 AM, Michael Scheidell wrote:
>
>
> Martin Holste wrote:
>
> Have you considered using an NFS mount (or Samba/CIFS) to serve your binary
> and shared objects? You could even separate your 32-bit and 64-bit hardware
> into separate folders if you like.
> That way upgrading just means changing
> one binary (or symlinking to a different remotely mounted directory on the
> local box), and you can roll back if necessary. You might also consider
> using the included .spec files to create RPM's for more straightforward
> deployment.
>
> It's not the binaries that are the issue.. there are snort.conf file
> changes between 2.4 and 2.6 (and 2.8),
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
>
> | SECNAP Network Security Corporation
>
> - Certified SNORT Integrator
> - 2009 Hot Company Award Finalist, World Executive Alliance
> - Five-Star Partner Program 2009, VARBusiness
> - Best Anti-Spam Product 2008, Network Products Guide
> - King of Spam Filters, SC Magazine 2008
>
>
> ------------------------------
>
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see www.secnap.com/products/spammertrap/
> ------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/30df0ada/attachment.html

From scheidell at secnap.net Thu Apr 2 11:40:59 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu, 02 Apr 2009 09:40:59 -0700
Subject: [Emerging-Sigs] urilen more 2.8 rules?
In-Reply-To:
References: <49D267DB.9030705@jonkmans.com> <20090402150405.GA33418@cork.barragry.com> <49D4E086.7050007@secnap.net>
Message-ID: <49D4EA9B.7060607@secnap.net>

Martin Holste wrote:
> I see. You can use the same strategy for the config files as well by
> NFS mounting /etc/snort to a remote directory. That's rather handy,
> because you can grep all of your configs at once on the central server
> if you wanted to. You can also easily use one sensor's config as a
> template for another with a simple copy command, and centralized
> config backups become easy as well.
>

noop, configs are very different among clients (we are an MSSP). yes, we paid the extra money for the right to resell snort sigs :-)

as in VERY different, depending on a huge range of things, some are in facing sensors, some outfacing, some dmz, some lan. some sites have several sensors on same box, some sites are in snort-sam (ips) mode.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259

*| *SECNAP Network Security Corporation

* Certified SNORT Integrator
* 2009 Hot Company Award Finalist, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090402/4ccb2676/attachment-0001.html From emerging at emergingthreats.net Thu Apr 2 15:00:10 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Thu, 2 Apr 2009 16:00:10 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090402200010.AEAC44501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Thu Apr 2 16:00:10 2009 [***] [+++] Added rules: [+++] 2009203 - ET TROJAN Alman Dropper Checkin (emerging-virus.rules) 2009204 - ET TROJAN Crypt.CFI.Gen Checkin (emerging-virus.rules) [///] Modified active rules: [///] 2008759 - ET MALWARE Matcash Trojan Related Spyware Code Download (emerging-malware.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-sid-msg.map (6): 2009203 || ET TROJAN Alman Dropper Checkin 2009204 || ET TROJAN Crypt.CFI.Gen Checkin 2404022 || ET DROP Known Bot C&C Server Traffic (group 23) || url,www.shadowserver.org 2405022 || ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE || url,www.shadowserver.org 2500147 || ET COMPROMISED Known Compromised or Hostile Host Traffic (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510147 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (6): 2009203 || ET TROJAN Alman Dropper Checkin 2009204 || ET TROJAN Crypt.CFI.Gen Checkin 2404022 || ET DROP Known Bot C&C Server Traffic (group 23) || url,www.shadowserver.org 2405022 || ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE || url,www.shadowserver.org 2500147 || ET COMPROMISED Known Compromised or Hostile Host Traffic (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510147 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts From 
phatbuckett at gmail.com Thu Apr 2 18:34:18 2009 From: phatbuckett at gmail.com (Darren Spruell) Date: Thu, 2 Apr 2009 16:34:18 -0700 Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A In-Reply-To: <49B82060.9030506@jonkmans.com> References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <49B68FAB.8040209@jonkmans.com> <314cf0830903100917s44424054w4afb19f819fba94@mail.gmail.com> <49B69DCD.7000703@jonkmans.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> Message-ID: <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> Looks like the pcre we settled on for the committed revision of this rule was too specific; we dug out another compromised client from proxy logs and found the following requests which had some differences in the URI: /C20Lb3VnLh8/UzBdPzI1aHo43323/3503/31UjBdODc2aw/Vw4111/ /CW0NbndnKB4/UTBbPjA1bkg31813/1562/18UDBbCzU2bQ/VQ4231/ /CW4Lb3dkLh8/UTNdPzA2aHo21229/1603/21UDNdODU1aw/VQ0213/ /CWANbnNjJho/UT1bPgExYEw32112/18625/33UD1bCzEyYw/VQM222/ /CWkPaX5jLxg/UTRtDDkxaU411229/11458/21UDRtPjwyWw/VQo942/ /CmwJZXFgKh4/UgVfNTYybEg12221/24297/31UwVfMjMxbw/Vg8211/ /CWsMaHZjLRs/UTZaODExa0013313/13740/21UDZaPwQyaA/VQg122/ /CWsMaHZjLRs/UTZaODExa0062211/13740/56UDZaPwQyaA/VQg111/ /Cm4JZHVgKB4/UjNfNDIybkg43226/26283/17UzNfMzcxbQ/Vg0214/ /CmkDbH5gLxQ/UjRVPDkyaUI31521/21808/15UzRVOzwxWw/Vgo221/ /CmgKanRgLh0/UjVcOjMyaEs11212/20162/91UzVcPTYxaw/Vgs411/ /CmoJaXVgLB4/UjdfDDIyWEg51234/22253/12UzdfPjcxaQ/Vgk118/ /C2oKaHNhLB0/UzdcOAEzWEs73752/32145/47UjdcPzEwaQ/Vwk173/ /DGACa3JqJxs/YD1UOzU4YU032726/4897/11VT1UPDA7Yg/UAM122/ /C28Da3VlJhs/UzJVOzI3YE022432/3787/11UjJVPDc0Yw/Vww243/ /CWAPZHFjJhg/UT1tNDYxYE432222/18487/83UD1tMzMyYw/VQM113/ /CW4LbnNjKBw/UTNdPgExbko22518/16025/11UDNdCzEybQ/VQ0611/ 
/CmoOZXdgLBk/UjdYNTAyWE881112/22591/12UzdYMjUxaQ/Vgk411/ /VGsPa35hKhs/WDZtOzkzbE024119/8347/17WTZtPDwwbw/XAg311/ /CW0ObXdnKx0/UTBYPTA1bUs22121/1551/21UDBYOjU2bg/VQ4211/ /Cm8Pa3RlKhs/UjJtOzM3bE011221/2747/21UzJtPDY0bw/Vgw213/ /AWsKaH9hLxg/WTZcODgzaU423113/9314/68WDZcPz0wWw/XQg222/ /Cm8La3RlLhs/UjJdOzM3aE064612/2707/11UzJdPDY0aw/Vgw113/ /DG0LaXJnLhk/YDBdDDU1aE822832/4505/11VTBdPjA2aw/UA4123/ /C2kJbnNhLx4/UzRfPgEzaUg12125/31225/28UjRfCzEwWw/Vwo121/ /CmgCZX9gLhU/UjVUNTgyaEM21221/20999/93UzVUMj0xaw/Vgs133/ /CWwLanNjKhw/UQVdOgExbEo11223/14065/17UAVdPTEybw/VQ8121/ /CWwOZH5jKhk/UQVYNDkxbE879137/14588/29UAVYMzwybw/VQ8121/ /D2wCZXFmJxU/VwVUNTY0YUM86324/7499/12VgVUMjM3Yg/Uw8283/ /Cm4LZH9gKBw/UjNdNDgybko22811/26089/33UzNdMz0xbQ/Vg0321/ /CW8OZHNjKRk/UTJYNAExb0822122/17585/31UDJYMzEybA/VQw226/ /CW4Man9jKBs/UTNaOjgxbk021212/16769/22UDNaPT0ybQ/VQ0212/ /VGsNaX5hKBk/WDZbDDkzbk822121/8365/12WTZbPjwwbQ/XAg821/ /AWEIb39rLR8/WTxePzg5a3o29221/9933/88WDxeOD06aA/XQI212/ /C2kDZHBhLxQ/UzRVNDczaUI21121/31886/33UjRVMzIwWw/Vwo272/ /AWANa39qKBs/WT1bOzg4bk026921/9867/12WD1bPD07bQ/XQM522/ /CW4MbnRjKBs/UTNaPjMxbk012611/16722/14UDNaCzYybQ/VQ0142/ /C2sNbHVhKBw/UzZbPDIzbko92831/3360/21UjZbOzcwbQ/Vwg123/ /C2wIaHVmLRg/UwVeODI0a0422172/34/12UgVePzc3aA/Vw8322/ /CWsKanBjLR0/UTZcOjcxa0s22112/13166/71UDZcPTIyaA/VQg921/ /CWgJaX9jLh4/UTVfDDgxaEg16921/10259/12UDVfPj0yaw/VQs281/ /VG4CbX5kJx0/WDNUPTk2YUs23127/8691/71WTNUOjw1Yg/XA0291/ /CmEMaXFgJxs/UjxaDDYyYU033237/29757/11UzxaPjMxYg/VgI121/ /Dm4CbnBkJx4/VjNUPjc2YUg29262/6692/91VzNUCzI1Yg/Ug0224/ /C2gJa35hLh4/UzVfOzkzaEg33221/30278/72UjVfPDwwaw/Vws652/ /DGsLanJhLho/YDZdOjUzaEw11239/4306/22VTZdPTAwaw/UAg131/ /CmgJbHJgLh4/UjVfPDUyaEg31962/20204/22UzVfOzAxaw/Vgs151/ /CW4Ma3JjKBs/UTNaOzUxbk023332/16774/51UDNaPDAybQ/VQ0223/ Namely, several of the characters in the leading classes were different, the number of digits in the third section were less than anticipated, and the final section was of lesser length. 
I made adjustments and came up with the following altered regex:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/\w{11}\/\w{16}\/\d{1,5}\/\d{2}\w{10}\/\w{6,}/sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:?;)

I hesitate to make the matches much tighter as we've also had reports of other variations of the C2 requests so more general may be the way to go. Feedback of course welcome.

DS

On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote:
> Just going through the sandnet database and there's not a single entry
> that has the same typo, so we'll have to assume it unique to this
> rolling of this variant.
>
> I'll keep an eye out and see if it shows up with anything else. Very
> interesting one.
>
> Matt
>
> Joel Esler wrote:
>> I think the rule might be good enough with the en-en match. That's
>> pretty specific.
>>
>> J
>>
>> On Wed, Mar 11, 2009 at 2:46 PM, dxp > > wrote:
>>
>>     Here's another one, noticed it only after dissecting the binary.
>>     The UAS is missing a space between IE version string and Windows
>>     version string. There should be a space after the semicolon.
>>
>>
>>         /User-Agent: Mozilla/4.0 (compatible; MSIE //*6.0;Windows*// NT
>>         5.1)/
>>
>>     -
>>
>>     -=[ dxp ]=-
>>     0xA3F3C6E3
>>
>>
>>
>>
>>     On Tue, 2009-03-10 at 17:23 -0400, Joel Esler wrote:
>>>     Nice catch.
>>>
>>>     On Tue, Mar 10, 2009 at 4:45 PM, dxp >>     > wrote:
>>>
>>>         Regarding the "Accept-Language:" header, looks like the value
>>>         used ("en-en") is not legit. That's an anomaly which can be
>>>         used to extend the language header match.
>>>
>>>         -
>>>
>>>         -=[ dxp ]=-
>>>
? ? ? 0xA3F3C6E3 >>> >>> >>> >>> >>> >>> ? ? ? ? On Tue, 2009-03-10 at 14:37 -0400, Joel Esler wrote: >>>> ? ? ? ? How about >>>> >>>> >>>> ? ? ? ? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS >>>> ? ? ? ? (msg:"TROJAN Trojan.Win32.Inject.esi Outbound Communication"; >>>> ? ? ? ? flow:stateless; content:"GET "; depth:4; nocase; >>>> ? ? ? ? isdataat:62,relative; content:"|0d 0a|Accept-Language"; >>>> ? ? ? ? nocase; >>>> ? ? ? ? pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; >>>> ? ? ? ? classtype:trojan-activity; sid:2009125; rev:4;) >>>> >>>> >>>> ? ? ? ? Notes: >>>> ? ? ? ? Flow >>>> ? ? ? ? isdataat >>>> ? ? ? ? Accept-Language inclusion >>>> ? ? ? ? Pcre that is not only more accurate, but it also correct. >>>> ? ? ? ? ?(the original pcre could be (as was) evaded). >>>> >>>> >>>> ? ? ? ? J >>>> >>>> ? ? ? ? On Tue, Mar 10, 2009 at 1:05 PM, Matt Jonkman >>>> ? ? ? ? > wrote: >>>> >>>> ? ? ? ? ? ? Joel Esler wrote: >>>> ? ? ? ? ? ? > >>>> ? ? ? ? ? ? > Is it not unique in the pcap that I was sent. ?The >>>> ? ? ? ? ? ? accept-language will >>>> ? ? ? ? ? ? > fire a lot, but you need it for the prequalification >>>> ? ? ? ? ? ? step in the FP >>>> ? ? ? ? ? ? > portion of the engine. ?Fire on accept-language, keep >>>> ? ? ? ? ? ? the "GET", do an >>>> ? ? ? ? ? ? > anchor at offset of 0, use an isdataat to test length, >>>> ? ? ? ? ? ? pcre to qualify >>>> ? ? ? ? ? ? > and fire. ?Test the difference in between the two rules >>>> ? ? ? ? ? ? with rule >>>> ? ? ? ? ? ? > profiling. ?See how it goes. >>>> ? ? ? ? ? ? > >>>> ? ? ? ? ? ? > >>>> >>>> >>>> ? ? ? ? ? ? The GET has a depth of 4 so that's equivalent to >>>> ? ? ? ? ? ? offset 0 no? >>>> >>>> ? ? ? ? ? ? Isdadaat is a good idea. There will ilkely be data after >>>> ? ? ? ? ? ? the url string >>>> ? ? ? ? ? ? length, so maybe just a content:!"|0d 0a|"; within:62; >>>> >>>> ? ? ? ? ? ? 
The uri is between 64 and 67 bytes in the samples >>>> ? ? ? ? ? ? depending on the >>>> ? ? ? ? ? ? length of that numeric string so I went 62 just in case. >>>> >>>> ? ? ? ? ? ? So: >>>> ? ? ? ? ? ? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS >>>> ? ? ? ? ? ? (msg:"ET TROJAN >>>> ? ? ? ? ? ? Trojan.Win32.Inject.esi Outbound Communication"; >>>> ? ? ? ? ? ? flow:established,to_server; content:"GET "; depth:4; >>>> ? ? ? ? ? ? content:"/"; >>>> >>>> ? ? ? ? ? ? distance:0; content:!"|0d 0a|"; within:62; content:"/"; >>>> ? ? ? ? ? ? distance:16; >>>> ? ? ? ? ? ? within:1; content:"/"; distance:3; within:5; content:"/"; >>>> ? ? ? ? ? ? distance:12; >>>> ? ? ? ? ? ? within:1; content:"/|0d 0a|"; distance:17; within:3; >>>> ? ? ? ? ? ? pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; >>>> >>>> ? ? ? ? ? ? classtype:trojan-activity; sid:2009125; rev:3;) >>>> >>>> ? ? ? ? ? ? Is that going to work? The negated content isn't going to >>>> ? ? ? ? ? ? put the ptr at >>>> ? ? ? ? ? ? the end of 62 is it? hmmmm >>>> >>>> >>>> ? ? ? ? ? ? > >>>> ? ? ? ? ? ? > So if I was a malware writer, all I have to do is use a >>>> ? ? ? ? ? ? POST and I >>>> ? ? ? ? ? ? > bypass your rule. ?You do NOT want to eliminate the >>>> ? ? ? ? ? ? others, as that will >>>> ? ? ? ? ? ? > open you to false negatives. ?Up to you. ?For this >>>> ? ? ? ? ? ? particular sample, >>>> ? ? ? ? ? ? > you can keep your GET, I just want you to be aware that >>>> ? ? ? ? ? ? overall, a check >>>> ? ? ? ? ? ? > for GET is usually bad. ?In all of the rules the VRT >>>> ? ? ? ? ? ? has written, >>>> ? ? ? ? ? ? > (14,000+) as of current build, there are 38 live rules >>>> ? ? ? ? ? ? that do a content >>>> ? ? ? ? ? ? > check for GET. ?If you look at them, you will see why >>>> ? ? ? ? ? ? it had to be done >>>> ? ? ? ? ? ? > that way. >>>> >>>> >>>> ? ? ? ? ? ? In other rules I'd agree with you that making an easy >>>> ? ? ? ? ? ? evasion is bad. >>>> ? ? ? ? ? ? 
But in the malware side we have so many things that are >>>> ? ? ? ? ? ? intended to look >>>> ? ? ? ? ? ? like normal traffic. >>>> >>>> ? ? ? ? ? ? So in the malware side I err toward evadable but reliable >>>> ? ? ? ? ? ? for a few reasons: >>>> >>>> ? ? ? ? ? ? 1. We've had many sigs out for years that are easily >>>> ? ? ? ? ? ? evadable but the >>>> ? ? ? ? ? ? malware authors just DON'T try to evade. And the strains >>>> ? ? ? ? ? ? come and go >>>> ? ? ? ? ? ? quickly sometimes. >>>> >>>> ? ? ? ? ? ? 2. False positives in these sigs are costly. In most >>>> ? ? ? ? ? ? places that means >>>> ? ? ? ? ? ? an IT guy has to go visit a workstation and check it out >>>> ? ? ? ? ? ? by hand. Costs >>>> ? ? ? ? ? ? money and costs the security group their reputation for >>>> ? ? ? ? ? ? reliability. >>>> >>>> ? ? ? ? ? ? 3. If they do try to evade we'll generally catch the >>>> ? ? ? ? ? ? change in the >>>> ? ? ? ? ? ? sandnet or in the analysis' put up by av vendors and the >>>> ? ? ? ? ? ? like. >>>> >>>> ? ? ? ? ? ? Anyone have a differing argument for this philosophy? >>>> ? ? ? ? ? ? It's what I tend >>>> ? ? ? ? ? ? to apply to all of the virus/malware and spyware sigs. >>>> >>>> ? ? ? ? ? ? Matt >>>> >>>> >>>> ? ? ? ? ? ? > >>>> ? ? ? ? ? ? > >>>> ? ? ? ? ? ? ------------------------------------------------------------------------ >>>> ? ? ? ? ? ? > >>>> ? ? ? ? ? ? > _______________________________________________ >>>> ? ? ? ? ? ? > Emerging-sigs mailing list >>>> ? ? ? ? ? ? > Emerging-sigs at emergingthreats.net >>>> ? ? ? ? ? ? >>>> ? ? ? ? ? ? > >>>> ? ? ? ? ? ? http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> >>>> ? ? ? ? ? ? -- >>>> ? ? ? ? ? ? -------------------------------------------- >>>> >>>> >>>> ? ? ? ? ? ? Matthew Jonkman >>>> ? ? ? ? ? ? Emerging Threats >>>> ? ? ? ? ? ? Phone 765-429-0398 >>>> ? ? ? ? ? ? Fax 312-264-0205 >>>> ? ? ? ? ? ? http://www.emergingthreats.net >>>> ? ? ? ? ? ? 
-------------------------------------------- >>>> >>>> ? ? ? ? ? ? PGP: http://www.jonkmans.com/mattjonkman.asc >>>> >>>> >>>> >>>> >>>> >>>> >>>> ? ? ? ? -- >>>> ? ? ? ? Joel Esler >>>> ? ? ? ? T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com >>>> ? ? ? ? >>>> ? ? ? ? [m] >>>> >>>> ? ? ? ? _______________________________________________ >>>> ? ? ? ? Emerging-sigs mailing list >>>> ? ? ? ? Emerging-sigs at emergingthreats.net >>>> ? ? ? ? http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> >>> >>> >>> ? ? -- >>> ? ? Joel Esler >>> ? ? T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com >>> ? ? >>> ? ? [m] >> >> >> >> >> -- >> Joel Esler >> T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com >> >> [m] >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -- Darren Spruell phatbuckett at gmail.com From eslerj at gmail.com Thu Apr 2 22:31:41 2009 From: eslerj at gmail.com (Joel Esler) Date: Thu, 2 Apr 2009 23:31:41 -0400 Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A In-Reply-To: <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <314cf0830903100917s44424054w4afb19f819fba94@mail.gmail.com> <49B69DCD.7000703@jonkmans.com> 
<314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> Message-ID: <314cf0830904022031o3123a236tdfdfd07450479d4c@mail.gmail.com> I'll take a look and see what I can about re-writing the rule. Thanks for the info. J On Thu, Apr 2, 2009 at 7:34 PM, Darren Spruell wrote: > Looks like the pcre we settled on for the committed revision of this > rule was too specific; we dug out another compromised client from > proxy logs and found the following requests which had some differences > in the URI: > > /C20Lb3VnLh8/UzBdPzI1aHo43323/3503/31UjBdODc2aw/Vw4111/ > /CW0NbndnKB4/UTBbPjA1bkg31813/1562/18UDBbCzU2bQ/VQ4231/ > /CW4Lb3dkLh8/UTNdPzA2aHo21229/1603/21UDNdODU1aw/VQ0213/ > /CWANbnNjJho/UT1bPgExYEw32112/18625/33UD1bCzEyYw/VQM222/ > /CWkPaX5jLxg/UTRtDDkxaU411229/11458/21UDRtPjwyWw/VQo942/ > /CmwJZXFgKh4/UgVfNTYybEg12221/24297/31UwVfMjMxbw/Vg8211/ > /CWsMaHZjLRs/UTZaODExa0013313/13740/21UDZaPwQyaA/VQg122/ > /CWsMaHZjLRs/UTZaODExa0062211/13740/56UDZaPwQyaA/VQg111/ > /Cm4JZHVgKB4/UjNfNDIybkg43226/26283/17UzNfMzcxbQ/Vg0214/ > /CmkDbH5gLxQ/UjRVPDkyaUI31521/21808/15UzRVOzwxWw/Vgo221/ > /CmgKanRgLh0/UjVcOjMyaEs11212/20162/91UzVcPTYxaw/Vgs411/ > /CmoJaXVgLB4/UjdfDDIyWEg51234/22253/12UzdfPjcxaQ/Vgk118/ > /C2oKaHNhLB0/UzdcOAEzWEs73752/32145/47UjdcPzEwaQ/Vwk173/ > /DGACa3JqJxs/YD1UOzU4YU032726/4897/11VT1UPDA7Yg/UAM122/ > /C28Da3VlJhs/UzJVOzI3YE022432/3787/11UjJVPDc0Yw/Vww243/ > /CWAPZHFjJhg/UT1tNDYxYE432222/18487/83UD1tMzMyYw/VQM113/ > /CW4LbnNjKBw/UTNdPgExbko22518/16025/11UDNdCzEybQ/VQ0611/ > /CmoOZXdgLBk/UjdYNTAyWE881112/22591/12UzdYMjUxaQ/Vgk411/ > /VGsPa35hKhs/WDZtOzkzbE024119/8347/17WTZtPDwwbw/XAg311/ > /CW0ObXdnKx0/UTBYPTA1bUs22121/1551/21UDBYOjU2bg/VQ4211/ > 
/Cm8Pa3RlKhs/UjJtOzM3bE011221/2747/21UzJtPDY0bw/Vgw213/ > /AWsKaH9hLxg/WTZcODgzaU423113/9314/68WDZcPz0wWw/XQg222/ > /Cm8La3RlLhs/UjJdOzM3aE064612/2707/11UzJdPDY0aw/Vgw113/ > /DG0LaXJnLhk/YDBdDDU1aE822832/4505/11VTBdPjA2aw/UA4123/ > /C2kJbnNhLx4/UzRfPgEzaUg12125/31225/28UjRfCzEwWw/Vwo121/ > /CmgCZX9gLhU/UjVUNTgyaEM21221/20999/93UzVUMj0xaw/Vgs133/ > /CWwLanNjKhw/UQVdOgExbEo11223/14065/17UAVdPTEybw/VQ8121/ > /CWwOZH5jKhk/UQVYNDkxbE879137/14588/29UAVYMzwybw/VQ8121/ > /D2wCZXFmJxU/VwVUNTY0YUM86324/7499/12VgVUMjM3Yg/Uw8283/ > /Cm4LZH9gKBw/UjNdNDgybko22811/26089/33UzNdMz0xbQ/Vg0321/ > /CW8OZHNjKRk/UTJYNAExb0822122/17585/31UDJYMzEybA/VQw226/ > /CW4Man9jKBs/UTNaOjgxbk021212/16769/22UDNaPT0ybQ/VQ0212/ > /VGsNaX5hKBk/WDZbDDkzbk822121/8365/12WTZbPjwwbQ/XAg821/ > /AWEIb39rLR8/WTxePzg5a3o29221/9933/88WDxeOD06aA/XQI212/ > /C2kDZHBhLxQ/UzRVNDczaUI21121/31886/33UjRVMzIwWw/Vwo272/ > /AWANa39qKBs/WT1bOzg4bk026921/9867/12WD1bPD07bQ/XQM522/ > /CW4MbnRjKBs/UTNaPjMxbk012611/16722/14UDNaCzYybQ/VQ0142/ > /C2sNbHVhKBw/UzZbPDIzbko92831/3360/21UjZbOzcwbQ/Vwg123/ > /C2wIaHVmLRg/UwVeODI0a0422172/34/12UgVePzc3aA/Vw8322/ > /CWsKanBjLR0/UTZcOjcxa0s22112/13166/71UDZcPTIyaA/VQg921/ > /CWgJaX9jLh4/UTVfDDgxaEg16921/10259/12UDVfPj0yaw/VQs281/ > /VG4CbX5kJx0/WDNUPTk2YUs23127/8691/71WTNUOjw1Yg/XA0291/ > /CmEMaXFgJxs/UjxaDDYyYU033237/29757/11UzxaPjMxYg/VgI121/ > /Dm4CbnBkJx4/VjNUPjc2YUg29262/6692/91VzNUCzI1Yg/Ug0224/ > /C2gJa35hLh4/UzVfOzkzaEg33221/30278/72UjVfPDwwaw/Vws652/ > /DGsLanJhLho/YDZdOjUzaEw11239/4306/22VTZdPTAwaw/UAg131/ > /CmgJbHJgLh4/UjVfPDUyaEg31962/20204/22UzVfOzAxaw/Vgs151/ > /CW4Ma3JjKBs/UTNaOzUxbk023332/16774/51UDNaPDAybQ/VQ0223/ > > Namely, several of the characters in the leading classes were > different, the number of digits in the third section were less than > anticipated, and the final section was of lesser length. 
I made > adjustments and came up with the following altered regex: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Trojan.Win32.Inject.esi Outbound Communication"; > flow:established,to_server; content:"GET "; depth:4; > isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; > nocase; pcre:"/\/\w{11}\/\w{16}\/\d{1,5}\/\d{2}\w{10}\/\w{6,}/sm"; > classtype:trojan-activity; > reference:url,doc.emergingthreats.net/2009125; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; > sid:2009125; rev:?;) > > I hesitate to make the matches much tighter as we've also had reports > of other variations of the C2 requests so more general may be the way > to go. Feedback of course welcome. > > DS > > On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote: >> Just going through the sandnet database and there's not a single entry >> that has the same typo, so we'll have to assume it unique to this >> rolling of this variant. >> >> I'll keep an eye out and see if it shows up with anything else. Very >> interesting one. >> >> Matt >> >> Joel Esler wrote: >>> I think the rule might be good enough with the en-en match. ?That's >>> pretty specific. >>> >>> J >>> >>> On Wed, Mar 11, 2009 at 2:46 PM, dxp >> > wrote: >>> >>> ? ? Here's another one, noticed it only after disecting the binary. >>> ? ? The UAS is missing a space between IE version string and Windows >>> ? ? version string. ?There should be a space after the semicolumn. >>> >>> >>> ? ? ? ? /User-Agent: Mozilla/4.0 (compatible; MSIE //*6.0;Windows*// NT >>> ? ? ? ? 5.1)/ >>> >>> ? ? - >>> >>> ? ? -=[ dxp ]=- >>> ? ? 0xA3F3C6E3 >>> >>> >>> >>> >>> ? ? On Tue, 2009-03-10 at 17:23 -0400, Joel Esler wrote: >>>> ? ? Nice catch. >>>> >>>> ? ? On Tue, Mar 10, 2009 at 4:45 PM, dxp >>> ? ? > wrote: >>>> >>>> ? ? ? ? Regarding the "Accept-Language:" header, looks like the value >>>> ? ? ? ? used ("en-en") is not legit. ?That's an anomaly which can be >>>> ? ? ? ? 
used to extend the language header match. >>>> >>>> ? ? ? ? - >>>> >>>> ? ? ? ? -=[ dxp ]=- >>>> ? ? ? ? 0xA3F3C6E3 >>>> >>>> >>>> >>>> >>>> >>>> ? ? ? ? On Tue, 2009-03-10 at 14:37 -0400, Joel Esler wrote: >>>>> ? ? ? ? How about >>>>> >>>>> >>>>> ? ? ? ? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS >>>>> ? ? ? ? (msg:"TROJAN Trojan.Win32.Inject.esi Outbound Communication"; >>>>> ? ? ? ? flow:stateless; content:"GET "; depth:4; nocase; >>>>> ? ? ? ? isdataat:62,relative; content:"|0d 0a|Accept-Language"; >>>>> ? ? ? ? nocase; >>>>> ? ? ? ? pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; >>>>> ? ? ? ? classtype:trojan-activity; sid:2009125; rev:4;) >>>>> >>>>> >>>>> ? ? ? ? Notes: >>>>> ? ? ? ? Flow >>>>> ? ? ? ? isdataat >>>>> ? ? ? ? Accept-Language inclusion >>>>> ? ? ? ? Pcre that is not only more accurate, but it also correct. >>>>> ? ? ? ? ?(the original pcre could be (as was) evaded). >>>>> >>>>> >>>>> ? ? ? ? J >>>>> >>>>> ? ? ? ? On Tue, Mar 10, 2009 at 1:05 PM, Matt Jonkman >>>>> ? ? ? ? > wrote: >>>>> >>>>> ? ? ? ? ? ? Joel Esler wrote: >>>>> ? ? ? ? ? ? > >>>>> ? ? ? ? ? ? > Is it not unique in the pcap that I was sent. ?The >>>>> ? ? ? ? ? ? accept-language will >>>>> ? ? ? ? ? ? > fire a lot, but you need it for the prequalification >>>>> ? ? ? ? ? ? step in the FP >>>>> ? ? ? ? ? ? > portion of the engine. ?Fire on accept-language, keep >>>>> ? ? ? ? ? ? the "GET", do an >>>>> ? ? ? ? ? ? > anchor at offset of 0, use an isdataat to test length, >>>>> ? ? ? ? ? ? pcre to qualify >>>>> ? ? ? ? ? ? > and fire. ?Test the difference in between the two rules >>>>> ? ? ? ? ? ? with rule >>>>> ? ? ? ? ? ? > profiling. ?See how it goes. >>>>> ? ? ? ? ? ? > >>>>> ? ? ? ? ? ? > >>>>> >>>>> >>>>> ? ? ? ? ? ? The GET has a depth of 4 so that's equivalent to >>>>> ? ? ? ? ? ? offset 0 no? >>>>> >>>>> ? ? ? ? ? ? Isdadaat is a good idea. There will ilkely be data after >>>>> ? 
? ? ? ? ? the url string >>>>> ? ? ? ? ? ? length, so maybe just a content:!"|0d 0a|"; within:62; >>>>> >>>>> ? ? ? ? ? ? The uri is between 64 and 67 bytes in the samples >>>>> ? ? ? ? ? ? depending on the >>>>> ? ? ? ? ? ? length of that numeric string so I went 62 just in case. >>>>> >>>>> ? ? ? ? ? ? So: >>>>> ? ? ? ? ? ? alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS >>>>> ? ? ? ? ? ? (msg:"ET TROJAN >>>>> ? ? ? ? ? ? Trojan.Win32.Inject.esi Outbound Communication"; >>>>> ? ? ? ? ? ? flow:established,to_server; content:"GET "; depth:4; >>>>> ? ? ? ? ? ? content:"/"; >>>>> >>>>> ? ? ? ? ? ? distance:0; content:!"|0d 0a|"; within:62; content:"/"; >>>>> ? ? ? ? ? ? distance:16; >>>>> ? ? ? ? ? ? within:1; content:"/"; distance:3; within:5; content:"/"; >>>>> ? ? ? ? ? ? distance:12; >>>>> ? ? ? ? ? ? within:1; content:"/|0d 0a|"; distance:17; within:3; >>>>> ? ? ? ? ? ? pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; >>>>> >>>>> ? ? ? ? ? ? classtype:trojan-activity; sid:2009125; rev:3;) >>>>> >>>>> ? ? ? ? ? ? Is that going to work? The negated content isn't going to >>>>> ? ? ? ? ? ? put the ptr at >>>>> ? ? ? ? ? ? the end of 62 is it? hmmmm >>>>> >>>>> >>>>> ? ? ? ? ? ? > >>>>> ? ? ? ? ? ? > So if I was a malware writer, all I have to do is use a >>>>> ? ? ? ? ? ? POST and I >>>>> ? ? ? ? ? ? > bypass your rule. ?You do NOT want to eliminate the >>>>> ? ? ? ? ? ? others, as that will >>>>> ? ? ? ? ? ? > open you to false negatives. ?Up to you. ?For this >>>>> ? ? ? ? ? ? particular sample, >>>>> ? ? ? ? ? ? > you can keep your GET, I just want you to be aware that >>>>> ? ? ? ? ? ? overall, a check >>>>> ? ? ? ? ? ? > for GET is usually bad. ?In all of the rules the VRT >>>>> ? ? ? ? ? ? has written, >>>>> ? ? ? ? ? ? > (14,000+) as of current build, there are 38 live rules >>>>> ? ? ? ? ? ? that do a content >>>>> ? ? ? ? ? ? > check for GET. ?If you look at them, you will see why >>>>> ? ? ? ? ? ? 
it had to be done >>>>> ? ? ? ? ? ? > that way. >>>>> >>>>> >>>>> ? ? ? ? ? ? In other rules I'd agree with you that making an easy >>>>> ? ? ? ? ? ? evasion is bad. >>>>> ? ? ? ? ? ? But in the malware side we have so many things that are >>>>> ? ? ? ? ? ? intended to look >>>>> ? ? ? ? ? ? like normal traffic. >>>>> >>>>> ? ? ? ? ? ? So in the malware side I err toward evadable but reliable >>>>> ? ? ? ? ? ? for a few reasons: >>>>> >>>>> ? ? ? ? ? ? 1. We've had many sigs out for years that are easily >>>>> ? ? ? ? ? ? evadable but the >>>>> ? ? ? ? ? ? malware authors just DON'T try to evade. And the strains >>>>> ? ? ? ? ? ? come and go >>>>> ? ? ? ? ? ? quickly sometimes. >>>>> >>>>> ? ? ? ? ? ? 2. False positives in these sigs are costly. In most >>>>> ? ? ? ? ? ? places that means >>>>> ? ? ? ? ? ? an IT guy has to go visit a workstation and check it out >>>>> ? ? ? ? ? ? by hand. Costs >>>>> ? ? ? ? ? ? money and costs the security group their reputation for >>>>> ? ? ? ? ? ? reliability. >>>>> >>>>> ? ? ? ? ? ? 3. If they do try to evade we'll generally catch the >>>>> ? ? ? ? ? ? change in the >>>>> ? ? ? ? ? ? sandnet or in the analysis' put up by av vendors and the >>>>> ? ? ? ? ? ? like. >>>>> >>>>> ? ? ? ? ? ? Anyone have a differing argument for this philosophy? >>>>> ? ? ? ? ? ? It's what I tend >>>>> ? ? ? ? ? ? to apply to all of the virus/malware and spyware sigs. >>>>> >>>>> ? ? ? ? ? ? Matt >>>>> >>>>> >>>>> ? ? ? ? ? ? > >>>>> ? ? ? ? ? ? > >>>>> ? ? ? ? ? ? ------------------------------------------------------------------------ >>>>> ? ? ? ? ? ? > >>>>> ? ? ? ? ? ? > _______________________________________________ >>>>> ? ? ? ? ? ? > Emerging-sigs mailing list >>>>> ? ? ? ? ? ? > Emerging-sigs at emergingthreats.net >>>>> ? ? ? ? ? ? >>>>> ? ? ? ? ? ? > >>>>> ? ? ? ? ? ? http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>>> >>>>> ? ? ? ? ? ? -- >>>>> ? ? ? ? ? ? 
-------------------------------------------- >>>>> >>>>> >>>>> ? ? ? ? ? ? Matthew Jonkman >>>>> ? ? ? ? ? ? Emerging Threats >>>>> ? ? ? ? ? ? Phone 765-429-0398 >>>>> ? ? ? ? ? ? Fax 312-264-0205 >>>>> ? ? ? ? ? ? http://www.emergingthreats.net >>>>> ? ? ? ? ? ? -------------------------------------------- >>>>> >>>>> ? ? ? ? ? ? PGP: http://www.jonkmans.com/mattjonkman.asc >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> ? ? ? ? -- >>>>> ? ? ? ? Joel Esler >>>>> ? ? ? ? T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com >>>>> ? ? ? ? >>>>> ? ? ? ? [m] >>>>> >>>>> ? ? ? ? _______________________________________________ >>>>> ? ? ? ? Emerging-sigs mailing list >>>>> ? ? ? ? Emerging-sigs at emergingthreats.net >>>>> ? ? ? ? http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> >>>> >>>> >>>> >>>> ? ? -- >>>> ? ? Joel Esler >>>> ? ? T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com >>>> ? ? >>>> ? ? [m] >>> >>> >>> >>> >>> -- >>> Joel Esler >>> T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com >>> >>> [m] >>> >>> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> -- >> -------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> -------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > > > > -- > Darren Spruell > phatbuckett at gmail.com > -- joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974 From dxp2532 at gmail.com Fri Apr 3 10:14:33 2009 From: dxp2532 at gmail.com (dxp) 
Date: Fri, 03 Apr 2009 11:14:33 -0400
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com>
References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <49B68FAB.8040209@jonkmans.com> <314cf0830903100917s44424054w4afb19f819fba94@mail.gmail.com> <49B69DCD.7000703@jonkmans.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com>
Message-ID: <1238771673.7285.27.camel@kinta>

After looking at the GET generation code it appears this particular variant will create URIs with this form:

/ base64 / base64 Y5 / X? / Z2 base64 / base64 W3 /

where:

base64 = base64 encoded crypted string based on embedded strings and random numbers
Y5 = randomly generated integer 5 digits long
X? = randomly generated integer, varying digit lengths
Z2 = randomly generated integer 2 digits long
W3 = randomly generated integer 3 digits long

These integers are part of the encryption key used to create the base64 strings and thus needed to decode on the server side. The data encoded in the strings is not based on the user's information but rather on embedded constants in the malware. Perhaps some form of identification scheme.

Here are the PCREs for each segment of the URI:

/AWsPa39hKhs              \/[A-Za-z0-9]{2,16}
/XTJdbT85bE021115         \/[A-Za-z0-9]{2,16}\d{5}
/9347                     \/\d{1,5}
/42DmQLPmg3bw             \/\d{2}[A-Za-z0-9]{2,16}
/QDBcPTkzbU1jbFgM223/     \/[A-Za-z0-9]{2,16}\d{3}\/

The length of Base64 encoded strings may vary between variants as it depends on 2 constant strings which may serve as some form of identification. In this case it was: "liberate", and two integers represented as ascii.
-
-=[ dxp ]=-
0xA3F3C6E3

On Thu, 2009-04-02 at 16:34 -0700, Darren Spruell wrote:
> Looks like the pcre we settled on for the committed revision of this
> rule was too specific; we dug out another compromised client from
> proxy logs and found the following requests which had some differences
> in the URI:
>
> Namely, several of the characters in the leading classes were
> different, the number of digits in the third section were less than
> anticipated, and the final section was of lesser length.
> I made adjustments and came up with the following altered regex:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/\w{11}\/\w{16}\/\d{1,5}\/\d{2}\w{10}\/\w{6,}/sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:?;)
>
> I hesitate to make the matches much tighter as we've also had reports
> of other variations of the C2 requests so more general may be the way
> to go. Feedback of course welcome.
>
> DS
>
> On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote:
> > Just going through the sandnet database and there's not a single entry
> > that has the same typo, so we'll have to assume it unique to this
> > rolling of this variant.
> >
> > I'll keep an eye out and see if it shows up with anything else. Very
> > interesting one.
> >
> > Matt
> >
> > Joel Esler wrote:
> >> I think the rule might be good enough with the en-en match. That's
> >> pretty specific.
> >>
> >> J
> >>
> >> On Wed, Mar 11, 2009 at 2:46 PM, dxp wrote:
> >>
> >> Here's another one, noticed it only after dissecting the binary.
> >> The UAS is missing a space between IE version string and Windows
> >> version string. There should be a space after the semicolon.
> >>
> >> /User-Agent: Mozilla/4.0 (compatible; MSIE //*6.0;Windows*// NT 5.1)/
> >>
> >> On Tue, 2009-03-10 at 17:23 -0400, Joel Esler wrote:
> >>> Nice catch.
> >>>
> >>> On Tue, Mar 10, 2009 at 4:45 PM, dxp wrote:
> >>>
> >>> Regarding the "Accept-Language:" header, looks like the value
> >>> used ("en-en") is not legit. That's an anomaly which can be
> >>> used to extend the language header match.
> >>>
> >>> On Tue, 2009-03-10 at 14:37 -0400, Joel Esler wrote:
> >>>> How about
> >>>>
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:stateless; content:"GET "; depth:4; nocase; isdataat:62,relative; content:"|0d 0a|Accept-Language"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; sid:2009125; rev:4;)
> >>>>
> >>>> Notes:
> >>>> Flow
> >>>> isdataat
> >>>> Accept-Language inclusion
> >>>> Pcre that is not only more accurate, but is also correct.
> >>>> (the original pcre could be (as was) evaded).
> >>>>
> >>>> J
> >>>>
> >>>> On Tue, Mar 10, 2009 at 1:05 PM, Matt Jonkman wrote:
> >>>>
> >>>> Joel Esler wrote:
> >>>> >
> >>>> > Is it not unique in the pcap that I was sent. The accept-language will
> >>>> > fire a lot, but you need it for the prequalification step in the FP
> >>>> > portion of the engine. Fire on accept-language, keep the "GET", do an
> >>>> > anchor at offset of 0, use an isdataat to test length, pcre to qualify
> >>>> > and fire. Test the difference in between the two rules with rule
> >>>> > profiling. See how it goes.
> >>>>
> >>>> The GET has a depth of 4 so that's equivalent to offset 0 no?
> >>>>
> >>>> Isdataat is a good idea. There will likely be data after the url string
> >>>> length, so maybe just a content:!"|0d 0a|"; within:62;
> >>>>
> >>>> The uri is between 64 and 67 bytes in the samples depending on the
> >>>> length of that numeric string so I went 62 just in case.
> >>>>
> >>>> So:
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:0; content:!"|0d 0a|"; within:62; content:"/"; distance:16; within:1; content:"/"; distance:3; within:5; content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3; pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; classtype:trojan-activity; sid:2009125; rev:3;)
> >>>>
> >>>> Is that going to work? The negated content isn't going to put the ptr at
> >>>> the end of 62 is it? hmmmm
> >>>>
> >>>> > So if I was a malware writer, all I have to do is use a POST and I
> >>>> > bypass your rule. You do NOT want to eliminate the others, as that will
> >>>> > open you to false negatives. Up to you. For this particular sample,
> >>>> > you can keep your GET, I just want you to be aware that overall, a check
> >>>> > for GET is usually bad. In all of the rules the VRT has written,
> >>>> > (14,000+) as of current build, there are 38 live rules that do a content
> >>>> > check for GET. If you look at them, you will see why it had to be done
> >>>> > that way.
> >>>>
> >>>> In other rules I'd agree with you that making an easy evasion is bad.
> >>>> But in the malware side we have so many things that are intended to look
> >>>> like normal traffic.
> >>>>
> >>>> So in the malware side I err toward evadable but reliable for a few reasons:
> >>>>
> >>>> 1. We've had many sigs out for years that are easily evadable but the
> >>>> malware authors just DON'T try to evade. And the strains come and go
> >>>> quickly sometimes.
> >>>>
> >>>> 2. False positives in these sigs are costly.
> >>>> In most places that means
> >>>> an IT guy has to go visit a workstation and check it out by hand. Costs
> >>>> money and costs the security group their reputation for reliability.
> >>>>
> >>>> 3. If they do try to evade we'll generally catch the change in the
> >>>> sandnet or in the analyses put up by av vendors and the like.
> >>>>
> >>>> Anyone have a differing argument for this philosophy? It's what I tend
> >>>> to apply to all of the virus/malware and spyware sigs.
> >>>>
> >>>> Matt

From phatbuckett at gmail.com Fri Apr 3 10:36:33 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Fri, 3 Apr 2009 08:36:33 -0700
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <1238771673.7285.27.camel@kinta>
References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <49B69DCD.7000703@jonkmans.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> <1238771673.7285.27.camel@kinta>
Message-ID: <839aec700904030836t7e430c84k8ea30a6714f7afae@mail.gmail.com>

I can verify that this expression matches all requests I've got record of.
Adjusted rule at this point (?):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{5}\/\d{1,5}\/\d{2}[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{3}\//sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:?;)

DS

On Fri, Apr 3, 2009 at 8:14 AM, dxp wrote:
> After looking at the GET generation code it appears this particular variant
> will create URIs with this form:
>
> / base64 / base64 Y5 / X? / Z2 base64 / base64 W3 /
--
Darren Spruell
phatbuckett at gmail.com

From jgimer at gmail.com Fri Apr 3 11:08:43 2009
From: jgimer at gmail.com (Joshua Gimer)
Date: Fri, 3 Apr 2009 10:08:43 -0600
Subject: [Emerging-Sigs] PowerPoint zero-day vulnerability (969136)
Message-ID:

Does anyone have any more information about this that could
be used for generating a sig?

--
Thx
Joshua Gimer

From David.R.Wharton at regions.com Fri Apr 3 11:17:14 2009
From: David.R.Wharton at regions.com (David.R.Wharton@regions.com)
Date: Fri, 3 Apr 2009 11:17:14 -0500
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <1238771673.7285.27.camel@kinta>
Message-ID:

If it is base64 encoded wouldn't you expect some '=' characters or is the length always a multiple of three?

-David

dxp
Sent by: emerging-sigs-bounces at emergingthreats.net
04/03/2009 10:14 AM

To: Darren Spruell
cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A

After looking at the GET generation code it appears this particular variant will create URIs with this form:

/ base64 / base64 Y5 / X? / Z2 base64 / base64 W3 /
- -=[ dxp ]=- 0xA3F3C6E3 On Thu, 2009-04-02 at 16:34 -0700, Darren Spruell wrote: Looks like the pcre we settled on for the committed revision of this rule was too specific; we dug out another compromised client from proxy logs and found the following requests which had some differences in the URI: /C20Lb3VnLh8/UzBdPzI1aHo43323/3503/31UjBdODc2aw/Vw4111/ /CW0NbndnKB4/UTBbPjA1bkg31813/1562/18UDBbCzU2bQ/VQ4231/ /CW4Lb3dkLh8/UTNdPzA2aHo21229/1603/21UDNdODU1aw/VQ0213/ /CWANbnNjJho/UT1bPgExYEw32112/18625/33UD1bCzEyYw/VQM222/ /CWkPaX5jLxg/UTRtDDkxaU411229/11458/21UDRtPjwyWw/VQo942/ /CmwJZXFgKh4/UgVfNTYybEg12221/24297/31UwVfMjMxbw/Vg8211/ /CWsMaHZjLRs/UTZaODExa0013313/13740/21UDZaPwQyaA/VQg122/ /CWsMaHZjLRs/UTZaODExa0062211/13740/56UDZaPwQyaA/VQg111/ /Cm4JZHVgKB4/UjNfNDIybkg43226/26283/17UzNfMzcxbQ/Vg0214/ /CmkDbH5gLxQ/UjRVPDkyaUI31521/21808/15UzRVOzwxWw/Vgo221/ /CmgKanRgLh0/UjVcOjMyaEs11212/20162/91UzVcPTYxaw/Vgs411/ /CmoJaXVgLB4/UjdfDDIyWEg51234/22253/12UzdfPjcxaQ/Vgk118/ /C2oKaHNhLB0/UzdcOAEzWEs73752/32145/47UjdcPzEwaQ/Vwk173/ /DGACa3JqJxs/YD1UOzU4YU032726/4897/11VT1UPDA7Yg/UAM122/ /C28Da3VlJhs/UzJVOzI3YE022432/3787/11UjJVPDc0Yw/Vww243/ /CWAPZHFjJhg/UT1tNDYxYE432222/18487/83UD1tMzMyYw/VQM113/ /CW4LbnNjKBw/UTNdPgExbko22518/16025/11UDNdCzEybQ/VQ0611/ /CmoOZXdgLBk/UjdYNTAyWE881112/22591/12UzdYMjUxaQ/Vgk411/ /VGsPa35hKhs/WDZtOzkzbE024119/8347/17WTZtPDwwbw/XAg311/ /CW0ObXdnKx0/UTBYPTA1bUs22121/1551/21UDBYOjU2bg/VQ4211/ /Cm8Pa3RlKhs/UjJtOzM3bE011221/2747/21UzJtPDY0bw/Vgw213/ /AWsKaH9hLxg/WTZcODgzaU423113/9314/68WDZcPz0wWw/XQg222/ /Cm8La3RlLhs/UjJdOzM3aE064612/2707/11UzJdPDY0aw/Vgw113/ /DG0LaXJnLhk/YDBdDDU1aE822832/4505/11VTBdPjA2aw/UA4123/ /C2kJbnNhLx4/UzRfPgEzaUg12125/31225/28UjRfCzEwWw/Vwo121/ /CmgCZX9gLhU/UjVUNTgyaEM21221/20999/93UzVUMj0xaw/Vgs133/ /CWwLanNjKhw/UQVdOgExbEo11223/14065/17UAVdPTEybw/VQ8121/ /CWwOZH5jKhk/UQVYNDkxbE879137/14588/29UAVYMzwybw/VQ8121/ /D2wCZXFmJxU/VwVUNTY0YUM86324/7499/12VgVUMjM3Yg/Uw8283/ /Cm4LZH9gKBw/UjNdNDgybko22811/26089/33UzNdMz0xbQ/Vg0321/ 
/CW8OZHNjKRk/UTJYNAExb0822122/17585/31UDJYMzEybA/VQw226/
/CW4Man9jKBs/UTNaOjgxbk021212/16769/22UDNaPT0ybQ/VQ0212/
/VGsNaX5hKBk/WDZbDDkzbk822121/8365/12WTZbPjwwbQ/XAg821/
/AWEIb39rLR8/WTxePzg5a3o29221/9933/88WDxeOD06aA/XQI212/
/C2kDZHBhLxQ/UzRVNDczaUI21121/31886/33UjRVMzIwWw/Vwo272/
/AWANa39qKBs/WT1bOzg4bk026921/9867/12WD1bPD07bQ/XQM522/
/CW4MbnRjKBs/UTNaPjMxbk012611/16722/14UDNaCzYybQ/VQ0142/
/C2sNbHVhKBw/UzZbPDIzbko92831/3360/21UjZbOzcwbQ/Vwg123/
/C2wIaHVmLRg/UwVeODI0a0422172/34/12UgVePzc3aA/Vw8322/
/CWsKanBjLR0/UTZcOjcxa0s22112/13166/71UDZcPTIyaA/VQg921/
/CWgJaX9jLh4/UTVfDDgxaEg16921/10259/12UDVfPj0yaw/VQs281/
/VG4CbX5kJx0/WDNUPTk2YUs23127/8691/71WTNUOjw1Yg/XA0291/
/CmEMaXFgJxs/UjxaDDYyYU033237/29757/11UzxaPjMxYg/VgI121/
/Dm4CbnBkJx4/VjNUPjc2YUg29262/6692/91VzNUCzI1Yg/Ug0224/
/C2gJa35hLh4/UzVfOzkzaEg33221/30278/72UjVfPDwwaw/Vws652/
/DGsLanJhLho/YDZdOjUzaEw11239/4306/22VTZdPTAwaw/UAg131/
/CmgJbHJgLh4/UjVfPDUyaEg31962/20204/22UzVfOzAxaw/Vgs151/
/CW4Ma3JjKBs/UTNaOzUxbk023332/16774/51UDNaPDAybQ/VQ0223/

Namely, several of the characters in the leading classes were different, the number of digits in the third section were less than anticipated, and the final section was of lesser length. I made adjustments and came up with the following altered regex:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/\w{11}\/\w{16}\/\d{1,5}\/\d{2}\w{10}\/\w{6,}/sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:?;)

I hesitate to make the matches much tighter as we've also had reports of other variations of the C2 requests so more general may be the way to go. Feedback of course welcome.
DS

On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote:
> Just going through the sandnet database and there's not a single entry
> that has the same typo, so we'll have to assume it's unique to this
> rolling of this variant.
>
> I'll keep an eye out and see if it shows up with anything else. Very
> interesting one.
>
> Matt
>
> Joel Esler wrote:
>> I think the rule might be good enough with the en-en match. That's
>> pretty specific.
>>
>> J
>>
>> On Wed, Mar 11, 2009 at 2:46 PM, dxp wrote:
>>
>> Here's another one, noticed it only after dissecting the binary.
>> The UAS is missing a space between IE version string and Windows
>> version string. There should be a space after the semicolon.
>>
>> /User-Agent: Mozilla/4.0 (compatible; MSIE //*6.0;Windows*// NT 5.1)/
>>
>> -
>> -=[ dxp ]=-
>> 0xA3F3C6E3
>>
>> On Tue, 2009-03-10 at 17:23 -0400, Joel Esler wrote:
>>> Nice catch.
>>>
>>> On Tue, Mar 10, 2009 at 4:45 PM, dxp wrote:
>>>
>>> Regarding the "Accept-Language:" header, looks like the value
>>> used ("en-en") is not legit. That's an anomaly which can be
>>> used to extend the language header match.
>>>
>>> -
>>> -=[ dxp ]=-
>>> 0xA3F3C6E3
>>>
>>> On Tue, 2009-03-10 at 14:37 -0400, Joel Esler wrote:
>>>> How about
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:stateless; content:"GET "; depth:4; nocase; isdataat:62,relative; content:"|0d 0a|Accept-Language"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; sid:2009125; rev:4;)
>>>>
>>>> Notes:
>>>> Flow
>>>> isdataat
>>>> Accept-Language inclusion
>>>> Pcre that is not only more accurate, but is also correct.
>>>> (the original pcre could be (as was) evaded).
>>>>
>>>> J
>>>>
>>>> On Tue, Mar 10, 2009 at 1:05 PM, Matt Jonkman wrote:
>>>>
>>>> Joel Esler wrote:
>>>> >
>>>> > Is it not unique in the pcap that I was sent. The accept-language will
>>>> > fire a lot, but you need it for the prequalification step in the FP
>>>> > portion of the engine. Fire on accept-language, keep the "GET", do an
>>>> > anchor at offset of 0, use an isdataat to test length, pcre to qualify
>>>> > and fire. Test the difference in between the two rules with rule
>>>> > profiling. See how it goes.
>>>> >
>>>>
>>>> The GET has a depth of 4 so that's equivalent to offset 0 no?
>>>>
>>>> Isdataat is a good idea. There will likely be data after the url string
>>>> length, so maybe just a content:!"|0d 0a|"; within:62;
>>>>
>>>> The uri is between 64 and 67 bytes in the samples depending on the
>>>> length of that numeric string so I went 62 just in case.
>>>>
>>>> So:
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:0; content:!"|0d 0a|"; within:62; content:"/"; distance:16; within:1; content:"/"; distance:3; within:5; content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3; pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; classtype:trojan-activity; sid:2009125; rev:3;)
>>>>
>>>> Is that going to work? The negated content isn't going to put the ptr at
>>>> the end of 62 is it? hmmmm
>>>>
>>>> >
>>>> > So if I was a malware writer, all I have to do is use a POST and I
>>>> > bypass your rule. You do NOT want to eliminate the others, as that will
>>>> > open you to false negatives. Up to you. For this particular sample,
>>>> > you can keep your GET, I just want you to be aware that overall, a check
>>>> > for GET is usually bad. In all of the rules the VRT has written,
>>>> > (14,000+) as of current build, there are 38 live rules that do a content
>>>> > check for GET. If you look at them, you will see why it had to be done
>>>> > that way.
>>>>
>>>> In other rules I'd agree with you that making an easy evasion is bad.
>>>> But in the malware side we have so many things that are intended to look
>>>> like normal traffic.
>>>>
>>>> So in the malware side I err toward evadable but reliable for a few reasons:
>>>>
>>>> 1. We've had many sigs out for years that are easily evadable but the
>>>> malware authors just DON'T try to evade. And the strains come and go
>>>> quickly sometimes.
>>>>
>>>> 2. False positives in these sigs are costly. In most places that means
>>>> an IT guy has to go visit a workstation and check it out by hand. Costs
>>>> money and costs the security group their reputation for reliability.
>>>>
>>>> 3. If they do try to evade we'll generally catch the change in the
>>>> sandnet or in the analyses put up by av vendors and the like.
>>>>
>>>> Anyone have a differing argument for this philosophy? It's what I tend
>>>> to apply to all of the virus/malware and spyware sigs.
>>>>
>>>> Matt
>>>>
>>>> --
>>>> Joel Esler
>>>> T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com
From jonkman at jonkmans.com Fri Apr 3 14:05:51 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 03 Apr 2009 15:05:51 -0400
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <839aec700904030836t7e430c84k8ea30a6714f7afae@mail.gmail.com>
References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <49B69DCD.7000703@jonkmans.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> <1238771673.7285.27.camel@kinta> <839aec700904030836t7e430c84k8ea30a6714f7afae@mail.gmail.com>
Message-ID: <49D65E0F.1010000@jonkmans.com>

Great detective work everyone!!! I've replaced the pcre and it's pushing out now.

Matt

Darren Spruell wrote:
> I can verify that this expression matches all requests I've got record
> of.
> Adjusted rule at this point (?):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{5}\/\d{1,5}\/\d{2}[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{3}\//sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:?;)
>
> DS
From david.glosser at gmail.com Fri Apr 3 14:30:30 2009
From: david.glosser at gmail.com (David Glosser)
Date: Fri, 3 Apr 2009 15:30:30 -0400
Subject: [Emerging-Sigs] conficker
Message-ID:

can any information from the following be useful in creating conficker P2P sig?

https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer

From jonkman at jonkmans.com Fri Apr 3 14:37:09 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 03 Apr 2009 15:37:09 -0400
Subject: [Emerging-Sigs] conficker
In-Reply-To:
References:
Message-ID: <49D66565.80608@jonkmans.com>

There are some sigs out, just looking to test them and see how they fare:

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/NetworkDetection

By Shirkdog.
Sample snort signatures for UDP p2p traffic (by Shirkdog - Emerging Threats)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/ ; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ; sid:666661; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/ ; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ; sid:666662; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ; sid:666663; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/ ; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ; sid:666664; rev:3;)

David Glosser wrote:
> can any information from the following be useful in creating conficker P2P sig?
>
> https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer

From jonkman at jonkmans.com Fri Apr 3 14:41:23 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 03 Apr 2009 15:41:23 -0400
Subject: [Emerging-Sigs] conficker
In-Reply-To:
References:
Message-ID: <49D66663.1020803@jonkmans.com>

I went ahead and posted these. I've had positive feedback on accuracy. Please let us all know if anyone sees false positive issues.

Matt

David Glosser wrote:
> can any information from the following be useful in creating conficker P2P sig?
>
> https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer

From eslerj at gmail.com Fri Apr 3 14:41:45 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 3 Apr 2009 15:41:45 -0400
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <839aec700904030836t7e430c84k8ea30a6714f7afae@mail.gmail.com>
References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> <1238771673.7285.27.camel@kinta> <839aec700904030836t7e430c84k8ea30a6714f7afae@mail.gmail.com>
Message-ID: <314cf0830904031241n28f78badte389717e184702b3@mail.gmail.com>

Yes, and it's also very very intensive and wide open, which is why I wrote what I did. I would suggest taking the time to write the correct pcre. It took me about 10 minutes to write the other one.

J

On Fri, Apr 3, 2009 at 11:36 AM, Darren Spruell wrote:
> I can verify that this expression matches all requests I've got record
> of.
Adjusted rule at this point (?): > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN > Trojan.Win32.Inject.esi Outbound Communication"; > flow:established,to_server; content:"GET "; depth:4; > isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; > nocase; pcre:"/\/[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{5}\/\d{1,5}\/\d{2}[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{3}\//sm"; > classtype:trojan-activity; > reference:url,doc.emergingthreats.net/2009125; > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; > sid:2009125; rev:?;) > > DS > > On Fri, Apr 3, 2009 at 8:14 AM, dxp wrote: >> After looking at the GET generation code it appears this particular variant >> will create URIs with this form: >> >> / base64 / base64 Y5 / X? / Z2 base64 / base64 W3 / >> >> where: >> >> base64 = base64 encoded crypted string based on embeded strings and random >> numbers >> Y5 = randomly generated integer 5 digits long >> X? = randomly generated integer, varying digit lengths >> Z2 = randomly generated integer 2 digits long >> W3 = randomly generated integer 3 digits long >> >> These integers are part of the encryption key used to create the base64 >> strings and thus needed to decode on the server side.? The data encoded in >> the strings is not based on user's information rather on embeded constants >> in the malware.? Perhaps some form of identification scheme. >> >> Here are the PCREs for each segment of the URI: >> >> /AWsPa39hKhs??????????????????????? \/[A-Za-z0-9]{2,16} >> /XTJdbT85bE021115?????????????? \/[A-Za-z0-9]{2,16}\d{5} >> /9347????????????????????????????????????? \/\d{1,5} >> /42DmQLPmg3bw??????????????????? \/\d{2}[A-Za-z0-9]{2,16} >> /QDBcPTkzbU1jbFgM223/??????? \/[A-Za-z0-9]{2,16}\d{3}\/ >> >> The length of Base64 encoded strings may vary between variants as it depends >> on 2 constant strings which may serve as some form of identification.? 
>> In this case it was: "liberate", and two integers represented as ascii.
>>
>> -
>>
>> -=[ dxp ]=-
>> 0xA3F3C6E3
>>
>>
>> On Thu, 2009-04-02 at 16:34 -0700, Darren Spruell wrote:
>>
>> Looks like the pcre we settled on for the committed revision of this
>> rule was too specific; we dug out another compromised client from
>> proxy logs and found the following requests which had some differences
>> in the URI:
>>
>> /C20Lb3VnLh8/UzBdPzI1aHo43323/3503/31UjBdODc2aw/Vw4111/
>> /CW0NbndnKB4/UTBbPjA1bkg31813/1562/18UDBbCzU2bQ/VQ4231/
>> /CW4Lb3dkLh8/UTNdPzA2aHo21229/1603/21UDNdODU1aw/VQ0213/
>> /CWANbnNjJho/UT1bPgExYEw32112/18625/33UD1bCzEyYw/VQM222/
>> /CWkPaX5jLxg/UTRtDDkxaU411229/11458/21UDRtPjwyWw/VQo942/
>> /CmwJZXFgKh4/UgVfNTYybEg12221/24297/31UwVfMjMxbw/Vg8211/
>> /CWsMaHZjLRs/UTZaODExa0013313/13740/21UDZaPwQyaA/VQg122/
>> /CWsMaHZjLRs/UTZaODExa0062211/13740/56UDZaPwQyaA/VQg111/
>> /Cm4JZHVgKB4/UjNfNDIybkg43226/26283/17UzNfMzcxbQ/Vg0214/
>> /CmkDbH5gLxQ/UjRVPDkyaUI31521/21808/15UzRVOzwxWw/Vgo221/
>> /CmgKanRgLh0/UjVcOjMyaEs11212/20162/91UzVcPTYxaw/Vgs411/
>> /CmoJaXVgLB4/UjdfDDIyWEg51234/22253/12UzdfPjcxaQ/Vgk118/
>> /C2oKaHNhLB0/UzdcOAEzWEs73752/32145/47UjdcPzEwaQ/Vwk173/
>> /DGACa3JqJxs/YD1UOzU4YU032726/4897/11VT1UPDA7Yg/UAM122/
>> /C28Da3VlJhs/UzJVOzI3YE022432/3787/11UjJVPDc0Yw/Vww243/
>> /CWAPZHFjJhg/UT1tNDYxYE432222/18487/83UD1tMzMyYw/VQM113/
>> /CW4LbnNjKBw/UTNdPgExbko22518/16025/11UDNdCzEybQ/VQ0611/
>> /CmoOZXdgLBk/UjdYNTAyWE881112/22591/12UzdYMjUxaQ/Vgk411/
>> /VGsPa35hKhs/WDZtOzkzbE024119/8347/17WTZtPDwwbw/XAg311/
>> /CW0ObXdnKx0/UTBYPTA1bUs22121/1551/21UDBYOjU2bg/VQ4211/
>> /Cm8Pa3RlKhs/UjJtOzM3bE011221/2747/21UzJtPDY0bw/Vgw213/
>> /AWsKaH9hLxg/WTZcODgzaU423113/9314/68WDZcPz0wWw/XQg222/
>> /Cm8La3RlLhs/UjJdOzM3aE064612/2707/11UzJdPDY0aw/Vgw113/
>> /DG0LaXJnLhk/YDBdDDU1aE822832/4505/11VTBdPjA2aw/UA4123/
>> /C2kJbnNhLx4/UzRfPgEzaUg12125/31225/28UjRfCzEwWw/Vwo121/
>> /CmgCZX9gLhU/UjVUNTgyaEM21221/20999/93UzVUMj0xaw/Vgs133/
>> /CWwLanNjKhw/UQVdOgExbEo11223/14065/17UAVdPTEybw/VQ8121/
>> /CWwOZH5jKhk/UQVYNDkxbE879137/14588/29UAVYMzwybw/VQ8121/
>> /D2wCZXFmJxU/VwVUNTY0YUM86324/7499/12VgVUMjM3Yg/Uw8283/
>> /Cm4LZH9gKBw/UjNdNDgybko22811/26089/33UzNdMz0xbQ/Vg0321/
>> /CW8OZHNjKRk/UTJYNAExb0822122/17585/31UDJYMzEybA/VQw226/
>> /CW4Man9jKBs/UTNaOjgxbk021212/16769/22UDNaPT0ybQ/VQ0212/
>> /VGsNaX5hKBk/WDZbDDkzbk822121/8365/12WTZbPjwwbQ/XAg821/
>> /AWEIb39rLR8/WTxePzg5a3o29221/9933/88WDxeOD06aA/XQI212/
>> /C2kDZHBhLxQ/UzRVNDczaUI21121/31886/33UjRVMzIwWw/Vwo272/
>> /AWANa39qKBs/WT1bOzg4bk026921/9867/12WD1bPD07bQ/XQM522/
>> /CW4MbnRjKBs/UTNaPjMxbk012611/16722/14UDNaCzYybQ/VQ0142/
>> /C2sNbHVhKBw/UzZbPDIzbko92831/3360/21UjZbOzcwbQ/Vwg123/
>> /C2wIaHVmLRg/UwVeODI0a0422172/34/12UgVePzc3aA/Vw8322/
>> /CWsKanBjLR0/UTZcOjcxa0s22112/13166/71UDZcPTIyaA/VQg921/
>> /CWgJaX9jLh4/UTVfDDgxaEg16921/10259/12UDVfPj0yaw/VQs281/
>> /VG4CbX5kJx0/WDNUPTk2YUs23127/8691/71WTNUOjw1Yg/XA0291/
>> /CmEMaXFgJxs/UjxaDDYyYU033237/29757/11UzxaPjMxYg/VgI121/
>> /Dm4CbnBkJx4/VjNUPjc2YUg29262/6692/91VzNUCzI1Yg/Ug0224/
>> /C2gJa35hLh4/UzVfOzkzaEg33221/30278/72UjVfPDwwaw/Vws652/
>> /DGsLanJhLho/YDZdOjUzaEw11239/4306/22VTZdPTAwaw/UAg131/
>> /CmgJbHJgLh4/UjVfPDUyaEg31962/20204/22UzVfOzAxaw/Vgs151/
>> /CW4Ma3JjKBs/UTNaOzUxbk023332/16774/51UDNaPDAybQ/VQ0223/
>>
>> Namely, several of the characters in the leading classes were
>> different, the number of digits in the third section were less than
>> anticipated, and the final section was of lesser length.
>> I made adjustments and came up with the following altered regex:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Trojan.Win32.Inject.esi Outbound Communication";
>> flow:established,to_server; content:"GET "; depth:4;
>> isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en";
>> nocase; pcre:"/\/\w{11}\/\w{16}\/\d{1,5}\/\d{2}\w{10}\/\w{6,}/sm";
>> classtype:trojan-activity;
>> reference:url,doc.emergingthreats.net/2009125;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam;
>> sid:2009125; rev:?;)
>>
>> I hesitate to make the matches much tighter as we've also had reports
>> of other variations of the C2 requests so more general may be the way
>> to go. Feedback of course welcome.
>>
>> DS
>>
>> On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote:
>>> Just going through the sandnet database and there's not a single entry
>>> that has the same typo, so we'll have to assume it's unique to this
>>> rolling of this variant.
>>>
>>> I'll keep an eye out and see if it shows up with anything else. Very
>>> interesting one.
>>>
>>> Matt
>>>
>>> Joel Esler wrote:
>>>> I think the rule might be good enough with the en-en match. That's
>>>> pretty specific.
>>>>
>>>> J
>>>>
>>>> On Wed, Mar 11, 2009 at 2:46 PM, dxp wrote:
>>>>
>>>>     Here's another one, noticed it only after dissecting the binary.
>>>>     The UAS is missing a space between IE version string and Windows
>>>>     version string. There should be a space after the semicolon.
>>>>
>>>>         /User-Agent: Mozilla/4.0 (compatible; MSIE //*6.0;Windows*// NT
>>>>         5.1)/
>>>>
>>>>     -
>>>>
>>>>     -=[ dxp ]=-
>>>>     0xA3F3C6E3
>>>>
>>>>
>>>>     On Tue, 2009-03-10 at 17:23 -0400, Joel Esler wrote:
>>>>>     Nice catch.
>>>>>
>>>>>     On Tue, Mar 10, 2009 at 4:45 PM, dxp wrote:
>>>>>
>>>>>         Regarding the "Accept-Language:" header, looks like the value
>>>>>         used ("en-en") is not legit. That's an anomaly which can be
>>>>>         used to extend the language header match.
>>>>>
>>>>>         -
>>>>>
>>>>>         -=[ dxp ]=-
>>>>>         0xA3F3C6E3
>>>>>
>>>>>
>>>>>         On Tue, 2009-03-10 at 14:37 -0400, Joel Esler wrote:
>>>>>>         How about
>>>>>>
>>>>>>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>>>>>         (msg:"TROJAN Trojan.Win32.Inject.esi Outbound Communication";
>>>>>>         flow:stateless; content:"GET "; depth:4; nocase;
>>>>>>         isdataat:62,relative; content:"|0d 0a|Accept-Language";
>>>>>>         nocase;
>>>>>>         pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm";
>>>>>>         classtype:trojan-activity; sid:2009125; rev:4;)
>>>>>>
>>>>>>         Notes:
>>>>>>         Flow
>>>>>>         isdataat
>>>>>>         Accept-Language inclusion
>>>>>>         Pcre that is not only more accurate, but is also correct
>>>>>>         (the original pcre could be (as was) evaded).
>>>>>>
>>>>>>         J
>>>>>>
>>>>>>         On Tue, Mar 10, 2009 at 1:05 PM, Matt Jonkman wrote:
>>>>>>
>>>>>>             Joel Esler wrote:
>>>>>>             >
>>>>>>             > Is it not unique in the pcap that I was sent. The
>>>>>>             > accept-language will fire a lot, but you need it for the
>>>>>>             > prequalification step in the FP portion of the engine. Fire on
>>>>>>             > accept-language, keep the "GET", do an anchor at offset of 0,
>>>>>>             > use an isdataat to test length, pcre to qualify and fire. Test
>>>>>>             > the difference in between the two rules with rule profiling.
>>>>>>             > See how it goes.
>>>>>>             >
>>>>>>             >
>>>>>>
>>>>>>             The GET has a depth of 4 so that's equivalent to
>>>>>>             offset 0 no?
>>>>>>
>>>>>>             isdataat is a good idea. There will likely be data after
>>>>>>             the url string length, so maybe just a content:!"|0d 0a|"; within:62;
>>>>>>
>>>>>>             The uri is between 64 and 67 bytes in the samples
>>>>>>             depending on the length of that numeric string so I went 62 just in case.
>>>>>>
>>>>>>             So:
>>>>>>             alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>>>>>             (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication";
>>>>>>             flow:established,to_server; content:"GET "; depth:4;
>>>>>>             content:"/"; distance:0; content:!"|0d 0a|"; within:62;
>>>>>>             content:"/"; distance:16; within:1; content:"/"; distance:3; within:5;
>>>>>>             content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3;
>>>>>>             pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U";
>>>>>>             classtype:trojan-activity; sid:2009125; rev:3;)
>>>>>>
>>>>>>             Is that going to work? The negated content isn't going to
>>>>>>             put the ptr at the end of 62 is it? hmmmm
>>>>>>
>>>>>>             >
>>>>>>             > So if I was a malware writer, all I have to do is use a
>>>>>>             > POST and I bypass your rule. You do NOT want to eliminate the
>>>>>>             > others, as that will open you to false negatives. Up to you. For this
>>>>>>             > particular sample, you can keep your GET, I just want you to be aware
>>>>>>             > that overall, a check for GET is usually bad. In all of the rules the
>>>>>>             > VRT has written,
>>>>>>             > (14,000+) as of current build, there are 38 live rules
>>>>>>             > that do a content check for GET. If you look at them, you will see
>>>>>>             > why it had to be done that way.
>>>>>>
>>>>>>             In other rules I'd agree with you that making an easy
>>>>>>             evasion is bad. But in the malware side we have so many things
>>>>>>             that are intended to look like normal traffic.
>>>>>>
>>>>>>             So in the malware side I err toward evadable but reliable
>>>>>>             for a few reasons:
>>>>>>
>>>>>>             1. We've had many sigs out for years that are easily
>>>>>>             evadable but the malware authors just DON'T try to evade. And the
>>>>>>             strains come and go quickly sometimes.
>>>>>>
>>>>>>             2. False positives in these sigs are costly. In most
>>>>>>             places that means an IT guy has to go visit a workstation and check
>>>>>>             it out by hand. Costs money and costs the security group their
>>>>>>             reputation for reliability.
>>>>>>
>>>>>>             3. If they do try to evade we'll generally catch the
>>>>>>             change in the sandnet or in the analyses put up by AV vendors and
>>>>>>             the like.
>>>>>>
>>>>>>             Anyone have a differing argument for this philosophy?
>>>>>>             It's what I tend to apply to all of the virus/malware and spyware sigs.
>>>>>>
>>>>>>             Matt
>>>>>>
>>>>>>             >
>>>>>>             >
>>>>>>             ------------------------------------------------------------------------
>>>>>>             >
>>>>>>             > _______________________________________________
>>>>>>             > Emerging-sigs mailing list
>>>>>>             > Emerging-sigs at emergingthreats.net
>>>>>>             > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>
>>>>>>             --
>>>>>>             Matthew Jonkman
>>>>>>             Emerging Threats
>>>>>>
>>>>>>         --
>>>>>>         Joel Esler
>>>>>>         T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com
>>>>>>         [m]
>>>>>
>>>>>     --
>>>>>     Joel Esler
>>>>>     T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com
>>>>>     [m]
>>>>
>>>> --
>>>> Joel Esler
>>>> T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com
>>>> [m]
>>>
>>> --
>>> Matthew Jonkman
>>> Emerging Threats
>>
>
> --
> Darren Spruell
> phatbuckett at gmail.com

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974


From eslerj at gmail.com Fri Apr 3 14:44:18 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 3 Apr 2009 15:44:18 -0400
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com>
References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <314cf0830903100917s44424054w4afb19f819fba94@mail.gmail.com> <49B69DCD.7000703@jonkmans.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com>
<839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com>
Message-ID: <314cf0830904031244x16372239vf4e395b0bb02b9fc@mail.gmail.com>

Darren,

Pcap?

Joel

On Thu, Apr 2, 2009 at 7:34 PM, Darren Spruell wrote:
> Looks like the pcre we settled on for the committed revision of this
> rule was too specific; we dug out another compromised client from
> proxy logs and found the following requests which had some differences
> in the URI:
>
> [...]
>
> Namely, several of the characters in the leading classes were
> different, the number of digits in the third section were less than
> anticipated, and the final section was of lesser length. I made
> adjustments and came up with the following altered regex:
>
> [...]
>
> I hesitate to make the matches much tighter as we've also had reports
> of other variations of the C2 requests so more general may be the way
> to go. Feedback of course welcome.
>
> DS
>
> On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote:
>> [...]
>
> --
> Darren Spruell
> phatbuckett at gmail.com

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974


From jaime.blasco at alienvault.com Fri Apr 3 14:58:46 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Fri, 3 Apr 2009 21:58:46 +0200
Subject: [Emerging-Sigs] conficker
In-Reply-To: <49D66663.1020803@jonkmans.com>
References: <49D66663.1020803@jonkmans.com>
Message-ID: <53834cf20904031258m68e271fub657fbd3bd53447d@mail.gmail.com>

I've positive matches too.

Regards

2009/4/3 Matt Jonkman
> I went ahead and posted these. I've had positive feedback on accuracy.
>
> Please let us all know if anyone sees false positive issues.
>
> Matt
>
> David Glosser wrote:
> > can any information from the following be useful in creating conficker
> > P2P sig?
> >
> > https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
>
> --
> Matthew Jonkman
> Emerging Threats

--
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090403/8245cef2/attachment.html


From emerging at emergingthreats.net Fri Apr 3 15:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 3 Apr 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090403200010.CE0084501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Apr 3 16:00:10 2009 [***]

[+++] Added rules: [+++]

 2009205 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging.rules)
 2009206 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging.rules)
 2009207 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging.rules)
 2009208 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging.rules)

[///] Modified active rules: [///]

 2009125 - ET TROJAN Trojan.Win32.Inject.esi Outbound Communication (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (4):
 2009205 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
 2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
 2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
 2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
 -> Added to emerging-sid-msg.map.txt (4):
 2009205 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
 2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
 2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/
 2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/

[---] Removed non-rule lines: [---]

 -> Removed from emerging-sid-msg.map (4):
 2500146 || ET COMPROMISED Known Compromised or Hostile Host Traffic (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500147 || ET COMPROMISED Known Compromised or Hostile Host Traffic (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510146 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510147 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 -> Removed from emerging-sid-msg.map.txt (4):
 2500146 || ET COMPROMISED Known Compromised or Hostile Host Traffic (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500147 || ET COMPROMISED Known Compromised or Hostile Host Traffic (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510146 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510147 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts


From phatbuckett at gmail.com Fri Apr 3 16:16:37 2009
From: phatbuckett at gmail.com (Darren Spruell)
Date: Fri, 3 Apr 2009 14:16:37 -0700
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <314cf0830904031244x16372239vf4e395b0bb02b9fc@mail.gmail.com>
References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <49B69DCD.7000703@jonkmans.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> <314cf0830904031244x16372239vf4e395b0bb02b9fc@mail.gmail.com>
Message-ID: <839aec700904031416y70508179tc9a918846e35b0a2@mail.gmail.com>

Sorry, none for this round. URIs scraped out of proxy logs.

DS

On Fri, Apr 3, 2009 at 12:44 PM, Joel Esler wrote:
> Darren,
>
> Pcap?
>
> Joel
>
> On Thu, Apr 2, 2009 at 7:34 PM, Darren Spruell wrote:
>> Looks like the pcre we settled on for the committed revision of this
>> rule was too specific; we dug out another compromised client from
>> proxy logs and found the following requests which had some differences
>> in the URI:
>>
>> /C20Lb3VnLh8/UzBdPzI1aHo43323/3503/31UjBdODc2aw/Vw4111/
>> /CW0NbndnKB4/UTBbPjA1bkg31813/1562/18UDBbCzU2bQ/VQ4231/
>> /CW4Lb3dkLh8/UTNdPzA2aHo21229/1603/21UDNdODU1aw/VQ0213/
>> /CWANbnNjJho/UT1bPgExYEw32112/18625/33UD1bCzEyYw/VQM222/
>> /CWkPaX5jLxg/UTRtDDkxaU411229/11458/21UDRtPjwyWw/VQo942/
>> /CmwJZXFgKh4/UgVfNTYybEg12221/24297/31UwVfMjMxbw/Vg8211/
>> /CWsMaHZjLRs/UTZaODExa0013313/13740/21UDZaPwQyaA/VQg122/
>> /CWsMaHZjLRs/UTZaODExa0062211/13740/56UDZaPwQyaA/VQg111/
>> /Cm4JZHVgKB4/UjNfNDIybkg43226/26283/17UzNfMzcxbQ/Vg0214/
>> /CmkDbH5gLxQ/UjRVPDkyaUI31521/21808/15UzRVOzwxWw/Vgo221/
>> /CmgKanRgLh0/UjVcOjMyaEs11212/20162/91UzVcPTYxaw/Vgs411/
>> /CmoJaXVgLB4/UjdfDDIyWEg51234/22253/12UzdfPjcxaQ/Vgk118/
>> /C2oKaHNhLB0/UzdcOAEzWEs73752/32145/47UjdcPzEwaQ/Vwk173/
>> /DGACa3JqJxs/YD1UOzU4YU032726/4897/11VT1UPDA7Yg/UAM122/
>> /C28Da3VlJhs/UzJVOzI3YE022432/3787/11UjJVPDc0Yw/Vww243/
>> /CWAPZHFjJhg/UT1tNDYxYE432222/18487/83UD1tMzMyYw/VQM113/
>> /CW4LbnNjKBw/UTNdPgExbko22518/16025/11UDNdCzEybQ/VQ0611/
>> /CmoOZXdgLBk/UjdYNTAyWE881112/22591/12UzdYMjUxaQ/Vgk411/
>> /VGsPa35hKhs/WDZtOzkzbE024119/8347/17WTZtPDwwbw/XAg311/
>> /CW0ObXdnKx0/UTBYPTA1bUs22121/1551/21UDBYOjU2bg/VQ4211/
>> /Cm8Pa3RlKhs/UjJtOzM3bE011221/2747/21UzJtPDY0bw/Vgw213/
>> /AWsKaH9hLxg/WTZcODgzaU423113/9314/68WDZcPz0wWw/XQg222/
>> /Cm8La3RlLhs/UjJdOzM3aE064612/2707/11UzJdPDY0aw/Vgw113/
>> /DG0LaXJnLhk/YDBdDDU1aE822832/4505/11VTBdPjA2aw/UA4123/
>> /C2kJbnNhLx4/UzRfPgEzaUg12125/31225/28UjRfCzEwWw/Vwo121/
>> /CmgCZX9gLhU/UjVUNTgyaEM21221/20999/93UzVUMj0xaw/Vgs133/
>> /CWwLanNjKhw/UQVdOgExbEo11223/14065/17UAVdPTEybw/VQ8121/
>> /CWwOZH5jKhk/UQVYNDkxbE879137/14588/29UAVYMzwybw/VQ8121/
>> /D2wCZXFmJxU/VwVUNTY0YUM86324/7499/12VgVUMjM3Yg/Uw8283/
>> /Cm4LZH9gKBw/UjNdNDgybko22811/26089/33UzNdMz0xbQ/Vg0321/
>> /CW8OZHNjKRk/UTJYNAExb0822122/17585/31UDJYMzEybA/VQw226/
>> /CW4Man9jKBs/UTNaOjgxbk021212/16769/22UDNaPT0ybQ/VQ0212/
>> /VGsNaX5hKBk/WDZbDDkzbk822121/8365/12WTZbPjwwbQ/XAg821/
>> /AWEIb39rLR8/WTxePzg5a3o29221/9933/88WDxeOD06aA/XQI212/
>> /C2kDZHBhLxQ/UzRVNDczaUI21121/31886/33UjRVMzIwWw/Vwo272/
>> /AWANa39qKBs/WT1bOzg4bk026921/9867/12WD1bPD07bQ/XQM522/
>> /CW4MbnRjKBs/UTNaPjMxbk012611/16722/14UDNaCzYybQ/VQ0142/
>> /C2sNbHVhKBw/UzZbPDIzbko92831/3360/21UjZbOzcwbQ/Vwg123/
>> /C2wIaHVmLRg/UwVeODI0a0422172/34/12UgVePzc3aA/Vw8322/
>> /CWsKanBjLR0/UTZcOjcxa0s22112/13166/71UDZcPTIyaA/VQg921/
>> /CWgJaX9jLh4/UTVfDDgxaEg16921/10259/12UDVfPj0yaw/VQs281/
>> /VG4CbX5kJx0/WDNUPTk2YUs23127/8691/71WTNUOjw1Yg/XA0291/
>> /CmEMaXFgJxs/UjxaDDYyYU033237/29757/11UzxaPjMxYg/VgI121/
>> /Dm4CbnBkJx4/VjNUPjc2YUg29262/6692/91VzNUCzI1Yg/Ug0224/
>> /C2gJa35hLh4/UzVfOzkzaEg33221/30278/72UjVfPDwwaw/Vws652/
>> /DGsLanJhLho/YDZdOjUzaEw11239/4306/22VTZdPTAwaw/UAg131/
>> /CmgJbHJgLh4/UjVfPDUyaEg31962/20204/22UzVfOzAxaw/Vgs151/
>> /CW4Ma3JjKBs/UTNaOzUxbk023332/16774/51UDNaPDAybQ/VQ0223/
>>
>> Namely, several of the characters in the leading classes were
>> different, the number of digits in the third section were less than
>> anticipated, and the final section was of lesser length.
>> I made
>> adjustments and came up with the following altered regex:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Trojan.Win32.Inject.esi Outbound Communication";
>> flow:established,to_server; content:"GET "; depth:4;
>> isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en";
>> nocase; pcre:"/\/\w{11}\/\w{16}\/\d{1,5}\/\d{2}\w{10}\/\w{6,}/sm";
>> classtype:trojan-activity;
>> reference:url,doc.emergingthreats.net/2009125;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam;
>> sid:2009125; rev:?;)
>>
>> I hesitate to make the matches much tighter as we've also had reports
>> of other variations of the C2 requests so more general may be the way
>> to go. Feedback of course welcome.
>>
>> DS
>>
>> On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote:
>>> Just going through the sandnet database and there's not a single entry
>>> that has the same typo, so we'll have to assume it's unique to this
>>> rolling of this variant.
>>>
>>> I'll keep an eye out and see if it shows up with anything else. Very
>>> interesting one.
>>>
>>> Matt
>>>
>>> Joel Esler wrote:
>>>> I think the rule might be good enough with the en-en match. That's
>>>> pretty specific.
>>>>
>>>> J
>>>>
>>>> On Wed, Mar 11, 2009 at 2:46 PM, dxp wrote:
>>>>
>>>>     Here's another one, noticed it only after dissecting the binary.
>>>>     The UAS is missing a space between IE version string and Windows
>>>>     version string. There should be a space after the semicolon.
>>>>
>>>>         /User-Agent: Mozilla/4.0 (compatible; MSIE //*6.0;Windows*// NT
>>>>         5.1)/
>>>>
>>>>     -
>>>>
>>>>     -=[ dxp ]=-
>>>>     0xA3F3C6E3
>>>>
>>>>     On Tue, 2009-03-10 at 17:23 -0400, Joel Esler wrote:
>>>>>     Nice catch.
>>>>>
>>>>>     On Tue, Mar 10, 2009 at 4:45 PM, dxp wrote:
>>>>>
>>>>>         Regarding the "Accept-Language:" header, looks like the value
>>>>>         used ("en-en") is not legit. That's an anomaly which can be
>>>>>         used to extend the language header match.
>>>>>
>>>>>         -
>>>>>
>>>>>         -=[ dxp ]=-
>>>>>         0xA3F3C6E3
>>>>>
>>>>>         On Tue, 2009-03-10 at 14:37 -0400, Joel Esler wrote:
>>>>>>         How about
>>>>>>
>>>>>>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>>>>>         (msg:"TROJAN Trojan.Win32.Inject.esi Outbound Communication";
>>>>>>         flow:stateless; content:"GET "; depth:4; nocase;
>>>>>>         isdataat:62,relative; content:"|0d 0a|Accept-Language";
>>>>>>         nocase;
>>>>>>         pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm";
>>>>>>         classtype:trojan-activity; sid:2009125; rev:4;)
>>>>>>
>>>>>>         Notes:
>>>>>>         Flow
>>>>>>         isdataat
>>>>>>         Accept-Language inclusion
>>>>>>         Pcre that is not only more accurate, but is also correct.
>>>>>>         (the original pcre could be (as was) evaded).
>>>>>>
>>>>>>         J
>>>>>>
>>>>>>         On Tue, Mar 10, 2009 at 1:05 PM, Matt Jonkman wrote:
>>>>>>
>>>>>>             Joel Esler wrote:
>>>>>>             >
>>>>>>             > Is it not unique in the pcap that I was sent. The accept-language will
>>>>>>             > fire a lot, but you need it for the prequalification step in the FP
>>>>>>             > portion of the engine. Fire on accept-language, keep the "GET", do an
>>>>>>             > anchor at offset of 0, use an isdataat to test length, pcre to qualify
>>>>>>             > and fire. Test the difference in between the two rules with rule
>>>>>>             > profiling. See how it goes.
>>>>>>             >
>>>>>>
>>>>>>             The GET has a depth of 4 so that's equivalent to offset 0 no?
>>>>>>
>>>>>>             Isdataat is a good idea. There will likely be data after the url string
>>>>>>             length, so maybe just a content:!"|0d 0a|"; within:62;
>>>>>>
>>>>>>             The uri is between 64 and 67 bytes in the samples depending on the
>>>>>>             length of that numeric string so I went 62 just in case.
>>>>>>
>>>>>>             So:
>>>>>>             alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>>>>             Trojan.Win32.Inject.esi Outbound Communication";
>>>>>>             flow:established,to_server; content:"GET "; depth:4; content:"/";
>>>>>>             distance:0; content:!"|0d 0a|"; within:62; content:"/"; distance:16;
>>>>>>             within:1; content:"/"; distance:3; within:5; content:"/"; distance:12;
>>>>>>             within:1; content:"/|0d 0a|"; distance:17; within:3;
>>>>>>             pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U";
>>>>>>             classtype:trojan-activity; sid:2009125; rev:3;)
>>>>>>
>>>>>>             Is that going to work? The negated content isn't going to put the ptr at
>>>>>>             the end of 62 is it? hmmmm
>>>>>>
>>>>>>             >
>>>>>>             > So if I was a malware writer, all I have to do is use a POST and I
>>>>>>             > bypass your rule. You do NOT want to eliminate the others, as that will
>>>>>>             > open you to false negatives. Up to you. For this particular sample,
>>>>>>             > you can keep your GET, I just want you to be aware that overall, a check
>>>>>>             > for GET is usually bad. In all of the rules the VRT has written,
>>>>>>             > (14,000+) as of current build, there are 38 live rules that do a content
>>>>>>             > check for GET. If you look at them, you will see why it had to be done
>>>>>>             > that way.
>>>>>>
>>>>>>             In other rules I'd agree with you that making an easy evasion is bad.
>>>>>>             But in the malware side we have so many things that are intended to look
>>>>>>             like normal traffic.
>>>>>>
>>>>>>             So in the malware side I err toward evadable but reliable for a few reasons:
>>>>>>
>>>>>>             1. We've had many sigs out for years that are easily evadable but the
>>>>>>             malware authors just DON'T try to evade. And the strains come and go
>>>>>>             quickly sometimes.
>>>>>>
>>>>>>             2. False positives in these sigs are costly. In most places that means
>>>>>>             an IT guy has to go visit a workstation and check it out by hand. Costs
>>>>>>             money and costs the security group their reputation for reliability.
>>>>>>
>>>>>>             3. If they do try to evade we'll generally catch the change in the
>>>>>>             sandnet or in the analyses put up by av vendors and the like.
>>>>>>
>>>>>>             Anyone have a differing argument for this philosophy? It's what I tend
>>>>>>             to apply to all of the virus/malware and spyware sigs.
>>>>>>
>>>>>>             Matt
>>>>>>
>>>>>>             --
>>>>>>             Matthew Jonkman
>>>>>>             Emerging Threats
>>>>>>             Phone 765-429-0398
>>>>>>             Fax 312-264-0205
>>>>>>             http://www.emergingthreats.net
>>>>>>
>>>>>>             PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>>
>>>>>>         --
>>>>>>         Joel Esler
>>>>>>         T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com
>>>>>
>>>>
>>>
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>>
>
> --
> joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

-- 
Darren Spruell
phatbuckett at gmail.com

From eslerj at gmail.com Fri Apr 3 16:59:25 2009
From: eslerj at gmail.com (Joel Esler)
Date: Fri, 3 Apr 2009 17:59:25 -0400
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To: <839aec700904031416y70508179tc9a918846e35b0a2@mail.gmail.com>
References: <839aec700903091031h461fa3ebs5a635d6a8afb5abf@mail.gmail.com> <314cf0830903101137u74b57300pbd501c7ce5554ecd@mail.gmail.com> <1236717927.9868.4.camel@kinta> <314cf0830903101423x5e10b9e5x8048b82d17a7a39e@mail.gmail.com> <1236797176.9868.11.camel@kinta> <314cf0830903111300j3c0c79dna2d984a8558cd128@mail.gmail.com> <49B82060.9030506@jonkmans.com> <839aec700904021634k434f9c7cp844e7aae7572a230@mail.gmail.com> <314cf0830904031244x16372239vf4e395b0bb02b9fc@mail.gmail.com> <839aec700904031416y70508179tc9a918846e35b0a2@mail.gmail.com>
Message-ID: <314cf0830904031459q2e87fe68l8703514d662a7304@mail.gmail.com>

I'll find a chance
soon to write up the new pcre.

On Fri, Apr 3, 2009 at 5:16 PM, Darren Spruell wrote:
> Sorry, none for this round. URIs scraped out of proxy logs.
>
> DS
>
> On Fri, Apr 3, 2009 at 12:44 PM, Joel Esler wrote:
>> Darren,
>>
>> Pcap?
>>
>> Joel
>
> --
> Darren Spruell
> phatbuckett at gmail.com

-- 
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From dxp2532 at gmail.com Fri Apr 3 17:48:09 2009
From: dxp2532 at gmail.com (dxp)
Date: Fri, 03 Apr 2009 18:48:09 -0400
Subject: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
In-Reply-To:
References:
Message-ID: <1238798889.7285.30.camel@kinta>

It specifically chops off the '=' characters.

-

-=[ dxp ]=-
0xA3F3C6E3

On Fri, 2009-04-03 at 11:17 -0500, David.R.Wharton at regions.com wrote:
> If it is base64 encoded wouldn't you expect some '=' characters or is the
> length always a multiple of three?
>
> -David
>
>
> dxp
> Sent by: emerging-sigs-bounces at emergingthreats.net
> 04/03/2009 10:14 AM
>
> To
> Darren Spruell
> cc
> Emerging Threats Signatures
> Subject
> Re: [Emerging-Sigs] Trojan.Win32.Inject.esi / Trojan:Win32/Netnam.A
>
>
> After looking at the GET generation code it appears this particular
> variant will create URIs with this form:
> / base64 / base64 Y5 / X? / Z2 base64 / base64 W3 /
> where:
> base64 = base64 encoded crypted string based on embedded strings and random
> numbers
> Y5 = randomly generated integer 5 digits long
> X? = randomly generated integer, varying digit lengths
> Z2 = randomly generated integer 2 digits long
> W3 = randomly generated integer 3 digits long
> These integers are part of the encryption key used to create the base64
> strings and thus needed to decode on the server side. The data encoded in
> the strings is not based on user's information rather on embedded constants
> in the malware. Perhaps some form of identification scheme.
>
> Here are the PCREs for each segment of the URI:
>
> /AWsPa39hKhs            \/[A-Za-z0-9]{2,16}
> /XTJdbT85bE021115       \/[A-Za-z0-9]{2,16}\d{5}
> /9347                   \/\d{1,5}
> /42DmQLPmg3bw           \/\d{2}[A-Za-z0-9]{2,16}
> /QDBcPTkzbU1jbFgM223/   \/[A-Za-z0-9]{2,16}\d{3}\/
>
> The length of Base64 encoded strings may vary between variants as it
> depends on 2 constant strings which may serve as some form of
> identification. In this case it was: "liberate", and two integers
> represented as ascii.
>
> -
> -=[ dxp ]=-
> 0xA3F3C6E3
>
> On Thu, 2009-04-02 at 16:34 -0700, Darren Spruell wrote:
>
> Looks like the pcre we settled on for the committed revision of this
> rule was too specific; we dug out another compromised client from
> proxy logs and found the following requests which had some differences
> in the URI:
>
> /C20Lb3VnLh8/UzBdPzI1aHo43323/3503/31UjBdODc2aw/Vw4111/
> /CW0NbndnKB4/UTBbPjA1bkg31813/1562/18UDBbCzU2bQ/VQ4231/
> /CW4Lb3dkLh8/UTNdPzA2aHo21229/1603/21UDNdODU1aw/VQ0213/
> /CWANbnNjJho/UT1bPgExYEw32112/18625/33UD1bCzEyYw/VQM222/
> /CWkPaX5jLxg/UTRtDDkxaU411229/11458/21UDRtPjwyWw/VQo942/
> /CmwJZXFgKh4/UgVfNTYybEg12221/24297/31UwVfMjMxbw/Vg8211/
> /CWsMaHZjLRs/UTZaODExa0013313/13740/21UDZaPwQyaA/VQg122/
> /CWsMaHZjLRs/UTZaODExa0062211/13740/56UDZaPwQyaA/VQg111/
> /Cm4JZHVgKB4/UjNfNDIybkg43226/26283/17UzNfMzcxbQ/Vg0214/
> /CmkDbH5gLxQ/UjRVPDkyaUI31521/21808/15UzRVOzwxWw/Vgo221/
> /CmgKanRgLh0/UjVcOjMyaEs11212/20162/91UzVcPTYxaw/Vgs411/
> /CmoJaXVgLB4/UjdfDDIyWEg51234/22253/12UzdfPjcxaQ/Vgk118/
> /C2oKaHNhLB0/UzdcOAEzWEs73752/32145/47UjdcPzEwaQ/Vwk173/
> /DGACa3JqJxs/YD1UOzU4YU032726/4897/11VT1UPDA7Yg/UAM122/
> /C28Da3VlJhs/UzJVOzI3YE022432/3787/11UjJVPDc0Yw/Vww243/
> /CWAPZHFjJhg/UT1tNDYxYE432222/18487/83UD1tMzMyYw/VQM113/
> /CW4LbnNjKBw/UTNdPgExbko22518/16025/11UDNdCzEybQ/VQ0611/
> /CmoOZXdgLBk/UjdYNTAyWE881112/22591/12UzdYMjUxaQ/Vgk411/
> /VGsPa35hKhs/WDZtOzkzbE024119/8347/17WTZtPDwwbw/XAg311/
> /CW0ObXdnKx0/UTBYPTA1bUs22121/1551/21UDBYOjU2bg/VQ4211/
> /Cm8Pa3RlKhs/UjJtOzM3bE011221/2747/21UzJtPDY0bw/Vgw213/
> /AWsKaH9hLxg/WTZcODgzaU423113/9314/68WDZcPz0wWw/XQg222/
> /Cm8La3RlLhs/UjJdOzM3aE064612/2707/11UzJdPDY0aw/Vgw113/
> /DG0LaXJnLhk/YDBdDDU1aE822832/4505/11VTBdPjA2aw/UA4123/
> /C2kJbnNhLx4/UzRfPgEzaUg12125/31225/28UjRfCzEwWw/Vwo121/
> /CmgCZX9gLhU/UjVUNTgyaEM21221/20999/93UzVUMj0xaw/Vgs133/
> /CWwLanNjKhw/UQVdOgExbEo11223/14065/17UAVdPTEybw/VQ8121/
> /CWwOZH5jKhk/UQVYNDkxbE879137/14588/29UAVYMzwybw/VQ8121/
> /D2wCZXFmJxU/VwVUNTY0YUM86324/7499/12VgVUMjM3Yg/Uw8283/
> /Cm4LZH9gKBw/UjNdNDgybko22811/26089/33UzNdMz0xbQ/Vg0321/
> /CW8OZHNjKRk/UTJYNAExb0822122/17585/31UDJYMzEybA/VQw226/
> /CW4Man9jKBs/UTNaOjgxbk021212/16769/22UDNaPT0ybQ/VQ0212/
> /VGsNaX5hKBk/WDZbDDkzbk822121/8365/12WTZbPjwwbQ/XAg821/
> /AWEIb39rLR8/WTxePzg5a3o29221/9933/88WDxeOD06aA/XQI212/
> /C2kDZHBhLxQ/UzRVNDczaUI21121/31886/33UjRVMzIwWw/Vwo272/
> /AWANa39qKBs/WT1bOzg4bk026921/9867/12WD1bPD07bQ/XQM522/
> /CW4MbnRjKBs/UTNaPjMxbk012611/16722/14UDNaCzYybQ/VQ0142/
> /C2sNbHVhKBw/UzZbPDIzbko92831/3360/21UjZbOzcwbQ/Vwg123/
> /C2wIaHVmLRg/UwVeODI0a0422172/34/12UgVePzc3aA/Vw8322/
> /CWsKanBjLR0/UTZcOjcxa0s22112/13166/71UDZcPTIyaA/VQg921/
> /CWgJaX9jLh4/UTVfDDgxaEg16921/10259/12UDVfPj0yaw/VQs281/
> /VG4CbX5kJx0/WDNUPTk2YUs23127/8691/71WTNUOjw1Yg/XA0291/
> /CmEMaXFgJxs/UjxaDDYyYU033237/29757/11UzxaPjMxYg/VgI121/
> /Dm4CbnBkJx4/VjNUPjc2YUg29262/6692/91VzNUCzI1Yg/Ug0224/
> /C2gJa35hLh4/UzVfOzkzaEg33221/30278/72UjVfPDwwaw/Vws652/
> /DGsLanJhLho/YDZdOjUzaEw11239/4306/22VTZdPTAwaw/UAg131/
> /CmgJbHJgLh4/UjVfPDUyaEg31962/20204/22UzVfOzAxaw/Vgs151/
> /CW4Ma3JjKBs/UTNaOzUxbk023332/16774/51UDNaPDAybQ/VQ0223/
>
> Namely, several of the characters in the leading classes were
> different, the number of digits in the third section were less than
> anticipated, and the final section was of lesser length.
> I made adjustments and came up with the following altered regex:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Trojan.Win32.Inject.esi Outbound Communication";
> flow:established,to_server; content:"GET "; depth:4;
> isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en";
> nocase; pcre:"/\/\w{11}\/\w{16}\/\d{1,5}\/\d{2}\w{10}\/\w{6,}/sm";
> classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2009125;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam;
> sid:2009125; rev:?;)
>
> I hesitate to make the matches much tighter as we've also had reports
> of other variations of the C2 requests so more general may be the way
> to go. Feedback of course welcome.
>
> DS
>
> On Wed, Mar 11, 2009 at 1:34 PM, Matt Jonkman wrote:
> > Just going through the sandnet database and there's not a single entry
> > that has the same typo, so we'll have to assume it unique to this
> > rolling of this variant.
> >
> > I'll keep an eye out and see if it shows up with anything else. Very
> > interesting one.
> >
> > Matt
> >
> > Joel Esler wrote:
> >> I think the rule might be good enough with the en-en match. That's
> >> pretty specific.
> >>
> >> J
> >>
> >> On Wed, Mar 11, 2009 at 2:46 PM, dxp wrote:
> >>
> >> Here's another one, noticed it only after dissecting the binary.
> >> The UAS is missing a space between IE version string and Windows
> >> version string. There should be a space after the semicolon.
> >>
> >> /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)/
> >>
> >> -
> >> -=[ dxp ]=-
> >> 0xA3F3C6E3
> >>
> >> On Tue, 2009-03-10 at 17:23 -0400, Joel Esler wrote:
> >>> Nice catch.
> >>>
> >>> On Tue, Mar 10, 2009 at 4:45 PM, dxp wrote:
> >>>
> >>> Regarding the "Accept-Language:" header, looks like the value
> >>> used ("en-en") is not legit. That's an anomaly which can be
> >>> used to extend the language header match.
> >>>
> >>> -
> >>> -=[ dxp ]=-
> >>> 0xA3F3C6E3
> >>>
> >>> On Tue, 2009-03-10 at 14:37 -0400, Joel Esler wrote:
> >>>> How about
> >>>>
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> >>>> (msg:"TROJAN Trojan.Win32.Inject.esi Outbound Communication";
> >>>> flow:stateless; content:"GET "; depth:4; nocase;
> >>>> isdataat:62,relative; content:"|0d 0a|Accept-Language";
> >>>> nocase;
> >>>> pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm";
> >>>> classtype:trojan-activity; sid:2009125; rev:4;)
> >>>>
> >>>> Notes:
> >>>> Flow
> >>>> isdataat
> >>>> Accept-Language inclusion
> >>>> Pcre that is not only more accurate, but is also correct.
> >>>> (the original pcre could be (as was) evaded).
> >>>>
> >>>> J
> >>>>
> >>>> On Tue, Mar 10, 2009 at 1:05 PM, Matt Jonkman wrote:
> >>>>
> >>>> Joel Esler wrote:
> >>>> >
> >>>> > Is it not unique in the pcap that I was sent. The
> >>>> > accept-language will fire a lot, but you need it for the
> >>>> > prequalification step in the FP portion of the engine. Fire on
> >>>> > accept-language, keep the "GET", do an anchor at offset of 0,
> >>>> > use an isdataat to test length, pcre to qualify and fire. Test
> >>>> > the difference in between the two rules with rule profiling.
> >>>> > See how it goes.
> >>>> >
> >>>>
> >>>> The GET has a depth of 4 so that's equivalent to offset 0 no?
> >>>>
> >>>> Isdataat is a good idea. There will likely be data after the url
> >>>> string length, so maybe just a content:!"|0d 0a|"; within:62;
> >>>>
> >>>> The uri is between 64 and 67 bytes in the samples depending on the
> >>>> length of that numeric string so I went 62 just in case.
> >>>>
> >>>> So:
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> >>>> Trojan.Win32.Inject.esi Outbound Communication";
> >>>> flow:established,to_server; content:"GET "; depth:4; content:"/";
> >>>> distance:0; content:!"|0d 0a|"; within:62; content:"/"; distance:16;
> >>>> within:1; content:"/"; distance:3; within:5; content:"/"; distance:12;
> >>>> within:1; content:"/|0d 0a|"; distance:17; within:3;
> >>>> pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U";
> >>>> classtype:trojan-activity; sid:2009125; rev:3;)
> >>>>
> >>>> Is that going to work? The negated content isn't going to put the
> >>>> ptr at the end of 62 is it? hmmmm
> >>>>
> >>>> > So if I was a malware writer, all I have to do is use a POST and I
> >>>> > bypass your rule. You do NOT want to eliminate the others, as that
> >>>> > will open you to false negatives. Up to you. For this particular
> >>>> > sample, you can keep your GET, I just want you to be aware that
> >>>> > overall, a check for GET is usually bad. In all of the rules the VRT
> >>>> > has written, (14,000+) as of current build, there are 38 live rules
> >>>> > that do a content check for GET. If you look at them, you will see
> >>>> > why it had to be done that way.
> >>>>
> >>>> In other rules I'd agree with you that making an easy evasion is bad.
> >>>> But in the malware side we have so many things that are intended to
> >>>> look like normal traffic.
> >>>>
> >>>> So in the malware side I err toward evadable but reliable for a few
> >>>> reasons:
> >>>>
> >>>> 1. We've had many sigs out for years that are easily evadable but the
> >>>> malware authors just DON'T try to evade. And the strains come and go
> >>>> quickly sometimes.
> >>>>
> >>>> 2. False positives in these sigs are costly.
> >>>> In most places that means an IT guy has to go visit a workstation
> >>>> and check it out by hand. Costs money and costs the security group
> >>>> their reputation for reliability.
> >>>>
> >>>> 3. If they do try to evade we'll generally catch the change in the
> >>>> sandnet or in the analyses put up by av vendors and the like.
> >>>>
> >>>> Anyone have a differing argument for this philosophy? It's what I
> >>>> tend to apply to all of the virus/malware and spyware sigs.
> >>>>
> >>>> Matt

From shirkdog_list at hotmail.com Fri Apr 3 19:09:07 2009
From: shirkdog_list at hotmail.com (Shirk Dog)
Date: Fri, 3 Apr 2009 20:09:07 -0400
Subject: [Emerging-Sigs] conficker
In-Reply-To: <53834cf20904031258m68e271fub657fbd3bd53447d@mail.gmail.com>
References: <49D66663.1020803@jonkmans.com> <53834cf20904031258m68e271fub657fbd3bd53447d@mail.gmail.com>

If you received positive matches on these UDP sigs, do you have any other network data coming from the compromised hosts?

Shirkdog
Free your mind...
http://www.shirkdog.us

Date: Fri, 3 Apr 2009 21:58:46 +0200
From: jaime.blasco at alienvault.com
To: jonkman at jonkmans.com
CC: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] conficker

I've positive matches too.

Regards

2009/4/3 Matt Jonkman

    I went ahead and posted these. I've had positive feedback on accuracy.

    Please let us all know if anyone sees false positive issues.

    Matt

    David Glosser wrote:
    > can any information from the following be useful in creating conficker P2P sig?
    >
    > https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer

--
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com
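Added example for the Trojan.Win32.Inject.esi thread above (not code from the list or any of its posters): a small Python harness that replays the two pcre candidates discussed there, Joel's rev 4 pattern and Darren's widened one, against the request URIs posted in that thread plus a few constructed URIs, with the rule's GET / isdataat / Accept-Language prequalifiers approximated so that the header check's role as the false-positive filter is visible. The request builder, the hostname, the benign URIs and the shape-alike URI are constructed, not captured traffic; Snort's detection engine is not modelled beyond the order and meaning of those four options.

```python
"""Offline replay of the Trojan.Win32.Inject.esi pcre candidates from the
Emerging-Sigs thread. Added example, not the list's or any poster's code."""
import re

# pcre bodies quoted from the thread, with Snort's "/.../sm" delimiters and
# flags removed. re.S | re.M below stand in for the sm flags; re.ASCII keeps
# \w as [A-Za-z0-9_], as PCRE does outside UTF-8 mode.
PCRE_REV4 = (r"/[ACD][GWm]\w{9}/[XVU][TjQTD]\w{14}/\d{4,5}/\d{2}[VWX](\w{9}|\w{6})"
             r"/([XZUV]\w{13}\d{3}|\w{2}/\w{7}/\w{6}\d{3})")
PCRE_WIDENED = r"/\w{11}/\w{16}/\d{1,5}/\d{2}\w{10}/\w{6,}"

# Request URIs quoted from the thread: dxp's original sample followed by four
# of the proxy-log requests Darren posted (chosen because they exercise the
# parts his widened pattern relaxed).
THREAD_SAMPLES = [
    "/AWsPa39hKhs/XTJdbT85bE021115/9347/42DmQLPmg3bw/QDBcPTkzbU1jbFgM223/",
    "/C20Lb3VnLh8/UzBdPzI1aHo43323/3503/31UjBdODc2aw/Vw4111/",
    "/CW0NbndnKB4/UTBbPjA1bkg31813/1562/18UDBbCzU2bQ/VQ4231/",
    "/C2wIaHVmLRg/UwVeODI0a0422172/34/12UgVePzc3aA/Vw8322/",   # 2-digit 3rd field
    "/VGsPa35hKhs/WDZtOzkzbE024119/8347/17WTZtPDwwbw/XAg311/",  # leading 'V'
]

# Constructed (not captured) URIs: ordinary paths that must not fire, and one
# that has the five-field shape without being the trojan, to show that the
# widened pcre on its own is loose and the Accept-Language check does real work.
BENIGN_URIS = ["/images/logo.png", "/search?q=snort+rules", "/api/v1/users/12345/profile/"]
SHAPE_ALIKE = "/abcdefghijk/abcdefghijklmnop/123/45abcdefghij/abcdef/"


def build_request(uri, accept_language="en-en"):
    """Construct a request in the shape the thread describes: the User-Agent
    lacks the space after 'MSIE 6.0;' and Accept-Language is 'en-en'."""
    return (
        "GET {} HTTP/1.1\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)\r\n"
        "Accept-Language: {}\r\n"
        "Host: c2.example.invalid\r\n\r\n"
    ).format(uri, accept_language).encode("ascii")


def rule_2009125_fires(request, pcre):
    """Approximate rule 2009125's option chain on one request buffer:
      content:"GET "; depth:4   -> buffer starts with GET
      isdataat:62,relative      -> a byte exists 62 past the end of the GET match
      content:"|0d 0a|Accept-Language\\: en-en"; nocase
      pcre:"/.../sm"            -> searched over the whole buffer
    Only the order and meaning of these four checks are modelled."""
    if not request.startswith(b"GET "):
        return False
    if len(request) <= 4 + 62:
        return False
    if b"\r\naccept-language: en-en" not in request.lower():
        return False
    return re.search(pcre, request.decode("ascii"), re.S | re.M | re.ASCII) is not None


def fired_uris(pcre, uris, accept_language="en-en"):
    """Return the subset of uris whose constructed request makes the rule fire."""
    return [u for u in uris if rule_2009125_fires(build_request(u, accept_language), pcre)]


if __name__ == "__main__":
    for name, pcre in (("rev4", PCRE_REV4), ("widened", PCRE_WIDENED)):
        hits = fired_uris(pcre, THREAD_SAMPLES)
        print("%-8s thread samples %d/%d, benign %d, shape-alike %s" % (
            name, len(hits), len(THREAD_SAMPLES),
            len(fired_uris(pcre, BENIGN_URIS)), bool(fired_uris(pcre, [SHAPE_ALIKE]))))
    # Same shape-alike request with a normal language header: the pcre alone
    # would match, the header prequalifier stops the rule from firing.
    print("shape-alike with en-us:", fired_uris(PCRE_WIDENED, [SHAPE_ALIKE], "en-us"))
```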

From gregm at econet.com Fri Apr 3 19:12:09 2009
From: gregm at econet.com (Greg Martin)
Date: Fri, 3 Apr 2009 19:12:09 -0500
Subject: [Emerging-Sigs] conficker
References: <49D66663.1020803@jonkmans.com> <53834cf20904031258m68e271fub657fbd3bd53447d@mail.gmail.com>

These signatures have been falsing on VPN traffic, anyone have a pcap of the p2p traffic they care to share?

Thanks,

Greg

From scheidell at secnap.net Sat Apr 4 07:32:21 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Sat, 04 Apr 2009 08:32:21 -0400
Subject: [Emerging-Sigs] [Fwd: HackerTrap Alert: FATAL ERROR]
Message-ID: <49D75355.7010905@secnap.net>

I thought the port list was eliminated on this rule?
(matt, hey, from rev 3 to 4, you put ON port rules?)
sid:2008759; rev:4;)

-------- Original Message --------
Subject: HackerTrap Alert: FATAL ERROR
Date: Sat, 4 Apr 2009 03:13:24 +0200 (CEST)
From: root at success-ae.hackertrap.net (Success-AE Root)
To: maint at success-ae.hackertrap.net

Apr 4 03:13:24 success-ae snort[26955]: FATAL ERROR: rules/emerging-malware.rules(635) => Invalid port: [80,8080]

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2009 Hot Company Award Finalist, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008

From jonkman at jonkmans.com Sat Apr 4 10:20:03 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sat, 04 Apr 2009 11:20:03 -0400
Subject: [Emerging-Sigs] [Fwd: HackerTrap Alert: FATAL ERROR]
In-Reply-To: <49D75355.7010905@secnap.net>
References: <49D75355.7010905@secnap.net>
Message-ID: <49D77AA3.3080202@jonkmans.com>

Had a sample come through the sandnet that did the exact same activity on port 80, so added that. Previous samples had run only on port 8080, and I can't confirm they're not still when required.

Could split it to 2 rules, should be no significant performance loss...

Matt

Michael Scheidell wrote:
> I thought the port list was eliminated on this rule?
> (matt, hey, from rev 3 to 4, you put ON port rules?)
>
> sid:2008759; rev:4;)
>
> -------- Original Message --------
> Subject: HackerTrap Alert: FATAL ERROR
> Date: Sat, 4 Apr 2009 03:13:24 +0200 (CEST)
> From: root at success-ae.hackertrap.net (Success-AE Root)
> To: maint at success-ae.hackertrap.net
>
> Apr 4 03:13:24 success-ae snort[26955]: FATAL ERROR: rules/emerging-malware.rules(635) => Invalid port: [80,8080]

From scheidell at secnap.net Sat Apr 4 10:22:06 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Sat, 04 Apr 2009 11:22:06 -0400
Subject: [Emerging-Sigs] [Fwd: HackerTrap Alert: FATAL ERROR]
In-Reply-To: <49D77AA3.3080202@jonkmans.com>
References: <49D75355.7010905@secnap.net> <49D77AA3.3080202@jonkmans.com>
Message-ID: <49D77B1E.9050905@secnap.net>

or I get my lazy butt working on 2.6.. the conficker rules seem to have a 5 port ! (exclude) in the src and dst..
not sure why.. but they do. I disabled them on the boxes with 2.4.

From jaime.blasco at alienvault.com Sat Apr 4 10:40:21 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Sat, 4 Apr 2009 17:40:21 +0200
Subject: [Emerging-Sigs] FTP Server Banners (Malware)
Message-ID: <53834cf20904040840i3184f868v5d3b0282e5b606d@mail.gmail.com>

Hi,

Reviewing my honeypot logs, I've seen two unusual FTP banners used for serving malware; I have seen that the Cyber-ta people have seen them too.

http://www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html

alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:; rev:1;)

alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:; rev:1;)

I attach a capture of one of my hits.
Regards

From emerging at emergingthreats.net Sat Apr 4 15:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 4 Apr 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090404200011.05C7D4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Apr 4 16:00:10 2009 [***]

[///] Modified active rules: [///]

2009203 - ET TROJAN Alman Dropper Checkin (emerging-virus.rules)
2009204 - ET TROJAN Crypt.CFI.Gen Checkin (emerging-virus.rules)
2009205 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging.rules)
2009206 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging.rules)
2009207 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging.rules)
2009208 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging.rules)
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/ 2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/ 2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/ 2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/

From eslerj at gmail.com Sat Apr 4 15:10:22 2009
From: eslerj at gmail.com (Joel Esler)
Date: Sat, 4 Apr 2009 16:10:22 -0400
Subject: [Emerging-Sigs] conficker
In-Reply-To:
References: <49D66663.1020803@jonkmans.com> <53834cf20904031258m68e271fub657fbd3bd53447d@mail.gmail.com>
Message-ID: <314cf0830904041310qe25a204ie697e1210c223efa@mail.gmail.com>

http://vrt-sourcefire.blogspot.com/2009/04/new-so-rules-for-confickerc-p2p.html

Joel

On Fri, Apr 3, 2009 at 8:12 PM, Greg Martin wrote:
> These signatures have been falsing on VPN traffic, anyone have a pcap of the
> p2p traffic they care to share?
>
> Thanks,
>
> Greg
>
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net on behalf of Shirk Dog
> Sent: Fri 4/3/2009 7:09 PM
> To: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] conficker
>
>
> If you received positive matches on these UDP sigs, do you have any other
> network data coming from the compromised hosts?
>
>
> Shirkdog
> Free your mind...
> http://www.shirkdog.us
>
>
>
> Date: Fri, 3 Apr 2009 21:58:46 +0200
> From: jaime.blasco at alienvault.com
> To: jonkman at jonkmans.com
> CC: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] conficker
>
> I've positive matches too.
>
> Regards
>
> 2009/4/3 Matt Jonkman
>
> > I went ahead and posted these. I've had positive feedback on accuracy.
> >
> > Please let us all know if anyone sees false positive issues.
> >
> > Matt
> >
> > David Glosser wrote:
> >> can any information from the following be useful in creating conficker P2P
> >> sig?
> >>
> >> https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > --
> > --------------------------------------------
> > Matthew Jonkman
> > Emerging Threats
> > Phone 765-429-0398
> > Fax 312-264-0205
> > http://www.emergingthreats.net
> > --------------------------------------------
> >
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com
> www.alienvault.com
>
> Email: jaime.blasco at alienvault.com
>
> _________________________________________________________________
> Windows Live™: Keep your life in sync.
> http://windowslive.com/explore?ocid=TXT_TAGLM_WL_allup_1a_explore_042009
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From dokas at oitsec.umn.edu Sat Apr 4 16:33:23 2009
From: dokas at oitsec.umn.edu (Paul Dokas)
Date: Sat, 04 Apr 2009 16:33:23 -0500
Subject: [Emerging-Sigs] Zeus/Zbot related malware rules
Message-ID: <49D7D223.8070202@oitsec.umn.edu>

We found a host here infected with malware that was delivered from avprotect.net. Here's a summary of one of the downloaders:

http://anubis.iseclab.org/?action=result&task_id=1cd8eee2caa25a5f459f83f19acc17ff4

The Snort-related bit is that this malware touches two web servers like this:

GET /check HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host:
Cache-Control: no-cache

and

GET /loads.php?r=17.2 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: knocker
Cache-Control: no-cache

This is likely somehow related to Zeus/Zbot, but is not triggering those specific rules. Anyway, here are a couple of rules that I wrote to find similar HTTP sessions. They can probably use some cleanup, but they seem to do the job here:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan Dropper Infection - /check"; flow:established,to_server; uricontent:"/check"; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|"; within:30; classtype:trojan-activity;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan Dropper Infection - /loads.php"; flow:established,to_server; uricontent:"/loads.php"; uricontent:"?r="; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer"; content:"|0d 0a|Host\: knocker"; within:20; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|"; within:30; classtype:trojan-activity;)

We are also running the generic 'User-Agent: Microsoft Internet Explorer' rule, but we're seeing quite a few false positives.

Paul

--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
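The point of Paul's two rules is that the bare "User-Agent: Microsoft Internet Explorer" string is a weak indicator on its own, and only becomes a usable detection once it is stacked with the URI, the odd Host value and the Cache-Control header. The script below is an added example, not code from Paul's post or from the ET ruleset: it re-checks the same header combinations over parsed HTTP requests in plain Python, so a reader can see which request class each rule fires on. It works on parsed header values rather than byte offsets, so Snort's `within` byte windows are not reproduced. All requests in SAMPLES are constructed for the demo (the in-house-tool and browser requests are hypothetical), not captures.

```python
# Added example, not code from Paul Dokas's post: a plain-Python re-check of the
# header combinations his two Snort rules key on, applied to parsed HTTP
# requests, next to the generic bare-User-Agent check he reports as noisy.
# All requests in SAMPLES are constructed for this demo, not real captures.
from typing import Dict, List, Optional, Tuple

# The exact User-Agent value the downloader sends (no "Mozilla/..." prefix).
SUSPECT_UA = "Microsoft Internet Explorer"


def parse_request(raw: bytes) -> Optional[Tuple[str, Dict[str, str]]]:
    """Split a raw HTTP request into (uri, headers).

    Header names are lower-cased; values are stripped but otherwise kept, so an
    empty Host value stays empty. Returns None for anything that is not an
    HTTP request line followed by well-formed header lines.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None  # header line without a colon: not an HTTP header
        headers[name.strip().lower()] = value.strip()
    return parts[1], headers


def rule_check(uri: str, h: Dict[str, str]) -> bool:
    """Mirror of rule 1: /check in the URI, bare IE User-Agent, no-cache."""
    return ("/check" in uri
            and h.get("user-agent") == SUSPECT_UA
            and h.get("cache-control") == "no-cache")


def rule_loads(uri: str, h: Dict[str, str]) -> bool:
    """Mirror of rule 2: /loads.php?r=..., bare IE User-Agent, Host starting
    with 'knocker' (a Snort content match is a prefix match), no-cache."""
    return ("/loads.php" in uri and "?r=" in uri
            and h.get("user-agent") == SUSPECT_UA
            and h.get("host", "").startswith("knocker")
            and h.get("cache-control") == "no-cache")


def generic_ua(uri: str, h: Dict[str, str]) -> bool:
    """The generic 'User-Agent: Microsoft Internet Explorer' check on its own."""
    return h.get("user-agent") == SUSPECT_UA


RULES = [
    ("Trojan Dropper Infection - /check", rule_check),
    ("Trojan Dropper Infection - /loads.php", rule_loads),
    ("Generic bare IE User-Agent", generic_ua),
]


def match_request(raw: bytes) -> List[str]:
    """Return the names of all rules that fire on one raw client request."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    uri, headers = parsed
    return [name for name, fn in RULES if fn(uri, headers)]


# Constructed sample traffic: the two requests quoted in the post, plus two
# cases that separate the combined rules from the generic User-Agent check.
SAMPLES = {
    "check": (b"GET /check HTTP/1.1\r\n"
              b"User-Agent: Microsoft Internet Explorer\r\n"
              b"Host:\r\n"
              b"Cache-Control: no-cache\r\n\r\n"),
    "loads": (b"GET /loads.php?r=17.2 HTTP/1.1\r\n"
              b"User-Agent: Microsoft Internet Explorer\r\n"
              b"Host: knocker\r\n"
              b"Cache-Control: no-cache\r\n\r\n"),
    # Hypothetical in-house tool that sends the bare UA string: only the
    # generic check fires, which is the false-positive class Paul describes.
    "in_house_tool": (b"GET /status.xml HTTP/1.1\r\n"
                      b"User-Agent: Microsoft Internet Explorer\r\n"
                      b"Host: intranet.example\r\n\r\n"),
    # Hypothetical real browser hitting a /check path with a normal IE UA:
    # neither the combined rules nor the generic check fire.
    "browser": (b"GET /check HTTP/1.1\r\n"
                b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
                b"Host: www.example.com\r\n"
                b"Cache-Control: no-cache\r\n\r\n"),
}


def scan_samples() -> Dict[str, List[str]]:
    """Run every rule over every constructed sample."""
    return {name: match_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:14s} -> {hits or ['no match']}")
```

Running it shows the two quoted requests tripping their specific rule plus the generic check, the in-house tool tripping only the generic check, and the browser request tripping nothing; that gap between the second and third column is exactly the false-positive volume the generic rule adds.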
From emerging at emergingthreats.net Sat Apr 4 17:00:11 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 4 Apr 2009 18:00:11 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes Message-ID: <20090404220011.7198F4501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Apr 4 18:00:11 2009 [***] [+++] Added rules: [+++] 2009170 - ET CURRENT_EVENTS Psyb0t Code Download (emerging.rules) 2009171 - ET CURRENT_EVENTS Psyb0t Bot Nick (emerging.rules) 2009172 - ET CURRENT_EVENTS Psyb0t joining an IRC Channel (emerging.rules) 2009173 - ET TROJAN Possible Vundo Trojan Variant reporting to Controller (emerging-virus.rules) 2009174 - ET TROJAN Possible Vundo EXE Download Attempt (emerging-virus.rules) 2009175 - ET TROJAN Zbot/Zeus C&C Access (emerging-virus.rules) 2009176 - ET CURRENT_EVENTS Malware Communication with Control Servers (Possible GhostNet Related Activity) (emerging.rules) 2009178 - ET WEB_ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow (emerging-web.rules) 2009179 - ET WEB_SPECIFIC SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009180 - ET WEB_SPECIFIC SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009181 - ET WEB_SPECIFIC SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2009182 - ET WEB_SPECIFIC SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2009184 - ET WEB_ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion (emerging-web.rules) 2009185 - ET WEB_SPECIFIC A Better Member-Based ASP Photo Gallery view.asp entry parameter SQL injection (emerging-web_sql_injection.rules) 2009186 - ET WEB_SPECIFIC Auto Listings Script moreinfo.php itemno Parameter SQL Injection (emerging-web_sql_injection.rules) 2009187 - ET WEB_ACTIVEX 
iDefense COMRaider ActiveX Control Arbitrary File Deletion (emerging-web.rules) 2009188 - ET WEB_SPECIFIC gapicms toolbar.php dirDepth Parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009190 - ET WEB_SPECIFIC YACS update_trailer.php context Parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009191 - ET WEB_SPECIFIC YACS update_trailer.php context Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2009192 - ET WEB_SPECIFIC CMS Faethon info.php item Parameter SQL Injection (emerging-web_sql_injection.rules) 2009194 - ET WEB_SPECIFIC X7 Chat mini.php help_file Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2009195 - ET WEB_SPECIFIC Basebuilder main.inc.php mj_config Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2009196 - ET WEB_SPECIFIC Basebuilder main.inc.php mj_config Parameter Remote File inclusion (emerging-web_sql_injection.rules) 2009198 - ET WEB_SPECIFIC Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection (emerging-web_sql_injection.rules) 2009199 - ET WEB_SPECIFIC Script Toko Online shop_display_products.php cat_id Parameter SQL Injection (emerging-web_sql_injection.rules) 2009200 - ET CURRENT_EVENTS Conficker.a Shellcode (emerging.rules) 2009201 - ET CURRENT_EVENTS Conficker.b Shellcode (emerging.rules) 2009202 - ET CURRENT_EVENTS GhostNet Trojan Reporting (emerging.rules) 2009203 - ET TROJAN Alman Dropper Checkin (emerging-virus.rules) 2009204 - ET TROJAN Crypt.CFI.Gen Checkin (emerging-virus.rules) 2009205 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging.rules) 2009206 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging.rules) 2009207 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging.rules) 2009208 - ET CURRENT_EVENTS Possible 
Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging.rules) 2404022 - ET DROP Known Bot C&C Server Traffic (group 23) (emerging-botcc.rules) 2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406294 - ET RBN Known Russian Business Network Monitored Domains (295) (emerging-rbn.rules) 2406295 - ET RBN Known Russian Business Network Monitored Domains (296) (emerging-rbn.rules) 2406296 - ET RBN Known Russian Business Network Monitored Domains (297) (emerging-rbn.rules) 2406297 - ET RBN Known Russian Business Network Monitored Domains (298) (emerging-rbn.rules) 2406298 - ET RBN Known Russian Business Network Monitored Domains (299) (emerging-rbn.rules) 2406299 - ET RBN Known Russian Business Network Monitored Domains (300) (emerging-rbn.rules) 2406300 - ET RBN Known Russian Business Network Monitored Domains (301) (emerging-rbn.rules) 2406301 - ET RBN Known Russian Business Network Monitored Domains (302) (emerging-rbn.rules) 2406302 - ET RBN Known Russian Business Network Monitored Domains (303) (emerging-rbn.rules) 2406303 - ET RBN Known Russian Business Network Monitored Domains (304) (emerging-rbn.rules) 2407294 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (295) (emerging-rbn-BLOCK.rules) 2407295 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (296) (emerging-rbn-BLOCK.rules) 2407296 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (297) (emerging-rbn-BLOCK.rules) 2407297 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (298) (emerging-rbn-BLOCK.rules) 2407298 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (299) (emerging-rbn-BLOCK.rules) 2407299 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (300) (emerging-rbn-BLOCK.rules) 2407300 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (301) (emerging-rbn-BLOCK.rules) 2407301 - ET RBN Known 
Russian Business Network Monitored Domains - BLOCKING (302) (emerging-rbn-BLOCK.rules) 2407302 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (303) (emerging-rbn-BLOCK.rules) 2407303 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (304) (emerging-rbn-BLOCK.rules) [///] Modified active rules: [///] 2008759 - ET MALWARE Matcash Trojan Related Spyware Code Download (emerging-malware.rules) 2009125 - ET TROJAN Trojan.Win32.Inject.esi Outbound Communication (emerging-virus.rules) 2009160 - ET WEB_ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite (emerging-web.rules) 2009161 - ET WEB_ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite (emerging-web.rules) 2009162 - ET WEB_ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite (emerging-web.rules) 2009163 - ET WEB_SPECIFIC GBook header.php abspath Parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009164 - ET WEB_SPECIFIC openEngine filepool.php oe_classpath parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009165 - ET WEB_SPECIFIC Barcode Generator LSTable.php class_dir parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009166 - ET WEB_SPECIFIC Concord Consortium CoAST header.php sections_file parameter remote file inclusion (emerging-web_sql_injection.rules) 2009167 - ET WEB_SPECIFIC AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion (emerging-web_sql_injection.rules) 2009168 - ET WEB_SPECIFIC Papoo CMS message_class.php pfadhier Local File Inclusion (emerging-web_sql_injection.rules) 2009169 - ET WEB_SPECIFIC Thyme export.php export_to Parameter Local File Inclusion (emerging-web_sql_injection.rules) 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400003 - ET 
DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules) 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules) 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules) 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules) 2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules) 2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules) 2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules) 2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules) 2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules) 2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules) 2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules) 2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules) 2404008 - ET DROP 
Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules) 2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules) 2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules) 2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules) 2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules) 2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules) 2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules) 2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules) 2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules) 2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules) 2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules) 2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules) 2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules) 2404021 - ET DROP Known Bot C&C Server Traffic (group 22) (emerging-botcc.rules) 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405009 - 
ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules) 2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules) 2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules) 2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules) 2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules) 2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules) 2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules) 2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules) 2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules) 2406008 
- ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules) 2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules) 2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules) 2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules) 2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules) 2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules) 2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules) 2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules) 2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules) 2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules) 2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules) 2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules) 2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules) 2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules) 2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules) 2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules) 2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules) 2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules) 2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules) 2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules) 2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules) 2406029 - ET RBN Known Russian Business Network Monitored Domains (30) 
(emerging-rbn.rules) 2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules) 2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules) 2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules) 2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules) 2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules) 2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules) 2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules) 2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules) 2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules) 2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules) 2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules) 2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules) 2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules) 2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules) 2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules) 2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules) 2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules) 2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules) 2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules) 2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules) 2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules) 2406051 - ET RBN Known Russian Business 
Network Monitored Domains (52) (emerging-rbn.rules) 2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules) 2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules) 2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules) 2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules) 2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules) 2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules) 2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules) 2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules) 2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules) 2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules) 2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules) 2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules) 2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules) 2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules) 2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules) 2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules) 2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules) 2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules) 2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules) 2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules) 2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules) 2406073 - ET 
RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules) 2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules) 2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules) 2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules) 2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules) 2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules) 2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules) 2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules) 2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules) 2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules) 2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules) 2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules) 2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules) 2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules) 2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules) 2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules) 2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules) 2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules) 2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules) 2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules) 2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules) 2406094 - ET RBN Known Russian Business Network Monitored Domains (95) 
(emerging-rbn.rules) 2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules) 2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules) 2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules) 2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules) 2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules) 2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules) 2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules) 2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules) 2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules) 2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules) 2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules) 2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules) 2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules) 2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules) 2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules) 2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules) 2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules) 2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules) 2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules) 2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules) 2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules) 2406116 - ET RBN Known 
(emerging-rbn-BLOCK.rules) 2407231 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (232) (emerging-rbn-BLOCK.rules) 2407232 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (233) (emerging-rbn-BLOCK.rules) 2407233 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (234) (emerging-rbn-BLOCK.rules) 2407234 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (235) (emerging-rbn-BLOCK.rules) 2407235 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (236) (emerging-rbn-BLOCK.rules) 2407236 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (237) (emerging-rbn-BLOCK.rules) 2407237 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (238) (emerging-rbn-BLOCK.rules) 2407238 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (239) (emerging-rbn-BLOCK.rules) 2407239 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (240) (emerging-rbn-BLOCK.rules) 2407240 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (241) (emerging-rbn-BLOCK.rules) 2407241 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (242) (emerging-rbn-BLOCK.rules) 2407242 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (243) (emerging-rbn-BLOCK.rules) 2407243 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (244) (emerging-rbn-BLOCK.rules) 2407244 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (245) (emerging-rbn-BLOCK.rules) 2407245 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (246) (emerging-rbn-BLOCK.rules) 2407246 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (247) (emerging-rbn-BLOCK.rules) 2407247 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (248) (emerging-rbn-BLOCK.rules) 2407248 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (249) 
(emerging-rbn-BLOCK.rules) 2407249 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (250) (emerging-rbn-BLOCK.rules) 2407250 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (251) (emerging-rbn-BLOCK.rules) 2407251 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (252) (emerging-rbn-BLOCK.rules) 2407252 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (253) (emerging-rbn-BLOCK.rules) 2407253 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (254) (emerging-rbn-BLOCK.rules) 2407254 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (255) (emerging-rbn-BLOCK.rules) 2407255 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (256) (emerging-rbn-BLOCK.rules) 2407256 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (257) (emerging-rbn-BLOCK.rules) 2407257 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (258) (emerging-rbn-BLOCK.rules) 2407258 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (259) (emerging-rbn-BLOCK.rules) 2407259 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (260) (emerging-rbn-BLOCK.rules) 2407260 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (261) (emerging-rbn-BLOCK.rules) 2407261 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (262) (emerging-rbn-BLOCK.rules) 2407262 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (263) (emerging-rbn-BLOCK.rules) 2407263 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (264) (emerging-rbn-BLOCK.rules) 2407264 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (265) (emerging-rbn-BLOCK.rules) 2407265 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (266) (emerging-rbn-BLOCK.rules) 2407266 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (267) 
(emerging-rbn-BLOCK.rules) 2407267 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (268) (emerging-rbn-BLOCK.rules) 2407268 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (269) (emerging-rbn-BLOCK.rules) 2407269 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (270) (emerging-rbn-BLOCK.rules) 2407270 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (271) (emerging-rbn-BLOCK.rules) 2407271 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (272) (emerging-rbn-BLOCK.rules) 2407272 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (273) (emerging-rbn-BLOCK.rules) 2407273 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (274) (emerging-rbn-BLOCK.rules) 2407274 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (275) (emerging-rbn-BLOCK.rules) 2407275 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (276) (emerging-rbn-BLOCK.rules) 2407276 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (277) (emerging-rbn-BLOCK.rules) 2407277 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (278) (emerging-rbn-BLOCK.rules) 2407278 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (279) (emerging-rbn-BLOCK.rules) 2407279 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (280) (emerging-rbn-BLOCK.rules) 2407280 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (281) (emerging-rbn-BLOCK.rules) 2407281 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (282) (emerging-rbn-BLOCK.rules) 2407282 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (283) (emerging-rbn-BLOCK.rules) 2407283 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (284) (emerging-rbn-BLOCK.rules) 2407284 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (285) 
(emerging-rbn-BLOCK.rules) 2407285 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (286) (emerging-rbn-BLOCK.rules) 2407286 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (287) (emerging-rbn-BLOCK.rules) 2407287 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (288) (emerging-rbn-BLOCK.rules) 2407288 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (289) (emerging-rbn-BLOCK.rules) 2407289 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (290) (emerging-rbn-BLOCK.rules) 2407290 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (291) (emerging-rbn-BLOCK.rules) 2407291 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (292) (emerging-rbn-BLOCK.rules) 2407292 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (293) (emerging-rbn-BLOCK.rules) 2407293 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (294) (emerging-rbn-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1499 # Generated 2009-04-04 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1499 # Generated 2009-04-04 00:03:02 EDT -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 121 # Updated 2009-03-29 13:37:05 -> Added to emerging-rbn.rules (2): # VERSION 121 # Updated 2009-03-29 13:37:05 -> Added to emerging-sid-msg.map (88): 2009160 || ET WEB_ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_GeoVision || url,doc.emergingthreats.net/2009160 || url,milw0rm.com/exploits/8059 2009161 || ET WEB_ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_GeoVision || url,doc.emergingthreats.net/2009161 || url,milw0rm.com/exploits/8059 || url,xforce.iss.net/xforce/xfdb/48773 2009162 || ET WEB_ACTIVEX GeoVision LiveX_v8120 
ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_GeoVision || url,doc.emergingthreats.net/2009162 || url,milw0rm.com/exploits/8059 || url,xforce.iss.net/xforce/xfdb/48773 2009163 || ET WEB_SPECIFIC GBook header.php abspath Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_GBook || url,doc.emergingthreats.net/2009163 || url,milw0rm.com/exploits/7955 || url,secunia.com/advisories/33768/ 2009164 || ET WEB_SPECIFIC openEngine filepool.php oe_classpath parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_OpenEngine || url,doc.emergingthreats.net/2009164 || url,milw0rm.com/exploits/6585 || bugtraq,31423 2009165 || ET WEB_SPECIFIC Barcode Generator LSTable.php class_dir parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BarcodeGenerator || url,doc.emergingthreats.net/2009165 || url,milw0rm.com/exploits/6575 || bugtraq,31419 2009166 || ET WEB_SPECIFIC Concord Consortium CoAST header.php sections_file parameter remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Concord_Consortium || url,doc.emergingthreats.net/2009166 || url,milw0rm.com/exploits/6598 || bugtraq,31461 2009167 || ET WEB_SPECIFIC AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AdaptCMS || url,doc.emergingthreats.net/2009167 || bugtraq,33698 || url,milw0rm.com/exploits/8016 2009168 || ET WEB_SPECIFIC Papoo CMS message_class.php pfadhier Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Papoo || url,doc.emergingthreats.net/2009168 || url,milw0rm.com/exploits/8030 || bugtraq,33718 2009169 || ET WEB_SPECIFIC Thyme export.php export_to Parameter Local File Inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Thyme || url,doc.emergingthreats.net/2009169 || url,milw0rm.com/exploits/8029 || bugtraq,33731 2009170 || ET CURRENT_EVENTS Psyb0t Code Download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot || url,doc.emergingthreats.net/2009170 || url,www.adam.com.au/bogaurd/PSYB0T.pdf 2009171 || ET CURRENT_EVENTS Psyb0t Bot Nick || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot || url,doc.emergingthreats.net/2009171 || url,www.adam.com.au/bogaurd/PSYB0T.pdf 2009172 || ET CURRENT_EVENTS Psyb0t joining an IRC Channel || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot || url,doc.emergingthreats.net/2009172 || url,www.adam.com.au/bogaurd/PSYB0T.pdf 2009173 || ET TROJAN Possible Vundo Trojan Variant reporting to Controller || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo || url,doc.emergingthreats.net/2009173 2009174 || ET TROJAN Possible Vundo EXE Download Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo || url,doc.emergingthreats.net/2009174 2009175 || ET TROJAN Zbot/Zeus C&C Access || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009175 2009176 || ET CURRENT_EVENTS Malware Communication with Control Servers (Possible GhostNet Related Activity) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ghostnet || url,doc.emergingthreats.net/2009176 || url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network 2009178 || ET WEB_ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Nokia_Phoenix || url,doc.emergingthreats.net/2009178 || bugtraq,33726 2009179 || ET WEB_SPECIFIC SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Snippetmaster || url,doc.emergingthreats.net/2009179 || url,milw0rm.com/exploits/8017 || url,secunia.com/advisories/33865/ 2009180 || ET WEB_SPECIFIC SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Snippetmaster || url,doc.emergingthreats.net/2009180 || url,milw0rm.com/exploits/8017 || url,secunia.com/advisories/33865/ 2009181 || ET WEB_SPECIFIC SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Snippetmaster || url,doc.emergingthreats.net/2009181 || url,milw0rm.com/exploits/8017 || url,secunia.com/advisories/33865/ 2009182 || ET WEB_SPECIFIC SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Snippetmaster || url,doc.emergingthreats.net/2009182 || url,milw0rm.com/exploits/8017 || url,secunia.com/advisories/33865/ 2009184 || ET WEB_ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_FathFTP || url,doc.emergingthreats.net/2009184 || url,xforce.iss.net/xforce/xfdb/48837 || bugtraq,33842 2009185 || ET WEB_SPECIFIC A Better Member-Based ASP Photo Gallery view.asp entry parameter SQL injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_A_Better_Gallery || url,doc.emergingthreats.net/2009185 || url,milw0rm.com/exploits/8012 || bugtraq,33693 2009186 || ET WEB_SPECIFIC Auto Listings Script moreinfo.php itemno Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Auto_Listings || url,doc.emergingthreats.net/2009186 || url,milw0rm.com/exploits/7003 || bugtraq,32131 2009187 || ET WEB_ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_iDefense_COMRaider || url,doc.emergingthreats.net/2009187 || bugtraq,33942 || bugtraq,33867 2009188 || ET WEB_SPECIFIC gapicms toolbar.php dirDepth Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_gapicms || url,doc.emergingthreats.net/2009188 || url,milw0rm.com/exploits/6036 || url,vupen.com/english/advisories/2008/2059 2009190 || ET WEB_SPECIFIC YACS update_trailer.php context Parameter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_YACS || url,doc.emergingthreats.net/2009190 || url,secunia.com/advisories/33959/ || url,milw0rm.com/exploits/8066 2009191 || ET WEB_SPECIFIC YACS update_trailer.php context Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_YACS || url,doc.emergingthreats.net/2009191 || url,secunia.com/advisories/33959/ || url,milw0rm.com/exploits/8066 2009192 || ET WEB_SPECIFIC CMS Faethon info.php item Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_CMS_Faethon || url,doc.emergingthreats.net/2009192 || url,milw0rm.com/exploits/8054 || bugtraq,33775 2009194 || ET WEB_SPECIFIC X7 Chat mini.php help_file Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_X7_Chat || url,doc.emergingthreats.net/2009194 || bugtraq,31460 || url,milw0rm.com/exploits/6592 2009195 || ET WEB_SPECIFIC Basebuilder main.inc.php mj_config Parameter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Basebuilder || url,doc.emergingthreats.net/2009195 || url,milw0rm.com/exploits/6533 || url,secunia.com/advisories/31947/ 2009196 || ET WEB_SPECIFIC Basebuilder main.inc.php mj_config Parameter Remote File inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Basebuilder || 
url,doc.emergingthreats.net/2009196 || url,milw0rm.com/exploits/6533 || url,secunia.com/advisories/31947/ 2009198 || ET WEB_SPECIFIC Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Kalptaru || url,doc.emergingthreats.net/2009198 || url,milw0rm.com/exploits/7368 || bugtraq,32672 || cve,2008-5590 2009199 || ET WEB_SPECIFIC Script Toko Online shop_display_products.php cat_id Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Toko || url,doc.emergingthreats.net/2009199 || url,milw0rm.com/exploits/7873 || url,secunia.com/advisories/33661/ || cve,CVE-2009-0296 2009200 || ET CURRENT_EVENTS Conficker.a Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009200 || url,www.honeynet.org/node/388 2009201 || ET CURRENT_EVENTS Conficker.b Shellcode || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,doc.emergingthreats.net/2009201 || url,www.honeynet.org/node/388 2009202 || ET CURRENT_EVENTS GhostNet Trojan Reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ghostnet || url,doc.emergingthreats.net/2009202 || url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network 2009203 || ET TROJAN Alman Dropper Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Alman || url,doc.emergingthreats.net/2009203 2009204 || ET TROJAN Crypt.CFI.Gen Checkin || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Crypt || url,doc.emergingthreats.net/2009204 2009205 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,doc.emergingthreats.net/2009205 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || 
url,mtc.sri.com/Conficker/addendumC/ 2009206 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,doc.emergingthreats.net/2009206 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/ 2009207 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,doc.emergingthreats.net/2009207 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/ 2009208 || ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,doc.emergingthreats.net/2009208 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker || url,mtc.sri.com/Conficker/addendumC/ 2404022 || ET DROP Known Bot C&C Server Traffic (group 23) || url,www.shadowserver.org 2405022 || ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE || url,www.shadowserver.org 2406294 || ET RBN Known Russian Business Network Monitored Domains (295) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406295 || ET RBN Known Russian Business Network Monitored Domains (296) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406296 || ET RBN Known Russian Business Network Monitored Domains (297) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406297 || ET RBN Known Russian Business Network Monitored Domains (298) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406298 || ET RBN Known Russian Business Network Monitored Domains (299) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406299 || ET RBN Known Russian Business Network Monitored Domains (300) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406300 || ET RBN Known Russian Business Network Monitored Domains (301) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406301 || ET RBN Known Russian Business Network Monitored Domains (302) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406302 || ET RBN Known Russian Business Network Monitored Domains (303) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406303 || ET RBN Known Russian Business Network Monitored Domains (304) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407294 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (295) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407295 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (296) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407296 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (297) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407297 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (298) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407298 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (299) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407299 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (300) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407300 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (301) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407301 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (302) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407302 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (303) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407303 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (304) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500142 || ET COMPROMISED Known Compromised or Hostile Host Traffic (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500143 || ET COMPROMISED Known Compromised or Hostile Host Traffic (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500144 || ET COMPROMISED Known Compromised or Hostile Host Traffic (145) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500145 || ET COMPROMISED Known Compromised or Hostile Host Traffic (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500146 || ET COMPROMISED Known Compromised or Hostile Host Traffic (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500147 || ET COMPROMISED Known Compromised or Hostile Host Traffic (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500148 || ET COMPROMISED Known Compromised or Hostile Host Traffic (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500149 || ET COMPROMISED Known Compromised or Hostile Host Traffic (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500150 || ET COMPROMISED Known Compromised or Hostile Host Traffic (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500151 || ET COMPROMISED Known Compromised or Hostile Host Traffic (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500152 || ET COMPROMISED Known Compromised or Hostile Host Traffic (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510142 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (143) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510143 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (144) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510144 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (145) || 
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510145 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (146) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510146 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (147) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510147 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (148) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510148 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (149) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510149 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (150) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510150 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (151) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510151 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (152) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510152 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (153) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (88): 2009160 || ET WEB_ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_GeoVision || url,doc.emergingthreats.net/2009160 || url,milw0rm.com/exploits/8059 2009161 || ET WEB_ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_GeoVision || url,doc.emergingthreats.net/2009161 || url,milw0rm.com/exploits/8059 || url,xforce.iss.net/xforce/xfdb/48773 2009162 || ET WEB_ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_GeoVision || url,doc.emergingthreats.net/2009162 || 
-> Added to emerging-virus.rules (3):
#by Nathaniel Richmond
# Since it's a POST, there shouldn't be many false positives
#by Jaime Blasco

-> Added to emerging.rules (4):
#by Tillman Werner
#by Martin Holste
##Jaime Blasco Alienvault VRT
#PSYB0T related Activity

[---] Removed non-rule lines: [---]

-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1492
# Generated 2009-03-28 00:03:02 EDT

-> Removed from emerging-drop.rules (2):
# VERSION 1492
# Generated 2009-03-28 00:03:02 EDT

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 120
# Updated 2009-03-26 09:42:14

-> Removed from emerging-rbn.rules (2):
# VERSION 120
# Updated 2009-03-26 09:42:14

-> Removed from emerging-sid-msg.map (10):

-> Removed from emerging-sid-msg.map.txt (10):

From randy at procyonlabs.com Sun Apr 5 00:30:52 2009
From: randy at procyonlabs.com (Randal T. Rioux)
Date: Sun, 5 Apr 2009 01:30:52 -0400 (EDT)
Subject: [Emerging-Sigs] urilen more 2.8 rules?
In-Reply-To: <49D267DB.9030705@jonkmans.com>
References: <49D1FAF1.7010508@secnap.net> <20090331114904.2C306A402B@medusa.richmond-family.org> <20090331131027.94ABDA402B@medusa.richmond-family.org> <49D267DB.9030705@jonkmans.com>
Message-ID: <32cd3585191dea76b2ad1c5b1809b1f9.squirrel@192.168.3.2>

Stick with 2.8 rules. I think giving folks a year to upgrade is more than generous.

As for the multiple sensor configs issue from this thread, I'd say that rsync is your friend. NFS can be troublesome if there were internal or cross-sensor (depending on deployment method) connection drops.

Randy

On Tue, March 31, 2009 2:58 pm, Matt Jonkman wrote:
> I'm not one to force folks to upgrade, although I'd certainly recommend
> it.
>
> But making a multiple set of rulesets brings in a significantly higher
> complexity of backend management, and with that a much higher likelihood
> of ruleset errors. And we all know I put enough errors in on my own,
> another source scares me....
>
> What we could do in the shorter term would be to publish a list of sid's
> that are NOT 2.6 compatible for folks that need it, and where possible
> an alternative rule. Would that be a reasonable solution?
>
> Matt
>
> Nathaniel Richmond wrote:
>> According to the changelog, urilen was added 2006-01-19. It hardly
>> seems like a stretch to expect people to run a more recent version,
>> but maybe I'm just a hopeless optimist.
>>
>> http://snort.org/docs/change_logs/2.8.3.2/ChangeLog.txt
>>
>> * src/detection-plugins/sp_urilen_check.h:
>> Modularized ASN1 detection code.
>> Added URI Length check rule keyword. Thanks to Chris Sherwin
>> for the new functionality.
>>
>> Joel Esler wrote:
>>> It might be necessary for Emerging to maintain different versions of
>>> the ruleset, much as VRT does.
>>>
>>> J
>>>
>>> On Tue, Mar 31, 2009 at 7:13 AM, Michael Scheidell
>>> wrote:
>>>> more 2.8 rules?
>>>>
>>>> Mar 31 06:11:30 peoples2 snort[46984]: FATAL ERROR: Warning:
>>>> rules/emerging-virus.rules(1861) => Unknown keyword ' urilen' in
>>>> rule!
>>>>
>>>> sid:2009173; rev:2;)
>>>>
>>>> --
>>>> Michael Scheidell, CTO
>>>> Phone: 561-999-5000, x 1259
>>>>> | SECNAP Network Security Corporation
>>>> Certified SNORT Integrator
>>>> 2009 Hot Company Award Finalist, World Executive Alliance
>>>> Five-Star Partner Program 2009, VARBusiness
>>>> Best Anti-Spam Product 2008, Network Products Guide
>>>> King of Spam Filters, SC Magazine 2008
>>>
>>> --
>>> joel esler | sourcefire | gtalk: jesler at sourcefire.com |
>>> 302-223-5974

From emerging at emergingthreats.net Sun Apr 5 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sun, 5 Apr 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090405200011.4DE574501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sun Apr 5 16:00:11 2009 [***]

[*] Rules modifications: [*]
None.
[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (20):

-> Added to emerging-sid-msg.map.txt (20):

From eslerj at gmail.com Sun Apr 5 17:48:20 2009
From: eslerj at gmail.com (Joel Esler)
Date: Sun, 5 Apr 2009 17:48:20 -0400
Subject: [Emerging-Sigs] conficker
In-Reply-To:
<314cf0830904041310qe25a204ie697e1210c223efa@mail.gmail.com>
References: <49D66663.1020803@jonkmans.com> <53834cf20904031258m68e271fub657fbd3bd53447d@mail.gmail.com> <314cf0830904041310qe25a204ie697e1210c223efa@mail.gmail.com>
Message-ID: <314cf0830904051448ge8b201cs32b54a4fa952b0bf@mail.gmail.com>

I had a question offline about why these are SO rules, and why aren't they open?

My answer --

---
They are open. SO does not mean "closed source", it means "C" rule. "Precompiled" means "closed source".
----

Just because a rule is released as "SO" does not mean that it is closed source. Some of the SO rules that are in the standard ruleset *are* in fact open. Look at the SO rules that are not in the precompiled directory. These rules are not closed source.

The precompiled rules that are released on a monthly basis are because of the MAPP program:
http://www.microsoft.com/security/msrc/mapp/overview.mspx
of which Sourcefire is a partner:
http://www.microsoft.com/security/msrc/mapp/partners.mspx

These rules are merely a re-write of a preprocessor that was submitted to the VRT by SRI. The blog post points this out; the rules are also open source and licensed under the GPL, as the license is included in the tarball.

Joel

On Sat, Apr 4, 2009 at 4:10 PM, Joel Esler wrote:
> http://vrt-sourcefire.blogspot.com/2009/04/new-so-rules-for-confickerc-p2p.html
>
> Joel
>
> On Fri, Apr 3, 2009 at 8:12 PM, Greg Martin wrote:
>> These signatures have been falsing on VPN traffic, anyone have a pcap of the
>> p2p traffic they care to share?
>>
>> Thanks,
>>
>> Greg
>>
>> -----Original Message-----
>> From: emerging-sigs-bounces at emergingthreats.net on behalf of Shirk Dog
>> Sent: Fri 4/3/2009 7:09 PM
>> To: emerging-sigs at emergingthreats.net
>> Subject: Re: [Emerging-Sigs] conficker
>>
>> If you received positive matches on these UDP sigs, do you have any other
>> network data coming from the compromised hosts?
>>
>> Shirkdog
>> Free your mind...
>> http://www.shirkdog.us
>>
>> Date: Fri, 3 Apr 2009 21:58:46 +0200
>> From: jaime.blasco at alienvault.com
>> To: jonkman at jonkmans.com
>> CC: emerging-sigs at emergingthreats.net
>> Subject: Re: [Emerging-Sigs] conficker
>>
>> I've positive matches too.
>>
>> Regards
>>
>> 2009/4/3 Matt Jonkman
>>
>>> I went ahead and posted these. I've had positive feedback on accuracy.
>>>
>>> Please let us all know if anyone sees false positive issues.
>>>
>>> Matt
>>>
>>> David Glosser wrote:
>>>> can any information from the following be useful in creating conficker P2P
>>>> sig?
>>>>
>>>> https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
>>
>> --
>> _______________________________
>>
>> Jaime Blasco
>>
>> www.ossim.com
>> www.alienvault.com
>>
>> Email: jaime.blasco at alienvault.com
>>
>> _________________________________________________________________
>> Windows Live™: Keep your life in sync.
>> http://windowslive.com/explore?ocid=TXT_TAGLM_WL_allup_1a_explore_042009
>
> --
> joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From nate+emerging at richmond-family.org Sun Apr 5 18:44:22 2009
From: nate+emerging at richmond-family.org (Nathaniel Richmond)
Date: Sun, 5 Apr 2009 18:44:22 -0400 (EDT)
Subject: [Emerging-Sigs] Fake/rogue antivirus
Message-ID: <20090405224422.6DAAFA4055@medusa.richmond-family.org>

If it's useful:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL RULES Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?campaign="; uricontent:"&country="; uricontent:"&counter="; uricontent:"&campaign="; uricontent:"&landid="; classtype: trojan-activity; sid:1000052; rev:1;)

Most of these sites have been triggering "ET MALWARE Possible Windows executable sent when remote host claims to send FOO", but this traffic has not. I've seen it on a couple different fake A/V domains serving a couple different binaries.

http://www.virustotal.com/analisis/4fa405d90b32f6f2141b0aa38963859a
http://www.virustotal.com/analisis/66ab3fff0ced325783a6a69e0cd6d73e

From mgraham at cj.k12.mo.us Sun Apr 5 20:07:46 2009
From: mgraham at cj.k12.mo.us (Marshal Graham)
Date: Sun, 5 Apr 2009 19:07:46 -0500
Subject: [Emerging-Sigs] false positive on 1:2008803:3
Message-ID: <24599F2B10F4184EA410D1F75C3A957761399C3FF9@cjsrv21.cj.k12.mo.us>

I only recently discovered the Emerging Threats site and rules. I'm not sure this is the right place to report this. I've been testing the ET rules at home on my cable modem and I discovered that 1:2008803:3 is falsely identifying dyndns updates by my DD-WRT based router.
Thanks for the good work.

Marshal

From thierry.chich at ac-clermont.fr Mon Apr 6 03:29:23 2009 From: thierry.chich at ac-clermont.fr (Thierry CHICH) Date: Mon, 6 Apr 2009 09:29:23 +0200 Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encrypted traffic Message-ID: <200904060929.23808.thierry.chich@ac-clermont.fr> Hi, I have a lot of false positives for these rules. It is hit by a lot of traffic, it seems (cacti, skype, ...). It will be very difficult to use, I am afraid. -- Thierry CHICH Equipe Réseaux / Rectorat de Clermont-Ferrand

From emerging at cyclohexane.net Mon Apr 6 04:29:20 2009 From: emerging at cyclohexane.net (James) Date: Mon, 6 Apr 2009 09:29:20 +0100 Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic In-Reply-To: <200904060929.23808.thierry.chich@ac-clermont.fr> References: <200904060929.23808.thierry.chich@ac-clermont.fr> Message-ID: I too am getting hundreds of hits on these. It's possible they really are all infected, but unlikely I think. I've only just got in, but one machine doesn't run Windows. First impression is Bittorrent may be the traffic triggering them. James -----Original Message----- From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Thierry CHICH Sent: Monday, April 06, 2009 8:29 AM To: emerging-sigs at emergingthreats.net Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic Hi, I have a lot of false positives for these rules. It is hit by a lot of traffic, it seems (cacti, skype, ...). It will be very difficult to use, I am afraid.
-- Thierry CHICH Equipe Réseaux / Rectorat de Clermont-Ferrand _______________________________________________ Emerging-sigs mailing list Emerging-sigs at emergingthreats.net http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From mcholste at gmail.com Mon Apr 6 10:19:42 2009 From: mcholste at gmail.com (Martin Holste) Date: Mon, 6 Apr 2009 09:19:42 -0500 Subject: [Emerging-Sigs] Fake/rogue antivirus In-Reply-To: <20090405224422.6DAAFA4055@medusa.richmond-family.org> References: <20090405224422.6DAAFA4055@medusa.richmond-family.org> Message-ID: I too have been seeing the request param "landid" in a lot of these campaigns, so this should work well. Tangentially, I finally did some quick ruleperf tests on my theory that any time we use uricontent it is slower to also include a content match on GET, and I was correct. Running uricontent rules without the GET check cuts the total number of checks in half and shaves the total microseconds by more than two thirds on my test pcap. This is because having the GET content check forces a check on all non-HTTP traffic as well, even though the presence of a uricontent check means that it is impossible to get a hit. Obviously, the performance gains will vary with the traffic, but there will always be at least some gain by removing the check. Therefore, I propose removing GET content checks anywhere we're not explicitly trying to rule out POSTs (or other options).
Thanks, Martin On Sun, Apr 5, 2009 at 5:44 PM, Nathaniel Richmond < nate+emerging at richmond-family.org >wrote: > If it's useful: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL > RULES Rogue A/V Win32/FakeXPA GET Request"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"?campaign="; uricontent:"&country="; > uricontent:"&counter="; uricontent:"&campaign="; > uricontent:"&landid="; classtype: trojan-activity; sid:1000052; > rev:1;) > > Most of these sites have been triggering "ET MALWARE Possible > Windows executable sent when remote host claims to send FOO", but > this traffic has not. I've seen it on a couple different fake A/V > domains serving a couple different binaries. > > http://www.virustotal.com/analisis/4fa405d90b32f6f2141b0aa38963859a > http://www.virustotal.com/analisis/66ab3fff0ced325783a6a69e0cd6d73e > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090406/ffdadb0d/attachment-0001.html From nate+emerging at richmond-family.org Mon Apr 6 10:56:26 2009 From: nate+emerging at richmond-family.org (Nathaniel Richmond) Date: Mon, 6 Apr 2009 10:56:26 -0400 (EDT) Subject: [Emerging-Sigs] Fake/rogue antivirus In-Reply-To: <20090406142047.30FFFA405A@medusa.richmond-family.org> References: <20090405224422.6DAAFA4055@medusa.richmond-family.org> <20090406142047.30FFFA405A@medusa.richmond-family.org> Message-ID: <20090406145626.2A4B0A402B@medusa.richmond-family.org> Martin Holste wrote: > I too have been seeing the request param "landid" in a lot of these > campaigns, so this should work well. > Although probably not needed, I just realized that I did not use 'nocase' for each 'uricontent'. 
I know a lot of people prefer to use nocase as a default unless it causes too many alerts on non-malicious traffic. > Tangentially, I finally did some quick ruleperf tests on my theory > that any > time we use uricontent it is slower to also include a content match > on GET, > and I was correct. Running uricontent rules without the GET check > cuts the > total number of checks in half and shaves the total microseconds by > more > than two thirds on my test pcap. This is because having the GET > content > check forces a check on all non-HTTP traffic as well, even though > the > presence of a uricontent check means that it is impossible to get a > hit. This is good information. Did you test with rules that use $HTTP_PORTS? Do you get the same kind of results with less common methods like POST? > Obviously, the performance gains will vary with the traffic, but > there will > always be at least some gain by removing the check. Therefore, I > propose > removing GET content checks anywhere we're not explicitly trying to > rule out > POSTs (or other options). It makes sense and HTTP traffic is definitely performance-intensive. I'm all for anything that lowers the performance overhead.

From gregm at econet.com Mon Apr 6 11:34:22 2009 From: gregm at econet.com (Greg Martin) Date: Mon, 6 Apr 2009 10:34:22 -0500 Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow Message-ID: Feedback and testing appreciated.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:"POST"; nocase; uricontent:"/index.jsp?|3b|JSESSIONID="; nocase; content:"Content-Length\: 81"; nocase; content:"|35 44 38 45 51 4b 5a 4c 4b 50 4a 45 48 4c|"; reference:url,infosec20.blogspot.com; classtype:web-application-attack; sid:300999; rev:1;)

Thanks, -Greg -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090406/8f7d952d/attachment.html From jonkman at jonkmans.com Mon Apr 6 11:44:55 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 06 Apr 2009 11:44:55 -0400 Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic In-Reply-To: References: <200904060929.23808.thierry.chich@ac-clermont.fr> Message-ID: <49DA2377.9000503@jonkmans.com> I agree. I'm getting verified false positives as well. I think we ought to drop these in the face of the SO rules and the preprocessor available from SRI. Those are available here: Preprocessor: http://mtc.sri.com/Conficker/contrib/plugin.html SO Version: http://www.snort.org/vrt/tools/conficker-so-rules.tar.gz Conficker C Network Scanner: Source Code: http://mtc.sri.com/Conficker/contrib/scanner.html Kudos to SRI for decoding and building the preprocessor, and to Sourcefire for converting that into SO rules. Anyone object to us dropping ours in favor of those? Matt James wrote: > I too am getting hundreds of hits on these. It's possible they really are > all infected, but unlikely I think. I've only just got in, but one machine > doesn't run Windows. First impression is Bittorrent may be the traffic > triggering them. > > James > > -----Original Message----- > From: emerging-sigs-bounces at emergingthreats.net > [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Thierry > CHICH > Sent: Monday, April 06, 2009 8:29 AM > To: emerging-sigs at emergingthreats.net > Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P > encryptedtraffic > > Hi > > I have a lot of false positives for these rules. It is hit by a lot of > traffic, it seems (cacti, skype, ...) It will be very difficult to use, I am > afraid. 
> > -- > Thierry CHICH > Equipe Réseaux / Rectorat de Clermont-Ferrand > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc

From eslerj at gmail.com Mon Apr 6 12:05:15 2009 From: eslerj at gmail.com (Joel Esler) Date: Mon, 6 Apr 2009 12:05:15 -0400 Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic In-Reply-To: <49DA2377.9000503@jonkmans.com> References: <200904060929.23808.thierry.chich@ac-clermont.fr> <49DA2377.9000503@jonkmans.com> Message-ID: <314cf0830904060905g5c87634ct1d61e32cc7444449@mail.gmail.com> Just to clarify, you should use either/or, not both, as they do the same thing. (Matt, I read your second sentence to mean that you should do both.) The SO rule is much easier to put into production, btw. J On Mon, Apr 6, 2009 at 11:44 AM, Matt Jonkman wrote: > I agree. I'm getting verified false positives as well. > > I think we ought to drop these in the face of the SO rules and the > preprocessor available from SRI. Those are available here: > > > Preprocessor: http://mtc.sri.com/Conficker/contrib/plugin.html > SO Version: http://www.snort.org/vrt/tools/conficker-so-rules.tar.gz > > > Conficker C Network Scanner: > Source Code: http://mtc.sri.com/Conficker/contrib/scanner.html > > > Kudos to SRI for decoding and building the preprocessor, and to > Sourcefire for converting that into SO rules. > > Anyone object to us dropping ours in favor of those?
> > Matt > > James wrote: >> I too am getting hundreds of hits on these. It's possible they really are >> all infected, but unlikely I think. I've only just got in, but one machine >> doesn't run Windows. First impression is Bittorrent may be the traffic >> triggering them. >> >> James >> >> -----Original Message----- >> From: emerging-sigs-bounces at emergingthreats.net >> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Thierry >> CHICH >> Sent: Monday, April 06, 2009 8:29 AM >> To: emerging-sigs at emergingthreats.net >> Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P >> encryptedtraffic >> >> Hi >> >> I have a lot of false positives for these rules. It is hit by a lot of >> traffic, it seems (cacti, skype, ...) It will be very difficult to use, I am >> afraid. >> >> -- >> Thierry CHICH >> Equipe Réseaux / Rectorat de Clermont-Ferrand >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > -- joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From mcholste at gmail.com Mon Apr 6 12:05:38 2009 From: mcholste at gmail.com (Martin Holste) Date: Mon, 6 Apr 2009 11:05:38 -0500 Subject: [Emerging-Sigs] Fwd: Fake/rogue antivirus In-Reply-To: <20090406155402.50818A405A@medusa.richmond-family.org> References: <20090405224422.6DAAFA4055@medusa.richmond-family.org> <20090406142047.30FFFA405A@medusa.richmond-family.org> <20090406145626.2A4B0A402B@medusa.richmond-family.org> <20090406152347.7710BA403A@medusa.richmond-family.org> <20090406155402.50818A405A@medusa.richmond-family.org> Message-ID: Oops, forgot to reply-all when responding to Nathaniel: ---------- Forwarded message ---------- From: Nathaniel Richmond > Date: Mon, Apr 6, 2009 at 10:54 AM Subject: Re: [Emerging-Sigs] Fake/rogue antivirus To: Martin Holste Don't know if you meant to, so feel free to fwd this response if you meant to CC the list. Martin Holste wrote: > I think that nocase would be appropriate here, and yes, we have > historically > added that to rules like these. However, I did another test run > with a > given rule, and then a nocase'd version of it, and it looks like > nocase adds > about 20% overhead onto the rule. So, I am curious, what are the > chances of > the bad guys expending effort to change the case of the URI versus > the > chances of them changing the URI altogether? For that matter, is > there any > evidence that they're even paying attention to our rulesets? So > while we > can all agree that nocase adds coverage, it also significantly > impacts > overall rule performance. Is it worth it? I seem to recall some previous commentary about the bad guys monitoring rules, but I may be mistaken. I'm sure the answer is that some do, some don't. It may not be worth the effort for some while those trying to stay really under the radar obviously may put in extra effort. It is so easy to avoid triggering a rule like this through other means that I think nocase is not worth the performance hit. > > My rules did use HTTP_PORTS and had about equal non-HTTP traffic. > Changing > the GET to POST showed that what used to take about 12 ticks/check > dropped > to 3 ticks/check to rule out traffic.
This makes sense since the > engine > only has to inspect the first 5 bytes of the payload and can quickly > toss > the packet in the "no" pile. So, that is an important factor, > because it > shows that there is a big gain by having a content check rule out > packets it > would otherwise have to inspect more thoroughly. In the case of > GET, > though, since most HTTP requests are GET, it detracts from > performance. > > --Martin Good explanation, thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090406/26879b83/attachment.html From gregm at econet.com Mon Apr 6 12:20:04 2009 From: gregm at econet.com (Greg Martin) Date: Mon, 6 Apr 2009 11:20:04 -0500 Subject: [Emerging-Sigs] conficker References: <49D66663.1020803@jonkmans.com><53834cf20904031258m68e271fub657fbd3bd53447d@mail.gmail.com><314cf0830904041310qe25a204ie697e1210c223efa@mail.gmail.com> <314cf0830904051448ge8b201cs32b54a4fa952b0bf@mail.gmail.com> Message-ID: Joel, Thank you for clarifying this, it is confusing as many thought the introduction of VRT SO rules was for protection of intellectual property... and not technical in nature. I distinctly remember at least one conference where a researcher mentioned reversing SO rules in his talk, it made me think about the irony in having to reverse engineer content for an open source security tool. -Greg -----Original Message----- From: jesler at sourcefire.com on behalf of Joel Esler Sent: Sun 4/5/2009 4:48 PM To: Greg Martin Cc: Shirk Dog; emerging-sigs at emergingthreats.net Subject: Re: [Emerging-Sigs] conficker I had a question offline about why these are SO rules, and why aren't they open? My answer -- --- They are open. SO does not mean "closed source", it means "C" rule. "Precompiled" means "closed source". ---- Just because a rule is released as "SO" does not mean that it is closed source. 
Some of the SO rules that are in the standard ruleset *are* in fact open. Look at the SO rules that are not in the precompiled directory. These rules are not closed source. The precompiled rules that are released on a monthly basis are precompiled because of the MAPP program: http://www.microsoft.com/security/msrc/mapp/overview.mspx of which Sourcefire is a partner: http://www.microsoft.com/security/msrc/mapp/partners.mspx These rules are merely a re-write of a preprocessor that was submitted to the VRT by SRI. The blog post points this out; the rules are also open source and licensed under the GPL, as the license is included in the tarball. Joel -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090406/c83693eb/attachment.html

From jonkman at jonkmans.com Mon Apr 6 12:32:19 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 06 Apr 2009 12:32:19 -0400 Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic In-Reply-To: <314cf0830904060905g5c87634ct1d61e32cc7444449@mail.gmail.com> References: <200904060929.23808.thierry.chich@ac-clermont.fr> <49DA2377.9000503@jonkmans.com> <314cf0830904060905g5c87634ct1d61e32cc7444449@mail.gmail.com> Message-ID: <49DA2E93.30208@jonkmans.com> Yes, definitely you only need one or the other. I imagine if you're on an older pre-SO rules snort you'll have to take a crack at the preproc. Otherwise the SO rules will surely be faster for you. Matt Joel Esler wrote: > Just to clarify, you should use either/or, not both, as they do the > same thing. (Matt, I read your second sentence to mean that you > should do both.) > > The SO rule is much easier to put into production, btw. > > J > > > On Mon, Apr 6, 2009 at 11:44 AM, Matt Jonkman wrote: >> I agree. I'm getting verified false positives as well. >> >> I think we ought to drop these in the face of the SO rules and the >> preprocessor available from SRI.
Those are available here: >> >> >> Preprocessor: http://mtc.sri.com/Conficker/contrib/plugin.html >> SO Version: http://www.snort.org/vrt/tools/conficker-so-rules.tar.gz >> >> >> Conficker C Network Scanner: >> Source Code: http://mtc.sri.com/Conficker/contrib/scanner.html >> >> >> Kudos to SRI for decoding and building the preprocessor, and to >> Sourcefire for converting that into SO rules. >> >> Anyone object to us dropping ours in favor of those? >> >> Matt >> >> James wrote: >>> I too am getting hundreds of hits on these. It's possible they really are >>> all infected, but unlikely I think. I've only just got in, but one machine >>> doesn't run Windows. First impression is Bittorrent may be the traffic >>> triggering them. >>> >>> James >>> >>> -----Original Message----- >>> From: emerging-sigs-bounces at emergingthreats.net >>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Thierry >>> CHICH >>> Sent: Monday, April 06, 2009 8:29 AM >>> To: emerging-sigs at emergingthreats.net >>> Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P >>> encryptedtraffic >>> >>> Hi >>> >>> I have a lot of false positives for these rules. It is hit by a lot of >>> traffic, it seems (cacti, skype, ...) It will be very difficult to use, I am >>> afraid. 
>>> >>> -- >>> Thierry CHICH >>> Equipe Réseaux / Rectorat de Clermont-Ferrand >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> -- >> -------------------------------------------- >> Matthew Jonkman >> Emerging Threats >> Phone 765-429-0398 >> Fax 312-264-0205 >> http://www.emergingthreats.net >> -------------------------------------------- >> >> PGP: http://www.jonkmans.com/mattjonkman.asc >> >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > > > -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Apr 6 12:39:05 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 06 Apr 2009 12:39:05 -0400 Subject: [Emerging-Sigs] false positive on 1:2008803:3 In-Reply-To: <24599F2B10F4184EA410D1F75C3A957761399C3FF9@cjsrv21.cj.k12.mo.us> References: <24599F2B10F4184EA410D1F75C3A957761399C3FF9@cjsrv21.cj.k12.mo.us> Message-ID: <49DA3029.3010206@jonkmans.com> Hi Marshal. This is definitely the place to report false positives. Unfortunately this is an expected false positive. If you're intentionally using dynamic dns then you're probably best off disabling this rule for now. There are others that'll give you detection of an infection for conficker.A. Although there ought not to be many more of those, they should update to recent conficker versions...
Matt Marshal Graham wrote: > I only recently discovered the Emerging Threats site and rules. I'm not sure this is the right place to report this. I've been testing the ET rules at home on my cable modem and I discovered that 1:2008803:3 is falsely identifying dyndns updates by my DD-WRT based router. Thanks for the good work. > > Marshal > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From eslerj at gmail.com Mon Apr 6 12:39:28 2009 From: eslerj at gmail.com (Joel Esler) Date: Mon, 6 Apr 2009 12:39:28 -0400 Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic In-Reply-To: <49DA2E93.30208@jonkmans.com> References: <200904060929.23808.thierry.chich@ac-clermont.fr> <49DA2377.9000503@jonkmans.com> <314cf0830904060905g5c87634ct1d61e32cc7444449@mail.gmail.com> <49DA2E93.30208@jonkmans.com> Message-ID: <314cf0830904060939y64c9b1a6k7172d65ff8e1c2fa@mail.gmail.com> If you are on a pre-SO rules version of Snort, you are dead wrong. SO's were, what... 2.6? 2.8.4 comes out this week ladies and gentlepeople... upgrade. upgrade. upgrade. J On Mon, Apr 6, 2009 at 12:32 PM, Matt Jonkman wrote: > Yes, definitely you only need one or the other. I imagine if you're on > an older pre-SO rules snort you'll have to take a crack at the preproc. > Otherwise the SO rules will surely be faster for you. > > Matt > > > > Joel Esler wrote: >> Just to clarify, you should use either/or, not both, as they do the >> same thing. ?(Matt, I read your second sentence to mean that you >> should do both.) >> >> The SO rule is much easier to put into production, btw. 
>> >> J >> >> >> On Mon, Apr 6, 2009 at 11:44 AM, Matt Jonkman wrote: >>> I agree. I'm getting verified false positives as well. >>> >>> I think we ought to drop these in the face of the SO rules and the >>> preprocessor available from SRI. Those are available here: >>> >>> >>> Preprocessor: http://mtc.sri.com/Conficker/contrib/plugin.html >>> SO Version: http://www.snort.org/vrt/tools/conficker-so-rules.tar.gz >>> >>> >>> Conficker C Network Scanner: >>> Source Code: http://mtc.sri.com/Conficker/contrib/scanner.html >>> >>> >>> Kudos to SRI for decoding and building the preprocessor, and to >>> Sourcefire for converting that into SO rules. >>> >>> Anyone object to us dropping ours in favor of those? >>> >>> Matt >>> >>> James wrote: >>>> I too am getting hundreds of hits on these. It's possible they really are >>>> all infected, but unlikely I think. I've only just got in, but one machine >>>> doesn't run Windows. First impression is Bittorrent may be the traffic >>>> triggering them. >>>> >>>> James >>>> >>>> -----Original Message----- >>>> From: emerging-sigs-bounces at emergingthreats.net >>>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Thierry >>>> CHICH >>>> Sent: Monday, April 06, 2009 8:29 AM >>>> To: emerging-sigs at emergingthreats.net >>>> Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P >>>> encryptedtraffic >>>> >>>> Hi >>>> >>>> I have a lot of false positives for these rules. It is hit by a lot of >>>> traffic, it seems (cacti, skype, ...) It will be very difficult to use, I am >>>> afraid.
>>>> >>>> -- >>>> Thierry CHICH >>>> Equipe Réseaux / Rectorat de Clermont-Ferrand >>>> _______________________________________________ >>>> Emerging-sigs mailing list >>>> Emerging-sigs at emergingthreats.net >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>>> >>>> _______________________________________________ >>>> Emerging-sigs mailing list >>>> Emerging-sigs at emergingthreats.net >>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> -- >>> -------------------------------------------- >>> Matthew Jonkman >>> Emerging Threats >>> Phone 765-429-0398 >>> Fax 312-264-0205 >>> http://www.emergingthreats.net >>> -------------------------------------------- >>> >>> PGP: http://www.jonkmans.com/mattjonkman.asc >>> >>> >>> _______________________________________________ >>> Emerging-sigs mailing list >>> Emerging-sigs at emergingthreats.net >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >>> >> >> >> > > -- > -------------------------------------------- > Matthew Jonkman > Emerging Threats > Phone 765-429-0398 > Fax 312-264-0205 > http://www.emergingthreats.net > -------------------------------------------- > > PGP: http://www.jonkmans.com/mattjonkman.asc > > > -- joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From jonkman at jonkmans.com Mon Apr 6 12:44:30 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 06 Apr 2009 12:44:30 -0400 Subject: [Emerging-Sigs] Fake/rogue antivirus In-Reply-To: References: <20090405224422.6DAAFA4055@medusa.richmond-family.org> Message-ID: <49DA316E.2030603@jonkmans.com> Posted this one without the GET. I agree with you Martin that the GET is overhead and should only be used when we really need to eliminate posts. I'll try to look back through the rules we have and make sure it's being used only when we need. Thanks for the sig Nathaniel!
Matt Martin Holste wrote: > I too have been seeing the request param "landid" in a lot of these > campaigns, so this should work well. > > Tangentially, I finally did some quick ruleperf tests on my theory that > any time we use uricontent it is slower to also include a content match > on GET, and I was correct. Running uricontent rules without the GET > check cuts the total number of checks in half and shaves the total > microseconds by more than two thirds on my test pcap. This is because > having the GET content check forces a check on all non-HTTP traffic as > well, even though the presence of a uricontent check means that it is > impossible to get a hit. Obviously, the performance gains wil vary with > the traffic, but there will always be at least some gain by removing the > check. Therefore, I propose removing GET content checks anywhere we're > not explicitly trying to rule out POST's (or other options). > > Thanks, > > Martin > > On Sun, Apr 5, 2009 at 5:44 PM, Nathaniel Richmond > > wrote: > > If it's useful: > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL > RULES Rogue A/V Win32/FakeXPA GET Request"; > flow:to_server,established; content:"GET "; depth:4; > uricontent:"?campaign="; uricontent:"&country="; > uricontent:"&counter="; uricontent:"&campaign="; > uricontent:"&landid="; classtype: trojan-activity; sid:1000052; > rev:1;) > > Most of these sites have been triggering "ET MALWARE Possible > Windows executable sent when remote host claims to send FOO", but > this traffic has not. I've seen it on a couple different fake A/V > domains serving a couple different binaries. 
> > http://www.virustotal.com/analisis/4fa405d90b32f6f2141b0aa38963859a > http://www.virustotal.com/analisis/66ab3fff0ced325783a6a69e0cd6d73e > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From jonkman at jonkmans.com Mon Apr 6 12:54:18 2009 From: jonkman at jonkmans.com (Matt Jonkman) Date: Mon, 06 Apr 2009 12:54:18 -0400 Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow In-Reply-To: References: Message-ID: <49DA33BA.6040806@jonkmans.com> Posted, thanks Greg!! I added a |0d 0a| to start and terminate the content length match, just to avoid matching on a length of 810 vs 81, etc. Thanks!! Matt Greg Martin wrote: > Feedback and testing appreciated. 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Oracle > WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; > flow:to_server,established; content:"POST"; nocase; > uricontent:"/index.jsp?|3b|JSESSIONID="; nocase; > content:"Content-Length\: 81"; nocase; content:"|35 44 38 45 51 4b 5a 4c > 4b 50 4a 45 48 4c|"; reference:url,infosec20.blogspot.com; > classtype:web-application-attack; sid:300999; rev:1;) > > Thanks, > > -Greg > > > ------------------------------------------------------------------------ > > _______________________________________________ > Emerging-sigs mailing list > Emerging-sigs at emergingthreats.net > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc From bicer.tom at gmail.com Mon Apr 6 12:57:39 2009 From: bicer.tom at gmail.com (Tom Bicer) Date: Mon, 6 Apr 2009 12:57:39 -0400 Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic In-Reply-To: References: <200904060929.23808.thierry.chich@ac-clermont.fr> Message-ID: Many false positives as well due to torrent activity. On Mon, Apr 6, 2009 at 4:29 AM, James wrote: > I too am getting hundreds of hits on these. It's possible they really are > all infected, but unlikely I think. I've only just got in, but one machine > doesn't run Windows. First impression is Bittorrent may be the traffic > triggering them. > > James > > -----Original Message----- > From: emerging-sigs-bounces at emergingthreats.net > [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Thierry > CHICH > Sent: Monday, April 06, 2009 8:29 AM > To: emerging-sigs at emergingthreats.net > Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P > encryptedtraffic > > Hi > > I have a lot of false positives for these rules. 
> It is hit by a lot of traffic, it seems (cacti, skype, ...). It will be very difficult to use, I am afraid.
>
> --
> Thierry CHICH
> Equipe Réseaux / Rectorat de Clermont-Ferrand
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From jonkman at jonkmans.com Mon Apr 6 13:11:04 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 06 Apr 2009 13:11:04 -0400
Subject: [Emerging-Sigs] Zeus/Zbot related malware rules
In-Reply-To: <49D7D223.8070202@oitsec.umn.edu>
References: <49D7D223.8070202@oitsec.umn.edu>
Message-ID: <49DA37A8.1030204@jonkmans.com>

I like these, definitely helps reduce the FPs with the UA alone.

Thanks Paul, posting now.

Matt

Paul Dokas wrote:
> We found a host here infected with malware that was delivered from avprotect.net.
> Here's a summary of one of the downloaders:
>
> http://anubis.iseclab.org/?action=result&task_id=1cd8eee2caa25a5f459f83f19acc17ff4
>
> The snort related bit is that this malware touches two web servers like this:
>
> GET /check HTTP/1.1
> User-Agent: Microsoft Internet Explorer
> Host:
> Cache-Control: no-cache
>
> and
>
> GET /loads.php?r=17.2 HTTP/1.1
> User-Agent: Microsoft Internet Explorer
> Host: knocker
> Cache-Control: no-cache
>
> This is likely somehow related to Zeus/Zbot, but is not triggering those specific rules. Anyway, here are a couple of rules that I wrote to find similar HTTP sessions.
> They can probably use some cleanup, but they seem to do the job here:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan Dropper Infection - /check"; flow:established,to_server; uricontent:"/check"; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|"; within:30; classtype:trojan-activity;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan Dropper Infection - /loads.php"; flow:established,to_server; uricontent:"/loads.php"; uricontent:"?r="; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer"; content:"|0d 0a|Host\: knocker"; within:20; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|"; within:30; classtype:trojan-activity;)
>
> We are also running the generic 'User-Agent: Microsoft Internet Explorer' rule, but we're seeing quite a few false positives.
>
> Paul

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Apr 6 13:16:41 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 06 Apr 2009 13:16:41 -0400
Subject: [Emerging-Sigs] FTP Server Banners (Maware)
In-Reply-To: <53834cf20904040840i3184f868v5d3b0282e5b606d@mail.gmail.com>
References: <53834cf20904040840i3184f868v5d3b0282e5b606d@mail.gmail.com>
Message-ID: <49DA38F9.2030307@jonkmans.com>

Nice catch Jaime. I'd like to see these on standard ports as well. I'll add port 21 to these and get them posted.

Thanks

Matt

Jaime Blasco wrote:
> Hi,
>
> Revising my honeypot logs, I've seen two unusual FTP Banners used for serving malware. I have seen that the Cyber-ta people have seen it too.
> http://www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html
>
> alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:; rev:1;)
>
> alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:; rev:1;)
>
> I attach a capture of one of my hits.
>
> Regards
>
>
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From mcholste at gmail.com Mon Apr 6 14:19:10 2009
From: mcholste at gmail.com (Martin Holste)
Date: Mon, 6 Apr 2009 13:19:10 -0500
Subject: [Emerging-Sigs] Apache Tomcat upload
Message-ID:

Saw some scans over the weekend on 8080 looking for default Apache Tomcat installations a la sid 2008453. Once found, they would upload a Java-based shell for nasty Java-based fun. Below is a sig that replaces 2008453 by adding a flowbit and then three other sigs. The second looks for "admin:admin" credentials, the third alerts on a successful login (based on flowbits), and the fourth is the URI for uploading the Java-based shell.
I have the fourth also using the flowbits, but it would probably be a good standalone sig. It occurred to me that these might be good sigs for generalizing into unencrypted basic auth checks for admin:admin and admin: for any web server with the follow-up sig check for success. I'd also be open to putting a noalert option on the first two attempt sigs, since a lot of us don't care until the default login actually works. I'm not sure how 2008453's thresholding would work with flowbits, so maybe some combination is necessary. Perhaps the simplest thing would be just to add the fourth rule as a standalone.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL admin:admin login credentials for Apache Tomcat"; flow:to_server,established; uricontent:"/manager/html"; depth:0; content:"|0d 0a|Authorization: Basic YWRtaW46YWRtaW4=|0d 0a|"; flowbits:set,login_attempt; classtype:attempted-admin; reference:url,http://tomcat.apache.org/; sid:1; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL admin:blank login credentials for Apache Tomcat"; flow:to_server,established; uricontent:"/manager/html"; depth:0; content:"|0d 0a|Authorization: Basic YWRtaW46|0d 0a|"; flowbits:set,login_attempt; classtype:attempted-admin; reference:url,http://tomcat.apache.org/; sid:2; rev:1;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL Successful default credential login from external source"; flow:from_server,established; flowbits:isset,login_attempt; content:"HTTP/1."; depth:7; content:" 200 OK"; distance:1; classtype:successful-admin; reference:url,http://tomcat.apache.org/; sid:3; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL Tomcat upload from external source"; flow:to_server,established; flowbits:isset,login_attempt; content:"POST "; depth:5; uricontent:"/manager/html/upload"; depth:0; classtype:successful-admin; reference:url,http://tomcat.apache.org/; sid:4; rev:1;)

Thanks,

Martin
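The Python below is an added example, not code from Martin's post or from the Emerging Threats ruleset. It mirrors the flowbit logic of the four Tomcat rules above in a stateful detector: the Authorization header is base64-decoded and compared against the default pairs (admin:admin and admin with a blank password) instead of matching the fixed strings YWRtaW46YWRtaW4= and YWRtaW46, which is what makes the same check generalise to other web servers as Martin suggests; a per-flow flag plays the part of flowbits:set / flowbits:isset, and the "successful login" alert only fires when a 200 OK comes back on a flagged flow. It also applies the point Matt made about the WebLogic rule earlier in this digest (anchoring the Content-Length match with |0d 0a| so 81 cannot match 810): headers are cut at CRLF and compared whole rather than as substrings. The sample requests, the host name tomcat.example and the Server banner are constructed for the example; the URIs come from the rules.

```python
"""Stateful default-credential detector modelled on the Tomcat flowbit rules.

Added example; the requests replayed in run_sample() are constructed, not captured.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field

# Default pairs from the two attempt rules: admin:admin and admin with a
# blank password. Decoding the header lets the set grow without touching
# base64 strings by hand.
DEFAULT_CREDS = {"admin:admin", "admin:"}

# URIs from the rules in the post.
MANAGER_URI = "/manager/html"
UPLOAD_URI = "/manager/html/upload"


@dataclass
class FlowState:
    """Per-connection state: the Python counterpart of a Snort flowbit."""
    login_attempt: bool = False          # flowbits:set,login_attempt
    alerts: list = field(default_factory=list)


def parse_request(raw: bytes) -> tuple[str, str, dict]:
    """Split a raw HTTP request into (method, uri, headers).

    Headers are cut at CRLF and keyed by lower-cased name, so each value is
    compared whole. That is the same idea as wrapping a content match in
    |0d 0a|: "Content-Length: 81" can then never match "Content-Length: 810".
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), headers


def basic_credentials(headers: dict) -> str | None:
    """Decode 'Authorization: Basic <b64>' to 'user:pass'; None if absent or malformed."""
    auth = headers.get(b"authorization")
    if auth is None or not auth.lower().startswith(b"basic "):
        return None
    try:
        return base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_request(flow: FlowState, raw: bytes) -> list:
    """Client -> server direction: the two attempt rules and the upload rule."""
    method, uri, headers = parse_request(raw)
    creds = basic_credentials(headers)
    if uri.startswith(MANAGER_URI) and creds in DEFAULT_CREDS:
        flow.login_attempt = True
        flow.alerts.append(f"default credential attempt ({creds!r}) to {uri}")
    # As in the fourth rule, this fires on any flow where an attempt was seen,
    # whether or not the server accepted it.
    if flow.login_attempt and method == "POST" and uri.startswith(UPLOAD_URI):
        flow.alerts.append("upload to Tomcat manager after default-credential attempt")
    return flow.alerts


def inspect_response(flow: FlowState, raw: bytes) -> list:
    """Server -> client direction: alert only if the bit is set and the status is 200 OK."""
    status_line = raw.split(b"\r\n", 1)[0]
    if flow.login_attempt and status_line.startswith(b"HTTP/1.") and b" 200 OK" in status_line:
        flow.alerts.append("successful default credential login")
    return flow.alerts


def run_sample() -> list:
    """Replay a constructed session: attempt, 200 OK, then an upload POST."""
    flow = FlowState()
    attempt = (b"GET /manager/html HTTP/1.1\r\nHost: tomcat.example\r\n"
               b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")
    ok = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n"
    upload = (b"POST /manager/html/upload HTTP/1.1\r\nHost: tomcat.example\r\n"
              b"Content-Type: multipart/form-data\r\n\r\n")
    inspect_request(flow, attempt)
    inspect_response(flow, ok)
    inspect_request(flow, upload)
    return flow.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

If the attempt alerts are too noisy, the equivalent of Martin's noalert idea is to keep setting login_attempt but only append the attempt message when wanted; gating the upload alert on a separate success flag set in inspect_response would make it stricter than the rule as posted.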
-------------- An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090406/89b31a76/attachment.html

From jmkeller at houseofzen.org Mon Apr 6 15:09:18 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Mon, 06 Apr 2009 15:09:18 -0400
Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic
In-Reply-To:
References: <200904060929.23808.thierry.chich@ac-clermont.fr>
Message-ID: <49DA535E.3070502@houseofzen.org>

Tom Bicer wrote:
> Many false positives as well due to torrent activity.
>
> On Mon, Apr 6, 2009 at 4:29 AM, James wrote:
>
>> I too am getting hundreds of hits on these. It's possible they really are all infected, but unlikely I think. I've only just got in, but one machine doesn't run Windows. First impression is Bittorrent may be the traffic triggering them.
>>
>> James
>>
>>

I'm seeing FP hits for Skype p2p traffic hitting on these rules as well.

--
James Michael Keller

From jmkeller at houseofzen.org Mon Apr 6 15:38:38 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Mon, 06 Apr 2009 15:38:38 -0400
Subject: [Emerging-Sigs] FP Possible Downadup/Conficker-C P2P encryptedtraffic
In-Reply-To: <49DA535E.3070502@houseofzen.org>
References: <200904060929.23808.thierry.chich@ac-clermont.fr> <49DA535E.3070502@houseofzen.org>
Message-ID: <49DA5A3E.7000701@houseofzen.org>

James Michael Keller wrote:
> Tom Bicer wrote:
>
>> Many false positives as well due to torrent activity.
>>
>> On Mon, Apr 6, 2009 at 4:29 AM, James wrote:
>>
>>
>>> I too am getting hundreds of hits on these. It's possible they really are all infected, but unlikely I think. I've only just got in, but one machine doesn't run Windows. First impression is Bittorrent may be the traffic triggering them.
>>>
>>> James
>>>
>>>
>>>
> I'm seeing FP hits for Skype p2p traffic hitting on these rules as well.
>
>
I have pcaps and rule hits from a test starting up the skype client if anyone would like to look at. I just pulled the SO conficker rules as well for comparison.

--
James Michael Keller

From emerging at emergingthreats.net Mon Apr 6 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 6 Apr 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090406200011.40DE24501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Apr 6 16:00:11 2009 [***]

[+++] Added rules: [+++]

    2009209 - ET TROJAN Rogue A/V Win32/FakeXPA GET Request (emerging-virus.rules)
    2009210 - ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd) (emerging-attack_response.rules)
    2009211 - ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd) (emerging-attack_response.rules)
    2009212 - ET TROJAN Zbot/Zeus Dropper Infection - /check (emerging-virus.rules)
    2009213 - ET TROJAN Zbot/Zeus Dropper Infection - /loads.php (emerging-virus.rules)
    2009215 - ET TROJAN Farfli HTTP Checkin Activity (emerging-virus.rules)
    2009216 - ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit (emerging-exploit.rules)
    2406304 - ET RBN Known Russian Business Network Monitored Domains (305) (emerging-rbn.rules)
    2406305 - ET RBN Known Russian Business Network Monitored Domains (306) (emerging-rbn.rules)
    2406306 - ET RBN Known Russian Business Network Monitored Domains (307) (emerging-rbn.rules)
    2406307 - ET RBN Known Russian Business Network Monitored Domains (308) (emerging-rbn.rules)
    2406308 - ET RBN Known Russian Business Network Monitored Domains (309) (emerging-rbn.rules)
    2406309 - ET RBN Known Russian Business Network Monitored Domains (310) (emerging-rbn.rules)
    2406310 - ET RBN Known Russian Business Network Monitored Domains (311) (emerging-rbn.rules)
    2406311 - ET RBN Known Russian Business Network Monitored Domains (312) (emerging-rbn.rules)
    2406312 - ET RBN Known Russian Business Network
Monitored Domains (313) (emerging-rbn.rules)
    2406313 - ET RBN Known Russian Business Network Monitored Domains (314) (emerging-rbn.rules)
    2406314 - ET RBN Known Russian Business Network Monitored Domains (315) (emerging-rbn.rules)
    2406315 - ET RBN Known Russian Business Network Monitored Domains (316) (emerging-rbn.rules)
    2406316 - ET RBN Known Russian Business Network Monitored Domains (317) (emerging-rbn.rules)
    2406317 - ET RBN Known Russian Business Network Monitored Domains (318) (emerging-rbn.rules)
    2407304 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (305) (emerging-rbn-BLOCK.rules)
    2407305 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (306) (emerging-rbn-BLOCK.rules)
    2407306 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (307) (emerging-rbn-BLOCK.rules)
    2407307 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (308) (emerging-rbn-BLOCK.rules)
    2407308 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (309) (emerging-rbn-BLOCK.rules)
    2407309 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (310) (emerging-rbn-BLOCK.rules)
    2407310 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (311) (emerging-rbn-BLOCK.rules)
    2407311 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (312) (emerging-rbn-BLOCK.rules)
    2407312 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) (emerging-rbn-BLOCK.rules)
    2407313 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) (emerging-rbn-BLOCK.rules)
    2407314 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) (emerging-rbn-BLOCK.rules)
    2407315 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) (emerging-rbn-BLOCK.rules)
    2407316 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) (emerging-rbn-BLOCK.rules)
    2407317 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (318) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]

    2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
    2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
    2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
    2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
    2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
    2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
    2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
    2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
    2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
    2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
    2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
    2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
    2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
    2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
    2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
    2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
    2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
    2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
    2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
    2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
    2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
    2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
    2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
    2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
    2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
    2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
    2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
    2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
    2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
    2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
    2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
    2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
    2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
    2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
    2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
    2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
    2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
    2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
    2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
    2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
    2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
    2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
    2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
    2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
    2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
    2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
    2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
    2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
    2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
    2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
    2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
    2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
    2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
    2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
    2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
    2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
    2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
    2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
    2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
    2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
    2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
    2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
    2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
    2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
    2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
    2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
    2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
    2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
    2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
    2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
    2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
    2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
    2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
    2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
    2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
    2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
    2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
    2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
    2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
    2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
    2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
    2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
    2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
    2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
    2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
    2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
    2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
    2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
    2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
    2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
    2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
    2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
    2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
    2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
    2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
    2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
    2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
    2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
    2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
    2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
    2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
    2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
    2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
    2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
    2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
    2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
    2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
    2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
    2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
    2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
    2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
    2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
    2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
    2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
    2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
    2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
    2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
    2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
    2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
    2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
    2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
    2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
    2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
    2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
    2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
    2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
    2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
    2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
    2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
    2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
    2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
    2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
    2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
    2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
    2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
    2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
    2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
    2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
    2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
    2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
    2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
    2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
    2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
    2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
    2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
    2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
    2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
    2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
    2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
    2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
    2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
    2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
    2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
    2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
    2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
    2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
    2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
    2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
    2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
    2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
    2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
    2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
    2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
    2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
    2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
    2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
    2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
    2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
    2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
    2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
    2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
    2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
    2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
    2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
    2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
    2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
    2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
    2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
    2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
    2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
    2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
    2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
    2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
    2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
    2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
    2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
    2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
    2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
    2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
    2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
    2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
    2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
    2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
    2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
    2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
    2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
    2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
    2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
    2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
    2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
    2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
    2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
    2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
    2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
    2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
    2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
    2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
    2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
    2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
    2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules)
    2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules)
    2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules)
    2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules)
    2406213 - ET RBN Known Russian Business Network Monitored Domains (214) (emerging-rbn.rules)
    2406214 - ET RBN Known Russian Business Network Monitored Domains (215) (emerging-rbn.rules)
    2406215 - ET RBN Known Russian Business Network Monitored Domains (216) (emerging-rbn.rules)
    2406216 - ET RBN Known Russian Business Network Monitored Domains (217) (emerging-rbn.rules)
    2406217 - ET RBN Known Russian Business Network Monitored Domains (218) (emerging-rbn.rules)
    2406218 - ET RBN Known Russian Business Network Monitored Domains (219) (emerging-rbn.rules)
    2406219 - ET RBN Known Russian Business Network Monitored Domains (220) (emerging-rbn.rules)
    2406220 - ET RBN Known Russian Business Network Monitored Domains (221) (emerging-rbn.rules)
    2406221 - ET RBN Known Russian Business Network Monitored Domains (222) (emerging-rbn.rules)
    2406222 - ET RBN Known Russian Business Network Monitored Domains (223) (emerging-rbn.rules)
    2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules)
    2406224 - ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules)
    2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules)
    2406226 - ET RBN Known Russian Business Network Monitored Domains (227) (emerging-rbn.rules)
    2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules)
    2406228 - ET RBN Known Russian Business Network Monitored Domains (229) (emerging-rbn.rules)
    2406229 - ET RBN Known Russian Business Network Monitored Domains (230) (emerging-rbn.rules)
    2406230 - ET RBN Known Russian Business Network Monitored Domains (231) (emerging-rbn.rules)
    2406231 - ET RBN Known Russian Business Network Monitored Domains (232) (emerging-rbn.rules)
    2406232 - ET RBN Known Russian Business Network Monitored Domains (233) (emerging-rbn.rules)
    2406233 - ET RBN Known Russian Business Network Monitored Domains (234) (emerging-rbn.rules)
    2406234 - ET RBN Known Russian Business Network Monitored Domains (235) (emerging-rbn.rules)
    2406235 - ET RBN Known Russian Business Network Monitored Domains (236) (emerging-rbn.rules)
    2406236 - ET RBN Known Russian Business Network Monitored Domains (237) (emerging-rbn.rules)
    2406237 - ET RBN Known Russian Business Network Monitored Domains (238) (emerging-rbn.rules)
    2406238 - ET RBN Known Russian Business Network Monitored Domains (239) (emerging-rbn.rules)
    2406239 - ET RBN Known Russian Business Network Monitored Domains (240) (emerging-rbn.rules)
    2406240 - ET RBN Known Russian Business Network Monitored Domains (241) (emerging-rbn.rules)
    2406241 - ET RBN Known Russian Business Network Monitored Domains (242) (emerging-rbn.rules)
    2406242 - ET RBN Known Russian Business Network Monitored Domains (243) (emerging-rbn.rules)
    2406243 - ET RBN Known Russian Business Network Monitored Domains (244) (emerging-rbn.rules)
    2406244 - ET RBN Known Russian Business Network Monitored Domains (245) (emerging-rbn.rules)
    2406245 - ET RBN Known Russian Business Network Monitored Domains (246) (emerging-rbn.rules)
    2406246 - ET RBN Known Russian Business Network Monitored Domains (247) (emerging-rbn.rules)
    2406247 - ET RBN Known Russian Business Network Monitored Domains (248) (emerging-rbn.rules)
    2406248 - ET RBN Known Russian Business Network Monitored Domains (249) (emerging-rbn.rules)
    2406249 - ET RBN Known Russian Business Network Monitored Domains (250) (emerging-rbn.rules)
    2406250 - ET RBN Known Russian Business Network Monitored Domains (251) (emerging-rbn.rules)
    2406251 - ET RBN Known Russian Business Network Monitored Domains (252) (emerging-rbn.rules)
    2406252 - ET RBN Known Russian Business Network Monitored Domains (253) (emerging-rbn.rules)
    2406253 - ET RBN Known Russian Business Network Monitored Domains (254) (emerging-rbn.rules)
    2406254 - ET RBN Known Russian Business Network Monitored Domains (255) (emerging-rbn.rules)
    2406255 - ET RBN Known Russian Business Network Monitored Domains (256) (emerging-rbn.rules)
    2406256 - ET RBN Known Russian Business Network Monitored Domains (257) (emerging-rbn.rules)
    2406257 - ET RBN Known Russian Business Network
Monitored Domains (258) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network Monitored Domains (259) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network Monitored Domains (260) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network Monitored Domains (261) (emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network Monitored Domains (262) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network Monitored Domains (263) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network Monitored Domains (264) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business Network Monitored Domains (265) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network Monitored Domains (266) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network Monitored Domains (267) (emerging-rbn.rules) 2406267 - ET RBN Known Russian Business Network Monitored Domains (268) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network Monitored Domains (269) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network Monitored Domains (270) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network Monitored Domains (271) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network Monitored Domains (272) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business Network Monitored Domains (273) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network Monitored Domains (274) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network Monitored Domains (275) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network Monitored Domains (276) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network Monitored Domains (277) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network Monitored Domains (278) (emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network Monitored Domains (279) (emerging-rbn.rules) 
2406279 - ET RBN Known Russian Business Network Monitored Domains (280) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network Monitored Domains (281) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network Monitored Domains (282) (emerging-rbn.rules) 2406282 - ET RBN Known Russian Business Network Monitored Domains (283) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network Monitored Domains (284) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network Monitored Domains (285) (emerging-rbn.rules) 2406285 - ET RBN Known Russian Business Network Monitored Domains (286) (emerging-rbn.rules) 2406286 - ET RBN Known Russian Business Network Monitored Domains (287) (emerging-rbn.rules) 2406287 - ET RBN Known Russian Business Network Monitored Domains (288) (emerging-rbn.rules) 2406288 - ET RBN Known Russian Business Network Monitored Domains (289) (emerging-rbn.rules) 2406289 - ET RBN Known Russian Business Network Monitored Domains (290) (emerging-rbn.rules) 2406290 - ET RBN Known Russian Business Network Monitored Domains (291) (emerging-rbn.rules) 2406291 - ET RBN Known Russian Business Network Monitored Domains (292) (emerging-rbn.rules) 2406292 - ET RBN Known Russian Business Network Monitored Domains (293) (emerging-rbn.rules) 2406293 - ET RBN Known Russian Business Network Monitored Domains (294) (emerging-rbn.rules) 2406294 - ET RBN Known Russian Business Network Monitored Domains (295) (emerging-rbn.rules) 2406295 - ET RBN Known Russian Business Network Monitored Domains (296) (emerging-rbn.rules) 2406296 - ET RBN Known Russian Business Network Monitored Domains (297) (emerging-rbn.rules) 2406297 - ET RBN Known Russian Business Network Monitored Domains (298) (emerging-rbn.rules) 2406298 - ET RBN Known Russian Business Network Monitored Domains (299) (emerging-rbn.rules) 2406299 - ET RBN Known Russian Business Network Monitored Domains (300) (emerging-rbn.rules) 2406300 - ET RBN Known Russian Business 
Network Monitored Domains (301) (emerging-rbn.rules) 2406301 - ET RBN Known Russian Business Network Monitored Domains (302) (emerging-rbn.rules) 2406302 - ET RBN Known Russian Business Network Monitored Domains (303) (emerging-rbn.rules) 2406303 - ET RBN Known Russian Business Network Monitored Domains (304) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business 
Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 
2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian 
Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) 
(emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) 
(emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) 
(emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) 
(emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) 
(emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) 
(emerging-rbn-BLOCK.rules)
    2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules)
    2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules)
    2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules)
    2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules)
    2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules)
    2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules)
    2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules)
    2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules)
    2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules)
    2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules)
    2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules)
    2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules)
    2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules)
    2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules)
    2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules)
    2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules)
    2407213 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) (emerging-rbn-BLOCK.rules)
    2407214 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (215) (emerging-rbn-BLOCK.rules)
    2407215 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (216) (emerging-rbn-BLOCK.rules)
    2407216 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (217) (emerging-rbn-BLOCK.rules)
    2407217 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (218) (emerging-rbn-BLOCK.rules)
    2407218 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (219) (emerging-rbn-BLOCK.rules)
    2407219 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (220) (emerging-rbn-BLOCK.rules)
    2407220 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (221) (emerging-rbn-BLOCK.rules)
    2407221 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (222) (emerging-rbn-BLOCK.rules)
    2407222 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) (emerging-rbn-BLOCK.rules)
    2407223 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) (emerging-rbn-BLOCK.rules)
    2407224 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) (emerging-rbn-BLOCK.rules)
    2407225 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (226) (emerging-rbn-BLOCK.rules)
    2407226 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) (emerging-rbn-BLOCK.rules)
    2407227 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) (emerging-rbn-BLOCK.rules)
    2407228 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (229) (emerging-rbn-BLOCK.rules)
    2407229 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (230) (emerging-rbn-BLOCK.rules)
    2407230 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (231) (emerging-rbn-BLOCK.rules)
    2407231 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (232) (emerging-rbn-BLOCK.rules)
    2407232 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (233) (emerging-rbn-BLOCK.rules)
    2407233 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (234) (emerging-rbn-BLOCK.rules)
    2407234 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (235) (emerging-rbn-BLOCK.rules)
    2407235 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (236) (emerging-rbn-BLOCK.rules)
    2407236 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (237) (emerging-rbn-BLOCK.rules)
    2407237 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (238) (emerging-rbn-BLOCK.rules)
    2407238 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (239) (emerging-rbn-BLOCK.rules)
    2407239 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (240) (emerging-rbn-BLOCK.rules)
    2407240 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (241) (emerging-rbn-BLOCK.rules)
    2407241 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (242) (emerging-rbn-BLOCK.rules)
    2407242 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (243) (emerging-rbn-BLOCK.rules)
    2407243 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (244) (emerging-rbn-BLOCK.rules)
    2407244 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (245) (emerging-rbn-BLOCK.rules)
    2407245 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (246) (emerging-rbn-BLOCK.rules)
    2407246 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (247) (emerging-rbn-BLOCK.rules)
    2407247 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (248) (emerging-rbn-BLOCK.rules)
    2407248 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (249) (emerging-rbn-BLOCK.rules)
    2407249 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (250) (emerging-rbn-BLOCK.rules)
    2407250 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (251) (emerging-rbn-BLOCK.rules)
    2407251 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (252) (emerging-rbn-BLOCK.rules)
    2407252 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (253) (emerging-rbn-BLOCK.rules)
    2407253 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (254) (emerging-rbn-BLOCK.rules)
    2407254 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (255) (emerging-rbn-BLOCK.rules)
    2407255 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (256) (emerging-rbn-BLOCK.rules)
    2407256 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (257) (emerging-rbn-BLOCK.rules)
    2407257 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (258) (emerging-rbn-BLOCK.rules)
    2407258 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (259) (emerging-rbn-BLOCK.rules)
    2407259 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (260) (emerging-rbn-BLOCK.rules)
    2407260 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (261) (emerging-rbn-BLOCK.rules)
    2407261 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (262) (emerging-rbn-BLOCK.rules)
    2407262 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (263) (emerging-rbn-BLOCK.rules)
    2407263 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (264) (emerging-rbn-BLOCK.rules)
    2407264 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (265) (emerging-rbn-BLOCK.rules)
    2407265 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (266) (emerging-rbn-BLOCK.rules)
    2407266 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (267) (emerging-rbn-BLOCK.rules)
    2407267 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (268) (emerging-rbn-BLOCK.rules)
    2407268 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (269) (emerging-rbn-BLOCK.rules)
    2407269 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (270) (emerging-rbn-BLOCK.rules)
    2407270 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (271) (emerging-rbn-BLOCK.rules)
    2407271 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (272) (emerging-rbn-BLOCK.rules)
    2407272 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (273) (emerging-rbn-BLOCK.rules)
    2407273 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (274) (emerging-rbn-BLOCK.rules)
    2407274 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (275) (emerging-rbn-BLOCK.rules)
    2407275 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (276) (emerging-rbn-BLOCK.rules)
    2407276 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (277) (emerging-rbn-BLOCK.rules)
    2407277 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (278) (emerging-rbn-BLOCK.rules)
    2407278 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (279) (emerging-rbn-BLOCK.rules)
    2407279 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (280) (emerging-rbn-BLOCK.rules)
    2407280 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (281) (emerging-rbn-BLOCK.rules)
    2407281 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (282) (emerging-rbn-BLOCK.rules)
    2407282 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (283) (emerging-rbn-BLOCK.rules)
    2407283 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (284) (emerging-rbn-BLOCK.rules)
    2407284 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (285) (emerging-rbn-BLOCK.rules)
    2407285 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (286) (emerging-rbn-BLOCK.rules)
    2407286 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (287) (emerging-rbn-BLOCK.rules)
    2407287 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (288) (emerging-rbn-BLOCK.rules)
    2407288 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (289) (emerging-rbn-BLOCK.rules)
    2407289 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (290) (emerging-rbn-BLOCK.rules)
    2407290 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (291) (emerging-rbn-BLOCK.rules)
    2407291 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (292) (emerging-rbn-BLOCK.rules)
    2407292 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (293) (emerging-rbn-BLOCK.rules)
    2407293 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (294) (emerging-rbn-BLOCK.rules)
    2407294 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (295) (emerging-rbn-BLOCK.rules)
    2407295 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (296) (emerging-rbn-BLOCK.rules)
    2407296 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (297) (emerging-rbn-BLOCK.rules)
    2407297 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (298) (emerging-rbn-BLOCK.rules)
    2407298 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (299) (emerging-rbn-BLOCK.rules)
    2407299 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (300) (emerging-rbn-BLOCK.rules)
    2407300 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (301) (emerging-rbn-BLOCK.rules)
    2407301 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (302) (emerging-rbn-BLOCK.rules)
    2407302 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (303) (emerging-rbn-BLOCK.rules)
    2407303 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (304) (emerging-rbn-BLOCK.rules)

[---] Disabled rules: [---]

    2009205 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (emerging.rules)
    2009206 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging.rules)
    2009207 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging.rules)
    2009208 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-attack_response.rules (1):
       #by Jaime Blasco
    -> Added to emerging-exploit.rules (1):
       #by Greg Martin
    -> Added to emerging-rbn-BLOCK.rules (2):
       # VERSION 122
       # Updated 2009-04-06 12:39:44
    -> Added to emerging-rbn.rules (2):
       # VERSION 122
       # Updated 2009-04-06 12:39:44
    -> Added to emerging-sid-msg.map (45):
       2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request
       2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd)
       2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd)
       2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check
       2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php
       2009215 || ET TROJAN Farfli HTTP Checkin Activity || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b
       2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,infosec20.blogspot.com
       2406304 || ET RBN Known Russian Business Network Monitored Domains (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406305 || ET RBN Known Russian Business Network Monitored Domains (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406306 || ET RBN Known Russian Business Network Monitored Domains (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406307 || ET RBN Known Russian Business Network Monitored Domains (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406308 || ET RBN Known Russian Business Network Monitored Domains (309) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406309 || ET RBN Known Russian Business Network Monitored Domains (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406310 || ET RBN Known Russian Business Network Monitored Domains (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406311 || ET RBN Known Russian Business Network Monitored Domains (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406312 || ET RBN Known Russian Business Network Monitored Domains (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406313 || ET RBN Known Russian Business Network Monitored Domains (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406314 || ET RBN Known Russian Business Network Monitored Domains (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406315 || ET RBN Known Russian Business Network Monitored Domains (316) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406316 || ET RBN Known Russian Business Network Monitored Domains (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406317 || ET RBN Known Russian Business Network Monitored Domains (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407304 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407305 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407306 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407307 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407308 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (309) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407309 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407310 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407311 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407312 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407313 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407314 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407315 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407316 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407317 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    -> Added to emerging-sid-msg.map.txt (45):
       2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request
       2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd)
       2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd)
       2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check
       2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php
       2009215 || ET TROJAN Farfli HTTP Checkin Activity || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b
       2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,infosec20.blogspot.com
       2406304 || ET RBN Known Russian Business Network Monitored Domains (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406305 || ET RBN Known Russian Business Network Monitored Domains (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406306 || ET RBN Known Russian Business Network Monitored Domains (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406307 || ET RBN Known Russian Business Network Monitored Domains (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406308 || ET RBN Known Russian Business Network Monitored Domains (309) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406309 || ET RBN Known Russian Business Network Monitored Domains (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406310 || ET RBN Known Russian Business Network Monitored Domains (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406311 || ET RBN Known Russian Business Network Monitored Domains (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406312 || ET RBN Known Russian Business Network Monitored Domains (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406313 || ET RBN Known Russian Business Network Monitored Domains (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406314 || ET RBN Known Russian Business Network Monitored Domains (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406315 || ET RBN Known Russian Business Network Monitored Domains (316) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406316 || ET RBN Known Russian Business Network Monitored Domains (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2406317 || ET RBN Known Russian Business Network Monitored Domains (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407304 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407305 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407306 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407307 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407308 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (309) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407309 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407310 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407311 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407312 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407313 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407314 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407315 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407316 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2407317 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
       2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    -> Added to emerging-virus.rules (1):
       # https://sandnet.emergingthreats.net/index.php?q=10493bc6d4d6f2f0d8fe61946315dcbd
    -> Added to emerging.rules (1):
       #Disabling in favor of the preproc and SO rules that are now available

[---] Removed non-rule lines: [---]

    -> Removed from emerging-rbn-BLOCK.rules (2):
       # VERSION 121
       # Updated 2009-03-29 13:37:05
    -> Removed from emerging-rbn.rules (2):
       # VERSION 121
       # Updated 2009-03-29 13:37:05

From scheidell at secnap.net Mon Apr 6 22:32:36 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Mon, 06 Apr 2009 22:32:36 -0400
Subject: [Emerging-Sigs] [Fwd: HackerTrap Alert: FATAL ERROR]
Message-ID: <49DABB44.7060807@secnap.net>

maybe we need a '2.8 only' list we can run through oinkmaster when done?
latest two are 2009210,2009211

#snort 2.8 rule
modifysid 2008759 "\[\$HTTP_PORTS,8080\]" | "\$HTTP_PORTS"
disablesid 2009173,2009174
#ports lists
disablesid 2009205,2009206,2009207,2009208,2009210,2009211

-------- Original Message --------
Subject: HackerTrap Alert: FATAL ERROR
Date: Tue, 7 Apr 2009 03:11:48 +0200 (CEST)
From: root at success-ae.hackertrap.net (Success-AE Root)
To: maint at success-ae.hackertrap.net

Apr 7 03:11:48 success-ae snort[95725]: FATAL ERROR: rules/emerging-attack_response.rules(96) => Invalid port: [21,1024

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
 * Certified SNORT Integrator
 * 2009 Hot Company Award Finalist, World Executive Alliance
 * Five-Star Partner Program 2009, VARBusiness
 * Best Anti-Spam Product 2008, Network Products Guide
 * King of Spam Filters, SC Magazine 2008

From scheidell at secnap.net Mon Apr 6 23:27:59 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Mon, 06 Apr 2009 23:27:59 -0400
Subject: [Emerging-Sigs] snort 2.4 to 2.8 conversion, was Re: rule errors/urlen
In-Reply-To: <49D2017A.9000507@secnap.net>
References: <067401c9b1f0$af986bb0$0d01460a@secnap.com> <8ADCD82E-21F2-4BB9-A783-46579B26C139@sourcefire.com> <49D2017A.9000507@secnap.net>
Message-ID: <49DAC83F.2030109@secnap.net>

having just had two more rules in emerging rules with ports lists (emerging-attacks, search for 21,1024:) I decided to start to see what and why we were having so much trouble on snort on freebsd.
I think I got the non snort-sams ones nailed (finally)

use freebsd ports, WITH_DYNAMIC and WITH_FLEXRESP

first one I got (and I never had to report these to official snort channels because, seem 2.8.2._2 on freebsd is an anomaly) you have to run make twice. (I suppose the port maintainer gave up, because you can't duplicate it. the first make seems to get something 'ready')

first time fails, says something nasty about preprocessors. (I think it needs to install automake 1.10.1 first, but doesn't)
second time, fine.

then you have to edit all the *.conf files, take out frag2, conversation.

then any custom rules need sids (had lots of custom pass rules, no sids)

then, snort whines about duplicate rules (that aren't duplicates) so I have to have sid 605 and 611 disabled.

and if you want snort to start as fast as 2.4 did, you need this in *.conf:

config detection: search-method ac-bnfa

Michael Scheidell wrote:
> as a certified snort integrator I know that, but some things are
> broken (I was told) in 2.8 on freebsd. don't remember what.
>
> I'll bitch at the QA team one more time. (and tell them they have till
> midnight, april 1 amsterdam time to fix it!)
>
> Joel Esler wrote:
>> Of course I recommend staying current. The community can't be held
>> back like that.
>>
>> --
>> Joel Esler
>> Sent from my iDevice
>>
>> On Mar 31, 2009, at 7:06 AM, "Michael Scheidell" wrote:
>>
>>> Other problems have us stuck at 2.4
>>>
>>> -----Original Message-----
>>> From: Joel Esler
>>> Sent: Tuesday, March 31, 2009 3:58 AM
>>> To: Michael Scheidell
>>> Cc: emerging-sigs at emergingthreats.net
>>> Subject: Re: [Emerging-Sigs] rule errors
>>>
>>> On Tue, Mar 31, 2009 at 1:00 AM, Michael Scheidell wrote:
>>>> I guess it's either time for me to fix the last couple of bugs in
>>>> snort 2.8 on freebsd or have you not put in snort 2.8 specific things
>>>> in the rules :-)
>>>>
>>>> FATAL ERROR: rules/emerging.rules(116) => Invalid port: [80,8000,4501,8005]
>>>> Mar 31 06:53:21 success-ae snort[37449]: FATAL ERROR: rules/emerging.rules(116) => Invalid port: [81,8000,4501,8005]
>>>>
>>>> this is sid:2009176
>>>
>>> BSD *should* handle port lists just fine.... and you say it's 2.8
>>> right?
>>>
>>> --
>>> joel esler | sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

From lists at keamera.org Tue Apr 7 04:59:29 2009
From: lists at keamera.org (Guido Landi)
Date: Tue, 07 Apr 2009 10:59:29 +0200
Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
In-Reply-To: <49DA33BA.6040806@jonkmans.com>
References: <49DA33BA.6040806@jonkmans.com>
Message-ID: <49DB15F1.6050103@keamera.org>

hi there,

to be effective the signature should check for a JSESSIONID value longer than 6000 chars. Content length, url requested (/index.jsp here) and other parameters are irrelevant. And I don't understand where the binary content comes from.

Also, this is CVE-2008-5457.

Regards,
Guido.

Matt Jonkman wrote:
> Posted, thanks Greg!!
> > I added a |0d 0a| to start and terminate the content length match, just > to avoid matching on a length of 810 vs 81, etc. > > Thanks!! > > Matt > > Greg Martin wrote: >> Feedback and testing appreciated. >> >> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Oracle >> WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; >> flow:to_server,established; content:"POST"; nocase; >> uricontent:"/index.jsp?|3b|JSESSIONID="; nocase; >> content:"Content-Length\: 81"; nocase; content:"|35 44 38 45 51 4b 5a 4c >> 4b 50 4a 45 48 4c|"; reference:url,infosec20.blogspot.com; >> classtype:web-application-attack; sid:300999; rev:1;) >> >> Thanks, >> >> -Greg >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs > From signatures at stillsecure.com Tue Apr 7 07:35:08 2009 From: signatures at stillsecure.com (signatures) Date: Tue, 7 Apr 2009 05:35:08 -0600 Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - April-07-2009 Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292A@webmail.latis.com> Hi Matt, Please find 10 New Signatures below: 1. WEB-PHP ea-gBook index_inc.php inc_ordner parameter local file inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ea-gBook index_inc.php inc_ordner parameter local file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index_inc.php?"; nocase; uricontent:"inc_ordner="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; sid:2009081; rev:1;) 2. 
WEB-PHP ea-gBook index_inc.php inc_ordner parameter remote file inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ea-gBook index_inc.php inc_ordner parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index_inc.php?"; nocase; uricontent:"inc_ordner="; nocase; pcre:"/inc_ordner=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; sid:2009082; rev:1;) 3. WEB-ATTACKS Sopcast SopCore ActiveX Control Remote Code Execution alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; content:"clsid"; nocase; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; distance:0; content:"SetExternalPlayer"; nocase; classtype:web-application-attack; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; sid:1000060; rev:1;) 4. WEB-PHP eFiction toplists.php list Parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP eFiction toplists.php list Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/toplists.php?"; nocase; uricontent:"list="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/30606/; reference:url,milw0rm.com/exploits/5785; sid:2009066; rev:1;) 5. 
WEB-PHP AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/album.php?"; nocase; uricontent:"UID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-3386; reference:url,www.milw0rm.com/exploits/6092 ; reference:url,secunia.com/advisories/31134/; sid:2009085; rev:1;) 6. WEB-PHP TECHNOTE shop_this_skin_path Paramter Remote File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TECHNOTE shop_this_skin_path Paramter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_default.php?"; nocase; uricontent:"GOODS[no]="; nocase; uricontent:"GOODS[gs_input]="; nocase; uricontent:"shop_this_skin_path="; nocase; pcre:"/shop_this_skin_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; sid:2009093; rev:1;) 7. WEB-PHP TECHNOTE shop_this_skin_path Paramter Local File Inclusion alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TECHNOTE shop_this_skin_path Paramter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_default.php?"; nocase; uricontent:"GOODS[no]="; nocase; uricontent:"GOODS[gs_input]="; nocase; uricontent:"shop_this_skin_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; sid:2009094; rev:1;) 8. 
WEB-PHP Hedgehog CMS header.php c_temp_path Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Hedgehog CMS header.php c_temp_path Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/header.php?"; nocase; uricontent:"c_temp_path="; nocase; content:"../"; classtype:web-application-attack; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; sid:2009095; rev:1;)

9. WEB-PHP Hedgehog CMS footer.php c_temp_path Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Hedgehog CMS footer.php c_temp_path Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/footer.php?"; nocase; uricontent:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/8028; sid:2009096; rev:1;)

10. WEB-PHP Hedgehog CMS header.php c_temp_path Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Hedgehog CMS header.php c_temp_path Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/header.php?"; nocase; uricontent:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; sid:2009097; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure
From gregm at econet.com Tue Apr 7 08:24:06 2009
From: gregm at econet.com (Greg Martin)
Date: Tue, 7 Apr 2009 07:24:06 -0500
Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
In-Reply-To: <49DB15F1.6050103@keamera.org>
References: <49DA33BA.6040806@jonkmans.com> <49DB15F1.6050103@keamera.org>
Message-ID: <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>

The signature was written for the metasploit module posted on milw0rm. Thanks for the info, I will try to get it closer to the vuln. Writing sigs for the exploit is not optimal for obvious reasons.

Greg

Sent from my iPhone

On Apr 7, 2009, at 4:26 AM, "Guido Landi" wrote:

> hi there,
>
> to be effective the signature should check for a JSESSIONID value longer than 6000 chars. Content length, url requested (/index.jsp here) and other parameters are irrelevant. And I don't understand where the binary content comes from.
>
> Also, this is CVE-2008-5457.
>
> Regards,
> Guido.
>
> Matt Jonkman wrote:
>> Posted, thanks Greg!!
>>
>> I added a |0d 0a| to start and terminate the content length match, just to avoid matching on a length of 810 vs 81, etc.
>>
>> Thanks!!
>>
>> Matt
>>
>> Greg Martin wrote:
>>> Feedback and testing appreciated.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:"POST"; nocase; uricontent:"/index.jsp?|3b|JSESSIONID="; nocase; content:"Content-Length\: 81"; nocase; content:"|35 44 38 45 51 4b 5a 4c 4b 50 4a 45 48 4c|"; reference:url,infosec20.blogspot.com; classtype:web-application-attack; sid:300999; rev:1;)
>>>
>>> Thanks,
>>>
>>> -Greg
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From eslerj at gmail.com Tue Apr 7 10:39:15 2009
From: eslerj at gmail.com (Joel Esler)
Date: Tue, 7 Apr 2009 10:39:15 -0400
Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
In-Reply-To: <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>
References: <49DA33BA.6040806@jonkmans.com> <49DB15F1.6050103@keamera.org> <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>
Message-ID: <314cf0830904070739x9ebf7d3ie5ec49168a2e26c6@mail.gmail.com>

Actually, interesting tidbit -- if you take a look at the VRT blog at VRT-Sourcefire.blogspot.com, you will notice that not only did VRT write a rule for this, but that VRT actually discovered the vulnerability, reported it, and has had a rule out to protect subscribers for a while now. Another use for shared object rules -- 0day protection.

Joel

On Tue, Apr 7, 2009 at 8:24 AM, Greg Martin wrote:
> The signature was written for the metasploit module posted on milw0rm. Thanks for the info, I will try to get it closer to the vuln. Writing sigs for the exploit is not optimal for obvious reasons.
>
> Greg
>
> Sent from my iPhone
>
> On Apr 7, 2009, at 4:26 AM, "Guido Landi" wrote:
>
>> hi there,
>>
>> to be effective the signature should check for a JSESSIONID value longer than 6000 chars. Content length, url requested (/index.jsp here) and other parameters are irrelevant. And I don't understand where the binary content comes from.
>>
>> Also, this is CVE-2008-5457.
>>
>> Regards,
>> Guido.
>>
>> Matt Jonkman wrote:
>>> Posted, thanks Greg!!
>>>
>>> I added a |0d 0a| to start and terminate the content length match, just to avoid matching on a length of 810 vs 81, etc.
>>>
>>> Thanks!!
>>>
>>> Matt
>>>
>>> Greg Martin wrote:
>>>> Feedback and testing appreciated.
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:"POST"; nocase; uricontent:"/index.jsp?|3b|JSESSIONID="; nocase; content:"Content-Length\: 81"; nocase; content:"|35 44 38 45 51 4b 5a 4c 4b 50 4a 45 48 4c|"; reference:url,infosec20.blogspot.com; classtype:web-application-attack; sid:300999; rev:1;)
>>>>
>>>> Thanks,
>>>>
>>>> -Greg

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From gregm at econet.com Tue Apr 7 14:55:41 2009
From: gregm at econet.com (Greg Martin)
Date: Tue, 7 Apr 2009 13:55:41 -0500
Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
References:
<49DA33BA.6040806@jonkmans.com> <49DB15F1.6050103@keamera.org> <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>

How about this update? I confirmed it works on the metasploit PoC and is generic enough to trigger on any sessionid over 1k.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:1024,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:3;)

Thanks, feedback appreciated.

-Greg

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net on behalf of Greg Martin
Sent: Tue 4/7/2009 7:24 AM
To: Guido Landi
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow

The signature was written for the metasploit module posted on milw0rm. Thanks for the info, I will try to get it closer to the vuln. Writing sigs for the exploit is not optimal for obvious reasons.

Greg

Sent from my iPhone

On Apr 7, 2009, at 4:26 AM, "Guido Landi" wrote:

> hi there,
>
> to be effective the signature should check for a JSESSIONID value longer than 6000 chars. Content length, url requested (/index.jsp here) and other parameters are irrelevant. And I don't understand where the binary content comes from.
>
> Also, this is CVE-2008-5457.
>
> Regards,
> Guido.
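Greg's rev 3 rule keys on how much URI data follows the JSESSIONID= match rather than on bytes lifted from one PoC. The Python below is an added example, not code from this thread or from Emerging Threats: it emulates that option chain (uricontent ".jsp?", uricontent "JSESSIONID=", isdataat:N,relative) against constructed request lines so the threshold under discussion can be checked offline. The sample requests, the host name, and the function names are the example's own.

```python
import re
from typing import Optional

# Constructed sample requests, not captured traffic: one with an ordinary
# 32-byte session id and one whose session id is padded out to 6000 bytes.
BENIGN_REQUEST = (
    "GET /index.jsp?JSESSIONID=" + "0123456789ABCDEF" * 2 + " HTTP/1.1\r\n"
    "Host: weblogic.example.test\r\n\r\n"
)
OVERSIZED_REQUEST = (
    "GET /index.jsp?JSESSIONID=" + "A" * 6000 + " HTTP/1.1\r\n"
    "Host: weblogic.example.test\r\n\r\n"
)

REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d\.\d\r?\n")


def request_uri(request: str) -> Optional[str]:
    """Pull the request-URI out of the request line; None if this is not HTTP."""
    match = REQUEST_LINE.match(request)
    return match.group(1) if match else None


def bytes_after_jsessionid(uri: str) -> Optional[int]:
    """Emulate  uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase;
    and return how many URI bytes follow the JSESSIONID= match.

    Both uricontent checks are case-insensitive and, with no distance/within,
    unordered. isdataat ...,relative measures from the end of the *last*
    match, so the count is the session id plus anything after it in the URI
    (a long query string behind the id would satisfy the rule just as well).
    Returns None if either content check fails.
    """
    lowered = uri.lower()
    if ".jsp?" not in lowered:
        return None
    pos = lowered.find("jsessionid=")
    if pos < 0:
        return None
    return len(uri) - (pos + len("jsessionid="))


def rule_fires(request: str, threshold: int = 5132) -> bool:
    """True when isdataat:<threshold>,relative would succeed, i.e. a byte exists
    <threshold> bytes past the end of the match (more than threshold remain).
    5132 is the value Greg asked to have the rule bumped to; rev 3 shipped 1024.
    """
    uri = request_uri(request)
    if uri is None:
        return False
    remaining = bytes_after_jsessionid(uri)
    return remaining is not None and remaining > threshold


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(label, "alert" if rule_fires(req) else "no alert")
```

Because the count runs to the end of the URI, anything after the session id (further query parameters, for instance) is included; when tuning a threshold like this on your own traffic, compare it with the longest legitimate URIs that carry a JSESSIONID, not only with the length of the session id itself.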
From gregm at econet.com Tue Apr 7 15:05:07 2009
From: gregm at econet.com (Greg Martin)
Date: Tue, 7 Apr 2009 14:05:07 -0500
Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
References: <49DA33BA.6040806@jonkmans.com> <49DB15F1.6050103@keamera.org> <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>

Actually Matt, if you could bump that from 1024 to 5132, I forgot to modify before posting. That should make it FP proof.

-G

-----Original Message-----
From: Greg Martin
Sent: Tue 4/7/2009 1:55 PM
To: Greg Martin; Guido Landi
Cc: emerging-sigs at emergingthreats.net
Subject: RE: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow

How about this update? I confirmed it works on the metasploit PoC and is generic enough to trigger on any sessionid over 1k.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:1024,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:3;)

Thanks, feedback appreciated.

-Greg

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net on behalf of Greg Martin
Sent: Tue 4/7/2009 7:24 AM
To: Guido Landi
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow

The signature was written for the metasploit module posted on milw0rm. Thanks for the info, I will try to get it closer to the vuln. Writing sigs for the exploit is not optimal for obvious reasons.
Greg

Sent from my iPhone

On Apr 7, 2009, at 4:26 AM, "Guido Landi" wrote:

> hi there,
>
> to be effective the signature should check for a JSESSIONID value longer than 6000 chars. Content length, url requested (/index.jsp here) and other parameters are irrelevant. And I don't understand where the binary content comes from.
>
> Also, this is CVE-2008-5457.
>
> Regards,
> Guido.

From jonkman at jonkmans.com Tue Apr 7 14:42:13 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 07 Apr 2009 14:42:13 -0400
Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
References: <49DA33BA.6040806@jonkmans.com> <49DB15F1.6050103@keamera.org> <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>
Message-ID: <49DB9E85.4020904@jonkmans.com>

Got it Greg, thanks for the update. Posting momentarily.

Matt

Greg Martin wrote:
> Actually Matt, if you could bump that from 1024 to 5132, I forgot to modify before posting. That should make it FP proof.
>
> -G
>
> -----Original Message-----
> From: Greg Martin
> Sent: Tue 4/7/2009 1:55 PM
> To: Greg Martin; Guido Landi
> Cc: emerging-sigs at emergingthreats.net
> Subject: RE: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
>
> How about this update? I confirmed it works on the metasploit PoC and is generic enough to trigger on any sessionid over 1k.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:1024,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:3;)
>
> Thanks, feedback appreciated.
>
> -Greg
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net on behalf of Greg Martin
> Sent: Tue 4/7/2009 7:24 AM
> To: Guido Landi
> Cc: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
>
> The signature was written for the metasploit module posted on milw0rm. Thanks for the info, I will try to get it closer to the vuln. Writing sigs for the exploit is not optimal for obvious reasons.
>
> Greg
>
> Sent from my iPhone
>
> On Apr 7, 2009, at 4:26 AM, "Guido Landi" wrote:
>
>> hi there,
>>
>> to be effective the signature should check for a JSESSIONID value longer than 6000 chars. Content length, url requested (/index.jsp here) and other parameters are irrelevant. And I don't understand where the binary content comes from.
>>
>> Also, this is CVE-2008-5457.
>>
>> Regards,
>> Guido.
>>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Tue Apr 7 14:59:00 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 07 Apr 2009 14:59:00 -0400
Subject: [Emerging-Sigs] Apache Tomcat upload
Message-ID: <49DBA274.6040507@jonkmans.com>

Great ideas Martin. I'm dropping the depth:0's as they're not relevant to the uricontent.

I'm not replacing 2008453, I think these stand alone. 2008453 is still valid alone to get an alert on massive attempts. Yours are of interest even at one attempt.

Otherwise all good! Thanks

Matt

Martin Holste wrote:
> Saw some scans over the weekend on 8080 looking for default Apache Tomcat installations a la sid 2008453. Once found, they would upload a Java-based shell for nasty Java-based fun. Below is a sig that replaces 2008453 by adding a flowbit and then three other sigs. The second looks for "admin:admin" credentials, the third alerts on a successful login (based on flowbits), and the fourth is the URI for uploading the Java-based shell. I have the fourth also using the flowbits, but it would probably be a good standalone sig. It occurred to me that these might be good sigs for generalizing into unencrypted basic auth checks for admin:admin and admin: for any web server with the follow-up sig check for success. I'd also be open to putting a noalert option on the first two attempt sigs, since a lot of us don't care until the default login actually works.
> I'm not sure how 2008453's thresholding would work with flowbits, so maybe some combination is necessary. Perhaps the simplest thing would be just to add the fourth rule as a standalone.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL admin:admin login credentials for Apache Tomcat"; flow:to_server,established; uricontent:"/manager/html"; depth:0; content:"|0d 0a|Authorization: Basic YWRtaW46YWRtaW4=|0d 0a|"; flowbits:set,login_attempt; classtype:attempted-admin; reference:url,http://tomcat.apache.org/; sid:1: rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL admin:blank login credentials for Apache Tomcat"; flow:to_server,established; uricontent:"/manager/html"; depth:0; content:"|0d 0a|Authorization: Basic YWRtaW46|0d 0a|"; flowbits:set,login_attempt; classtype:attempted-admin; reference:url,http://tomcat.apache.org/; sid:2: rev:1;)
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL Successful default credential login from external source"; flow:from_server,established; flowbits:isset,login_attempt; content:"HTTP/1."; depth:7; content:" 200 OK"; distance:1; classtype:successful-admin; reference:url,http://tomcat.apache.org/; sid:3; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL Tomcat upload from external source"; flow:to_server,established; flowbits:isset,login_attempt; content:"POST "; depth:5; uricontent:"/manager/html/upload"; depth:0; classtype:successful-admin; reference:url,http://tomcat.apache.org/; sid:4; rev:1;)
>
> Thanks,
>
> Martin

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue Apr 7 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 7 Apr 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090407200011.203734501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Apr 7 16:00:11 2009 [***]

[///] Modified active rules: [///]

2009209 - ET TROJAN Rogue A/V Win32/FakeXPA GET Request (emerging-virus.rules)
2009210 - ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd) (emerging-attack_response.rules)
2009211 - ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd) (emerging-attack_response.rules)
2009212 - ET TROJAN Zbot/Zeus Dropper Infection - /check (emerging-virus.rules)
2009213 - ET TROJAN Zbot/Zeus Dropper Infection - /loads.php (emerging-virus.rules)
2009215 - ET TROJAN Farfli HTTP Checkin Activity (emerging-virus.rules)
2009216 - ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (7):
2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_FakeXPA || url,doc.emergingthreats.net/2009209
2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009210
2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009211
2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009212
2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009213
2009215 || ET TROJAN Farfli HTTP Checkin Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli || url,doc.emergingthreats.net/2009215 || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b
2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com

-> Added to emerging-sid-msg.map.txt (7):
2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_FakeXPA || url,doc.emergingthreats.net/2009209
2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009210
2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009211
2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009212
2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009213
2009215 || ET TROJAN Farfli HTTP Checkin Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli || url,doc.emergingthreats.net/2009215 || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b
2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (17):
2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request
2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd)
2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd)
2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check
2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php
2009215 || ET TROJAN Farfli HTTP Checkin Activity || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b
2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,infosec20.blogspot.com
2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (17):
2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request
2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd)
2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd)
2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check
2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php
2009215 || ET TROJAN Farfli HTTP Checkin Activity || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b
2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,infosec20.blogspot.com
2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From scheidell at secnap.net Wed Apr 8 07:11:18 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Wed, 08 Apr 2009 07:11:18 -0400
Subject: [Emerging-Sigs] sid:2009217 needs : escaped and ; after sid.
Message-ID: <49DC8656.8050208@secnap.net>

Apr 8 03:14:55 hcri snort[86515]: FATAL ERROR: rules/emerging-scan.rules(213) => No argument passed to keyword "msg"
Make sure you didn't forget a ':' or the argument to this keyword!

sid 2009217 and 2009218.
at least for 2.4... 2.4 complains.. I think 2.8 just disables the rule without complaining at all (just WHAT does -T do?)

(matt, you need a copy of 2.4 to 'lint' these rules!, or snort needs to make the -T option really work.)

admin:admin needs to be admin\:admin
sid rule needs to be CLOSED with a ;

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Tomcat admin:admin login credentials"; flow:to_server,established; uricontent:"/manager/html"; content:"|0d 0a|Authorization\: Basic YWRtaW46YWRtaW4=|0d 0a|"; flowbits:set,ET.Tomcat.login.attempt; classtype:attempted-admin; reference:url,tomcat.apache.org; *sid:2009217:* rev:1;)

ALSO, at the end sid:2009217: needs to be sid:2009217;

and 2009218 also.

same two problems.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259 | SECNAP Network Security Corporation

* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From jesler at sourcefire.com Tue Apr 7 09:58:11 2009
From: jesler at sourcefire.com (Joel Esler)
Date: Tue, 7 Apr 2009 09:58:11 -0400
Subject: [Emerging-Sigs] Oracle Weblogic IIS remote buffer overflow
In-Reply-To: <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>
References: <49DA33BA.6040806@jonkmans.com> <49DB15F1.6050103@keamera.org> <6F928CE5-449A-47C1-9A08-0D64878D793C@econet.com>

Actually, interesting tidbit -- if you take a look at the VRT blog at VRT-Sourcefire.blogspot.com, you will notice that not only did VRT write a rule for this, but that VRT actually discovered the vulnerability, reported it, and has had a rule out to protect subscribers for a while now. Another use for shared object rules -- 0day protection.

--
Joel Esler
Sent from my iDevice

On Apr 7, 2009, at 8:24 AM, "Greg Martin" wrote:

> The signature was written for the metasploit module posted on milw0rm. Thanks for the info, I will try to get it closer to the vuln. Writing sigs for the exploit is not optimal for obvious reasons.
>
> Greg
>
> Sent from my iPhone
>
> On Apr 7, 2009, at 4:26 AM, "Guido Landi" wrote:
>
>> hi there,
>>
>> to be effective the signature should check for a JSESSIONID value longer than 6000 chars. Content length, url requested (/index.jsp here) and other parameters are irrelevant. And I don't understand where the binary content comes from.
>>
>> Also, this is CVE-2008-5457.
>>
>> Regards,
>> Guido.
>>
>> Matt Jonkman wrote:
>>> Posted, thanks Greg!!
>>>
>>> I added a |0d 0a| to start and terminate the content length match, just to avoid matching on a length of 810 vs 81, etc.
>>>
>>> Thanks!!
>>>
>>> Matt
>>>
>>> Greg Martin wrote:
>>>> Feedback and testing appreciated.
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:"POST"; nocase; uricontent:"/index.jsp?|3b|JSESSIONID="; nocase; content:"Content-Length\: 81"; nocase; content:"|35 44 38 45 51 4b 5a 4c 4b 50 4a 45 48 4c|"; reference:url,infosec20.blogspot.com; classtype:web-application-attack; sid:300999; rev:1;)
>>>>
>>>> Thanks,
>>>>
>>>> -Greg

From decoder at own-hero.net Wed Apr 8 07:38:43 2009
From: decoder at own-hero.net (decoder)
Date: Wed, 08 Apr 2009 13:38:43 +0200
Subject: [Emerging-Sigs] sid:2009217 needs : escaped and ; after sid.
In-Reply-To: <49DC8656.8050208@secnap.net>
References: <49DC8656.8050208@secnap.net>
Message-ID: <49DC8CC3.3090201@own-hero.net>

My validator tool detects at least the sid issue with this rule. I will modify the code shortly to check escapings within content fields :)

I wrote it for this very purpose so one does not need a snort instance to lint. Also as you said, most recent snort versions don't even complain about some issues.

Best regards,

Chris

Michael Scheidell wrote:
> Apr 8 03:14:55 hcri snort[86515]: FATAL ERROR: rules/emerging-scan.rules(213) => No argument passed to keyword "msg"
> Make sure you didn't forget a ':' or the argument to this keyword!
>
> sid 2009217 and 2009218.
> at least for 2.4... 2.4 complains..
> I think 2.8 just disables the rule without complaining at all (just WHAT does -T do?)
>
> (matt, you need a copy of 2.4 to 'lint' these rules!, or snort needs to make the -T option really work.)
>
> admin:admin needs to be admin\:admin
> sid rule needs to be CLOSED with a ;
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Tomcat admin:admin login credentials"; flow:to_server,established; uricontent:"/manager/html"; content:"|0d 0a|Authorization\: Basic YWRtaW46YWRtaW4=|0d 0a|"; flowbits:set,ET.Tomcat.login.attempt; classtype:attempted-admin; reference:url,tomcat.apache.org; *sid:2009217:* rev:1;)
>
> ALSO, at the end sid:2009217: needs to be sid:2009217;
>
> and 2009218 also.
>
> same two problems.
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259 | SECNAP Network Security Corporation
>
> * Certified SNORT Integrator
> * 2008-9 Hot Company Award Winner, World Executive Alliance
> * Five-Star Partner Program 2009, VARBusiness
> * Best Anti-Spam Product 2008, Network Products Guide
> * King of Spam Filters, SC Magazine 2008

From jonkman at jonkmans.com Wed Apr 8 09:02:44 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 08 Apr 2009 09:02:44 -0400
Subject: [Emerging-Sigs] sid:2009217 needs : escaped and ; after sid.
In-Reply-To: <49DC8CC3.3090201@own-hero.net>
References: <49DC8656.8050208@secnap.net> <49DC8CC3.3090201@own-hero.net>
Message-ID: <49DCA074.8030108@jonkmans.com>

I have the tool integrated into the create process, but hadn't yet given
it "veto" power. I think I will do so.

I'd added those rules yesterday in a position where I didn't see the
output of the add (on the road). They're fixed up now though, thanks all!

Matt

decoder wrote:
> My validator tool detects at least the sid issue with this rule. I will
> modify the code shortly to check escapings within content fields :)
>
> I wrote it for this very purpose so one does not need a snort instance
> to lint. Also as you said, most recent snort versions don't even
> complain about some issues.
>
> Best regards,
>
> Chris
>
> Michael Scheidell wrote:
>> Apr 8 03:14:55 hcri snort[86515]: FATAL ERROR:
>> rules/emerging-scan.rules(213) => No argument passed to keyword "msg"
>> Make sure you didn't forget a ':' or the argument to this keyword!
>>
>> sid 2009217 and 2009218.
>> at least for 2.4... 2.4 complains.. I think 2.8 just disables the
>> rule without complaining at all (just WHAT does -T do?)
>>
>> (matt, you need a copy of 2.4 to 'lint' these rules!, or snort needs
>> to make the -T option really work.)
>> admin:admin needs to be admin\:admin, sid rule needs to be CLOSED with a ;
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Tomcat admin:admin login credentials"; flow:to_server,established; uricontent:"/manager/html"; content:"|0d 0a|Authorization\: Basic YWRtaW46YWRtaW4=|0d 0a|"; flowbits:set,ET.Tomcat.login.attempt; classtype:attempted-admin; reference:url,tomcat.apache.org; *sid:2009217:* rev:1;)
>>
>> ALSO, at the end sid:2009217: needs to be sid:2009217;
>>
>> and 2009218 also.
>>
>> same two problems.
>>
>> --
>> Michael Scheidell, CTO
>> Phone: 561-999-5000, x 1259
>> SECNAP Network Security Corporation

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From frank at knobbe.us Wed Apr 8 11:26:40 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Wed, 8 Apr 2009 10:26:40 -0500
Subject: [Emerging-Sigs] sid:2009217 needs : escaped and ; after sid.
In-Reply-To: <49DC8656.8050208@secnap.net>
References: <49DC8656.8050208@secnap.net>
Message-ID: <20090408152640.GB90283@knobbe.us>

On Wed, Apr 08, 2009 at 07:11:18AM -0400, Michael Scheidell wrote:
> Apr 8 03:14:55 hcri snort[86515]: FATAL ERROR:
> rules/emerging-scan.rules(213) => No argument passed to keyword "msg"
> Make sure you didn't forget a ':' or the argument to this keyword!
>
> ALSO, at the end sid:2009217: needs to be sid:2009217;

Was all fixed last night.
Michael, you need to hang out in IRC in #emerging-threats :)

It's strange though, at the time you wrote the email, the corrected
versions were already out (fixed yesterday 5:30pm). Make sure you are
always using the most current rules. Pulling the sigs from CVS ensures
you have the latest up to the minute.

Cheers,
Frank

From david.glosser at gmail.com Wed Apr 8 14:07:24 2009
From: david.glosser at gmail.com (David Glosser)
Date: Wed, 8 Apr 2009 14:07:24 -0400
Subject: [Emerging-Sigs] emerging-virus.rules(1936) => !any is not allowed
Message-ID:

snort 2.8.4 under win2003 (yeah, I know...)

emerging-virus.rules(1936) => !any is not allowed

rule it doesn't like is:
alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flags: S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001689; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_MySQL; sid: 2001689; rev:7;)

I guess cause $SQL_SERVERS = $HOME_NET and $HOME_NET = any in my config...

From eslerj at gmail.com Wed Apr 8 14:10:34 2009
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 8 Apr 2009 14:10:34 -0400
Subject: [Emerging-Sigs] emerging-virus.rules(1936) => !any is not allowed
In-Reply-To:
References:
Message-ID: <314cf0830904081110y6f84fdfdv548500189010ce1f@mail.gmail.com>

That's exactly why. You need to define SQL_SERVERS.

But rules that may for a !any condition should be off by default IMO.

J

On Wed, Apr 8, 2009 at 2:07 PM, David Glosser wrote:
> snort 2.8.4 under win2003 (yeah, I know...)
>
> emerging-virus.rules(1936) => !any is not allowed
>
> rule it doesn't like is:
> alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flags: S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001689; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_MySQL; sid: 2001689; rev:7;)
>
> I guess cause $SQL_SERVERS = $HOME_NET and $HOME_NET = any in my config...

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From jdell at activeworx.com Wed Apr 8 14:24:00 2009
From: jdell at activeworx.com (Jeff Dell)
Date: Wed, 8 Apr 2009 14:24:00 -0400
Subject: [Emerging-Sigs] emerging-virus.rules(1936) => !any is not allowed
In-Reply-To: <314cf0830904081110y6f84fdfdv548500189010ce1f@mail.gmail.com>
References: <314cf0830904081110y6f84fdfdv548500189010ce1f@mail.gmail.com>
Message-ID: <054d01c9b877$30d84a70$9288df50$@com>

The problem is most IP variables are set to 'any' by default. So when
using !$HOME_NET or any other variable the load will fail unless you set
the IP variables correctly.

Jeff

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Joel Esler
Sent: Wednesday, April 08, 2009 2:11 PM
To: David Glosser
Cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] emerging-virus.rules(1936) => !any is not allowed

That's exactly why. You need to define SQL_SERVERS.

But rules that may for a !any condition should be off by default IMO.

J

On Wed, Apr 8, 2009 at 2:07 PM, David Glosser wrote:
> snort 2.8.4 under win2003 (yeah, I know...)
>
> emerging-virus.rules(1936) => !any is not allowed
>
> rule it doesn't like is:
> alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flags: S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001689; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_MySQL; sid: 2001689; rev:7;)
>
> I guess cause $SQL_SERVERS = $HOME_NET and $HOME_NET = any in my config...

--
joel esler | Sourcefire | gtalk: jesler at sourcefire.com | 302-223-5974

From emerging at emergingthreats.net Wed Apr 8 16:00:12 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Wed, 8 Apr 2009 16:00:12 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090408200012.059524504B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Wed Apr 8 16:00:11 2009 [***]

[+++] Added rules: [+++]

    2009217 - ET SCAN Tomcat admin-admin login credentials (emerging-scan.rules)
    2009218 - ET SCAN Tomcat admin-blank login credentials (emerging-scan.rules)
    2009219 - ET SCAN Tomcat Successful default credential login from external source (emerging-scan.rules)
    2009220 - ET SCAN Tomcat upload from external source (emerging-scan.rules)

[///] Modified active rules: [///]

    2009216 - ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit (emerging-exploit.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-sid-msg.map (23):
    2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit ||
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html || cve,2008-5457
    2009217 || ET SCAN Tomcat admin-admin login credentials || url,tomcat.apache.org
    2009218 || ET SCAN Tomcat admin-blank login credentials || url,tomcat.apache.org
    2009219 || ET SCAN Tomcat Successful default credential login from external source || url,tomcat.apache.org
    2009220 || ET SCAN Tomcat upload from external source || url,tomcat.apache.org
    2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500168 || ET COMPROMISED Known Compromised or Hostile Host Traffic (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500169 || ET COMPROMISED Known Compromised or Hostile Host Traffic (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500170 || ET COMPROMISED Known Compromised or Hostile Host Traffic (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500171 || ET COMPROMISED Known Compromised or Hostile Host Traffic (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic -
BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510168 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510169 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510170 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510171 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

    -> Added to emerging-sid-msg.map.txt (23):
    2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html || cve,2008-5457
    2009217 || ET SCAN Tomcat admin-admin login credentials || url,tomcat.apache.org
    2009218 || ET SCAN Tomcat admin-blank login credentials || url,tomcat.apache.org
    2009219 || ET SCAN Tomcat Successful default credential login from external source || url,tomcat.apache.org
    2009220 || ET SCAN Tomcat upload from external source || url,tomcat.apache.org
    2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic
(165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500168 || ET COMPROMISED Known Compromised or Hostile Host Traffic (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500169 || ET COMPROMISED Known Compromised or Hostile Host Traffic (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500170 || ET COMPROMISED Known Compromised or Hostile Host Traffic (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500171 || ET COMPROMISED Known Compromised or Hostile Host Traffic (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510168 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510169 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (170) ||
url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510170 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2510171 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---] Removed non-rule lines: [---]

    -> Removed from emerging-sid-msg.map (1):
    2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com

    -> Removed from emerging-sid-msg.map.txt (1):
    2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com

From jules at visionintel.com Thu Apr 9 04:51:51 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Thu, 9 Apr 2009 09:51:51 +0100
Subject: [Emerging-Sigs] Port 0
Message-ID: <69544300904090151u7549c7daib67295204a9646f7@mail.gmail.com>

hi guys,

there is an attack on port 0 aiming at knowing what OS is running on the
targeted system. What is it called again? sorry, lost my memory here

thanks

From pepperjack at afferentsecurity.com Thu Apr 9 09:18:15 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Thu, 09 Apr 2009 08:18:15 -0500
Subject: [Emerging-Sigs] question on 2009221
Message-ID: <20090409081815.ktc1dvbiss4o48cc@mail.afferentsecurity.com>

What do we know about Win32.BHO.lng ? I am getting lots of these. The
packets look like they perfectly match the rule for variables in the
URL. But what is Win32.BHO.lng ?
I posted a packet trace to:
http://doc.emergingthreats.net/bin/view/Main/2009221

Matt: could you please fix my first wiki post? I forgot to put and I put instead. |(

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jonkman at jonkmans.com Thu Apr 9 08:38:08 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Apr 2009 08:38:08 -0400
Subject: [Emerging-Sigs] question on 2009221
In-Reply-To: <20090409081815.ktc1dvbiss4o48cc@mail.afferentsecurity.com>
References: <20090409081815.ktc1dvbiss4o48cc@mail.afferentsecurity.com>
Message-ID: <49DDEC30.7070404@jonkmans.com>

I think we're hitting on ad serving with this one as well. I'm going to
kill the sig till we get more info...

Matt

Jack Pepper wrote:
> What do we know about Win32.BHO.lng ? I am getting lots of these.
> The packets look like they perfectly match the rule for variables in
> the URL. But what is Win32.BHO.lng ?
>
> I posted a packet trace to:
> http://doc.emergingthreats.net/bin/view/Main/2009221
>
> Matt: could you please fix my first wiki post? I forgot to put and I put instead. |(
>
> jp

From jmkeller at houseofzen.org Thu Apr 9 10:12:25 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Thu, 09 Apr 2009 10:12:25 -0400
Subject: [Emerging-Sigs] question on 2009221
In-Reply-To: <20090409081815.ktc1dvbiss4o48cc@mail.afferentsecurity.com>
References: <20090409081815.ktc1dvbiss4o48cc@mail.afferentsecurity.com>
Message-ID: <49DE0249.4080200@houseofzen.org>

Jack Pepper wrote:
> What do we know about Win32.BHO.lng ? I am getting lots of these.
> The packets look like they perfectly match the rule for variables in
> the URL. But what is Win32.BHO.lng ?
>
> I posted a packet trace to:
> http://doc.emergingthreats.net/bin/view/Main/2009221
>
> Matt: could you please fix my first wiki post? I forgot to put and I put instead. |(
>
> jp

I'm having to suppress alerts for yahoo.com host netblocks, appears to
be FPs on yahoo chat and toolbar traffic. Came in this morning to 9K
alerts for this after it was added.

--
James Michael Keller

From daniel.clemens at packetninjas.net Thu Apr 9 12:35:57 2009
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Thu, 9 Apr 2009 11:35:57 -0500
Subject: [Emerging-Sigs] User Agent Indy seen with BankerTrojan
Message-ID: <234EBD22-A8D7-478A-9ABD-8520DAEE61D1@packetninjas.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Random Notes:
# Keys on Mozilla/3.0 (compatible; Indy Library)
# appears to be a part of Bancos, aka PWS-Banker, Bancos, Generic Banker Trojan / Rapid Antivirus
# created mutex 9gYAAAAIAgFjNtA4 msiconf.exe
# Other references:
# https://cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd
# MD5 of file 10fd04a888847e58c490d450da31b2ac
# Possible false positives:
# Internet Direct Library for Borland (often used as e-mail address collector and mass mailing tool)
# http://forge.novell.com/modules/xfmod/project/?indy-net
# http://www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb
# Other references: http://support.free-conversant.com/2701

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Potential Banload/Generic Banker Trojan"; flow:established,to_server; content:" HTTP/1.0|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; classtype:trojan-activity; reference:url,cwsandbox.org/?
page=report&analysisid=1027348&password=ftqgd; reference:url,forge.novell.com/modules/xfmod/project/?indy-net; reference:url,www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb; reference:url,support.free-conversant.com/2701; reference:url,www.packetninjas.net; sid:xxx; rev:1;)

Frank, Matt

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"The secret to creativity is knowing how to hide your sources" Einstein

-----BEGIN PGP SIGNATURE-----

iD8DBQFJ3iPtlZy1vkUrR4MRAppYAJ9g4SQlW4xQhIuq2RXK1t/f+/4JFQCgivmk
UwZ7So1tU6MLn1BbC6S9eow=
=UN99
-----END PGP SIGNATURE-----

From mcholste at gmail.com Thu Apr 9 13:01:50 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 9 Apr 2009 12:01:50 -0500
Subject: [Emerging-Sigs] User Agent Indy seen with BankerTrojan
In-Reply-To: <234EBD22-A8D7-478A-9ABD-8520DAEE61D1@packetninjas.net>
References: <234EBD22-A8D7-478A-9ABD-8520DAEE61D1@packetninjas.net>
Message-ID:

I too have seen banker Trojans using that. Has anyone seen a legit use
of "Indy Library?" I seem to recall that there were some.
--Martin

On Thu, Apr 9, 2009 at 11:35 AM, Daniel Clemens <daniel.clemens at packetninjas.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Random Notes:
> # Keys on Mozilla/3.0 (compatible; Indy Library)
> # appears to be a part of Bancos, aka PWS-Banker, Bancos, Generic Banker
> Trojan / Rapid Antivirus
> # created mutex 9gYAAAAIAgFjNtA4 msiconf.exe
> # Other references:
> # https://cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd
> # MD5 of file 10fd04a888847e58c490d450da31b2ac
> # Possible false positives:
> # Internet Direct Library for Borland (often used as e-mail address
> collector and mass mailing tool)
> # http://forge.novell.com/modules/xfmod/project/?indy-net
> # http://www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb
> # Other references: http://support.free-conversant.com/2701
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET Potential Banload/Generic Banker Trojan";
> flow:established,to_server;
> content:" HTTP/1.0|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible\; Indy Library)|0d 0a|";
> classtype:trojan-activity;
> reference:url,cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd;
> reference:url,forge.novell.com/modules/xfmod/project/?indy-net;
> reference:url,www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb;
> reference:url,support.free-conversant.com/2701;
> reference:url,www.packetninjas.net; sid:xxx; rev:1;)
>
> Frank, Matt
>
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850 | | o.
> 866.267.8851
> "The secret to creativity is knowing how to hide your sources" Einstein
>
> -----BEGIN PGP SIGNATURE-----
>
> iD8DBQFJ3iPtlZy1vkUrR4MRAppYAJ9g4SQlW4xQhIuq2RXK1t/f+/4JFQCgivmk
> UwZ7So1tU6MLn1BbC6S9eow=
> =UN99
> -----END PGP SIGNATURE-----

From jaime.blasco at alienvault.com Thu Apr 9 13:08:55 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Thu, 9 Apr 2009 19:08:55 +0200
Subject: [Emerging-Sigs] User Agent Indy seen with BankerTrojan
In-Reply-To:
References: <234EBD22-A8D7-478A-9ABD-8520DAEE61D1@packetninjas.net>
Message-ID: <53834cf20904091008h7233270dk3be93fedf8699852@mail.gmail.com>

Hi!, I've found some references:

http://www.pgts.com.au/cgi-bin/psql?robot_info=111

Regards

2009/4/9 Martin Holste
> I too have seen banker Trojans using that. Has anyone seen a legit use of
> "Indy Library?"
> I seem to recall that there were some.
>
> --Martin
>
> On Thu, Apr 9, 2009 at 11:35 AM, Daniel Clemens <daniel.clemens at packetninjas.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Random Notes:
>> # Keys on Mozilla/3.0 (compatible; Indy Library)
>> # appears to be a part of Bancos, aka PWS-Banker, Bancos, Generic Banker
>> Trojan / Rapid Antivirus
>> # created mutex 9gYAAAAIAgFjNtA4 msiconf.exe
>> # Other references:
>> # https://cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd
>> # MD5 of file 10fd04a888847e58c490d450da31b2ac
>> # Possible false positives:
>> # Internet Direct Library for Borland (often used as e-mail address
>> collector and mass mailing tool)
>> # http://forge.novell.com/modules/xfmod/project/?indy-net
>> # http://www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb
>> # Other references: http://support.free-conversant.com/2701
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"ET Potential Banload/Generic Banker Trojan";
>> flow:established,to_server;
>> content:" HTTP/1.0|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible\; Indy Library)|0d 0a|";
>> classtype:trojan-activity;
>> reference:url,cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd;
>> reference:url,forge.novell.com/modules/xfmod/project/?indy-net;
>> reference:url,www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb;
>> reference:url,support.free-conversant.com/2701;
>> reference:url,www.packetninjas.net; sid:xxx; rev:1;)
>>
>> Frank, Matt
>>
>> | Daniel Uriah Clemens
>> | Packetninjas L.L.C | | http://www.packetninjas.net
>> | c. 205.567.6850 | | o.
>> 866.267.8851
>> "The secret to creativity is knowing how to hide your sources" Einstein
>>
>> -----BEGIN PGP SIGNATURE-----
>>
>> iD8DBQFJ3iPtlZy1vkUrR4MRAppYAJ9g4SQlW4xQhIuq2RXK1t/f+/4JFQCgivmk
>> UwZ7So1tU6MLn1BbC6S9eow=
>> =UN99
>> -----END PGP SIGNATURE-----
>
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com

From mcholste at gmail.com Thu Apr 9 13:53:44 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 9 Apr 2009 12:53:44 -0500
Subject: [Emerging-Sigs] User Agent Indy seen with BankerTrojan
In-Reply-To: <53834cf20904091008h7233270dk3be93fedf8699852@mail.gmail.com>
References: <234EBD22-A8D7-478A-9ABD-8520DAEE61D1@packetninjas.net> <53834cf20904091008h7233270dk3be93fedf8699852@mail.gmail.com>
Message-ID:

When good projects go bad, eh? Looks like the project is going even
farther than RPC for doing things with remote hosts (as in advanced
socket tunneling), and the IPs on the pgts.com page look very sketchy.
From that, I'd say the sig will do at least as well as the "Microsoft
Internet Explorer" sig, and probably better.

On Thu, Apr 9, 2009 at 12:08 PM, Jaime Blasco wrote:
> Hi!, I've found some references:
>
> http://www.pgts.com.au/cgi-bin/psql?robot_info=111
>
> Regards
>
> 2009/4/9 Martin Holste
>
>> I too have seen banker Trojans using that. Has anyone seen a legit use of
>> "Indy Library?"
>> I seem to recall that there were some.
>>
>> --Martin
>>
>> On Thu, Apr 9, 2009 at 11:35 AM, Daniel Clemens <daniel.clemens at packetninjas.net> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Random Notes:
>>> # Keys on Mozilla/3.0 (compatible; Indy Library)
>>> # appears to be a part of Bancos, aka PWS-Banker, Bancos, Generic Banker
>>> Trojan / Rapid Antivirus
>>> # created mutex 9gYAAAAIAgFjNtA4 msiconf.exe
>>> # Other references:
>>> # https://cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd
>>> # MD5 of file 10fd04a888847e58c490d450da31b2ac
>>> # Possible false positives:
>>> # Internet Direct Library for Borland (often used as e-mail address
>>> collector and mass mailing tool)
>>> # http://forge.novell.com/modules/xfmod/project/?indy-net
>>> # http://www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb
>>> # Other references: http://support.free-conversant.com/2701
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"ET Potential Banload/Generic Banker Trojan";
>>> flow:established,to_server;
>>> content:" HTTP/1.0|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible\; Indy Library)|0d 0a|";
>>> classtype:trojan-activity;
>>> reference:url,cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd;
>>> reference:url,forge.novell.com/modules/xfmod/project/?indy-net;
>>> reference:url,www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb;
>>> reference:url,support.free-conversant.com/2701;
>>> reference:url,www.packetninjas.net; sid:xxx; rev:1;)
>>>
>>> Frank, Matt
>>>
>>> | Daniel Uriah Clemens
>>> | Packetninjas L.L.C | | http://www.packetninjas.net
>>> | c. 205.567.6850 | | o.
>>> 866.267.8851
>>> "The secret to creativity is knowing how to hide your sources" Einstein
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>>
>>> iD8DBQFJ3iPtlZy1vkUrR4MRAppYAJ9g4SQlW4xQhIuq2RXK1t/f+/4JFQCgivmk
>>> UwZ7So1tU6MLn1BbC6S9eow=
>>> =UN99
>>> -----END PGP SIGNATURE-----
>
> --
> Jaime Blasco

From mcholste at gmail.com Thu Apr 9 13:59:02 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 9 Apr 2009 12:59:02 -0500
Subject: [Emerging-Sigs] Zeus Tracker
Message-ID:

Many of you have probably already seen this page (zeustracker.abuse.ch),
but I just found it from one of Dancho Danchev's posts. The blocklist
there is fairly short and very good. Matt, if we're not already, can we
add those IPs to the ET C&C list?

Thanks,

Martin

From jonkman at jonkmans.com Thu Apr 9 13:01:40 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Apr 2009 13:01:40 -0400
Subject: [Emerging-Sigs] Zeus Tracker
In-Reply-To:
References:
Message-ID: <49DE29F4.4070509@jonkmans.com>

That is a good list, a better url for it is https://zeustracker.abuse.ch/faq.php

And yup, we've got it!
They're in the compromised ip's list.

Matt

Martin Holste wrote:
> Many of you have probably already seen this page (zeustracker.abuse.ch
> ), but I just found it from one of Dancho
> Danchev's posts. The blocklist there is fairly short and very good.
> Matt, if we're not already, can we add those IP's to the ET C&C list?
>
> Thanks,
>
> Martin
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From scheidell at secnap.net Thu Apr 9 14:14:14 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu, 09 Apr 2009 14:14:14 -0400
Subject: [Emerging-Sigs] two rules, one ip, rule 238 and 239.
Message-ID: <49DE3AF6.4090701@secnap.net>

Two rules, one ip:

04/09-14:08:46 TCP 82.98.86.176:80 --> 192.168.168.85:3204
[1:2407237:122] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (238)
[Classification: Misc Attack] [Priority: 2]

04/09-14:08:46 TCP 82.98.86.176:80 --> 192.168.168.85:3204
[1:2407238:122] ET RBN Known Russian Business Network Monitored Domains - BLOCKING (239)
[Classification: Misc Attack] [Priority: 2]

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> | SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From jonkman at jonkmans.com Thu Apr 9 13:42:35 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Apr 2009 13:42:35 -0400
Subject: [Emerging-Sigs] User Agent Indy seen with BankerTrojan
In-Reply-To:
References: <234EBD22-A8D7-478A-9ABD-8520DAEE61D1@packetninjas.net> <53834cf20904091008h7233270dk3be93fedf8699852@mail.gmail.com>
Message-ID: <49DE338B.5060505@jonkmans.com>

I did try this one long ago and we had some complaints of false positives on legitimate applications. We also tried the Indy Mail Library sigs as well for smtp and had similar reports of falses.

Apparently these are standard Borland libs. So we see them in legit apps as well as South American malware. Why Borland is so popular in South America I've no clue...

I personally run a local version of the indy mail library sig with 100% accuracy. But I haven't any apps that use that lib for legitimate uses. I suspect one for the http Indy Library would be as effective.

So maybe it's time to move these back into the ruleset, but maybe have them disabled by default? Or a stern warning that some apps may be legitimate and don't complain to us if you run one? :)

Thoughts?

Matt

Martin Holste wrote:
> When good projects go bad, eh? Looks like the project is going even
> farther than RPC for doing things with remote hosts (as in advanced
> socket tunneling), and the IP's on the pgts.com page
> look very sketchy. From that, I'd say the sig will do at least as well
> as the "Microsoft Internet Explorer" sig, and probably better.
>
> On Thu, Apr 9, 2009 at 12:08 PM, Jaime Blasco wrote:
>
> Hi! I've found some references:
>
> http://www.pgts.com.au/cgi-bin/psql?robot_info=111
>
> Regards
>
> 2009/4/9 Martin Holste
>
> I too have seen banker Trojans using that. Has anyone seen a
> legit use of "Indy Library?" I seem to recall that there were some.
>
> --Martin
>
>
> On Thu, Apr 9, 2009 at 11:35 AM, Daniel Clemens wrote:
>
> Random Notes:
> # Keys on Mozilla/3.0 (compatible; Indy Library)
> # appears to be a part of Bancos, aka PWS-Banker, Bancos, Generic Banker
> Trojan / Rapid Antivirus
> # created mutex 9gYAAAAIAgFjNtA4 msiconf.exe
> # Other references:
> # https://cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd
> # MD5 of file 10fd04a888847e58c490d450da31b2ac
> # Possible false positives:
> # Internet Direct Library for Borland (often used as e-mail address
> collector and mass mailing tool)
> # http://forge.novell.com/modules/xfmod/project/?indy-net
> # http://www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb
> # Other references: http://support.free-conversant.com/2701
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET Potential Banload/Generic Banker Trojan";
> flow:established,to_server;
> content:" HTTP/1.0|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible\; Indy Library)|0d 0a|";
> classtype:trojan-activity;
> reference:url,cwsandbox.org/?page=report&analysisid=1027348&password=ftqgd;
> reference:url,forge.novell.com/modules/xfmod/project/?indy-net;
> reference:url,www.user-agents.org/cgi-bin/csv2html.pl?data=allagents.csv&template=detail.html&match=%5Cbid_moz_754%5Cb;
> reference:url,support.free-conversant.com/2701;
> reference:url,www.packetninjas.net; sid:xxx; rev:1;)
>
> Frank, Matt
>
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850 | | o. 866.267.8851
> "The secret to creativity is knowing how to hide your sources" Einstein
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> _______________________________
> Jaime Blasco
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From daniel.clemens at packetninjas.net Thu Apr 9 14:44:10 2009
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Thu, 9 Apr 2009 13:44:10 -0500
Subject: [Emerging-Sigs] User Agent Indy seen with BankerTrojan
In-Reply-To:
References: <234EBD22-A8D7-478A-9ABD-8520DAEE61D1@packetninjas.net>
Message-ID: <59736521-BAB5-4DBD-BDC0-EC82A225BFBF@packetninjas.net>

On Apr 9, 2009, at 12:01 PM, Martin Holste wrote:

> I too have seen banker Trojans using that. Has anyone seen a legit
> use of "Indy Library?" I seem to recall that there were some.

The Indy user agent caught my eye this time since it was associated with a known banker/bancos trojan. I've also seen a great deal of the banker trojans compiled in borland (for some strange reason)... It looks like the Indy user agents, or some of the other Indy 'projects' utilize special things from borland dev environments.

<*/me - Scratching head wondering what universities in Latin America stress the use of Borland rather than other dev environments>....

Even if this sig doesn't get posted it's good to have a documented discussion about this in case someone else has a case or piece of malware using this user agent. There is just too much junk going on the net to not post something as time permits when action correlates to another.

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"The secret to creativity is knowing how to hide your sources" Einstein

From jonkman at jonkmans.com Thu Apr 9 13:47:38 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Apr 2009 13:47:38 -0400
Subject: [Emerging-Sigs] two rules, one ip, rule 238 and 239.
In-Reply-To: <49DE3AF6.4090701@secnap.net>
References: <49DE3AF6.4090701@secnap.net>
Message-ID: <49DE34BA.5060501@jonkmans.com>

Fixed up, thanks Michael!

Matt

Michael Scheidell wrote:
> Two rules, one ip:
>
> 04/09-14:08:46 TCP 82.98.86.176:80 --> 192.168.168.85:3204
> [1:2407237:122] ET RBN Known Russian Business Network Monitored Domains
> - BLOCKING (238)
> [Classification: Misc Attack] [Priority: 2]
>
>
> 04/09-14:08:46 TCP 82.98.86.176:80 --> 192.168.168.85:3204
> [1:2407238:122] ET RBN Known Russian Business Network Monitored Domains
> - BLOCKING (239)
> [Classification: Misc Attack] [Priority: 2]

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Thu Apr 9 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 9 Apr 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090409200011.E98FD4504A@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Apr 9
16:00:11 2009 [***]

[+++] Added rules: [+++]

2009222 - ET MALWARE NewWeb User Agent (Lobo Lunar) (emerging-malware.rules)
2009223 - ET MALWARE Fake AV User Agent av1-site.info Related (AV1) (emerging-malware.rules)

[///] Modified active rules: [///]

2009217 - ET SCAN Tomcat admin-admin login credentials (emerging-scan.rules)
2009218 - ET SCAN Tomcat admin-blank login credentials (emerging-scan.rules)
2009219 - ET SCAN Tomcat Successful default credential login from external source (emerging-scan.rules)
2009220 - ET SCAN Tomcat upload from external source (emerging-scan.rules)
Known Russian Business Network Monitored Domains (296) (emerging-rbn.rules) 2406296 - ET RBN Known Russian Business Network Monitored Domains (297) (emerging-rbn.rules) 2406297 - ET RBN Known Russian Business Network Monitored Domains (298) (emerging-rbn.rules) 2406298 - ET RBN Known Russian Business Network Monitored Domains (299) (emerging-rbn.rules) 2406299 - ET RBN Known Russian Business Network Monitored Domains (300) (emerging-rbn.rules) 2406300 - ET RBN Known Russian Business Network Monitored Domains (301) (emerging-rbn.rules) 2406301 - ET RBN Known Russian Business Network Monitored Domains (302) (emerging-rbn.rules) 2406302 - ET RBN Known Russian Business Network Monitored Domains (303) (emerging-rbn.rules) 2406303 - ET RBN Known Russian Business Network Monitored Domains (304) (emerging-rbn.rules) 2406304 - ET RBN Known Russian Business Network Monitored Domains (305) (emerging-rbn.rules) 2406305 - ET RBN Known Russian Business Network Monitored Domains (306) (emerging-rbn.rules) 2406306 - ET RBN Known Russian Business Network Monitored Domains (307) (emerging-rbn.rules) 2406307 - ET RBN Known Russian Business Network Monitored Domains (308) (emerging-rbn.rules) 2406308 - ET RBN Known Russian Business Network Monitored Domains (309) (emerging-rbn.rules) 2406309 - ET RBN Known Russian Business Network Monitored Domains (310) (emerging-rbn.rules) 2406310 - ET RBN Known Russian Business Network Monitored Domains (311) (emerging-rbn.rules) 2406311 - ET RBN Known Russian Business Network Monitored Domains (312) (emerging-rbn.rules) 2406312 - ET RBN Known Russian Business Network Monitored Domains (313) (emerging-rbn.rules) 2406313 - ET RBN Known Russian Business Network Monitored Domains (314) (emerging-rbn.rules) 2406314 - ET RBN Known Russian Business Network Monitored Domains (315) (emerging-rbn.rules) 2406315 - ET RBN Known Russian Business Network Monitored Domains (316) (emerging-rbn.rules) 2406316 - ET RBN Known Russian Business Network Monitored 
Domains (317) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) 
(emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) 
(emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) 
(emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) 
(emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) (emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) 
(emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) (emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) 2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) 
(emerging-rbn-BLOCK.rules) 2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules) 2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules) 2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules) 2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules) 2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules) 2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules) 2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules) 2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules) 2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules) 2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules) 2407213 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) (emerging-rbn-BLOCK.rules) 2407214 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (215) (emerging-rbn-BLOCK.rules) 2407215 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (216) (emerging-rbn-BLOCK.rules) 2407216 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (217) (emerging-rbn-BLOCK.rules) 2407217 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (218) 
     2407308 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (309) (emerging-rbn-BLOCK.rules)
     2407309 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (310) (emerging-rbn-BLOCK.rules)
     2407310 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (311) (emerging-rbn-BLOCK.rules)
     2407311 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (312) (emerging-rbn-BLOCK.rules)
     2407312 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) (emerging-rbn-BLOCK.rules)
     2407313 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) (emerging-rbn-BLOCK.rules)
     2407314 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) (emerging-rbn-BLOCK.rules)
     2407315 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) (emerging-rbn-BLOCK.rules)
     2407316 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) (emerging-rbn-BLOCK.rules)

[---]        Removed rules:        [---]

     2406317 - ET RBN Known Russian Business Network Monitored Domains (318) (emerging-rbn.rules)
     2407317 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (318) (emerging-rbn-BLOCK.rules)

[+++]     Added non-rule lines:     [+++]

     -> Added to emerging-rbn-BLOCK.rules (2):
        # VERSION 123
        # Updated 2009-04-09 14:47:09
     -> Added to emerging-rbn.rules (2):
        # VERSION 123
        # Updated 2009-04-09 14:47:09
     -> Added to emerging-sid-msg.map (6):
        2009217 || ET SCAN Tomcat admin-admin login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009217 || url,tomcat.apache.org
        2009218 || ET SCAN Tomcat admin-blank login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009218 || url,tomcat.apache.org
        2009219 || ET SCAN Tomcat Successful default credential login from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009219 || url,tomcat.apache.org
        2009220 || ET SCAN Tomcat upload from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009220 || url,tomcat.apache.org
        2009222 || ET MALWARE NewWeb User Agent (Lobo Lunar) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009222
        2009223 || ET MALWARE Fake AV User Agent av1-site.info Related (AV1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009223
     -> Added to emerging-sid-msg.map.txt (6):
        2009217 || ET SCAN Tomcat admin-admin login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009217 || url,tomcat.apache.org
        2009218 || ET SCAN Tomcat admin-blank login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009218 || url,tomcat.apache.org
        2009219 || ET SCAN Tomcat Successful default credential login from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009219 || url,tomcat.apache.org
        2009220 || ET SCAN Tomcat upload from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009220 || url,tomcat.apache.org
        2009222 || ET MALWARE NewWeb User Agent (Lobo Lunar) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009222
        2009223 || ET MALWARE Fake AV User Agent av1-site.info Related (AV1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009223

[---]    Removed non-rule lines:    [---]

     -> Removed from emerging-rbn-BLOCK.rules (2):
        # VERSION 122
        # Updated 2009-04-06 12:39:44
     -> Removed from emerging-rbn.rules (2):
        # VERSION 122
        # Updated 2009-04-06 12:39:44
     -> Removed from emerging-sid-msg.map (6):
        2009217 || ET SCAN Tomcat admin-admin login credentials || url,tomcat.apache.org
        2009218 || ET SCAN Tomcat admin-blank login credentials || url,tomcat.apache.org
        2009219 || ET SCAN Tomcat Successful default credential login from external source || url,tomcat.apache.org
        2009220 || ET SCAN Tomcat upload from external source || url,tomcat.apache.org
        2406317 || ET RBN Known Russian Business Network Monitored Domains (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407317 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
     -> Removed from emerging-sid-msg.map.txt (6):
        2009217 || ET SCAN Tomcat admin-admin login credentials || url,tomcat.apache.org
        2009218 || ET SCAN Tomcat admin-blank login credentials || url,tomcat.apache.org
        2009219 || ET SCAN Tomcat Successful default credential login from external source || url,tomcat.apache.org
        2009220 || ET SCAN Tomcat upload from external source || url,tomcat.apache.org
        2406317 || ET RBN Known Russian Business Network Monitored Domains (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
        2407317 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (318) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

From scheidell at secnap.net  Thu Apr  9 17:07:07 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu, 09 Apr 2009 17:07:07 -0400
Subject: [Emerging-Sigs] any more info on Win32.BHO.lng ? sid:2009221?
Message-ID: <49DE637B.7040309@secnap.net>

Lots of FPs for anyone reading any yahoo.com/doubleclick.net server ads.
Target IP is ad1.rtm-1.vip.rm.ac4.yahoo.com 76.13.216.11

000 : 47 45 54 20 2F 69 6D 70 3F 5A 3D 37 32 38 78 39   GET /imp?Z=728x9
010 : 30 26 73 3D 34 34 33 33 30 34 26 5F 73 61 6C 74   0&s=443304&_salt
020 : 3D 32 31 39 38 39 36 34 38 32 30 26 42 3D 31 30   =2198964820&B=10
030 : 26 75 3D 68 74 74 70 25 33 41 25 32 46 25 32 46   &u=http%3A%2F%2F
040 : 61 64 2D 62 66 70 2E 64 6F 75 62 6C 65 63 6C 69   ad-bfp.doublecli
050 : 63 6B 2E 6E 65 74 25 32 46 61 64 69 25 32 46 61   ck.net%2Fadi%2Fa
060 : 67 69 2E 62 6D 61 2E 65 63 61 72 64 73 25 32 46   gi.bma.ecards%2F
070 : 62 69 72 74 68 64 61 79 25 32 46 66 75 6E 6E 79   birthday%2Ffunny
080 : 25 33 42 70 61 67 65 25 33 44 64 69 73 70 6C 61   %3Bpage%3Ddispla
090 : 79 25 33 42 67 25 33 44 25 33 42 61 25 33 44 25   y%3Bg%3D%3Ba%3D%
0a0 : 33 42 70 72 6F 64 75 63 74 25 33 44 33 30 38 37   3Bproduct%3D3087
0b0 : 35 39 39 25 33 42 6D 65 6D 73 74 61 74 25 33 44   599%3Bmemstat%3D
0c0 : 61 66 75 25 33 42 74 69 6C 65 25 33 44 31 25 33   afu%3Btile%3D1%3
0d0 : 42 64 63 6F 70 74 25 33 44 69 73 74 25 33 42 73   Bdcopt%3Dist%3Bs
0e0 : 7A 25 33 44 37 32 38 78 39 30 25 33 42 6F 72 64   z%3D728x90%3Bord
0f0 : 25 33 44 37 39 34 35 36 38 35 31 37 34 38 39 25   %3D794568517489%
100 : 33 46 26 72 3D 30 20 48 54 54 50 2F 31 2E 31 0D   3F&r=0 HTTP/1.1.
110 : 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65   .Accept: */*..Re
120 : 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 61 64   ferer: http://ad
130 : 73 65 72 76 69 6E 67 2E 63 70 78 69 6E 74 65 72   serving.cpxinter
140 : 61 63 74 69 76 65 2E 63 6F 6D 2F 73 74 3F 61 64   active.com/st?ad
150 : 5F 74 79 70 65 3D 69 66 72 61 6D 65 26 61 64 5F   _type=iframe&ad_
160 : 73 69 7A 65 3D 37 32 38 78 39 30 26 73 65 63 74   size=728x90&sect
170 : 69 6F 6E 3D 34 34 33 33 30 34 0D 0A 41 63 63 65   ion=443304..Acce
180 : 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D   pt-Language: en-
190 : 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64   us..Accept-Encod
1a0 : 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61   ing: gzip, defla
1b0 : 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20   te..User-Agent:
1c0 : 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D   Mozilla/4.0 (com
1d0 : 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E   patible; MSIE 6.
1e0 : 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E   0; Windows NT 5.
1f0 : 31 3B 20 53 56 31 3B 20 49 6E 66 6F 50 61 74 68   1; SV1; InfoPath
200 : 2E 31 3B 20 2E 4E 45 54 20 43 4C 52 20 31 2E 31   .1; .NET CLR 1.1
210 : 2E 34 33 32 32 29 0D 0A 48 6F 73 74 3A 20 61 64   .4322)..Host: ad
220 : 73 65 72 76 69 6E 67 2E 63 70 78 69 6E 74 65 72   serving.cpxinter
230 : 61 63 74 69 76 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E   active.com..Conn
240 : 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
250 : 76 65 0D 0A 0D 0A                                 ve....

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090409/0b58e68c/attachment.html

From jonkman at jonkmans.com  Thu Apr  9 16:44:10 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Apr 2009 16:44:10 -0400
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - April-07-2009
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292A@webmail.latis.com>
References: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292A@webmail.latis.com>
Message-ID: <49DE5E1A.4030302@jonkmans.com>

Posted!! Thanks!

matt

signatures wrote:
> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1. *WEB-PHP ea-gBook index_inc.php inc_ordner parameter local file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ea-gBook index_inc.php inc_ordner parameter local file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index_inc.php?"; nocase; uricontent:"inc_ordner="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; sid:2009081; rev:1;)
>
> 2. *WEB-PHP ea-gBook index_inc.php inc_ordner parameter remote file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ea-gBook index_inc.php inc_ordner parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index_inc.php?"; nocase; uricontent:"inc_ordner="; nocase; pcre:"/inc_ordner=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; sid:2009082; rev:1;)
>
> 3. *WEB-ATTACKS Sopcast SopCore ActiveX Control Remote Code Execution*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; content:"clsid"; nocase; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; distance:0; content:"SetExternalPlayer"; nocase; classtype:web-application-attack; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; sid:1000060; rev:1;)
>
> 4. *WEB-PHP eFiction toplists.php list Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP eFiction toplists.php list Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/toplists.php?"; nocase; uricontent:"list="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/30606/; reference:url,milw0rm.com/exploits/5785; sid:2009066; rev:1;)
>
> 5. *WEB-PHP AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/album.php?"; nocase; uricontent:"UID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:cve,CVE-2008-3386; reference:url,www.milw0rm.com/exploits/6092; reference:url,secunia.com/advisories/31134/; sid:2009085; rev:1;)
>
> 6. *WEB-PHP TECHNOTE shop_this_skin_path Paramter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TECHNOTE shop_this_skin_path Paramter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_default.php?"; nocase; uricontent:"GOODS[no]="; nocase; uricontent:"GOODS[gs_input]="; nocase; uricontent:"shop_this_skin_path="; nocase; pcre:"/shop_this_skin_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; sid:2009093; rev:1;)
>
> 7. *WEB-PHP TECHNOTE shop_this_skin_path Paramter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TECHNOTE shop_this_skin_path Paramter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_default.php?"; nocase; uricontent:"GOODS[no]="; nocase; uricontent:"GOODS[gs_input]="; nocase; uricontent:"shop_this_skin_path="; nocase; content:"../"; classtype:web-application-attack; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; sid:2009094; rev:1;)
>
> 8. *WEB-PHP Hedgehog CMS header.php c_temp_path Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Hedgehog CMS header.php c_temp_path Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/header.php?"; nocase; uricontent:"c_temp_path="; nocase; content:"../"; classtype:web-application-attack; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; sid:2009095; rev:1;)
>
> 9. *WEB-PHP Hedgehog CMS footer.php c_temp_path Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Hedgehog CMS footer.php c_temp_path Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/footer.php?"; nocase; uricontent:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/8028; sid:2009096; rev:1;)
>
> 10. *WEB-PHP Hedgehog CMS header.php c_temp_path Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Hedgehog CMS header.php c_temp_path Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/header.php?"; nocase; uricontent:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; sid:2009097; rev:1;)
>
> Looking forward to your comments, if any.
>
>
> Thanks & Regards,
> StillSecure
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From sroddy at ligo-la.caltech.edu  Thu Apr  9 18:24:29 2009
From: sroddy at ligo-la.caltech.edu (Shannon Roddy)
Date: Thu, 09 Apr 2009 17:24:29 -0500
Subject: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X
Message-ID: <49DE759D.6020003@ligo-la.caltech.edu>

I had this sig alert on a Mac OS X/Firefox browser today.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.BHO.lng Checkin"; flow:established,to_server; uricontent:"imp?Z="; uricontent:"&s="; nocase; uricontent:"&_salt="; nocase; uricontent:"&B=10&u=http"; nocase; classtype:trojan-activity; sid:2009221; rev:1;)

Looking at the traffic, it is obvious why the traffic triggered the alert, but what is less obvious to me is why this OS X host is making a request that looks like the BHO one would expect to find on Windows.

Here is a portion of the requested URI:

/imp?Z=160x600&s=578562&_salt=2375968421&B=10&u=http%3A%2F%2Fad.yieldmanager.com%2Fiframe3

Any ideas? Perhaps this is not specific to a particular BHO, and instead is a more generic form of ad delivery? If so... should the description in the signature change?

Thanks.
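One way to check how generic the rule's URI pattern is before deciding its fate, as an added example that is not code from the thread or from Emerging Threats: replay sid 2009221's uricontent options over a small labelled URI corpus. The two ad-serving URIs are the ones posted on the list; the rest of the corpus is constructed, and Snort's http_inspect URI normalisation is not modelled (URIs are matched exactly as given).

```python
"""FP triage for ET sid 2009221 (Win32.BHO.lng Checkin).

Added example, not code from the thread or from Emerging Threats: replays
the rule's uricontent options over a small labelled URI corpus to see how
generic the pattern is. The two ad-serving URIs are the ones posted in the
thread; everything else in the corpus is constructed. Snort's http_inspect
URI normalisation is not modelled, URIs are matched exactly as given.
"""

# (fragment, nocase) in rule order. In Snort, "nocase" modifies only the
# uricontent immediately before it, so "imp?Z=" stays case-sensitive.
SID_2009221_URICONTENT = [
    ("imp?Z=", False),
    ("&s=", True),
    ("&_salt=", True),
    ("&B=10&u=http", True),
]

# Labelled corpus: (label, Host header, request URI).
CORPUS = [
    # From the thread: the OS X/Firefox hit (Host header not given).
    ("ad-serving", "<unknown>",
     "/imp?Z=160x600&s=578562&_salt=2375968421&B=10"
     "&u=http%3A%2F%2Fad.yieldmanager.com%2Fiframe3"),
    # From the thread: the request in the posted packet dump.
    ("ad-serving", "adserving.cpxinteractive.com",
     "/imp?Z=728x90&s=443304&_salt=2198964820&B=10"
     "&u=http%3A%2F%2Fad-bfp.doubleclick.net%2Fadi%2Fagi.bma.ecards%2F"
     "birthday%2Ffunny%3Bpage%3Ddisplay%3Bg%3D%3Ba%3D%3Bproduct%3D3087599"
     "%3Bmemstat%3Dafu%3Btile%3D1%3Bdcopt%3Dist%3Bsz%3D728x90"
     "%3Bord%3D794568517489%3F&r=0"),
    # Constructed: same four fields in mixed case; nocase fragments still match.
    ("ad-serving", "ads.example.net", "/imp?Z=300x250&S=9&_SALT=3&b=10&U=HTTP"),
    # Constructed benign requests that must not fire.
    ("benign", "www.example.com", "/index.php?page=home&s=1"),
    ("benign", "www.example.com", "/imp?z=300x250&s=42&_salt=7&B=10&u=http"),  # lowercase z
    ("benign", "www.example.com", "/imp?Z=300x250&s=42&u=http%3A%2F%2Fexample.com"),  # no _salt
]


def _contains(uri, frag, nocase):
    """Single uricontent test: substring search, case-folded when nocase is set."""
    if nocase:
        return frag.lower() in uri.lower()
    return frag in uri


def failing_fragment(uri, fragments=SID_2009221_URICONTENT):
    """Return the first uricontent fragment absent from the URI, or None when
    every fragment is present (i.e. the rule would fire). With no distance or
    within modifiers, each fragment is searched over the whole URI buffer."""
    for frag, nocase in fragments:
        if not _contains(uri, frag, nocase):
            return frag
    return None


def rule_fires(uri, fragments=SID_2009221_URICONTENT):
    """True when all uricontent options of the rule match the URI."""
    return failing_fragment(uri, fragments) is None


def triage(corpus, fragments=SID_2009221_URICONTENT):
    """Replay the rule over the corpus.

    Returns {"hits": [(label, host, uri), ...],
             "by_label": {label: (fired, total)}}."""
    hits, by_label = [], {}
    for label, host, uri in corpus:
        fired = rule_fires(uri, fragments)
        done, total = by_label.get(label, (0, 0))
        by_label[label] = (done + int(fired), total + 1)
        if fired:
            hits.append((label, host, uri))
    return {"hits": hits, "by_label": by_label}


def fragment_prevalence(corpus, fragments=SID_2009221_URICONTENT):
    """Count corpus URIs containing each fragment on its own. A fragment that
    appears in nearly every request (here "&s=") adds no discrimination,
    which is why the rule fires on ordinary ad-impression traffic."""
    return {frag: sum(_contains(uri, frag, nocase) for _, _, uri in corpus)
            for frag, nocase in fragments}


if __name__ == "__main__":
    result = triage(CORPUS)
    for label, (fired, total) in sorted(result["by_label"].items()):
        print(f"{label:11s} fired on {fired}/{total}")
    for label, host, uri in result["hits"]:
        print(f"  hit: label={label} host={host} uri={uri[:48]}...")
    for frag, count in fragment_prevalence(CORPUS).items():
        print(f"  fragment {frag!r} present in {count}/{len(CORPUS)} URIs")
```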
From frank at knobbe.us  Thu Apr  9 20:08:22 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Thu, 09 Apr 2009 19:08:22 -0500
Subject: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X
In-Reply-To: <49DE759D.6020003@ligo-la.caltech.edu>
References: <49DE759D.6020003@ligo-la.caltech.edu>
Message-ID: <1239322102.26335.2.camel@localhost>

On Thu, 2009-04-09 at 17:24 -0500, Shannon Roddy wrote:
> Looking at the traffic, it is obvious why the traffic triggered the
> alert, but what is less obvious to me is why this OS X host is making a
> request that looks like the BHO one would expect to find on Windows.
>
> Here is a portion of the requested URI:
>
> /imp?Z=160x600&s=578562&_salt=2375968421&B=10&u=http%3A%2F%2Fad.yieldmanager.com%2Fiframe3

Looks like advertising, included through an IFRAME from a web site the Mac browsed. What is the Host: header in the request?

-Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090409/c4d610fb/attachment.bin

From jonkman at jonkmans.com  Thu Apr  9 20:49:30 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 09 Apr 2009 20:49:30 -0400
Subject: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X
In-Reply-To: <49DE759D.6020003@ligo-la.caltech.edu>
References: <49DE759D.6020003@ligo-la.caltech.edu>
Message-ID: <49DE979A.5040302@jonkmans.com>

We killed this sig this morning; it's hitting on too many ads. I'd drop it from your ruleset :)

matt

Shannon Roddy wrote:
> I had this sig alert on a Mac OS X/Firefox browser today.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.BHO.lng Checkin"; flow:established,to_server; uricontent:"imp?Z="; uricontent:"&s="; nocase; uricontent:"&_salt="; nocase; uricontent:"&B=10&u=http"; nocase; classtype:trojan-activity; sid:2009221; rev:1;)
>
> Looking at the traffic, it is obvious why the traffic triggered the
> alert, but what is less obvious to me is why this OS X host is making a
> request that looks like the BHO one would expect to find on Windows.
>
> Here is a portion of the requested URI:
>
> /imp?Z=160x600&s=578562&_salt=2375968421&B=10&u=http%3A%2F%2Fad.yieldmanager.com%2Fiframe3
>
> Any ideas? Perhaps this is not specific to a particular BHO, and
> instead is a more generic form of ad delivery? If so... should the
> description in the signature change?
>
> Thanks.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From r.fulton at auckland.ac.nz  Fri Apr 10 00:36:56 2009
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Fri, 10 Apr 2009 16:36:56 +1200
Subject: [Emerging-Sigs] question on 2009221
In-Reply-To: <49DDEC30.7070404@jonkmans.com>
References: <20090409081815.ktc1dvbiss4o48cc@mail.afferentsecurity.com> <49DDEC30.7070404@jonkmans.com>
Message-ID:

On 10/04/2009, at 12:38 AM, Matt Jonkman wrote:
> I think we're hitting on ad serving with this one as well. I'm going to
> kill the sig till we get more info...
>

I think so too! I've got over 450 hosts hitting this one; all the packets I've looked at are a very good match for the one posted on the wiki, right down to the same referrer.

Great to have the sample on the wiki!!!

Russell

> Matt
>
> Jack Pepper wrote:
>> What do we know about Win32.BHO.lng ? I am getting lots of these.
>> The packets look like they perfectly match the rule for variables in
>> the URL. But what is Win32.BHO.lng ?
>>
>> I posted a packet trace to:
>> http://doc.emergingthreats.net/bin/view/Main/2009221
>>
>> Matt: could you please fix my first wiki post? I forgot to put
>> and I put instead. |(
>>
>> jp
>>
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From nate+emerging at richmond-family.org  Fri Apr 10 09:39:16 2009
From: nate+emerging at richmond-family.org (Nathaniel Richmond)
Date: Fri, 10 Apr 2009 09:39:16 -0400 (EDT)
Subject: [Emerging-Sigs] Poor performance rules
Message-ID: <20090410133917.15A859C088@medusa.richmond-family.org>

A few rules that have poor performance because of complex pcre. The Avg/Check on these seems quite high compared to most rules.

Anyone have suggestions for improvement on these or a content anchor that can be run to eliminate more traffic prior to the pcre?
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute Javascript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001090; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute VBScript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001091; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to access SHELL\:"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001092; rev:8;)

From gregm at econet.com Fri Apr 10 09:44:57 2009
From: gregm at econet.com (Greg Martin)
Date: Fri, 10 Apr 2009 08:44:57 -0500
Subject: [Emerging-Sigs] Poor performance rules
In-Reply-To: <20090410133917.15A859C088@medusa.richmond-family.org>
References: <20090410133917.15A859C088@medusa.richmond-family.org>
Message-ID: <48A0B282-0A98-474F-A2C9-67C285E74438@econet.com>

Pcre before content match should be disabled by default, agree?

Sent from my iPhone

On Apr 10, 2009, at 8:40 AM, "Nathaniel Richmond" wrote:

> A few rules that have poor performance because of complex pcre. The
> Avg/Check on these seems quite high compared to most rules.
>
> Anyone have suggestions for improvement on these or a content anchor
> that can be run to eliminate more traffic prior to the pcre?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute Javascript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001090; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute VBScript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001091; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to access SHELL\:"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001092; rev:8;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

From jonkman at jonkmans.com Fri Apr 10 08:58:18 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 10 Apr 2009 08:58:18 -0400
Subject: [Emerging-Sigs] Poor performance rules
In-Reply-To: <20090410133917.15A859C088@medusa.richmond-family.org>
References: <20090410133917.15A859C088@medusa.richmond-family.org>
Message-ID: <49DF426A.3@jonkmans.com>

You're absolutely right! These are some ancient sigs, and I've not been convinced of their effectiveness really. I personally don't run them on the nets I protect.

If we were to keep them we could split them out into several rules each to allow a content anchor.

I'd rather disable them and put them in for deletion in a few weeks. But they may be of use to some folks, so I'll let people weigh in.
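To make the performance point in this thread concrete, here is an added Python model of sids 2001090-2001092. It is not code from the thread or from Emerging Threats: it re-implements each rule's pcre together with its positive and negated content options and runs them over constructed HTTP requests. The sample requests, and the three candidate anchors "href", "src" and "url" used to model a split-per-attribute rule set, are assumptions made for illustration.

```python
"""Added model of ET sids 2001090-2001092 (the "stealth" XSS rules).

Not Snort code: the rule logic is re-implemented so the pcre and the
content options can be exercised against constructed requests offline.
"""
import re

# Whitespace the rules allow between the letters of the scheme name:
# tab, LF, VT, FF and CR only. A plain space (0x20) is NOT in the class.
GAP = r"[\t\n\x0b\x0c\r]*"
ATTR = r"""(((URL|SRC|HREF|LOWSRC)\s*=)|(url\s*\())\s*['"]*"""


def stealth_regex(scheme):
    """Rebuild the rule's pcre for one scheme name ("javascript", "vbscript", "shell")."""
    return re.compile(ATTR + GAP + GAP.join(scheme) + GAP + ":", re.IGNORECASE)


def rule_fires(payload, scheme):
    """Evaluate the rule's three detection options for one scheme.

    content:"="                    the literal must be present somewhere
    content:!"<scheme>\\:"; nocase  negated: the plain, unobfuscated form makes
                                   the rule NOT fire (other sigs cover that form)
    pcre:"..."                     the whitespace-split scheme name
    """
    if "=" not in payload:
        return False
    if scheme + ":" in payload.lower():
        return False
    return stealth_regex(scheme).search(payload) is not None


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign_query":  "GET /search?q=snort&page=2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "benign_cookie": "GET /account HTTP/1.1\r\nCookie: PHPSESSID=3f2a; lang=en\r\n\r\n",
    "benign_form":   "POST /login HTTP/1.1\r\n\r\nuser=alice&password=s3cret&remember=1",
    "plain_js":      'POST /comment HTTP/1.1\r\n\r\nbody=<a href="javascript:alert(1)">x</a>',
    "tab_split_js":  'POST /comment HTTP/1.1\r\n\r\nbody=<a href="jav\tascript:alert(1)">x</a>',
    "mixed_case_js": "POST /comment HTTP/1.1\r\n\r\nbody=<img SRC = 'J\x0bAvA\rScRiPt:x'>",
    "css_url_vbs":   "POST /profile HTTP/1.1\r\n\r\nstyle=background:url(vb\nscript:msgbox)",
    "space_inside":  'POST /comment HTTP/1.1\r\n\r\nbody=<a href=" java\tscript:alert(1)">',
}

SCHEMES = ("javascript", "vbscript", "shell")


def evaluate(requests=SAMPLE_REQUESTS):
    """Which of the three rules fire on each request."""
    return {name: [s for s in SCHEMES if rule_fires(req, s)]
            for name, req in requests.items()}


def reaches_pcre(payload, anchors):
    """Snort only hands a packet to a rule's pcre after its fast-pattern content
    was found; model that with a case-insensitive substring test."""
    low = payload.lower()
    return any(a in low for a in anchors)


def pcre_workload(requests=SAMPLE_REQUESTS):
    """How many requests reach the pcre with the rule's own anchor versus after
    splitting each rule per attribute so every rule gets a real content anchor."""
    original = ["="]                 # longest non-negated content in the rule: one byte
    split = ["href", "src", "url"]   # assumed split; "src" also covers LOWSRC, "url" covers URL= and url(
    return (sum(reaches_pcre(r, original) for r in requests.values()),
            sum(reaches_pcre(r, split) for r in requests.values()))


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:14s} -> {hits or '-'}")
    print("requests reaching pcre (anchor '=' vs split anchors):", pcre_workload())
```

Snort uses the longest non-negated content of a rule as its fast pattern, and in these three rules that is the single byte "=", so practically every HTTP request is handed to the pcre; splitting per attribute gives each rule a multi-byte anchor that most requests lack. The model also makes two properties of the regex visible: the negated content means the plain "javascript:" form is deliberately not this rule's business, and because the gap class has no 0x20, a leading space inside the quotes slips past the pattern entirely.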
So put in your vote: we either drop these, or split them into 4 or so sigs each and get an anchor.

Matt

Nathaniel Richmond wrote:
> A few rules that have poor performance because of complex pcre. The
> Avg/Check on these seems quite high compared to most rules.
>
> Anyone have suggestions for improvement on these or a content anchor
> that can be run to eliminate more traffic prior to the pcre?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute Javascript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001090; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute VBScript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001091; rev:7;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to access SHELL\:"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001092; rev:8;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From pepperjack at afferentsecurity.com Fri Apr 10 10:16:40 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 10 Apr 2009 09:16:40 -0500
Subject: [Emerging-Sigs] Poor performance rules
In-Reply-To: <49DF426A.3@jonkmans.com>
References: <20090410133917.15A859C088@medusa.richmond-family.org> <49DF426A.3@jonkmans.com>
Message-ID: <20090410091640.pae5zhri804kk44k@mail.afferentsecurity.com>

I have disabled these for exactly this reason.

jp

Quoting Matt Jonkman :

> You're absolutely right! These are some ancient sigs, and I've not been
> convinced of their effectiveness really. I personally don't run them on
> the nets I protect.
>
> If we were to keep them we could split them out into several rules each
> to allow a content anchor.
>
> I'd rather disable them and put them in for deletion in a few weeks. But
> they may be of use to some folks, so I'll let people weigh in.
>
> So put in your vote: we either drop these, or split them into 4 or so
> sigs each and get an anchor.
>
> Matt
>
> Nathaniel Richmond wrote:
>> A few rules that have poor performance because of complex pcre. The
>> Avg/Check on these seems quite high compared to most rules.
>>
>> Anyone have suggestions for improvement on these or a content anchor
>> that can be run to eliminate more traffic prior to the pcre?
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute Javascript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001090; rev:7;)
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to execute VBScript code"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001091; rev:7;)
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB-MISC cross site scripting stealth attempt to access SHELL\:"; flow: to_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS; sid: 2001092; rev:8;)
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> -- 
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From frank at knobbe.us Fri Apr 10 10:32:30 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Fri, 10 Apr 2009 09:32:30 -0500
Subject: [Emerging-Sigs] Poor performance rules
In-Reply-To: <49DF426A.3@jonkmans.com>
References: <20090410133917.15A859C088@medusa.richmond-family.org> <49DF426A.3@jonkmans.com>
Message-ID: <1239373950.33202.9.camel@localhost>

On Fri, 2009-04-10 at 08:58 -0400, Matt Jonkman wrote:
> You're absolutely right! These are some ancient sigs, and I've not been
> convinced of their effectiveness really. I personally don't run them on
> the nets I protect.

Those three were a bit lame. However, there are other Javascript sigs which do fire frequently. But even with those I'm not convinced of their effectiveness. Given today's obfuscation techniques, I think we can probably disable a lot if not all of the other Javascript sigs.

Perhaps we need to review these one-by-one? (Maybe announce the Emerging Threats Month of Javascript Sig Scrutiny? ...lol)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090410/73eb178a/attachment.bin

From pepperjack at afferentsecurity.com Fri Apr 10 10:50:39 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Fri, 10 Apr 2009 09:50:39 -0500
Subject: [Emerging-Sigs] Suggestion for Manolito
Message-ID: <20090410095039.5ygta60xs0kgs4w4@mail.afferentsecurity.com>

When this p2p goes live the backend is flooded with redundant messages. I would like to suggest a threshold:

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 41170 (msg:"ET P2P Manolito Ping"; dsize:<24; content:"|3d|"; depth:1; content:"|d9|"; distance:1; content:"|ed bb|"; distance:13; threshold: type limit, track by_src, seconds 300, count 1; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Manolito; sid:2009098; rev:2;)

This seems to bring it down to a reasonable level.

jp

-- 
Framework? I don't need no stinking framework!
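As an added illustration of what the `threshold: type limit, track by_src, seconds 300, count 1` option in the Manolito rule above does to alert volume, here is a Python re-implementation of Snort's per-rule threshold types run over a constructed burst of pings. It is not Snort code or code from the thread; the window model (a window opens at the first event after the previous one expired) is the plain reading of the Snort manual, and the event stream and addresses are made up for the example.

```python
"""Added model of Snort's per-rule `threshold` keyword (type limit / threshold / both).

Re-implemented in Python so the effect of
    threshold: type limit, track by_src, seconds 300, count 1;
can be seen on a constructed burst of Manolito pings. Not Snort code.
"""
from collections import defaultdict


def apply_threshold(events, kind, count, seconds):
    """Return the subset of (time, src_ip) events that still produce an alert.

    Semantics follow the Snort manual's description of `threshold`:
      limit      alert on the first `count` events in each `seconds` window,
                 then stay quiet until the window expires
      threshold  alert on every `count`-th event inside a window
      both       alert once per window, when the `count`-th event arrives
    Windows are tracked per source address (track by_src) and open at the
    first event seen after the previous window expired (assumed model).
    """
    state = defaultdict(lambda: [None, 0])   # src -> [window_start, events_in_window]
    alerts = []
    for t, src in sorted(events):
        start, n = state[src]
        if start is None or t - start >= seconds:
            start, n = t, 0                   # open a fresh window
        n += 1
        state[src] = [start, n]
        if kind == "limit" and n <= count:
            alerts.append((t, src))
        elif kind == "threshold" and n % count == 0:
            alerts.append((t, src))
        elif kind == "both" and n == count:
            alerts.append((t, src))
    return alerts


# Constructed event stream (seconds, source), not captured traffic: one host
# sends 50 pings in 50 s, a second host sends 3, and the first host comes
# back after the 300 s window has expired.
EVENTS = ([(t, "10.0.0.5") for t in range(50)]
          + [(t, "10.0.0.9") for t in (10, 11, 12)]
          + [(t, "10.0.0.5") for t in range(400, 405)])


def summary(events=EVENTS):
    """Raw alert count versus what each threshold type lets through."""
    return {
        "raw": len(events),
        "limit_1_per_300s": len(apply_threshold(events, "limit", 1, 300)),
        "threshold_10_per_300s": len(apply_threshold(events, "threshold", 10, 300)),
        "both_10_per_300s": len(apply_threshold(events, "both", 10, 300)),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:24s} {v}")
```

With `type limit, count 1` the 58 raw events collapse to one alert per source per 300 s window, which keeps the fact that a host is running Manolito without logging every ping; `type threshold` or `type both` would instead hide a host that pings less than `count` times per window, which is the wrong trade-off for a policy signature.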
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From jonkman at jonkmans.com Fri Apr 10 10:05:28 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 10 Apr 2009 10:05:28 -0400
Subject: [Emerging-Sigs] Suggestion for Manolito
In-Reply-To: <20090410095039.5ygta60xs0kgs4w4@mail.afferentsecurity.com>
References: <20090410095039.5ygta60xs0kgs4w4@mail.afferentsecurity.com>
Message-ID: <49DF5228.9060305@jonkmans.com>

Excellent idea. Posting now

Jack Pepper wrote:
> When this p2p goes live the backend is flooded with redundant
> messages. I would like to suggest a threshold:
>
> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 41170 (msg:"ET P2P Manolito Ping"; dsize:<24; content:"|3d|"; depth:1; content:"|d9|"; distance:1; content:"|ed bb|"; distance:13; threshold: type limit, track by_src, seconds 300, count 1; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_Manolito; sid:2009098; rev:2;)
>
> This seems to bring it down to a reasonable level.
>
> jp
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From daniel.clemens at packetninjas.net Fri Apr 10 15:21:54 2009
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Fri, 10 Apr 2009 14:21:54 -0500
Subject: [Emerging-Sigs] Another Bancos Trojan Sig + Rule Modification of ASPack rule
Message-ID: <7C5EBAC1-6D0D-4FD5-BDEA-2496FBC977AF@packetninjas.net>

Earlier today I saw a bancos (what looked to be a banker trojan) trojan performing a GET request to a few sites. Looks like the symantec guys have seen the same thing in a lab so I thought I'd drop a quick sig.

# GET /keylogf.jpg
# Md5 Hash: 0826780f6373018bde5df960326bffbc (original binary)
# Context:
# GET http://hostingdll.vila.bol.com.br/keylogf.jpg
# GET http://hostingdll.vilabol.uol.com.br/keylogf.jpg

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET PWSteal.Bancos Generic Banker Trojan SCR Download"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/keylogf.jpg"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2; reference:url,www.packetninjas.net; sid:xxx; rev:1;)

In the course of all of this I noticed the bancos trojan was packed with aspack. Out of curiosity I wondered why a rule I previously wrote didn't trigger. Seems I had a false neg in the older rule. Here is a modified rule:

Rule cleanup/revision

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E 72 73 72 63|"; content:"|61 73 70 61 63 6B|"; within: 50; reference:url,www.aspack.com/downloads.aspx; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprotect_Packed; sid:2008575; rev:3;)

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"The secret to creativity is knowing how to hide your sources" Einstein

From emerging at emergingthreats.net Fri Apr 10 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Fri, 10 Apr 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090410200010.CB0BB4504A@goliath.jonkmans.com>

[***] Results from Oinkmaster started Fri Apr 10 16:00:10 2009 [***]

[+++] Added rules: [+++]

 2009224 - ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion (emerging-web_sql_injection.rules)
 2009225 - ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion (emerging-web_sql_injection.rules)
 2009226 - ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution (emerging-web.rules)
 2009227 - ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009228 - ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection (emerging-web_sql_injection.rules)
 2009229 - ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion (emerging-web_sql_injection.rules)
 2009230 - ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion (emerging-web_sql_injection.rules)
 2009231 - ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion (emerging-web_sql_injection.rules)
 2009232 - ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion (emerging-web_sql_injection.rules)
 2009233 - ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion (emerging-web_sql_injection.rules)

[///] Modified active rules: [///]

 2009098 - ET P2P Manolito Ping (emerging-p2p.rules)

[+++] Added non-rule lines: [+++]

 -> Added to emerging-sid-msg.map (10):
 2009224 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 ||
url,secunia.com/advisories/33927/
 2009225 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/
 2009226 || ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution || url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt || bugtraq,33920
 2009227 || ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection || url,milw0rm.com/exploits/5785 || url,secunia.com/advisories/30606/
 2009228 || ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection || url,secunia.com/advisories/31134/ || url,www.milw0rm.com/exploits/6092 || cve,CVE-2008-3386
 2009229 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
 2009230 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
 2009231 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
 2009232 || ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/8028 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
 2009233 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898

 -> Added to emerging-sid-msg.map.txt (10):
 2009224 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/
 2009225 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/
 2009226 || ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution || url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt || bugtraq,33920
 2009227 || ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection || url,milw0rm.com/exploits/5785 || url,secunia.com/advisories/30606/
 2009228 || ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection || url,secunia.com/advisories/31134/ || url,www.milw0rm.com/exploits/6092 || cve,CVE-2008-3386
 2009229 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
 2009230 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
 2009231 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
 2009232 || ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/8028 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
 2009233 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898

 -> Added to emerging-web_sql_injection.rules (1):
 #stillsecure

[---] Removed non-rule lines: [---]

 -> Removed from emerging-sid-msg.map (16):
 2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500168 || ET COMPROMISED Known Compromised or Hostile Host Traffic (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500169 || ET COMPROMISED Known Compromised or Hostile Host Traffic (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500170 || ET COMPROMISED Known Compromised or Hostile Host Traffic (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500171 || ET COMPROMISED Known Compromised or Hostile Host Traffic (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510168 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510169 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510170 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510171 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

 -> Removed from emerging-sid-msg.map.txt (16):
 2500164 || ET COMPROMISED Known Compromised or Hostile Host Traffic (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500165 || ET COMPROMISED Known Compromised or Hostile Host Traffic (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500166 || ET COMPROMISED Known Compromised or Hostile Host Traffic (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500167 || ET COMPROMISED Known Compromised or Hostile Host Traffic (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500168 || ET COMPROMISED Known Compromised or Hostile Host Traffic (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500169 || ET COMPROMISED Known Compromised or Hostile Host Traffic (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500170 || ET COMPROMISED Known Compromised or Hostile Host Traffic (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2500171 || ET COMPROMISED Known Compromised or Hostile Host Traffic (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510164 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (165) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510165 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (166) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510166 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (167) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510167 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (168) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510168 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (169) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510169 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (170) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510170 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (171) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
 2510171 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (172) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From inittab at jtan.com Fri Apr 10 17:03:55 2009
From: inittab at jtan.com (RPG)
Date: Fri, 10 Apr 2009 17:03:55 -0400
Subject: [Emerging-Sigs] Another Bancos Trojan Sig + Rule Modification of ASPack rule
In-Reply-To: <7C5EBAC1-6D0D-4FD5-BDEA-2496FBC977AF@packetninjas.net>
References: <7C5EBAC1-6D0D-4FD5-BDEA-2496FBC977AF@packetninjas.net>
Message-ID: <49DFB43B.1030206@jtan.com>

I have found that rule "2001683", aka "ET MALWARE Windows executable sent when remote host claims to send an image" does a decent job of rooting this sort of stuff out.

Daniel Clemens wrote:
> Earlier today I saw a bancos (what looked to be a banker trojan)
> trojan performing a GET request to a few sites.
> Looks like the symantec guys have seen the same thing in a lab so I
> thought I'd drop a quick sig.
>
> # GET /keylogf.jpg
> # Md5 Hash: 0826780f6373018bde5df960326bffbc (original binary)
> # Context:
> # GET http://hostingdll.vila.bol.com.br/keylogf.jpg
> # GET http://hostingdll.vilabol.uol.com.br/keylogf.jpg
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET PWSteal.Bancos Generic Banker Trojan SCR Download"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/keylogf.jpg"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2; reference:url,www.packetninjas.net; sid:xxx; rev:1;)
>
> In the course of all of this I noticed the bancos trojan was packed
> with aspack. Out of curiosity I wondered why a rule I previously wrote
> didn't trigger. Seems I had a false neg in the older rule.
> Here is a modified rule:
>
> Rule cleanup/revision
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E 72 73 72 63|"; content:"|61 73 70 61 63 6B|"; within: 50; reference:url,www.aspack.com/downloads.aspx; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprotect_Packed; sid:2008575; rev:3;)
>
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850 | | o. 866.267.8851
> "The secret to creativity is knowing how to hide your sources" Einstein
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>

From daniel.clemens at packetninjas.net Fri Apr 10 18:32:14 2009
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Fri, 10 Apr 2009 17:32:14 -0500
Subject: [Emerging-Sigs] Another Bancos Trojan Sig + Rule Modification of ASPack rule
In-Reply-To: <49DFB43B.1030206@jtan.com>
References: <7C5EBAC1-6D0D-4FD5-BDEA-2496FBC977AF@packetninjas.net> <49DFB43B.1030206@jtan.com>
Message-ID: <9AE250B9-63D8-4B3C-AECB-0ECE53217337@packetninjas.net>

On Apr 10, 2009, at 4:03 PM, RPG wrote:

> I have found that rule "2001683", aka "ET MALWARE Windows executable
> sent when remote host claims to send an image" does a decent job of
> rooting this sort of stuff out.
>

The rule you're referencing has been good no doubt. The GET /keylogf.jpg downloads an scr file not a portable executable. The sig is to catch the get request for actions taken by hosts compromised with the bancos Trojan. The secondary rule mentioned (aspack) rule modification probably should have been a separate thread.
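To show why the revised sid 2008575 above pairs ".rsrc" with "aspack" inside a 50-byte window, here is an added Python model of the rule's two content options with Snort's `within` semantics, run over constructed PE section tables. It is not Snort code or code from this thread. It assumes the layout ASPack is commonly reported to produce (an .aspack section header following the original sections) and builds the section tables by hand; a 40-byte IMAGE_SECTION_HEADER with the 8-byte name first is the real PE format.

```python
"""Added model of ET sid 2008575 (".rsrc" then "aspack" within 50 bytes).

Not Snort code: it re-implements the two `content` options with Snort's
`within` semantics and runs them over constructed PE section tables, so the
reason the rule works (and when it would not) can be checked offline.
"""

SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER); the 8-byte Name field comes first


def section_header(name):
    """Build one 40-byte section header whose only populated field is the name."""
    assert len(name) <= 8
    return name.ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)


def rule_2008575_matches(data):
    """content:"|2E 72 73 72 63|" (.rsrc); content:"|61 73 70 61 63 6B|" (aspack); within:50

    `within:50` means the second pattern must lie entirely inside the 50 bytes
    that follow the end of the first match. Like Snort, if that fails the
    search restarts from the next occurrence of the first pattern instead of
    giving up on the first one.
    """
    first, second, within = b".rsrc", b"aspack", 50
    pos = data.find(first)
    while pos != -1:
        end = pos + len(first)
        if data.find(second, end, end + within) != -1:
            return True
        pos = data.find(first, pos + 1)
    return False


# Constructed section tables (not real binaries). Assumed ASPack layout:
# the packer's .aspack/.adata headers follow the original .rsrc header.
PACKED = (section_header(b".text") + section_header(b".rsrc")
          + section_header(b".aspack") + section_header(b".adata"))
UNPACKED = (section_header(b".text") + section_header(b".rdata")
            + section_header(b".data") + section_header(b".rsrc"))
# ".rsrc" first appears inside a string, then padding, then the real table:
# the rule must retry from the second occurrence to catch this one.
DECOY_FIRST = b"C:\\build\\icons.rsrc" + b"\0" * 200 + PACKED
# a header between .rsrc and .aspack pushes the gap past 50 bytes: rule misses
FAR_APART = (section_header(b".rsrc") + section_header(b".reloc")
             + section_header(b".aspack"))


def classify(samples=None):
    """Map each constructed sample to the rule's verdict."""
    samples = samples or {"packed": PACKED, "unpacked": UNPACKED,
                          "decoy_first": DECOY_FIRST, "far_apart": FAR_APART}
    return {name: rule_2008575_matches(blob) for name, blob in samples.items()}


def gap_between(first=b".rsrc", second=b"aspack", data=PACKED):
    """Bytes from the end of the first match to the end of the second (must be <= 50)."""
    a = data.find(first) + len(first)
    b = data.find(second, a) + len(second)
    return b - a


if __name__ == "__main__":
    print(classify())
    print("bytes from end of .rsrc to end of aspack in PACKED:", gap_between())
```

Section headers are 40 bytes apart, so when the packer's section directly follows .rsrc the two strings sit 42 bytes apart end to end and `within:50` holds; if any other header sits between them the rule misses, which is the kind of false negative a content/within pair can hide. The section table lives in the first few hundred bytes of the file, which is why a packet-level rule on the HTTP response body can see it at all.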
Daniel Clemens > Daniel Clemens wrote: >> Earlier today I saw a bancos (what looked to be a banker trojan) >> trojan performing a GET request to a few sites. >> Looks like the symantec guys have seen the same thing in a lab so >> I thought I'd drop a quick sig. >> >> # GET /keylogf.jpg >> # Md5 Hash: 0826780f6373018bde5df960326bffbc (original binary) >> # Context: >> # GET http://hostingdll.vila.bol.com.br/keylogf.jpg >> # GET http://hostingdll.vilabol.uol.com.br/keylogf.jpg >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS >> (msg:"ET PWSteal.Bancos Generic Banker Trojan SCR Download"; >> flow:to_server,established; content:"GET "; depth:4; >> uricontent:"/keylogf.jpg"; nocase; >> classtype:trojan-activity; >> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2 >> ; >> reference:url,www.packetninjas.net; >> sid:xxx; rev:1;) >> >> In the course of all of this I noticed the bancos trojan was >> packed with aspack. Out of curiosity I wondered why a rule I >> previously wrote didn't trigger. Seems I had a false neg in the >> older rule. >> Here is a modified rule: >> >> Rule cleanup/revision >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any >> (msg:"ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile"; >> flow:from_server,established; >> content:"|2E 72 73 72 63|"; >> content:"|61 73 70 61 63 6B|"; within: 50; >> reference:url,www.aspack.com/downloads.aspx; >> reference:url,www.packetninjas.net; >> classtype:trojan-activity; >> reference:url,doc.emergingthreats.net/2008575; >> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprotect_Packed >> ; sid:2008575; rev:3;) >> >> | Daniel Uriah Clemens >> | Packetninjas L.L.C | | http://www.packetninjas.net >> | c. 205.567.6850 | | o. 
866.267.8851 >> "The secret to creativity is knowing how to hide your sources" >> Einstein >> >> _______________________________________________ >> Emerging-sigs mailing list >> Emerging-sigs at emergingthreats.net >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs >> > > From emerging at emergingthreats.net Sat Apr 11 16:00:11 2009 From: emerging at emergingthreats.net (emerging@emergingthreats.net) Date: Sat, 11 Apr 2009 16:00:11 -0400 (EDT) Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes Message-ID: <20090411200011.1E7074501B@goliath.jonkmans.com> [***] Results from Oinkmaster started Sat Apr 11 16:00:11 2009 [***] [*] Rules modifications: [*] None. [---] Removed non-rule lines: [---] -> Removed from emerging-sid-msg.map (18): 2500155 || ET COMPROMISED Known Compromised or Hostile Host Traffic (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500156 || ET COMPROMISED Known Compromised or Hostile Host Traffic (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500157 || ET COMPROMISED Known Compromised or Hostile Host Traffic (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500158 || ET COMPROMISED Known Compromised or Hostile Host Traffic (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500159 || ET COMPROMISED Known Compromised or Hostile Host Traffic (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500160 || ET COMPROMISED Known Compromised or Hostile Host Traffic (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500161 || ET COMPROMISED Known Compromised or Hostile Host Traffic (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500162 || ET COMPROMISED Known Compromised or Hostile Host Traffic (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 
2510155 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510156 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510157 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510158 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510159 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510160 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510161 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510162 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Removed from emerging-sid-msg.map.txt (18):
2500155 || ET COMPROMISED Known Compromised or Hostile Host Traffic (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500156 || ET COMPROMISED Known Compromised or Hostile Host Traffic (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500157 || ET COMPROMISED Known Compromised or Hostile Host Traffic (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500158 || ET COMPROMISED Known Compromised or Hostile Host Traffic (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500159 || ET COMPROMISED Known Compromised or Hostile Host Traffic (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500160 || ET COMPROMISED Known Compromised or Hostile Host Traffic (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500161 || ET COMPROMISED Known Compromised or Hostile Host Traffic (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500162 || ET COMPROMISED Known Compromised or Hostile Host Traffic (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500163 || ET COMPROMISED Known Compromised or Hostile Host Traffic (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510155 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (156) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510156 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510157 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510158 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510159 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510160 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510161 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510162 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510163 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (164) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

From dokas at oitsec.umn.edu Sat Apr 11 16:32:06 2009
From: dokas at oitsec.umn.edu (Paul Dokas)
Date: Sat, 11 Apr 2009 15:32:06 -0500
Subject: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X
In-Reply-To: <49DE979A.5040302@jonkmans.com>
References: <49DE759D.6020003@ligo-la.caltech.edu> <49DE979A.5040302@jonkmans.com>
Message-ID: <49E0FE46.7080507@oitsec.umn.edu>

Matt Jonkman wrote:
> We killed this sig this morning, it's hitting on too many ads. I'd drop
> it from your ruleset :)

I'd suggest examining those hits very closely before turning that sig off.
We have seen a large amount of malware being pushed through ads served up
by yieldmanager and zedo. The usual process seems to be:

"legit" ad -> javascript -> another adsite -> javascript/iframe -> bad pdf/swf files -> exploits

This might represent a change in how they're slinging malware.

Paul

--
Paul Dokas
dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

From emerging at emergingthreats.net Sat Apr 11 18:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Sat, 11 Apr 2009 18:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Weekly Signature Changes
Message-ID: <20090411220011.1A6024501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Sat Apr 11 18:00:10 2009 [***]

[+++] Added rules: [+++]
2009209 - ET TROJAN Rogue A/V Win32/FakeXPA GET Request (emerging-virus.rules)
2009210 - ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd) (emerging-attack_response.rules)
2009211 - ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd) (emerging-attack_response.rules)
2009212 - ET TROJAN Zbot/Zeus Dropper Infection - /check (emerging-virus.rules)
2009213 - ET TROJAN Zbot/Zeus Dropper Infection - /loads.php (emerging-virus.rules)
2009215 - ET TROJAN Farfli HTTP Checkin Activity (emerging-virus.rules)
2009216 - ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit (emerging-exploit.rules)
2009217 - ET SCAN Tomcat admin-admin login credentials (emerging-scan.rules)
2009218 - ET SCAN Tomcat admin-blank login credentials (emerging-scan.rules)
2009219 - ET SCAN Tomcat Successful default credential login from external source (emerging-scan.rules)
2009220 - ET SCAN Tomcat upload from external source (emerging-scan.rules)
2009222 - ET MALWARE NewWeb User Agent (Lobo Lunar) (emerging-malware.rules)
2009223 - ET MALWARE Fake AV User Agent av1-site.info Related (AV1) (emerging-malware.rules)
2009224 - ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion (emerging-web_sql_injection.rules)
2009225 - ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion (emerging-web_sql_injection.rules)
2009226 - ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution (emerging-web.rules)
2009227 - ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection (emerging-web_sql_injection.rules)
2009228 - ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection (emerging-web_sql_injection.rules)
2009229 - ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion (emerging-web_sql_injection.rules)
2009230 - ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion (emerging-web_sql_injection.rules)
2009231 - ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion (emerging-web_sql_injection.rules)
2009232 - ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion (emerging-web_sql_injection.rules)
2009233 - ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion (emerging-web_sql_injection.rules)
2406304 - ET RBN Known Russian Business Network Monitored Domains (305) (emerging-rbn.rules)
2406305 - ET RBN Known Russian Business Network Monitored Domains (306) (emerging-rbn.rules)
2406306 - ET RBN Known Russian Business Network Monitored Domains (307) (emerging-rbn.rules)
2406307 - ET RBN Known Russian Business Network Monitored Domains (308) (emerging-rbn.rules)
2406308 - ET RBN Known Russian Business Network Monitored Domains (309) (emerging-rbn.rules)
2406309 - ET RBN Known Russian Business Network Monitored Domains (310) (emerging-rbn.rules)
2406310 - ET RBN Known Russian Business Network Monitored Domains (311) (emerging-rbn.rules)
2406311 - ET RBN Known Russian Business Network Monitored Domains (312) (emerging-rbn.rules)
2406312 - ET RBN Known Russian Business Network Monitored Domains (313) (emerging-rbn.rules)
2406313 - ET RBN Known Russian Business Network Monitored Domains (314) (emerging-rbn.rules)
2406314 - ET RBN Known Russian Business Network Monitored Domains (315) (emerging-rbn.rules)
2406315 - ET RBN Known Russian Business Network Monitored Domains (316) (emerging-rbn.rules)
2406316 - ET RBN Known Russian Business Network Monitored Domains (317) (emerging-rbn.rules)
2407304 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (305) (emerging-rbn-BLOCK.rules)
2407305 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (306) (emerging-rbn-BLOCK.rules)
2407306 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (307) (emerging-rbn-BLOCK.rules)
2407307 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (308) (emerging-rbn-BLOCK.rules)
2407308 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (309) (emerging-rbn-BLOCK.rules)
2407309 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (310) (emerging-rbn-BLOCK.rules)
2407310 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (311) (emerging-rbn-BLOCK.rules)
2407311 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (312) (emerging-rbn-BLOCK.rules)
2407312 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) (emerging-rbn-BLOCK.rules)
2407313 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) (emerging-rbn-BLOCK.rules)
2407314 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) (emerging-rbn-BLOCK.rules)
2407315 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) (emerging-rbn-BLOCK.rules)
2407316 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) (emerging-rbn-BLOCK.rules)

[///] Modified active rules: [///]
2009098 - ET P2P Manolito Ping (emerging-p2p.rules)
2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
2404000 - ET DROP Known Bot C&C Server Traffic (group 1) (emerging-botcc.rules)
2404001 - ET DROP Known Bot C&C Server Traffic (group 2) (emerging-botcc.rules)
2404002 - ET DROP Known Bot C&C Server Traffic (group 3) (emerging-botcc.rules)
2404003 - ET DROP Known Bot C&C Server Traffic (group 4) (emerging-botcc.rules)
2404004 - ET DROP Known Bot C&C Server Traffic (group 5) (emerging-botcc.rules)
2404005 - ET DROP Known Bot C&C Server Traffic (group 6) (emerging-botcc.rules)
2404006 - ET DROP Known Bot C&C Server Traffic (group 7) (emerging-botcc.rules)
2404007 - ET DROP Known Bot C&C Server Traffic (group 8) (emerging-botcc.rules)
2404008 - ET DROP Known Bot C&C Server Traffic (group 9) (emerging-botcc.rules)
2404009 - ET DROP Known Bot C&C Server Traffic (group 10) (emerging-botcc.rules)
2404010 - ET DROP Known Bot C&C Server Traffic (group 11) (emerging-botcc.rules)
2404011 - ET DROP Known Bot C&C Server Traffic (group 12) (emerging-botcc.rules)
2404012 - ET DROP Known Bot C&C Server Traffic (group 13) (emerging-botcc.rules)
2404013 - ET DROP Known Bot C&C Server Traffic (group 14) (emerging-botcc.rules)
2404014 - ET DROP Known Bot C&C Server Traffic (group 15) (emerging-botcc.rules)
2404015 - ET DROP Known Bot C&C Server Traffic (group 16) (emerging-botcc.rules)
2404016 - ET DROP Known Bot C&C Server Traffic (group 17) (emerging-botcc.rules)
2404017 - ET DROP Known Bot C&C Server Traffic (group 18) (emerging-botcc.rules)
2404018 - ET DROP Known Bot C&C Server Traffic (group 19) (emerging-botcc.rules)
2404019 - ET DROP Known Bot C&C Server Traffic (group 20) (emerging-botcc.rules)
2404020 - ET DROP Known Bot C&C Server Traffic (group 21) (emerging-botcc.rules)
2404021 - ET DROP Known Bot C&C Server Traffic (group 22) (emerging-botcc.rules)
2404022 - ET DROP Known Bot C&C Server Traffic (group 23) (emerging-botcc.rules)
2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405021 - ET DROP Known Bot C&C Traffic (group 22) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2405022 - ET DROP Known Bot C&C Traffic (group 23) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
2406000 - ET RBN Known Russian Business Network Monitored Domains (1) (emerging-rbn.rules)
2406001 - ET RBN Known Russian Business Network Monitored Domains (2) (emerging-rbn.rules)
2406002 - ET RBN Known Russian Business Network Monitored Domains (3) (emerging-rbn.rules)
2406003 - ET RBN Known Russian Business Network Monitored Domains (4) (emerging-rbn.rules)
2406004 - ET RBN Known Russian Business Network Monitored Domains (5) (emerging-rbn.rules)
2406005 - ET RBN Known Russian Business Network Monitored Domains (6) (emerging-rbn.rules)
2406006 - ET RBN Known Russian Business Network Monitored Domains (7) (emerging-rbn.rules)
2406007 - ET RBN Known Russian Business Network Monitored Domains (8) (emerging-rbn.rules)
2406008 - ET RBN Known Russian Business Network Monitored Domains (9) (emerging-rbn.rules)
2406009 - ET RBN Known Russian Business Network Monitored Domains (10) (emerging-rbn.rules)
2406010 - ET RBN Known Russian Business Network Monitored Domains (11) (emerging-rbn.rules)
2406011 - ET RBN Known Russian Business Network Monitored Domains (12) (emerging-rbn.rules)
2406012 - ET RBN Known Russian Business Network Monitored Domains (13) (emerging-rbn.rules)
2406013 - ET RBN Known Russian Business Network Monitored Domains (14) (emerging-rbn.rules)
2406014 - ET RBN Known Russian Business Network Monitored Domains (15) (emerging-rbn.rules)
2406015 - ET RBN Known Russian Business Network Monitored Domains (16) (emerging-rbn.rules)
2406016 - ET RBN Known Russian Business Network Monitored Domains (17) (emerging-rbn.rules)
2406017 - ET RBN Known Russian Business Network Monitored Domains (18) (emerging-rbn.rules)
2406018 - ET RBN Known Russian Business Network Monitored Domains (19) (emerging-rbn.rules)
2406019 - ET RBN Known Russian Business Network Monitored Domains (20) (emerging-rbn.rules)
2406020 - ET RBN Known Russian Business Network Monitored Domains (21) (emerging-rbn.rules)
2406021 - ET RBN Known Russian Business Network Monitored Domains (22) (emerging-rbn.rules)
2406022 - ET RBN Known Russian Business Network Monitored Domains (23) (emerging-rbn.rules)
2406023 - ET RBN Known Russian Business Network Monitored Domains (24) (emerging-rbn.rules)
2406024 - ET RBN Known Russian Business Network Monitored Domains (25) (emerging-rbn.rules)
2406025 - ET RBN Known Russian Business Network Monitored Domains (26) (emerging-rbn.rules)
2406026 - ET RBN Known Russian Business Network Monitored Domains (27) (emerging-rbn.rules)
2406027 - ET RBN Known Russian Business Network Monitored Domains (28) (emerging-rbn.rules)
2406028 - ET RBN Known Russian Business Network Monitored Domains (29) (emerging-rbn.rules)
2406029 - ET RBN Known Russian Business Network Monitored Domains (30) (emerging-rbn.rules)
2406030 - ET RBN Known Russian Business Network Monitored Domains (31) (emerging-rbn.rules)
2406031 - ET RBN Known Russian Business Network Monitored Domains (32) (emerging-rbn.rules)
2406032 - ET RBN Known Russian Business Network Monitored Domains (33) (emerging-rbn.rules)
2406033 - ET RBN Known Russian Business Network Monitored Domains (34) (emerging-rbn.rules)
2406034 - ET RBN Known Russian Business Network Monitored Domains (35) (emerging-rbn.rules)
2406035 - ET RBN Known Russian Business Network Monitored Domains (36) (emerging-rbn.rules)
2406036 - ET RBN Known Russian Business Network Monitored Domains (37) (emerging-rbn.rules)
2406037 - ET RBN Known Russian Business Network Monitored Domains (38) (emerging-rbn.rules)
2406038 - ET RBN Known Russian Business Network Monitored Domains (39) (emerging-rbn.rules)
2406039 - ET RBN Known Russian Business Network Monitored Domains (40) (emerging-rbn.rules)
2406040 - ET RBN Known Russian Business Network Monitored Domains (41) (emerging-rbn.rules)
2406041 - ET RBN Known Russian Business Network Monitored Domains (42) (emerging-rbn.rules)
2406042 - ET RBN Known Russian Business Network Monitored Domains (43) (emerging-rbn.rules)
2406043 - ET RBN Known Russian Business Network Monitored Domains (44) (emerging-rbn.rules)
2406044 - ET RBN Known Russian Business Network Monitored Domains (45) (emerging-rbn.rules)
2406045 - ET RBN Known Russian Business Network Monitored Domains (46) (emerging-rbn.rules)
2406046 - ET RBN Known Russian Business Network Monitored Domains (47) (emerging-rbn.rules)
2406047 - ET RBN Known Russian Business Network Monitored Domains (48) (emerging-rbn.rules)
2406048 - ET RBN Known Russian Business Network Monitored Domains (49) (emerging-rbn.rules)
2406049 - ET RBN Known Russian Business Network Monitored Domains (50) (emerging-rbn.rules)
2406050 - ET RBN Known Russian Business Network Monitored Domains (51) (emerging-rbn.rules)
2406051 - ET RBN Known Russian Business Network Monitored Domains (52) (emerging-rbn.rules)
2406052 - ET RBN Known Russian Business Network Monitored Domains (53) (emerging-rbn.rules)
2406053 - ET RBN Known Russian Business Network Monitored Domains (54) (emerging-rbn.rules)
2406054 - ET RBN Known Russian Business Network Monitored Domains (55) (emerging-rbn.rules)
2406055 - ET RBN Known Russian Business Network Monitored Domains (56) (emerging-rbn.rules)
2406056 - ET RBN Known Russian Business Network Monitored Domains (57) (emerging-rbn.rules)
2406057 - ET RBN Known Russian Business Network Monitored Domains (58) (emerging-rbn.rules)
2406058 - ET RBN Known Russian Business Network Monitored Domains (59) (emerging-rbn.rules)
2406059 - ET RBN Known Russian Business Network Monitored Domains (60) (emerging-rbn.rules)
2406060 - ET RBN Known Russian Business Network Monitored Domains (61) (emerging-rbn.rules)
2406061 - ET RBN Known Russian Business Network Monitored Domains (62) (emerging-rbn.rules)
2406062 - ET RBN Known Russian Business Network Monitored Domains (63) (emerging-rbn.rules)
2406063 - ET RBN Known Russian Business Network Monitored Domains (64) (emerging-rbn.rules)
2406064 - ET RBN Known Russian Business Network Monitored Domains (65) (emerging-rbn.rules)
2406065 - ET RBN Known Russian Business Network Monitored Domains (66) (emerging-rbn.rules)
2406066 - ET RBN Known Russian Business Network Monitored Domains (67) (emerging-rbn.rules)
2406067 - ET RBN Known Russian Business Network Monitored Domains (68) (emerging-rbn.rules)
2406068 - ET RBN Known Russian Business Network Monitored Domains (69) (emerging-rbn.rules)
2406069 - ET RBN Known Russian Business Network Monitored Domains (70) (emerging-rbn.rules)
2406070 - ET RBN Known Russian Business Network Monitored Domains (71) (emerging-rbn.rules)
2406071 - ET RBN Known Russian Business Network Monitored Domains (72) (emerging-rbn.rules)
2406072 - ET RBN Known Russian Business Network Monitored Domains (73) (emerging-rbn.rules)
2406073 - ET RBN Known Russian Business Network Monitored Domains (74) (emerging-rbn.rules)
2406074 - ET RBN Known Russian Business Network Monitored Domains (75) (emerging-rbn.rules)
2406075 - ET RBN Known Russian Business Network Monitored Domains (76) (emerging-rbn.rules)
2406076 - ET RBN Known Russian Business Network Monitored Domains (77) (emerging-rbn.rules)
2406077 - ET RBN Known Russian Business Network Monitored Domains (78) (emerging-rbn.rules)
2406078 - ET RBN Known Russian Business Network Monitored Domains (79) (emerging-rbn.rules)
2406079 - ET RBN Known Russian Business Network Monitored Domains (80) (emerging-rbn.rules)
2406080 - ET RBN Known Russian Business Network Monitored Domains (81) (emerging-rbn.rules)
2406081 - ET RBN Known Russian Business Network Monitored Domains (82) (emerging-rbn.rules)
2406082 - ET RBN Known Russian Business Network Monitored Domains (83) (emerging-rbn.rules)
2406083 - ET RBN Known Russian Business Network Monitored Domains (84) (emerging-rbn.rules)
2406084 - ET RBN Known Russian Business Network Monitored Domains (85) (emerging-rbn.rules)
2406085 - ET RBN Known Russian Business Network Monitored Domains (86) (emerging-rbn.rules)
2406086 - ET RBN Known Russian Business Network Monitored Domains (87) (emerging-rbn.rules)
2406087 - ET RBN Known Russian Business Network Monitored Domains (88) (emerging-rbn.rules)
2406088 - ET RBN Known Russian Business Network Monitored Domains (89) (emerging-rbn.rules)
2406089 - ET RBN Known Russian Business Network Monitored Domains (90) (emerging-rbn.rules)
2406090 - ET RBN Known Russian Business Network Monitored Domains (91) (emerging-rbn.rules)
2406091 - ET RBN Known Russian Business Network Monitored Domains (92) (emerging-rbn.rules)
2406092 - ET RBN Known Russian Business Network Monitored Domains (93) (emerging-rbn.rules)
2406093 - ET RBN Known Russian Business Network Monitored Domains (94) (emerging-rbn.rules)
2406094 - ET RBN Known Russian Business Network Monitored Domains (95) (emerging-rbn.rules)
2406095 - ET RBN Known Russian Business Network Monitored Domains (96) (emerging-rbn.rules)
2406096 - ET RBN Known Russian Business Network Monitored Domains (97) (emerging-rbn.rules)
2406097 - ET RBN Known Russian Business Network Monitored Domains (98) (emerging-rbn.rules)
2406098 - ET RBN Known Russian Business Network Monitored Domains (99) (emerging-rbn.rules)
2406099 - ET RBN Known Russian Business Network Monitored Domains (100) (emerging-rbn.rules)
2406100 - ET RBN Known Russian Business Network Monitored Domains (101) (emerging-rbn.rules)
2406101 - ET RBN Known Russian Business Network Monitored Domains (102) (emerging-rbn.rules)
2406102 - ET RBN Known Russian Business Network Monitored Domains (103) (emerging-rbn.rules)
2406103 - ET RBN Known Russian Business Network Monitored Domains (104) (emerging-rbn.rules)
2406104 - ET RBN Known Russian Business Network Monitored Domains (105) (emerging-rbn.rules)
2406105 - ET RBN Known Russian Business Network Monitored Domains (106) (emerging-rbn.rules)
2406106 - ET RBN Known Russian Business Network Monitored Domains (107) (emerging-rbn.rules)
2406107 - ET RBN Known Russian Business Network Monitored Domains (108) (emerging-rbn.rules)
2406108 - ET RBN Known Russian Business Network Monitored Domains (109) (emerging-rbn.rules)
2406109 - ET RBN Known Russian Business Network Monitored Domains (110) (emerging-rbn.rules)
2406110 - ET RBN Known Russian Business Network Monitored Domains (111) (emerging-rbn.rules)
2406111 - ET RBN Known Russian Business Network Monitored Domains (112) (emerging-rbn.rules)
2406112 - ET RBN Known Russian Business Network Monitored Domains (113) (emerging-rbn.rules)
2406113 - ET RBN Known Russian Business Network Monitored Domains (114) (emerging-rbn.rules)
2406114 - ET RBN Known Russian Business Network Monitored Domains (115) (emerging-rbn.rules)
2406115 - ET RBN Known Russian Business Network Monitored Domains (116) (emerging-rbn.rules)
2406116 - ET RBN Known Russian Business Network Monitored Domains (117) (emerging-rbn.rules)
2406117 - ET RBN Known Russian Business Network Monitored Domains (118) (emerging-rbn.rules)
2406118 - ET RBN Known Russian Business Network Monitored Domains (119) (emerging-rbn.rules)
2406119 - ET RBN Known Russian Business Network Monitored Domains (120) (emerging-rbn.rules)
2406120 - ET RBN Known Russian Business Network Monitored Domains (121) (emerging-rbn.rules)
2406121 - ET RBN Known Russian Business Network Monitored Domains (122) (emerging-rbn.rules)
2406122 - ET RBN Known Russian Business Network Monitored Domains (123) (emerging-rbn.rules)
2406123 - ET RBN Known Russian Business Network Monitored Domains (124) (emerging-rbn.rules)
2406124 - ET RBN Known Russian Business Network Monitored Domains (125) (emerging-rbn.rules)
2406125 - ET RBN Known Russian Business Network Monitored Domains (126) (emerging-rbn.rules)
2406126 - ET RBN Known Russian Business Network Monitored Domains (127) (emerging-rbn.rules)
2406127 - ET RBN Known Russian Business Network Monitored Domains (128) (emerging-rbn.rules)
2406128 - ET RBN Known Russian Business Network Monitored Domains (129) (emerging-rbn.rules)
2406129 - ET RBN Known Russian Business Network Monitored Domains (130) (emerging-rbn.rules)
2406130 - ET RBN Known Russian Business Network Monitored Domains (131) (emerging-rbn.rules)
2406131 - ET RBN Known Russian Business Network Monitored Domains (132) (emerging-rbn.rules)
2406132 - ET RBN Known Russian Business Network Monitored Domains (133) (emerging-rbn.rules)
2406133 - ET RBN Known Russian Business Network Monitored Domains (134) (emerging-rbn.rules)
2406134 - ET RBN Known Russian Business Network Monitored Domains (135) (emerging-rbn.rules)
2406135 - ET RBN Known Russian Business Network Monitored Domains (136) (emerging-rbn.rules)
2406136 - ET RBN Known Russian Business Network Monitored Domains (137) (emerging-rbn.rules)
2406137 - ET RBN Known Russian Business Network Monitored Domains (138) (emerging-rbn.rules)
2406138 - ET RBN Known Russian Business Network Monitored Domains (139) (emerging-rbn.rules)
2406139 - ET RBN Known Russian Business Network Monitored Domains (140) (emerging-rbn.rules)
2406140 - ET RBN Known Russian Business Network Monitored Domains (141) (emerging-rbn.rules)
2406141 - ET RBN Known Russian Business Network Monitored Domains (142) (emerging-rbn.rules)
2406142 - ET RBN Known Russian Business Network Monitored Domains (143) (emerging-rbn.rules)
2406143 - ET RBN Known Russian Business Network Monitored Domains (144) (emerging-rbn.rules)
2406144 - ET RBN Known Russian Business Network Monitored Domains (145) (emerging-rbn.rules)
2406145 - ET RBN Known Russian Business Network Monitored Domains (146) (emerging-rbn.rules)
2406146 - ET RBN Known Russian Business Network Monitored Domains (147) (emerging-rbn.rules)
2406147 - ET RBN Known Russian Business Network Monitored Domains (148) (emerging-rbn.rules)
2406148 - ET RBN Known Russian Business Network Monitored Domains (149) (emerging-rbn.rules)
2406149 - ET RBN Known Russian Business Network Monitored Domains (150) (emerging-rbn.rules)
2406150 - ET RBN Known Russian Business Network Monitored Domains (151) (emerging-rbn.rules)
2406151 - ET RBN Known Russian Business Network Monitored Domains (152) (emerging-rbn.rules)
2406152 - ET RBN Known Russian Business Network Monitored Domains (153) (emerging-rbn.rules)
2406153 - ET RBN Known Russian Business Network Monitored Domains (154) (emerging-rbn.rules)
2406154 - ET RBN Known Russian Business Network Monitored Domains (155) (emerging-rbn.rules)
2406155 - ET RBN Known Russian Business Network Monitored Domains (156) (emerging-rbn.rules)
2406156 - ET RBN Known Russian Business Network Monitored Domains (157) (emerging-rbn.rules)
2406157 - ET RBN Known Russian Business Network Monitored Domains (158) (emerging-rbn.rules)
2406158 - ET RBN Known Russian Business Network Monitored Domains (159) (emerging-rbn.rules)
2406159 - ET RBN Known Russian Business Network Monitored Domains (160) (emerging-rbn.rules)
2406160 - ET RBN Known Russian Business Network Monitored Domains (161) (emerging-rbn.rules)
2406161 - ET RBN Known Russian Business Network Monitored Domains (162) (emerging-rbn.rules)
2406162 - ET RBN Known Russian Business Network Monitored Domains (163) (emerging-rbn.rules)
2406163 - ET RBN Known Russian Business Network Monitored Domains (164) (emerging-rbn.rules)
2406164 - ET RBN Known Russian Business Network Monitored Domains (165) (emerging-rbn.rules)
2406165 - ET RBN Known Russian Business Network Monitored Domains (166) (emerging-rbn.rules)
2406166 - ET RBN Known Russian Business Network Monitored Domains (167) (emerging-rbn.rules)
2406167 - ET RBN Known Russian Business Network Monitored Domains (168) (emerging-rbn.rules)
2406168 - ET RBN Known Russian Business Network Monitored Domains (169) (emerging-rbn.rules)
2406169 - ET RBN Known Russian Business Network Monitored Domains (170) (emerging-rbn.rules)
2406170 - ET RBN Known Russian Business Network Monitored Domains (171) (emerging-rbn.rules)
2406171 - ET RBN Known Russian Business Network Monitored Domains (172) (emerging-rbn.rules)
2406172 - ET RBN Known Russian Business Network Monitored Domains (173) (emerging-rbn.rules)
2406173 - ET RBN Known Russian Business Network Monitored Domains (174) (emerging-rbn.rules)
2406174 - ET RBN Known Russian Business Network Monitored Domains (175) (emerging-rbn.rules)
2406175 - ET RBN Known Russian Business Network Monitored Domains (176) (emerging-rbn.rules)
2406176 - ET RBN Known Russian Business Network Monitored Domains (177) (emerging-rbn.rules)
2406177 - ET RBN Known Russian Business Network Monitored Domains (178) (emerging-rbn.rules)
2406178 - ET RBN Known Russian Business Network Monitored Domains (179) (emerging-rbn.rules)
2406179 - ET RBN Known Russian Business Network Monitored Domains (180) (emerging-rbn.rules)
2406180 - ET RBN Known Russian Business Network Monitored Domains (181) (emerging-rbn.rules)
2406181 - ET RBN Known Russian Business Network Monitored Domains (182) (emerging-rbn.rules)
2406182 - ET RBN Known Russian Business Network Monitored Domains (183) (emerging-rbn.rules)
2406183 - ET RBN Known Russian Business Network Monitored Domains (184) (emerging-rbn.rules)
2406184 - ET RBN Known Russian Business Network Monitored Domains (185) (emerging-rbn.rules)
2406185 - ET RBN Known Russian Business Network Monitored Domains (186) (emerging-rbn.rules)
2406186 - ET RBN Known Russian Business Network Monitored Domains (187) (emerging-rbn.rules)
2406187 - ET RBN Known Russian Business Network Monitored Domains (188) (emerging-rbn.rules)
2406188 - ET RBN Known Russian Business Network Monitored Domains (189) (emerging-rbn.rules)
2406189 - ET RBN Known Russian Business Network Monitored Domains (190) (emerging-rbn.rules)
2406190 - ET RBN Known Russian Business Network Monitored Domains (191) (emerging-rbn.rules)
2406191 - ET RBN Known Russian Business Network Monitored Domains (192) (emerging-rbn.rules)
2406192 - ET RBN Known Russian Business Network Monitored Domains (193) (emerging-rbn.rules)
2406193 - ET RBN Known Russian Business Network Monitored Domains (194) (emerging-rbn.rules)
2406194 - ET RBN Known Russian Business Network Monitored Domains (195) (emerging-rbn.rules)
2406195 - ET RBN Known Russian Business Network Monitored Domains (196) (emerging-rbn.rules)
2406196 - ET RBN Known Russian Business Network Monitored Domains (197) (emerging-rbn.rules)
2406197 - ET RBN Known Russian Business Network Monitored Domains (198) (emerging-rbn.rules)
2406198 - ET RBN Known Russian Business Network Monitored Domains (199) (emerging-rbn.rules)
2406199 - ET RBN Known Russian Business Network Monitored Domains (200) (emerging-rbn.rules)
2406200 - ET RBN Known Russian Business Network Monitored Domains (201) (emerging-rbn.rules)
2406201 - ET RBN Known Russian Business Network Monitored Domains (202) (emerging-rbn.rules)
2406202 - ET RBN Known Russian Business Network Monitored Domains (203) (emerging-rbn.rules)
2406203 - ET RBN Known Russian Business Network Monitored Domains (204) (emerging-rbn.rules)
2406204 - ET RBN Known Russian Business Network Monitored Domains (205) (emerging-rbn.rules)
2406205 - ET RBN Known Russian Business Network Monitored Domains (206) (emerging-rbn.rules)
2406206 - ET RBN Known Russian Business Network Monitored Domains (207) (emerging-rbn.rules)
2406207 - ET RBN Known Russian Business Network Monitored Domains (208) (emerging-rbn.rules)
2406208 - ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules)
2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules)
2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules)
2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules)
2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules)
2406213 - ET RBN Known Russian Business Network Monitored Domains (214) (emerging-rbn.rules)
2406214 - ET RBN Known Russian Business Network Monitored Domains (215) (emerging-rbn.rules)
2406215 - ET RBN Known Russian Business Network Monitored Domains (216) (emerging-rbn.rules)
2406216 - ET RBN Known Russian Business Network Monitored Domains (217) (emerging-rbn.rules)
2406217 - ET RBN Known Russian Business Network Monitored Domains (218) (emerging-rbn.rules)
2406218 - ET RBN Known Russian Business Network Monitored Domains (219) (emerging-rbn.rules)
2406219 - ET RBN Known Russian Business Network Monitored Domains (220) (emerging-rbn.rules)
2406220 - ET RBN Known Russian Business Network Monitored Domains (221) (emerging-rbn.rules)
2406221 - ET RBN Known Russian Business Network Monitored Domains (222) (emerging-rbn.rules)
2406222 - ET RBN Known Russian Business Network Monitored Domains (223) (emerging-rbn.rules)
2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules)
2406224 - ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules)
2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules)
2406226 - ET RBN Known Russian Business Network Monitored Domains (227) (emerging-rbn.rules)
2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules)
2406228 - ET RBN Known Russian Business Network Monitored Domains (229) (emerging-rbn.rules)
2406229 - ET RBN Known Russian Business Network Monitored Domains (230) (emerging-rbn.rules)
2406230 - ET RBN Known Russian Business Network Monitored Domains (231) (emerging-rbn.rules)
2406231 - ET RBN Known Russian Business Network Monitored Domains (232) (emerging-rbn.rules)
2406232 - ET RBN Known Russian Business Network Monitored Domains (233) (emerging-rbn.rules)
2406233 - ET RBN Known Russian Business Network Monitored Domains (234) (emerging-rbn.rules)
2406234 - ET RBN Known Russian Business Network Monitored Domains (235) (emerging-rbn.rules)
2406235 - ET RBN Known Russian Business Network Monitored Domains
(236) (emerging-rbn.rules) 2406236 - ET RBN Known Russian Business Network Monitored Domains (237) (emerging-rbn.rules) 2406237 - ET RBN Known Russian Business Network Monitored Domains (238) (emerging-rbn.rules) 2406238 - ET RBN Known Russian Business Network Monitored Domains (239) (emerging-rbn.rules) 2406239 - ET RBN Known Russian Business Network Monitored Domains (240) (emerging-rbn.rules) 2406240 - ET RBN Known Russian Business Network Monitored Domains (241) (emerging-rbn.rules) 2406241 - ET RBN Known Russian Business Network Monitored Domains (242) (emerging-rbn.rules) 2406242 - ET RBN Known Russian Business Network Monitored Domains (243) (emerging-rbn.rules) 2406243 - ET RBN Known Russian Business Network Monitored Domains (244) (emerging-rbn.rules) 2406244 - ET RBN Known Russian Business Network Monitored Domains (245) (emerging-rbn.rules) 2406245 - ET RBN Known Russian Business Network Monitored Domains (246) (emerging-rbn.rules) 2406246 - ET RBN Known Russian Business Network Monitored Domains (247) (emerging-rbn.rules) 2406247 - ET RBN Known Russian Business Network Monitored Domains (248) (emerging-rbn.rules) 2406248 - ET RBN Known Russian Business Network Monitored Domains (249) (emerging-rbn.rules) 2406249 - ET RBN Known Russian Business Network Monitored Domains (250) (emerging-rbn.rules) 2406250 - ET RBN Known Russian Business Network Monitored Domains (251) (emerging-rbn.rules) 2406251 - ET RBN Known Russian Business Network Monitored Domains (252) (emerging-rbn.rules) 2406252 - ET RBN Known Russian Business Network Monitored Domains (253) (emerging-rbn.rules) 2406253 - ET RBN Known Russian Business Network Monitored Domains (254) (emerging-rbn.rules) 2406254 - ET RBN Known Russian Business Network Monitored Domains (255) (emerging-rbn.rules) 2406255 - ET RBN Known Russian Business Network Monitored Domains (256) (emerging-rbn.rules) 2406256 - ET RBN Known Russian Business Network Monitored Domains (257) (emerging-rbn.rules) 2406257 - ET RBN 
Known Russian Business Network Monitored Domains (258) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network Monitored Domains (259) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network Monitored Domains (260) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network Monitored Domains (261) (emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network Monitored Domains (262) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network Monitored Domains (263) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network Monitored Domains (264) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business Network Monitored Domains (265) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network Monitored Domains (266) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network Monitored Domains (267) (emerging-rbn.rules) 2406267 - ET RBN Known Russian Business Network Monitored Domains (268) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network Monitored Domains (269) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network Monitored Domains (270) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network Monitored Domains (271) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network Monitored Domains (272) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business Network Monitored Domains (273) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network Monitored Domains (274) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network Monitored Domains (275) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network Monitored Domains (276) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network Monitored Domains (277) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network Monitored Domains (278) (emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network Monitored 
Domains (279) (emerging-rbn.rules) 2406279 - ET RBN Known Russian Business Network Monitored Domains (280) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network Monitored Domains (281) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network Monitored Domains (282) (emerging-rbn.rules) 2406282 - ET RBN Known Russian Business Network Monitored Domains (283) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network Monitored Domains (284) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network Monitored Domains (285) (emerging-rbn.rules) 2406285 - ET RBN Known Russian Business Network Monitored Domains (286) (emerging-rbn.rules) 2406286 - ET RBN Known Russian Business Network Monitored Domains (287) (emerging-rbn.rules) 2406287 - ET RBN Known Russian Business Network Monitored Domains (288) (emerging-rbn.rules) 2406288 - ET RBN Known Russian Business Network Monitored Domains (289) (emerging-rbn.rules) 2406289 - ET RBN Known Russian Business Network Monitored Domains (290) (emerging-rbn.rules) 2406290 - ET RBN Known Russian Business Network Monitored Domains (291) (emerging-rbn.rules) 2406291 - ET RBN Known Russian Business Network Monitored Domains (292) (emerging-rbn.rules) 2406292 - ET RBN Known Russian Business Network Monitored Domains (293) (emerging-rbn.rules) 2406293 - ET RBN Known Russian Business Network Monitored Domains (294) (emerging-rbn.rules) 2406294 - ET RBN Known Russian Business Network Monitored Domains (295) (emerging-rbn.rules) 2406295 - ET RBN Known Russian Business Network Monitored Domains (296) (emerging-rbn.rules) 2406296 - ET RBN Known Russian Business Network Monitored Domains (297) (emerging-rbn.rules) 2406297 - ET RBN Known Russian Business Network Monitored Domains (298) (emerging-rbn.rules) 2406298 - ET RBN Known Russian Business Network Monitored Domains (299) (emerging-rbn.rules) 2406299 - ET RBN Known Russian Business Network Monitored Domains (300) (emerging-rbn.rules) 2406300 - 
ET RBN Known Russian Business Network Monitored Domains (301) (emerging-rbn.rules) 2406301 - ET RBN Known Russian Business Network Monitored Domains (302) (emerging-rbn.rules) 2406302 - ET RBN Known Russian Business Network Monitored Domains (303) (emerging-rbn.rules) 2406303 - ET RBN Known Russian Business Network Monitored Domains (304) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) (emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) 
(emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) (emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING 
(107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) 
(emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) (emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) 
(emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) (emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) 
(emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) (emerging-rbn-BLOCK.rules) 2407171 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (172) (emerging-rbn-BLOCK.rules) 2407172 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (173) (emerging-rbn-BLOCK.rules) 2407173 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (174) (emerging-rbn-BLOCK.rules) 2407174 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (175) (emerging-rbn-BLOCK.rules) 2407175 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (176) (emerging-rbn-BLOCK.rules) 2407176 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (177) (emerging-rbn-BLOCK.rules) 2407177 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (178) (emerging-rbn-BLOCK.rules) 2407178 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (179) 
(emerging-rbn-BLOCK.rules) 2407179 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (180) (emerging-rbn-BLOCK.rules) 2407180 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (181) (emerging-rbn-BLOCK.rules) 2407181 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (182) (emerging-rbn-BLOCK.rules) 2407182 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (183) (emerging-rbn-BLOCK.rules) 2407183 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (184) (emerging-rbn-BLOCK.rules) 2407184 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (185) (emerging-rbn-BLOCK.rules) 2407185 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (186) (emerging-rbn-BLOCK.rules) 2407186 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (187) (emerging-rbn-BLOCK.rules) 2407187 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (188) (emerging-rbn-BLOCK.rules) 2407188 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (189) (emerging-rbn-BLOCK.rules) 2407189 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (190) (emerging-rbn-BLOCK.rules) 2407190 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (191) (emerging-rbn-BLOCK.rules) 2407191 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (192) (emerging-rbn-BLOCK.rules) 2407192 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (193) (emerging-rbn-BLOCK.rules) 2407193 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (194) (emerging-rbn-BLOCK.rules) 2407194 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (195) (emerging-rbn-BLOCK.rules) 2407195 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (196) (emerging-rbn-BLOCK.rules) 2407196 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (197) 
(emerging-rbn-BLOCK.rules) 2407197 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (198) (emerging-rbn-BLOCK.rules) 2407198 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (199) (emerging-rbn-BLOCK.rules) 2407199 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (200) (emerging-rbn-BLOCK.rules) 2407200 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (201) (emerging-rbn-BLOCK.rules) 2407201 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (202) (emerging-rbn-BLOCK.rules) 2407202 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (203) (emerging-rbn-BLOCK.rules) 2407203 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (204) (emerging-rbn-BLOCK.rules) 2407204 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (205) (emerging-rbn-BLOCK.rules) 2407205 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (206) (emerging-rbn-BLOCK.rules) 2407206 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (207) (emerging-rbn-BLOCK.rules) 2407207 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (208) (emerging-rbn-BLOCK.rules) 2407208 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (209) (emerging-rbn-BLOCK.rules) 2407209 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (210) (emerging-rbn-BLOCK.rules) 2407210 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (211) (emerging-rbn-BLOCK.rules) 2407211 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (212) (emerging-rbn-BLOCK.rules) 2407212 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (213) (emerging-rbn-BLOCK.rules) 2407213 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (214) (emerging-rbn-BLOCK.rules) 2407214 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (215) 
(emerging-rbn-BLOCK.rules) 2407215 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (216) (emerging-rbn-BLOCK.rules) 2407216 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (217) (emerging-rbn-BLOCK.rules) 2407217 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (218) (emerging-rbn-BLOCK.rules) 2407218 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (219) (emerging-rbn-BLOCK.rules) 2407219 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (220) (emerging-rbn-BLOCK.rules) 2407220 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (221) (emerging-rbn-BLOCK.rules) 2407221 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (222) (emerging-rbn-BLOCK.rules) 2407222 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (223) (emerging-rbn-BLOCK.rules) 2407223 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (224) (emerging-rbn-BLOCK.rules) 2407224 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (225) (emerging-rbn-BLOCK.rules) 2407225 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (226) (emerging-rbn-BLOCK.rules) 2407226 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (227) (emerging-rbn-BLOCK.rules) 2407227 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (228) (emerging-rbn-BLOCK.rules) 2407228 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (229) (emerging-rbn-BLOCK.rules) 2407229 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (230) (emerging-rbn-BLOCK.rules) 2407230 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (231) (emerging-rbn-BLOCK.rules) 2407231 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (232) (emerging-rbn-BLOCK.rules) 2407232 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (233) 
(emerging-rbn-BLOCK.rules) 2407233 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (234) (emerging-rbn-BLOCK.rules) 2407234 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (235) (emerging-rbn-BLOCK.rules) 2407235 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (236) (emerging-rbn-BLOCK.rules) 2407236 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (237) (emerging-rbn-BLOCK.rules) 2407237 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (238) (emerging-rbn-BLOCK.rules) 2407238 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (239) (emerging-rbn-BLOCK.rules) 2407239 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (240) (emerging-rbn-BLOCK.rules) 2407240 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (241) (emerging-rbn-BLOCK.rules) 2407241 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (242) (emerging-rbn-BLOCK.rules) 2407242 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (243) (emerging-rbn-BLOCK.rules) 2407243 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (244) (emerging-rbn-BLOCK.rules) 2407244 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (245) (emerging-rbn-BLOCK.rules) 2407245 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (246) (emerging-rbn-BLOCK.rules) 2407246 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (247) (emerging-rbn-BLOCK.rules) 2407247 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (248) (emerging-rbn-BLOCK.rules) 2407248 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (249) (emerging-rbn-BLOCK.rules) 2407249 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (250) (emerging-rbn-BLOCK.rules) 2407250 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (251) 
(emerging-rbn-BLOCK.rules) 2407251 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (252) (emerging-rbn-BLOCK.rules) 2407252 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (253) (emerging-rbn-BLOCK.rules) 2407253 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (254) (emerging-rbn-BLOCK.rules) 2407254 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (255) (emerging-rbn-BLOCK.rules) 2407255 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (256) (emerging-rbn-BLOCK.rules) 2407256 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (257) (emerging-rbn-BLOCK.rules) 2407257 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (258) (emerging-rbn-BLOCK.rules) 2407258 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (259) (emerging-rbn-BLOCK.rules) 2407259 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (260) (emerging-rbn-BLOCK.rules) 2407260 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (261) (emerging-rbn-BLOCK.rules) 2407261 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (262) (emerging-rbn-BLOCK.rules) 2407262 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (263) (emerging-rbn-BLOCK.rules) 2407263 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (264) (emerging-rbn-BLOCK.rules) 2407264 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (265) (emerging-rbn-BLOCK.rules) 2407265 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (266) (emerging-rbn-BLOCK.rules) 2407266 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (267) (emerging-rbn-BLOCK.rules) 2407267 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (268) (emerging-rbn-BLOCK.rules) 2407268 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (269) 
(emerging-rbn-BLOCK.rules) 2407269 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (270) (emerging-rbn-BLOCK.rules) 2407270 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (271) (emerging-rbn-BLOCK.rules) 2407271 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (272) (emerging-rbn-BLOCK.rules) 2407272 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (273) (emerging-rbn-BLOCK.rules) 2407273 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (274) (emerging-rbn-BLOCK.rules) 2407274 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (275) (emerging-rbn-BLOCK.rules) 2407275 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (276) (emerging-rbn-BLOCK.rules) 2407276 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (277) (emerging-rbn-BLOCK.rules) 2407277 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (278) (emerging-rbn-BLOCK.rules) 2407278 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (279) (emerging-rbn-BLOCK.rules) 2407279 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (280) (emerging-rbn-BLOCK.rules) 2407280 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (281) (emerging-rbn-BLOCK.rules) 2407281 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (282) (emerging-rbn-BLOCK.rules) 2407282 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (283) (emerging-rbn-BLOCK.rules) 2407283 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (284) (emerging-rbn-BLOCK.rules) 2407284 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (285) (emerging-rbn-BLOCK.rules) 2407285 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (286) (emerging-rbn-BLOCK.rules) 2407286 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (287) 
(emerging-rbn-BLOCK.rules) 2407287 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (288) (emerging-rbn-BLOCK.rules) 2407288 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (289) (emerging-rbn-BLOCK.rules) 2407289 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (290) (emerging-rbn-BLOCK.rules) 2407290 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (291) (emerging-rbn-BLOCK.rules) 2407291 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (292) (emerging-rbn-BLOCK.rules) 2407292 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (293) (emerging-rbn-BLOCK.rules) 2407293 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (294) (emerging-rbn-BLOCK.rules) 2407294 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (295) (emerging-rbn-BLOCK.rules) 2407295 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (296) (emerging-rbn-BLOCK.rules) 2407296 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (297) (emerging-rbn-BLOCK.rules) 2407297 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (298) (emerging-rbn-BLOCK.rules) 2407298 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (299) (emerging-rbn-BLOCK.rules) 2407299 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (300) (emerging-rbn-BLOCK.rules) 2407300 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (301) (emerging-rbn-BLOCK.rules) 2407301 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (302) (emerging-rbn-BLOCK.rules) 2407302 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (303) (emerging-rbn-BLOCK.rules) 2407303 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (304) (emerging-rbn-BLOCK.rules) [---] Disabled rules: [---] 2009205 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted 
traffic UDP Ping Packet (bit value 1) (emerging.rules) 2009206 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (emerging.rules) 2009207 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (emerging.rules) 2009208 - ET CURRENT_EVENTS Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) (emerging.rules) [+++] Added non-rule lines: [+++] -> Added to emerging-attack_response.rules (1): #by Jaime Blasco -> Added to emerging-drop-BLOCK.rules (2): # VERSION 1506 # Generated 2009-04-11 00:03:02 EDT -> Added to emerging-drop.rules (2): # VERSION 1506 # Generated 2009-04-11 00:03:02 EDT -> Added to emerging-exploit.rules (1): #by Greg Martin -> Added to emerging-rbn-BLOCK.rules (2): # VERSION 123 # Updated 2009-04-09 14:47:09 -> Added to emerging-rbn.rules (2): # VERSION 123 # Updated 2009-04-09 14:47:09 -> Added to emerging-sid-msg.map (53): 2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_FakeXPA || url,doc.emergingthreats.net/2009209 2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009210 2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009211 2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009212 2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009213 2009215 || ET TROJAN Farfli HTTP Checkin Activity || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli || url,doc.emergingthreats.net/2009215 || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b 2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html || cve,2008-5457 2009217 || ET SCAN Tomcat admin-admin login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009217 || url,tomcat.apache.org 2009218 || ET SCAN Tomcat admin-blank login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009218 || url,tomcat.apache.org 2009219 || ET SCAN Tomcat Successful default credential login from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009219 || url,tomcat.apache.org 2009220 || ET SCAN Tomcat upload from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009220 || url,tomcat.apache.org 2009222 || ET MALWARE NewWeb User Agent (Lobo Lunar) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009222 2009223 || ET MALWARE Fake AV User Agent av1-site.info Related (AV1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009223 2009224 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/ 2009225 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || 
url,secunia.com/advisories/33927/ 2009226 || ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution || url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt || bugtraq,33920 2009227 || ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection || url,milw0rm.com/exploits/5785 || url,secunia.com/advisories/30606/ 2009228 || ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection || url,secunia.com/advisories/31134/ || url,www.milw0rm.com/exploits/6092 || cve,CVE-2008-3386 2009229 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/ 2009230 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/ 2009231 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898 2009232 || ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/8028 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898 2009233 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898 2406304 || ET RBN Known Russian Business Network Monitored Domains (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406305 || ET RBN Known Russian Business Network Monitored Domains (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406306 || ET RBN Known Russian Business Network Monitored Domains (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406307 || ET RBN Known Russian Business Network Monitored Domains (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406308 || 
ET RBN Known Russian Business Network Monitored Domains (309) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406309 || ET RBN Known Russian Business Network Monitored Domains (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406310 || ET RBN Known Russian Business Network Monitored Domains (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406311 || ET RBN Known Russian Business Network Monitored Domains (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406312 || ET RBN Known Russian Business Network Monitored Domains (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406313 || ET RBN Known Russian Business Network Monitored Domains (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406314 || ET RBN Known Russian Business Network Monitored Domains (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406315 || ET RBN Known Russian Business Network Monitored Domains (316) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406316 || ET RBN Known Russian Business Network Monitored Domains (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407304 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407305 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407306 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407307 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407308 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (309) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407309 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407310 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407311 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407312 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407313 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407314 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407315 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407316 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2500153 || ET COMPROMISED Known Compromised or Hostile Host Traffic (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2500154 || ET COMPROMISED Known Compromised or Hostile Host Traffic (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510153 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts 2510154 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts -> Added to emerging-sid-msg.map.txt (53): 2009209 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_FakeXPA || url,doc.emergingthreats.net/2009209 2009210 || ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009210 2009211 || ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP || url,doc.emergingthreats.net/2009211 2009212 || ET TROJAN Zbot/Zeus Dropper Infection - /check || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009212 2009213 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zbot || url,doc.emergingthreats.net/2009213 2009215 || ET TROJAN Farfli HTTP Checkin Activity || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli || url,doc.emergingthreats.net/2009215 || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b 2009216 || ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle || url,doc.emergingthreats.net/2009216 || url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html || cve,2008-5457 2009217 || ET SCAN Tomcat admin-admin login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009217 || url,tomcat.apache.org 2009218 || ET SCAN Tomcat admin-blank login credentials || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009218 || url,tomcat.apache.org 2009219 || ET SCAN Tomcat Successful default credential login from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009219 || 
url,tomcat.apache.org 2009220 || ET SCAN Tomcat upload from external source || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute || url,doc.emergingthreats.net/2009220 || url,tomcat.apache.org 2009222 || ET MALWARE NewWeb User Agent (Lobo Lunar) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009222 2009223 || ET MALWARE Fake AV User Agent av1-site.info Related (AV1) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009223 2009224 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/ 2009225 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/ 2009226 || ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution || url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt || bugtraq,33920 2009227 || ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection || url,milw0rm.com/exploits/5785 || url,secunia.com/advisories/30606/ 2009228 || ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection || url,secunia.com/advisories/31134/ || url,www.milw0rm.com/exploits/6092 || cve,CVE-2008-3386 2009229 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/ 2009230 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/ 2009231 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898 2009232 || ET 
WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/8028 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898 2009233 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898 2406304 || ET RBN Known Russian Business Network Monitored Domains (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406305 || ET RBN Known Russian Business Network Monitored Domains (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406306 || ET RBN Known Russian Business Network Monitored Domains (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406307 || ET RBN Known Russian Business Network Monitored Domains (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406308 || ET RBN Known Russian Business Network Monitored Domains (309) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406309 || ET RBN Known Russian Business Network Monitored Domains (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406310 || ET RBN Known Russian Business Network Monitored Domains (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406311 || ET RBN Known Russian Business Network Monitored Domains (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406312 || ET RBN Known Russian Business Network Monitored Domains (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406313 || ET RBN Known Russian Business Network Monitored Domains (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406314 || ET RBN Known Russian Business Network Monitored Domains (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406315 || ET RBN Known Russian Business Network Monitored Domains (316) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2406316 || ET RBN Known Russian Business Network Monitored Domains (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407304 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (305) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407305 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (306) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407306 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (307) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407307 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (308) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407308 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (309) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407309 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (310) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407310 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (311) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407311 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (312) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407312 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407313 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407314 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407315 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) || 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2407316 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
2500153 || ET COMPROMISED Known Compromised or Hostile Host Traffic (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500154 || ET COMPROMISED Known Compromised or Hostile Host Traffic (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510153 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (154) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510154 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (155) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (1):
# https://sandnet.emergingthreats.net/index.php?q=10493bc6d4d6f2f0d8fe61946315dcbd

-> Added to emerging-web_sql_injection.rules (1):
#stillsecure

-> Added to emerging.rules (1):
#Disabling in favor of the preproc and SO rules that are now available

[---] Removed non-rule lines: [---]

-> Removed from emerging-drop-BLOCK.rules (2):
# VERSION 1499
# Generated 2009-04-04 00:03:02 EDT

-> Removed from emerging-drop.rules (2):
# VERSION 1499
# Generated 2009-04-04 00:03:02 EDT

-> Removed from emerging-rbn-BLOCK.rules (2):
# VERSION 121
# Updated 2009-03-29 13:37:05

-> Removed from emerging-rbn.rules (2):
# VERSION 121
# Updated 2009-03-29 13:37:05

From scheidell at secnap.net Sun Apr 12 17:30:26 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Sun, 12 Apr 2009 17:30:26 -0400
Subject: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X
In-Reply-To: <49E0FE46.7080507@oitsec.umn.edu>
Message-ID:

> Matt Jonkman wrote:
>> We killed this sig this morning, it's hitting on too many ads. I'd drop
>> it from your ruleset :)
>
> I'd suggest examining those hits very closely before turning that sig off.
> We have seen a large amount of malware being pushed through ads served
> up by yieldmanager and zedo. The usual process seems to be:
>

Every FP I traced down was a legit ad. If -> another adside-> javascript happens, other or bad pdf/swf happens, other sigs will catch it.

>
> This might represent a change in how they're slinging malware.

(and on foxnews this am, I was redirected to a site.. No, I didn't click on it... And it told me my 'windows' system was infected and pretended to run a scan on it.. Trouble is, my windows system is a mac. Shame on you foxnews for taking money from scam artists like this. (but you should still kill the sig, too many FP's)

--
Michael Scheidell, CTO
>|SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From jules at visionintel.com Mon Apr 13 07:14:53 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Mon, 13 Apr 2009 12:14:53 +0100
Subject: [Emerging-Sigs] strange capture?
Message-ID: <69544300904130414g27851459i4fdd021e8dd91645@mail.gmail.com>

hi guys

I have attached a pcap for analysis. too many hits of the same thing. is that normal?

Jules
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090413/43d6c8d7/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jules.pcap
Type: application/pcap
Size: 624 bytes
Desc: not available
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090413/43d6c8d7/jules.bin

From signatures at stillsecure.com Mon Apr 13 08:32:08 2009
From: signatures at stillsecure.com (signatures)
Date: Mon, 13 Apr 2009 06:32:08 -0600
Subject: [Emerging-Sigs] StillSecure: 10 New Signatures - April-13-2009
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3054C292B@webmail.latis.com>

Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP Irokez Blog sitemap.scr.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog sitemap.scr.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/sitemap.scr.php?"; nocase; uricontent:"GLOBALS[PTH][classes]="; nocase; pcre:"/GLOBALS\[PTH\]\[classes\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009105; rev:1;)

2. WEB-PHP Irokez Blog thumbnail.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog thumbnail.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/thumbnail.php?"; nocase; uricontent:"GLOBALS[PTH][classes]="; nocase; pcre:"/GLOBALS\[PTH\]\[classes\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009106; rev:1;)

3. WEB-PHP Irokez Blog block.tag.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog block.tag.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/block.tag.php?"; nocase; uricontent:"GLOBALS[PTH][classes]="; nocase; pcre:"/GLOBALS\[PTH\]\[classes\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009107; rev:1;)

4. WEB-PHP Irokez Blog spaw_control.class.php Remote File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog spaw_control.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/spaw_control.class.php?"; nocase; uricontent:"GLOBALS[spaw_root]="; nocase; pcre:"/GLOBALS\[spaw_root\]=\s*(https?|ftps?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009108; rev:1;)

5. WEB-PHP Irokez Blog sitemap.scr.php Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog sitemap.scr.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/sitemap.scr.php?"; nocase; uricontent:"GLOBALS[PTH][classes]="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009109; rev:1;)

6. WEB-PHP Irokez Blog thumbnail.php Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog thumbnail.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/thumbnail.php?"; nocase; uricontent:"GLOBALS[PTH][classes]="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009110; rev:1;)

7. WEB-PHP Irokez Blog block.tag.php Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog block.tag.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/block.tag.php?"; nocase; uricontent:"GLOBALS[PTH][classes]="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009111; rev:1;)

8. WEB-PHP Irokez Blog spaw_control.class.php Local File Inclusion

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Irokez Blog spaw_control.class.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/spaw_control.class.php?"; nocase; uricontent:"GLOBALS[spaw_root]="; nocase; content:"../"; classtype:web-application-attack; reference:bugtraq,33931; reference:url,milw0rm.com/exploits/8123; sid:2009112; rev:1;)

9. WEB-PHP tadbook2 Module for XOOPS open_book.php book_sn parameter SQL injection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP tadbook2 Module for XOOPS open_book.php book_sn parameter SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/open_book.php?"; nocase; uricontent:"book_sn="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33196; reference:url,milw0rm.com/exploits/7725; sid:2009202; rev:1;)

10. WEB-ATTACKS Imera ImeraIEPlugin ActiveX Control Arbitrary Code Execution

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Imera ImeraIEPlugin ActiveX Control Arbitrary Code Execution"; flow:to_client,established; content:"clsid"; nocase; content:"75CC8584-86D4-4A50-B976-AA72618322C6"; nocase; distance:0; pcre:"/(DownloadProtocol|DownloadHost|DownloadPort|DownloadURI)/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8144; reference:url,xforce.iss.net/xforce/xfdb/49028; sid:2009040; rev:1;)

Looking forward to your comments, if any...

Thanks & Regards,
StillSecure

From pepperjack at afferentsecurity.com Mon Apr 13 08:42:52 2009
From: pepperjack at afferentsecurity.com (Jack Pepper)
Date: Mon, 13 Apr 2009 07:42:52 -0500
Subject: [Emerging-Sigs] Discussion of 2008350 (AutoIT)
Message-ID: <20090413074252.fe7cmg3rk8c080g8@mail.afferentsecurity.com>

I am getting a bunch of these:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; content:"|0d 0a|User-Agent\: AutoIt v"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Autoit; sid:2008350; rev:2;)

My question for the group is, "when is AutoIT considered to be hostile?"

How is it used in practice? Do hosting providers have their client install it?

jp

-- 
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

From alex.jablenski at philips.com Mon Apr 13 09:49:06 2009
From: alex.jablenski at philips.com (Jablenski, Alex)
Date: Mon, 13 Apr 2009 15:49:06 +0200
Subject: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X
In-Reply-To:
References: <49E0FE46.7080507@oitsec.umn.edu>
Message-ID: <5A40BC085A67DD488F01C89A8F5E48133897B42BFC@NLCLUEXM04.connect1.local>

Newcomer here. Been lurking on the mailing list for about two months, but never posted. Great job on writing those sigs.

I too have seen the change of "slinging" malware and most recently/notably the automatic redirect from foxnews.com

I think that sigs like the Win32.BHO.lng definitely produce noise, but some very legit results too in light of ad vendors pushing their spyware through well-traveled and well-known sites.

Alex J

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Michael Scheidell
Sent: Sunday, April 12, 2009 5:30 PM
To: dokas at oitsec.umn.edu; Matt Jonkman
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X

> Matt Jonkman wrote:
>> We killed this sig this morning, it's hitting on too many ads. I'd drop
>> it from your ruleset :)
>
> I'd suggest examining those hits very closely before turning that sig off.
> We have seen a large amount of malware being pushed through ads served
> up by yieldmanager and zedo. The usual process seems to be:

Every FP I traced down was a legit ad. If -> another adside -> javascript happens, other or bad pdf/swf happens, other sigs will catch it.

> This might represent a change in how they're slinging malware.

(and on foxnews this am, I was redirected to a site.. No, I didn't click on it... And it told me my 'windows' system was infected and pretended to run a scan on it.. Trouble is, my windows system is a mac. Shame on you foxnews for taking money from scam artists like this.

(but you should still kill the sig, too many FP's)

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

From jonkman at jonkmans.com Mon Apr 13 10:46:59 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 13 Apr 2009 10:46:59 -0400
Subject: [Emerging-Sigs] Discussion of 2008350 (AutoIT)
In-Reply-To: <20090413074252.fe7cmg3rk8c080g8@mail.afferentsecurity.com>
References: <20090413074252.fe7cmg3rk8c080g8@mail.afferentsecurity.com>
Message-ID: <49E35063.6060406@jonkmans.com>

The tool itself of course isn't hostile. But we're seeing it used in crude malware. Really, unless you KNOW you will have a user using it (which if it's in use you probably will know) then it's probably hostile.

Secondly, Autoit isn't generally used to retrieve remote content. It's a local user activity scripting tool.
So if you see that UA going to Russian or Chinese IP space you can generally call it bad. :)

I do want it to be clear though that the tool itself isn't bad, hostile, compromised, or otherwise something to say bad things about. It's a very effective scripting language, I use it frequently. It's unfortunately so good it's being used by bad folks.

Matt

Jack Pepper wrote:
> I am getting a bunch of these:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Autoit Windows Automation tool User-Agent in HTTP Request - Possibly
> Hostile"; flow:established,to_server; content:"|0d 0a|User-Agent\:
> AutoIt v"; classtype:policy-violation;
> reference:url,doc.emergingthreats.net/bin/view/Main/2008350;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Autoit; sid:2008350;
> rev:2;)
>
> My question for the group is, "when is AutoIT considered to be hostile?"
>
> How is it used in practice? Do hosting providers have their client
> install it?
>
> jp
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Apr 13 13:06:34 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 13 Apr 2009 13:06:34 -0400
Subject: [Emerging-Sigs] strange capture?
In-Reply-To: <69544300904130414g27851459i4fdd021e8dd91645@mail.gmail.com>
References: <69544300904130414g27851459i4fdd021e8dd91645@mail.gmail.com>
Message-ID: <49E3711A.40906@jonkmans.com>

That's an unusual one. What are the systems involved? Both windows or something? Is one a backup server or something else that may be talking on a proprietary protocol?

Matt

Jules Pagna Disso wrote:
> hi guys
>
> I have attached a pcap for analysis.
>
> too many hits of the same thing. is that normal?
>
> Jules
>
>
> ------------------------------------------------------------------------
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jonkman at jonkmans.com Mon Apr 13 13:37:29 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 13 Apr 2009 13:37:29 -0400
Subject: [Emerging-Sigs] Another Bancos Trojan Sig + Rule Modification of ASPack rule
In-Reply-To: <7C5EBAC1-6D0D-4FD5-BDEA-2496FBC977AF@packetninjas.net>
References: <7C5EBAC1-6D0D-4FD5-BDEA-2496FBC977AF@packetninjas.net>
Message-ID: <49E37859.5020208@jonkmans.com>

Great sig Dan, getting it posted now. Confirmed in the sandnet we have other samples that fit the sig and are clearly hostile.

Nice catch!

Matt

Daniel Clemens wrote:
> Earlier today I saw a bancos (what looked to be a banker trojan)
> trojan performing a GET request to a few sites.
> Looks like the symantec guys have seen the same thing in a lab so I
> thought I'd drop a quick sig.
>
> # GET /keylogf.jpg
> # Md5 Hash: 0826780f6373018bde5df960326bffbc (original binary)
> # Context:
> # GET http://hostingdll.vila.bol.com.br/keylogf.jpg
> # GET http://hostingdll.vilabol.uol.com.br/keylogf.jpg
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET PWSteal.Bancos Generic Banker Trojan SCR Download";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/keylogf.jpg"; nocase;
> classtype:trojan-activity;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2;
> reference:url,www.packetninjas.net;
> sid:xxx; rev:1;)
>
> In the course of all of this I noticed the bancos trojan was packed
> with aspack. Out of curiosity I wondered why a rule I previously wrote
> didn't trigger. Seems I had a false neg in the older rule.
> Here is a modified rule:
>
> Rule cleanup/revision
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile";
> flow:from_server,established;
> content:"|2E 72 73 72 63|";
> content:"|61 73 70 61 63 6B|"; within: 50;
> reference:url,www.aspack.com/downloads.aspx;
> reference:url,www.packetninjas.net;
> classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2008575;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprotect_Packed;
> sid:2008575; rev:3;)
>
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850 | | o. 866.267.8851
> "The secret to creativity is knowing how to hide your sources" Einstein
>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From jules at visionintel.com Mon Apr 13 15:16:40 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Mon, 13 Apr 2009 20:16:40 +0100
Subject: [Emerging-Sigs] strange capture?
In-Reply-To: <49E3711A.40906@jonkmans.com>
References: <69544300904130414g27851459i4fdd021e8dd91645@mail.gmail.com> <49E3711A.40906@jonkmans.com>
Message-ID: <69544300904131216w4e37fc31ib7f3af699807bbd5@mail.gmail.com>

I will post a bigger file somewhere and give you guys the link for analysis.

there is no backup server involved. the 192.x.x.x is on my system. but there is no 10.156.x.x on any of my systems. However, there is a network drive that I use, but that's on another network.
the IP of the drive is 10.203.5.103 and there is no reason why that drive will attempt any connection apart from the initial connection when starting the computer. and again, they are two different IPs any way.

From my analysis, there is other evidence of a DDOS attack again. more to come soon ... I will take time to filter the pcap and post it.

I will post the file and give the link here.

thanks

Jules

2009/4/13 Matt Jonkman

> That's an unusual one. What are the systems involved? Both windows or
> something? Is one a backup server or something else that may be talking
> on a proprietary protocol?
>
> Matt
>
> Jules Pagna Disso wrote:
> > hi guys
> >
> > I have attached a pcap for analysis.
> >
> > too many hits of the same thing. is that normal?
> >
> > Jules
> >
> >
> > ------------------------------------------------------------------------
> >
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
From emerging at emergingthreats.net Mon Apr 13 16:00:11 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Mon, 13 Apr 2009 16:00:11 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090413200011.0D9C04501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Mon Apr 13 16:00:10 2009 [***]

[+++] Added rules: [+++]

2009234 - ET MALWARE Adware-Mirar Reporting (BAR) (emerging-malware.rules)
2009235 - ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download (emerging-virus.rules)

[///] Modified active rules: [///]
ET RBN Known Russian Business Network Monitored Domains (209) (emerging-rbn.rules) 2406209 - ET RBN Known Russian Business Network Monitored Domains (210) (emerging-rbn.rules) 2406210 - ET RBN Known Russian Business Network Monitored Domains (211) (emerging-rbn.rules) 2406211 - ET RBN Known Russian Business Network Monitored Domains (212) (emerging-rbn.rules) 2406212 - ET RBN Known Russian Business Network Monitored Domains (213) (emerging-rbn.rules) 2406213 - ET RBN Known Russian Business Network Monitored Domains (214) (emerging-rbn.rules) 2406214 - ET RBN Known Russian Business Network Monitored Domains (215) (emerging-rbn.rules) 2406215 - ET RBN Known Russian Business Network Monitored Domains (216) (emerging-rbn.rules) 2406216 - ET RBN Known Russian Business Network Monitored Domains (217) (emerging-rbn.rules) 2406217 - ET RBN Known Russian Business Network Monitored Domains (218) (emerging-rbn.rules) 2406218 - ET RBN Known Russian Business Network Monitored Domains (219) (emerging-rbn.rules) 2406219 - ET RBN Known Russian Business Network Monitored Domains (220) (emerging-rbn.rules) 2406220 - ET RBN Known Russian Business Network Monitored Domains (221) (emerging-rbn.rules) 2406221 - ET RBN Known Russian Business Network Monitored Domains (222) (emerging-rbn.rules) 2406222 - ET RBN Known Russian Business Network Monitored Domains (223) (emerging-rbn.rules) 2406223 - ET RBN Known Russian Business Network Monitored Domains (224) (emerging-rbn.rules) 2406224 - ET RBN Known Russian Business Network Monitored Domains (225) (emerging-rbn.rules) 2406225 - ET RBN Known Russian Business Network Monitored Domains (226) (emerging-rbn.rules) 2406226 - ET RBN Known Russian Business Network Monitored Domains (227) (emerging-rbn.rules) 2406227 - ET RBN Known Russian Business Network Monitored Domains (228) (emerging-rbn.rules) 2406228 - ET RBN Known Russian Business Network Monitored Domains (229) (emerging-rbn.rules) 2406229 - ET RBN Known Russian Business Network 
Monitored Domains (230) (emerging-rbn.rules) 2406230 - ET RBN Known Russian Business Network Monitored Domains (231) (emerging-rbn.rules) 2406231 - ET RBN Known Russian Business Network Monitored Domains (232) (emerging-rbn.rules) 2406232 - ET RBN Known Russian Business Network Monitored Domains (233) (emerging-rbn.rules) 2406233 - ET RBN Known Russian Business Network Monitored Domains (234) (emerging-rbn.rules) 2406234 - ET RBN Known Russian Business Network Monitored Domains (235) (emerging-rbn.rules) 2406235 - ET RBN Known Russian Business Network Monitored Domains (236) (emerging-rbn.rules) 2406236 - ET RBN Known Russian Business Network Monitored Domains (237) (emerging-rbn.rules) 2406237 - ET RBN Known Russian Business Network Monitored Domains (238) (emerging-rbn.rules) 2406238 - ET RBN Known Russian Business Network Monitored Domains (239) (emerging-rbn.rules) 2406239 - ET RBN Known Russian Business Network Monitored Domains (240) (emerging-rbn.rules) 2406240 - ET RBN Known Russian Business Network Monitored Domains (241) (emerging-rbn.rules) 2406241 - ET RBN Known Russian Business Network Monitored Domains (242) (emerging-rbn.rules) 2406242 - ET RBN Known Russian Business Network Monitored Domains (243) (emerging-rbn.rules) 2406243 - ET RBN Known Russian Business Network Monitored Domains (244) (emerging-rbn.rules) 2406244 - ET RBN Known Russian Business Network Monitored Domains (245) (emerging-rbn.rules) 2406245 - ET RBN Known Russian Business Network Monitored Domains (246) (emerging-rbn.rules) 2406246 - ET RBN Known Russian Business Network Monitored Domains (247) (emerging-rbn.rules) 2406247 - ET RBN Known Russian Business Network Monitored Domains (248) (emerging-rbn.rules) 2406248 - ET RBN Known Russian Business Network Monitored Domains (249) (emerging-rbn.rules) 2406249 - ET RBN Known Russian Business Network Monitored Domains (250) (emerging-rbn.rules) 2406250 - ET RBN Known Russian Business Network Monitored Domains (251) (emerging-rbn.rules) 
2406251 - ET RBN Known Russian Business Network Monitored Domains (252) (emerging-rbn.rules) 2406252 - ET RBN Known Russian Business Network Monitored Domains (253) (emerging-rbn.rules) 2406253 - ET RBN Known Russian Business Network Monitored Domains (254) (emerging-rbn.rules) 2406254 - ET RBN Known Russian Business Network Monitored Domains (255) (emerging-rbn.rules) 2406255 - ET RBN Known Russian Business Network Monitored Domains (256) (emerging-rbn.rules) 2406256 - ET RBN Known Russian Business Network Monitored Domains (257) (emerging-rbn.rules) 2406257 - ET RBN Known Russian Business Network Monitored Domains (258) (emerging-rbn.rules) 2406258 - ET RBN Known Russian Business Network Monitored Domains (259) (emerging-rbn.rules) 2406259 - ET RBN Known Russian Business Network Monitored Domains (260) (emerging-rbn.rules) 2406260 - ET RBN Known Russian Business Network Monitored Domains (261) (emerging-rbn.rules) 2406261 - ET RBN Known Russian Business Network Monitored Domains (262) (emerging-rbn.rules) 2406262 - ET RBN Known Russian Business Network Monitored Domains (263) (emerging-rbn.rules) 2406263 - ET RBN Known Russian Business Network Monitored Domains (264) (emerging-rbn.rules) 2406264 - ET RBN Known Russian Business Network Monitored Domains (265) (emerging-rbn.rules) 2406265 - ET RBN Known Russian Business Network Monitored Domains (266) (emerging-rbn.rules) 2406266 - ET RBN Known Russian Business Network Monitored Domains (267) (emerging-rbn.rules) 2406267 - ET RBN Known Russian Business Network Monitored Domains (268) (emerging-rbn.rules) 2406268 - ET RBN Known Russian Business Network Monitored Domains (269) (emerging-rbn.rules) 2406269 - ET RBN Known Russian Business Network Monitored Domains (270) (emerging-rbn.rules) 2406270 - ET RBN Known Russian Business Network Monitored Domains (271) (emerging-rbn.rules) 2406271 - ET RBN Known Russian Business Network Monitored Domains (272) (emerging-rbn.rules) 2406272 - ET RBN Known Russian Business 
Network Monitored Domains (273) (emerging-rbn.rules) 2406273 - ET RBN Known Russian Business Network Monitored Domains (274) (emerging-rbn.rules) 2406274 - ET RBN Known Russian Business Network Monitored Domains (275) (emerging-rbn.rules) 2406275 - ET RBN Known Russian Business Network Monitored Domains (276) (emerging-rbn.rules) 2406276 - ET RBN Known Russian Business Network Monitored Domains (277) (emerging-rbn.rules) 2406277 - ET RBN Known Russian Business Network Monitored Domains (278) (emerging-rbn.rules) 2406278 - ET RBN Known Russian Business Network Monitored Domains (279) (emerging-rbn.rules) 2406279 - ET RBN Known Russian Business Network Monitored Domains (280) (emerging-rbn.rules) 2406280 - ET RBN Known Russian Business Network Monitored Domains (281) (emerging-rbn.rules) 2406281 - ET RBN Known Russian Business Network Monitored Domains (282) (emerging-rbn.rules) 2406282 - ET RBN Known Russian Business Network Monitored Domains (283) (emerging-rbn.rules) 2406283 - ET RBN Known Russian Business Network Monitored Domains (284) (emerging-rbn.rules) 2406284 - ET RBN Known Russian Business Network Monitored Domains (285) (emerging-rbn.rules) 2406285 - ET RBN Known Russian Business Network Monitored Domains (286) (emerging-rbn.rules) 2407000 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (1) (emerging-rbn-BLOCK.rules) 2407001 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (2) (emerging-rbn-BLOCK.rules) 2407002 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (3) (emerging-rbn-BLOCK.rules) 2407003 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (4) (emerging-rbn-BLOCK.rules) 2407004 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (5) (emerging-rbn-BLOCK.rules) 2407005 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (6) (emerging-rbn-BLOCK.rules) 2407006 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (7) 
(emerging-rbn-BLOCK.rules) 2407007 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (8) (emerging-rbn-BLOCK.rules) 2407008 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (9) (emerging-rbn-BLOCK.rules) 2407009 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (10) (emerging-rbn-BLOCK.rules) 2407010 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (11) (emerging-rbn-BLOCK.rules) 2407011 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (12) (emerging-rbn-BLOCK.rules) 2407012 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13) (emerging-rbn-BLOCK.rules) 2407013 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14) (emerging-rbn-BLOCK.rules) 2407014 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (15) (emerging-rbn-BLOCK.rules) 2407015 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (16) (emerging-rbn-BLOCK.rules) 2407016 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (17) (emerging-rbn-BLOCK.rules) 2407017 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (18) (emerging-rbn-BLOCK.rules) 2407018 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (19) (emerging-rbn-BLOCK.rules) 2407019 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (20) (emerging-rbn-BLOCK.rules) 2407020 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (21) (emerging-rbn-BLOCK.rules) 2407021 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (22) (emerging-rbn-BLOCK.rules) 2407022 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (23) (emerging-rbn-BLOCK.rules) 2407023 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (24) (emerging-rbn-BLOCK.rules) 2407024 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (25) (emerging-rbn-BLOCK.rules) 2407025 - ET 
RBN Known Russian Business Network Monitored Domains - BLOCKING (26) (emerging-rbn-BLOCK.rules) 2407026 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (27) (emerging-rbn-BLOCK.rules) 2407027 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (28) (emerging-rbn-BLOCK.rules) 2407028 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (29) (emerging-rbn-BLOCK.rules) 2407029 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (30) (emerging-rbn-BLOCK.rules) 2407030 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (31) (emerging-rbn-BLOCK.rules) 2407031 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (32) (emerging-rbn-BLOCK.rules) 2407032 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (33) (emerging-rbn-BLOCK.rules) 2407033 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (34) (emerging-rbn-BLOCK.rules) 2407034 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (35) (emerging-rbn-BLOCK.rules) 2407035 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (36) (emerging-rbn-BLOCK.rules) 2407036 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (37) (emerging-rbn-BLOCK.rules) 2407037 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (38) (emerging-rbn-BLOCK.rules) 2407038 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (39) (emerging-rbn-BLOCK.rules) 2407039 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (40) (emerging-rbn-BLOCK.rules) 2407040 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (41) (emerging-rbn-BLOCK.rules) 2407041 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (42) (emerging-rbn-BLOCK.rules) 2407042 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (43) (emerging-rbn-BLOCK.rules) 2407043 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (44) (emerging-rbn-BLOCK.rules) 2407044 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (45) (emerging-rbn-BLOCK.rules) 2407045 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (46) (emerging-rbn-BLOCK.rules) 2407046 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (47) (emerging-rbn-BLOCK.rules) 2407047 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (48) (emerging-rbn-BLOCK.rules) 2407048 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (49) (emerging-rbn-BLOCK.rules) 2407049 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (50) (emerging-rbn-BLOCK.rules) 2407050 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (51) (emerging-rbn-BLOCK.rules) 2407051 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (52) (emerging-rbn-BLOCK.rules) 2407052 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (53) (emerging-rbn-BLOCK.rules) 2407053 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (54) (emerging-rbn-BLOCK.rules) 2407054 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (55) (emerging-rbn-BLOCK.rules) 2407055 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (56) (emerging-rbn-BLOCK.rules) 2407056 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (57) (emerging-rbn-BLOCK.rules) 2407057 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (58) (emerging-rbn-BLOCK.rules) 2407058 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (59) (emerging-rbn-BLOCK.rules) 2407059 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (60) (emerging-rbn-BLOCK.rules) 2407060 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (61) (emerging-rbn-BLOCK.rules) 2407061 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (62) 
(emerging-rbn-BLOCK.rules) 2407062 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (63) (emerging-rbn-BLOCK.rules) 2407063 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (64) (emerging-rbn-BLOCK.rules) 2407064 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (65) (emerging-rbn-BLOCK.rules) 2407065 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (66) (emerging-rbn-BLOCK.rules) 2407066 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (67) (emerging-rbn-BLOCK.rules) 2407067 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (68) (emerging-rbn-BLOCK.rules) 2407068 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (69) (emerging-rbn-BLOCK.rules) 2407069 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (70) (emerging-rbn-BLOCK.rules) 2407070 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (71) (emerging-rbn-BLOCK.rules) 2407071 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (72) (emerging-rbn-BLOCK.rules) 2407072 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (73) (emerging-rbn-BLOCK.rules) 2407073 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (74) (emerging-rbn-BLOCK.rules) 2407074 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (75) (emerging-rbn-BLOCK.rules) 2407075 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (76) (emerging-rbn-BLOCK.rules) 2407076 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (77) (emerging-rbn-BLOCK.rules) 2407077 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (78) (emerging-rbn-BLOCK.rules) 2407078 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (79) (emerging-rbn-BLOCK.rules) 2407079 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (80) (emerging-rbn-BLOCK.rules) 2407080 - 
ET RBN Known Russian Business Network Monitored Domains - BLOCKING (81) (emerging-rbn-BLOCK.rules) 2407081 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (82) (emerging-rbn-BLOCK.rules) 2407082 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (83) (emerging-rbn-BLOCK.rules) 2407083 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (84) (emerging-rbn-BLOCK.rules) 2407084 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (85) (emerging-rbn-BLOCK.rules) 2407085 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (86) (emerging-rbn-BLOCK.rules) 2407086 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (87) (emerging-rbn-BLOCK.rules) 2407087 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (88) (emerging-rbn-BLOCK.rules) 2407088 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (89) (emerging-rbn-BLOCK.rules) 2407089 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (90) (emerging-rbn-BLOCK.rules) 2407090 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (91) (emerging-rbn-BLOCK.rules) 2407091 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (92) (emerging-rbn-BLOCK.rules) 2407092 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (93) (emerging-rbn-BLOCK.rules) 2407093 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (94) (emerging-rbn-BLOCK.rules) 2407094 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (95) (emerging-rbn-BLOCK.rules) 2407095 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (96) (emerging-rbn-BLOCK.rules) 2407096 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (97) (emerging-rbn-BLOCK.rules) 2407097 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (98) (emerging-rbn-BLOCK.rules) 2407098 - ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (99) (emerging-rbn-BLOCK.rules) 2407099 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (100) (emerging-rbn-BLOCK.rules) 2407100 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (101) (emerging-rbn-BLOCK.rules) 2407101 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (102) (emerging-rbn-BLOCK.rules) 2407102 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (103) (emerging-rbn-BLOCK.rules) 2407103 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (104) (emerging-rbn-BLOCK.rules) 2407104 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (105) (emerging-rbn-BLOCK.rules) 2407105 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (106) (emerging-rbn-BLOCK.rules) 2407106 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (107) (emerging-rbn-BLOCK.rules) 2407107 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (108) (emerging-rbn-BLOCK.rules) 2407108 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (109) (emerging-rbn-BLOCK.rules) 2407109 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (110) (emerging-rbn-BLOCK.rules) 2407110 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (111) (emerging-rbn-BLOCK.rules) 2407111 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (112) (emerging-rbn-BLOCK.rules) 2407112 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (113) (emerging-rbn-BLOCK.rules) 2407113 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (114) (emerging-rbn-BLOCK.rules) 2407114 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (115) (emerging-rbn-BLOCK.rules) 2407115 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (116) (emerging-rbn-BLOCK.rules) 2407116 - ET RBN Known Russian Business Network Monitored Domains - 
BLOCKING (117) (emerging-rbn-BLOCK.rules) 2407117 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (118) (emerging-rbn-BLOCK.rules) 2407118 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (119) (emerging-rbn-BLOCK.rules) 2407119 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (120) (emerging-rbn-BLOCK.rules) 2407120 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (121) (emerging-rbn-BLOCK.rules) 2407121 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (122) (emerging-rbn-BLOCK.rules) 2407122 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (123) (emerging-rbn-BLOCK.rules) 2407123 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (124) (emerging-rbn-BLOCK.rules) 2407124 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (125) (emerging-rbn-BLOCK.rules) 2407125 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (126) (emerging-rbn-BLOCK.rules) 2407126 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (127) (emerging-rbn-BLOCK.rules) 2407127 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (128) (emerging-rbn-BLOCK.rules) 2407128 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (129) (emerging-rbn-BLOCK.rules) 2407129 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (130) (emerging-rbn-BLOCK.rules) 2407130 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (131) (emerging-rbn-BLOCK.rules) 2407131 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (132) (emerging-rbn-BLOCK.rules) 2407132 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (133) (emerging-rbn-BLOCK.rules) 2407133 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (134) (emerging-rbn-BLOCK.rules) 2407134 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (135) 
(emerging-rbn-BLOCK.rules) 2407135 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (136) (emerging-rbn-BLOCK.rules) 2407136 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (137) (emerging-rbn-BLOCK.rules) 2407137 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (138) (emerging-rbn-BLOCK.rules) 2407138 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (139) (emerging-rbn-BLOCK.rules) 2407139 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (140) (emerging-rbn-BLOCK.rules) 2407140 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (141) (emerging-rbn-BLOCK.rules) 2407141 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (142) (emerging-rbn-BLOCK.rules) 2407142 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (143) (emerging-rbn-BLOCK.rules) 2407143 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (144) (emerging-rbn-BLOCK.rules) 2407144 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (145) (emerging-rbn-BLOCK.rules) 2407145 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (146) (emerging-rbn-BLOCK.rules) 2407146 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (147) (emerging-rbn-BLOCK.rules) 2407147 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (148) (emerging-rbn-BLOCK.rules) 2407148 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (149) (emerging-rbn-BLOCK.rules) 2407149 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (150) (emerging-rbn-BLOCK.rules) 2407150 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (151) (emerging-rbn-BLOCK.rules) 2407151 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (152) (emerging-rbn-BLOCK.rules) 2407152 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (153) 
(emerging-rbn-BLOCK.rules) 2407153 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (154) (emerging-rbn-BLOCK.rules) 2407154 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (155) (emerging-rbn-BLOCK.rules) 2407155 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (156) (emerging-rbn-BLOCK.rules) 2407156 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (157) (emerging-rbn-BLOCK.rules) 2407157 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (158) (emerging-rbn-BLOCK.rules) 2407158 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (159) (emerging-rbn-BLOCK.rules) 2407159 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (160) (emerging-rbn-BLOCK.rules) 2407160 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (161) (emerging-rbn-BLOCK.rules) 2407161 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (162) (emerging-rbn-BLOCK.rules) 2407162 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (163) (emerging-rbn-BLOCK.rules) 2407163 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (164) (emerging-rbn-BLOCK.rules) 2407164 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (165) (emerging-rbn-BLOCK.rules) 2407165 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (166) (emerging-rbn-BLOCK.rules) 2407166 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (167) (emerging-rbn-BLOCK.rules) 2407167 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (168) (emerging-rbn-BLOCK.rules) 2407168 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (169) (emerging-rbn-BLOCK.rules) 2407169 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (170) (emerging-rbn-BLOCK.rules) 2407170 - ET RBN Known Russian Business Network Monitored Domains - BLOCKING (171) 
url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407312 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (313) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407313 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (314) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407314 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (315) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407315 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (316) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork 2407316 || ET RBN Known Russian Business Network Monitored Domains - BLOCKING (317) || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork From r.fulton at auckland.ac.nz Mon Apr 13 19:14:46 2009 From: r.fulton at auckland.ac.nz (Russell Fulton) Date: Tue, 14 Apr 2009 11:14:46 +1200 Subject: [Emerging-Sigs] error in rule "ET TROJAN Prg Trojan HTTP POST version 2" ?? Message-ID: <1ACEA47D-AC75-4CE9-8113-3406C70AD741@auckland.ac.nz> Just looking at the wiki docs for this rule and comparing the sample posted by Jack (Thanks Jack!) with what I have when I noticed that the rule, as written, would not trigger on this sample. The problem is that the rule looks for uricontent:".php?1=" but in the sample we have "php?2=" ! Clearly we don't want a regular expression here for performance reasons unless there is no alternative. 
Russell

From the wiki:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2007724; rev:7;)

Added 2009-02-13 19:30:23 UTC

16:15:51.343785 IP 192.168.3.24.2135 > 64.86.133.58.80: P 1958733971:1958734218(247) ack 923439852 win 65535
        0x0000:  4548 011f c591 4000 8006 aaae c0a8 0318  EH....@.........
        0x0010:  4056 853a 0857 0050 74bf e893 370a 92ec  @V.:.W.Pt...7...
        0x0020:  5018 ffff 2512 0000 504f 5354 202f 7a2f  P...%...POST./z/
        0x0030:  7374 6174 312e 7068 703f 323d 6530 3032  stat1.php?2=e002
        0x0040:  306d 696b 656d 635f 3032 3039 6139 3838  0mikemc_0209a988
        0x0050:  266e 3d31 2676 3d31 3637 3737 3939 3126  &n=1&v=16777991&
        0x0060:  693d 2673 3d30 2673 703d 3026 6c63 703d  i=&s=0&sp=0&lcp=

From frank at knobbe.us Mon Apr 13 22:18:53 2009
From: frank at knobbe.us (Frank Knobbe)
Date: Mon, 13 Apr 2009 21:18:53 -0500
Subject: [Emerging-Sigs] Win32.BHO.lng Checkin on Firefox/OS X
In-Reply-To: <49E0FE46.7080507@oitsec.umn.edu>
References: <49DE759D.6020003@ligo-la.caltech.edu> <49DE979A.5040302@jonkmans.com> <49E0FE46.7080507@oitsec.umn.edu>
Message-ID: <1239675533.12771.105.camel@localhost>

On Sat, 2009-04-11 at 15:32 -0500, Paul Dokas wrote:
> Matt Jonkman wrote:
> > We killed this sig this morning, it's hitting on too many ads. I'd drop
> > it from your ruleset :)
>
> I'd suggest examining those hits very closely before turning that sig off.
> We have seen a large amount of malware being pushed through ads served
> up by yieldmanager and zedo. The usual process seems to be:
>
> "legit" ad -> javascript -> another adsite -> javascript/iframe -> bad pdf/swf files -> exploits

But wouldn't we want a rule for the actual malware instead of the adsite? Alerting on adsites to hunt for malware files sounds a bit like accepting the haystack for the needle :)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

From jules at visionintel.com Tue Apr 14 10:25:37 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Tue, 14 Apr 2009 15:25:37 +0100
Subject: [Emerging-Sigs] strange capture?
In-Reply-To: <49E3711A.40906@jonkmans.com>
References: <69544300904130414g27851459i4fdd021e8dd91645@mail.gmail.com> <49E3711A.40906@jonkmans.com>
Message-ID: <69544300904140725m76946874r99a877afa9aa58c7@mail.gmail.com>

Hi Matt,

Here is the link: http://www.megaupload.com/?d=8OK2HXIE

Thanks,
Jules

2009/4/13 Matt Jonkman
> That's an unusual one. What are the systems involved? Both Windows or
> something? Is one a backup server or something else that may be talking
> on a proprietary protocol?
>
> Matt
>
> Jules Pagna Disso wrote:
> > Hi guys
> >
> > I have attached a pcap for analysis.
> >
> > Too many hits of the same thing. Is that normal?
> > Jules
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> -- 
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc

From emerging at emergingthreats.net Tue Apr 14 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Tue, 14 Apr 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090414200010.408C14501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Tue Apr 14 16:00:10 2009 [***]

[+++] Added rules: [+++]

2009236 - ET MALWARE Pigeon.AYX/AVKill Related User-Agent (CTTBasic) (emerging-malware.rules)

[///] Modified active rules: [///]

2009224 - ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion (emerging-web_sql_injection.rules)
2009225 - ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion (emerging-web_sql_injection.rules)
2009226 - ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution (emerging-web.rules)
2009227 - ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection (emerging-web_sql_injection.rules)
2009228 - ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection (emerging-web_sql_injection.rules)
2009229 - ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion (emerging-web_sql_injection.rules)
2009230 - ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion (emerging-web_sql_injection.rules)
2009231 - ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion (emerging-web_sql_injection.rules)
2009232 - ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion (emerging-web_sql_injection.rules)
2009233 - ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion (emerging-web_sql_injection.rules)
2009234 - ET MALWARE Adware-Mirar Reporting (BAR) (emerging-malware.rules)
2009235 - ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download (emerging-virus.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (13):
2009224 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_eaGBook || url,doc.emergingthreats.net/2009224 || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/
2009225 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_eaGBook || url,doc.emergingthreats.net/2009225 || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/
2009226 || ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SopCast || url,doc.emergingthreats.net/2009226 || url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt || bugtraq,33920
2009227 || ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_eFiction || url,doc.emergingthreats.net/2009227 || url,milw0rm.com/exploits/5785 || url,secunia.com/advisories/30606/
2009228 || ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Alstrasoft || url,doc.emergingthreats.net/2009228 || url,secunia.com/advisories/31134/ || url,www.milw0rm.com/exploits/6092 || cve,CVE-2008-3386
2009229 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Technote || url,doc.emergingthreats.net/2009229 || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
2009230 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Technote || url,doc.emergingthreats.net/2009230 || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
2009231 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Hedgehog || url,doc.emergingthreats.net/2009231 || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
2009232 || ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Hedgehog || url,doc.emergingthreats.net/2009232 || url,milw0rm.com/exploits/8028 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
2009233 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Hedgehog || url,doc.emergingthreats.net/2009233 || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
2009234 || ET MALWARE Adware-Mirar Reporting (BAR) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mirarsearch.com || url,doc.emergingthreats.net/2009234
2009235 || ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General || url,doc.emergingthreats.net/2009235 || url,www.packetninjas.net || url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2
2009236 || ET MALWARE Pigeon.AYX/AVKill Related User-Agent (CTTBasic) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents || url,doc.emergingthreats.net/2009236

[---] Removed non-rule lines: [---]

-> Removed from emerging-sid-msg.map (18):
2009224 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter local file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/
2009225 || ET WEB_SPECIFIC ea-gBook index_inc.php inc_ordner parameter remote file inclusion || url,milw0rm.com/exploits/8052 || bugtraq,33774 || url,secunia.com/advisories/33927/
2009226 || ET WEB_ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution || url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt || bugtraq,33920
2009227 || ET WEB_SPECIFIC eFiction toplists.php list Parameter SQL Injection || url,milw0rm.com/exploits/5785 || url,secunia.com/advisories/30606/
2009228 || ET WEB_SPECIFIC AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection || url,secunia.com/advisories/31134/ || url,www.milw0rm.com/exploits/6092 || cve,CVE-2008-3386
2009229 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Remote File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
2009230 || ET WEB_SPECIFIC TECHNOTE shop_this_skin_path Paramter Local File Inclusion || url,milw0rm.com/exploits/7965 || cve,CVE-2009-0441 || url,secunia.com/advisories/33732/
2009231 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Local File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
2009232 || ET WEB_SPECIFIC Hedgehog CMS footer.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/8028 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
2009233 || ET WEB_SPECIFIC Hedgehog CMS header.php c_temp_path Remote File Inclusion || url,milw0rm.com/exploits/5904 || url,secunia.com/advisories/30778/ || cve,CVE-2008-2898
2009234 || ET MALWARE Adware-Mirar Reporting (BAR)
2009235 || ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download || url,www.packetninjas.net || url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2
2500156 || ET COMPROMISED Known Compromised or Hostile Host Traffic (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500157 || ET COMPROMISED Known Compromised or Hostile Host Traffic (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500158 || ET COMPROMISED Known Compromised or Hostile Host Traffic (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510156 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510157 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510158 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
From duckie37 at gmail.com Tue Apr 14 16:32:44 2009
From: duckie37 at gmail.com (Scott Melnick)
Date: Tue, 14 Apr 2009 16:32:44 -0400
Subject: [Emerging-Sigs] strange capture?
In-Reply-To: <69544300904140725m76946874r99a877afa9aa58c7@mail.gmail.com>
References: <69544300904130414g27851459i4fdd021e8dd91645@mail.gmail.com> <49E3711A.40906@jonkmans.com> <69544300904140725m76946874r99a877afa9aa58c7@mail.gmail.com>
Message-ID: <6d234b6a0904141332r65a9ac99jb0b26e86b6b97b87@mail.gmail.com>

Since this is very persistent with a specific private IP address I would tend to think it is some stray application. Try listing the netstat ports to see if a program is associated with it.

Windows:
netstat -anb -p udp

Linux:
sudo netstat -ap | grep "18310"
or
sudo netstat -ap | grep "192.168.15.102:61352"

Look for programs associated with those 2 ports.

Cheers,
Scott Melnick

On Tue, Apr 14, 2009 at 10:25 AM, Jules Pagna Disso wrote:
> Hi Matt,
>
> Here is the link: http://www.megaupload.com/?d=8OK2HXIE
>
> Thanks,
> Jules
>
>
> 2009/4/13 Matt Jonkman
>>
>> That's an unusual one. What are the systems involved? Both Windows or
>> something? Is one a backup server or something else that may be talking
>> on a proprietary protocol?
>>
>> Matt
>>
>> Jules Pagna Disso wrote:
>> > Hi guys
>> >
>> > I have attached a pcap for analysis.
>> >
>> > Too many hits of the same thing. Is that normal?
>> > Jules

From david.glosser at gmail.com Thu Apr 16 06:41:59 2009
From: david.glosser at gmail.com (David Glosser)
Date: Thu, 16 Apr 2009 06:41:59 -0400
Subject: [Emerging-Sigs] Ghostnet
Message-ID:

http://xanalysis.blogspot.com/

Nice article on Ghostnet. Are there any sigs for this app?

Thx

From jonkman at jonkmans.com Thu Apr 16 11:00:45 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 16 Apr 2009 11:00:45 -0400
Subject: [Emerging-Sigs] Ghostnet
In-Reply-To:
References:
Message-ID: <49E7481D.5070302@jonkmans.com>

That is a good analysis.

Only thing I see we could do is based on this:

GET /ip.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: www.badsite.org
Pragma: no-cache

/ip.jpg and the user-agent together. But that appears to be easily changeable in the kit, so not sure of the value of it. Anyone see something else we could go after or have more info?

Matt

David Glosser wrote:
> http://xanalysis.blogspot.com/
> Nice article on Ghostnet. Are there any sigs for this app?
> Thx

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From mcholste at gmail.com Thu Apr 16 11:08:49 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 16 Apr 2009 10:08:49 -0500
Subject: [Emerging-Sigs] Ghostnet
In-Reply-To: <49E7481D.5070302@jonkmans.com>
References: <49E7481D.5070302@jonkmans.com>
Message-ID:

I wonder if the previous GhostNet (as opposed to the remote admin tool (RAT)) sigs will hit on a host infected with the RAT. Wouldn't the RAT need the base level GhostNet to run as a foundation? I didn't see that explicitly called out in the article.

--Martin

On Thu, Apr 16, 2009 at 10:00 AM, Matt Jonkman wrote:
> That is a good analysis.
>
> Only thing I see we could do is based on this:
>
> GET /ip.jpg HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible)
> Host: www.badsite.org
> Pragma: no-cache
>
>
> /ip.jpg and the user-agent together. But that appears to be easily
> changeable in the kit, so not sure of the value of it. Anyone see
> something else we could go after or have more info?
>
> Matt
>
> David Glosser wrote:
> > http://xanalysis.blogspot.com/
> > Nice article on Ghostnet. Are there any sigs for this app?
> > Thx

From daniel.clemens at packetninjas.net Thu Apr 16 12:19:00 2009
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Thu, 16 Apr 2009 11:19:00 -0500
Subject: [Emerging-Sigs] ET TROJAN Peed Report to Controller
In-Reply-To: <49CA6F44.4010108@jonkmans.com>
References: <53834cf20903250522m3594e257oa17ff222bad039be@mail.gmail.com> <20090325112305.jpprsggjs4ggk0g8@mail.afferentsecurity.com> <49CA6F44.4010108@jonkmans.com>
Message-ID:

On Mar 25, 2009, at 12:52 PM, Matt Jonkman wrote:
> I'd like to see other packets if you have them, but it may be safe
> enough to just drop the &rnd from the old sig. The rest is relatively
> specific, and this is definitely an active bot.
>
> Anyone see an issue with doing so?

Urk. Active... definitely active. I'm seeing it active at this moment along with a controller site being up.

--snip--
GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=2820862648&rnd=981633
--snip--

Check out http://78.109.29.112/new/?action=login

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pastedGraphic.jpg
Type: image/jpeg
Size: 14358 bytes
Desc: not available
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20090416/74aff71b/pastedGraphic.jpg
-------------- next part --------------

If anyone has a default login for this it would be super cool.

| Daniel Uriah Clemens
| Packetninjas L.L.C        | | http://www.packetninjas.net
| c. 205.567.6850           | | o. 866.267.8851
"The secret to creativity is knowing how to hide your sources" Einstein

From jonkman at jonkmans.com Thu Apr 16 12:26:02 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 16 Apr 2009 12:26:02 -0400
Subject: [Emerging-Sigs] ET TROJAN Peed Report to Controller
In-Reply-To:
References: <53834cf20903250522m3594e257oa17ff222bad039be@mail.gmail.com> <20090325112305.jpprsggjs4ggk0g8@mail.afferentsecurity.com> <49CA6F44.4010108@jonkmans.com>
Message-ID: <49E75C1A.5040909@jonkmans.com>

Did you get good hits on the Peed signature for the requests there?

matt

Daniel Clemens wrote:
>
> On Mar 25, 2009, at 12:52 PM, Matt Jonkman wrote:
>
>> I'd like to see other packets if you have them, but it may be safe
>> enough to just drop the &rnd from the old sig. The rest is relatively
>> specific, and this is definitely an active bot.
>>
>> Anyone see an issue with doing so?
>
> Urk.
> Active... definitely active.
> I'm seeing it active at this moment along with a controller site being up.
> --snip--
> GET
> /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=2820862648&rnd=981633
>
> --snip--
> Check out http://78.109.29.112/new/?action=login
>
> ------------------------------------------------------------------------
>
>
> If anyone has a default login for this it would be super cool.
>

From daniel.clemens at packetninjas.net Thu Apr 16 12:45:46 2009
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Thu, 16 Apr 2009 11:45:46 -0500
Subject: [Emerging-Sigs] ET TROJAN Peed Report to Controller
In-Reply-To: <49E75C1A.5040909@jonkmans.com>
References: <53834cf20903250522m3594e257oa17ff222bad039be@mail.gmail.com> <20090325112305.jpprsggjs4ggk0g8@mail.afferentsecurity.com> <49CA6F44.4010108@jonkmans.com> <49E75C1A.5040909@jonkmans.com>
Message-ID: <8D1F86D9-25DA-4FCB-A25B-E51E85563ECD@packetninjas.net>

On Apr 16, 2009, at 11:26 AM, Matt Jonkman wrote:
> Did you get good hits on the Peed signature for the requests there?
>

Yeah, the sigs hit... botnet bad.

> matt
>
> Daniel Clemens wrote:
>>
>> On Mar 25, 2009, at 12:52 PM, Matt Jonkman wrote:
>>
>>> I'd like to see other packets if you have them, but it may be safe
>>> enough to just drop the &rnd from the old sig. The rest is
>>> relatively
>>> specific, and this is definitely an active bot.
>>>
>>> Anyone see an issue with doing so?
>>
>> Urk.
>> Active... definitely active.
>> I'm seeing it active at this moment along with a controller site
>> being up.
>> --snip--
>> GET
>> /new/controller.php?
>> action=bot&entity_list=&uid=1&first=1&guid=2820862648&rnd=981633
>>
>> --snip--
>> Check out http://78.109.29.112/new/?action=login
>>
>> ---
>> ---------------------------------------------------------------------
>>
>>
>> If anyone has a default login for this it would be super cool.
>>
>> | Daniel Uriah Clemens
>> | Packetninjas L.L.C | | http://www.packetninjas.net
>> | c. 205.567.6850 | | o. 866.267.8851
>> "The secret to creativity is knowing how to hide your sources"
>> Einstein
>>
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>

From jim.mcquaid at gmail.com Thu Apr 16 13:32:11 2009
From: jim.mcquaid at gmail.com (James McQuaid)
Date: Thu, 16 Apr 2009 13:32:11 -0400
Subject: [Emerging-Sigs] ET TROJAN Peed Report to Controller
Message-ID:

Courtesy of Anatoliy Vasnetsoff. He has 78.109.29.112 - 78.109.29.119.

Note:

inetnum: 78.109.29.112 - 78.109.29.119
netname: fpsx8
descr: fpsx8 - Anatoliy Vasnetsoff
country: UA
admin-c: AV1497-RIPE
tech-c: AV1497-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered

person: Anatoliy Vasnetsoff
address: RU, Medniy all. 23, Izhevsk
phone: +74452277199
nic-hdl: AV1497-RIPE
abuse-mailbox: themyacc at yandex.ru
source: RIPE # Filtered

--
James McQuaid
http://www.jamesmcquaid.com

From emerging at emergingthreats.net Thu Apr 16 16:00:10 2009
From: emerging at emergingthreats.net (emerging@emergingthreats.net)
Date: Thu, 16 Apr 2009 16:00:10 -0400 (EDT)
Subject: [Emerging-Sigs] Emerging Threats Daily Signature Changes
Message-ID: <20090416200010.939DA4501B@goliath.jonkmans.com>

[***] Results from Oinkmaster started Thu Apr 16 16:00:10 2009 [***]

[+++] Added rules: [+++]

2009237 - ET TROJAN Muldrop or Related Reporting to Controller (emerging-virus.rules)
2009238 - ET TROJAN PcClient Backdoor Checkin Packet 1 (emerging-virus.rules)
2009239 - ET TROJAN PcClient Backdoor Checkin (emerging-virus.rules)

[///] Modified active rules: [///]

2008627 - ET SCAN Httprecon Web Server Fingerprint Scan (emerging-scan.rules)

[+++] Added non-rule lines: [+++]

-> Added to emerging-sid-msg.map (17):
2009237 || ET TROJAN Muldrop or Related Reporting to Controller
2009238 || ET TROJAN PcClient Backdoor Checkin Packet 1
2009239 || ET TROJAN PcClient Backdoor Checkin
2500156 || ET COMPROMISED Known Compromised or Hostile Host Traffic (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500157 || ET COMPROMISED Known Compromised or Hostile Host Traffic (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500158 || ET COMPROMISED Known Compromised or Hostile Host Traffic (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500159 || ET COMPROMISED Known Compromised or Hostile Host Traffic (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500160 || ET COMPROMISED Known Compromised or Hostile Host Traffic (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500161 || ET COMPROMISED Known Compromised or Hostile Host Traffic (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500162 || ET COMPROMISED Known Compromised or Hostile Host Traffic (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510156 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510157 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510158 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510159 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510160 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510161 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510162 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-sid-msg.map.txt (17):
2009237 || ET TROJAN Muldrop or Related Reporting to Controller
2009238 || ET TROJAN PcClient Backdoor Checkin Packet 1
2009239 || ET TROJAN PcClient Backdoor Checkin
2500156 || ET COMPROMISED Known Compromised or Hostile Host Traffic (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500157 || ET COMPROMISED Known Compromised or Hostile Host Traffic (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500158 || ET COMPROMISED Known Compromised or Hostile Host Traffic (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500159 || ET COMPROMISED Known Compromised or Hostile Host Traffic (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500160 || ET COMPROMISED Known Compromised or Hostile Host Traffic (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500161 || ET COMPROMISED Known Compromised or Hostile Host Traffic (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2500162 || ET COMPROMISED Known Compromised or Hostile Host Traffic (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510156 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (157) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510157 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (158) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510158 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (159) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510159 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (160) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510160 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (161) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510161 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (162) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
2510162 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (163) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

-> Added to emerging-virus.rules (2):
#matt jonkman, re 2cdd4db326505a3aa55a99647a6113b4
#Matt Jonkman, re 0c7918e9c9f3bae79bb8ff1b4b3f9b42

From info at prowling.nu Fri Apr 17 10:21:41 2009
From: info at prowling.nu (Mikael)
Date: Fri, 17 Apr 2009 16:21:41 +0200
Subject: [Emerging-Sigs] Rule to detect the usage of Spotify
Message-ID: <49E89075.8030208@prowling.nu>

Hi,

Here is a sig that will alert on the usage of the Spotify client, a streaming music service with some p2p capabilities.

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"Spotify usage detected"; flow:from_server; content:"|5F 73 70 6F 74 69 66 79 2D|"; classtype:policy-violation; reference:url,http://www.spotify.com/en/about/what/;sid:XXXXXXXXX;rev:1;)

/Mikael

From jonkman at jonkmans.com Fri Apr 17 11:39:14 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 17 Apr 2009 11:39:14 -0400
Subject: [Emerging-Sigs] Rule to detect the usage of Spotify
In-Reply-To: <49E89075.8030208@prowling.nu>
References: <49E89075.8030208@prowling.nu>
Message-ID: <49E8A2A2.7050401@jonkmans.com>

Hi Mikael. Appreciate the sig, will be useful. This will alert on the dns server though, is there something in the p2p the app uses? Or a url pattern? That'll get us the client rather than the dns server making the lookup for the client...

Matt

Mikael wrote:
> Hi,
>
> Here is a sig that will alert on the usage of the Spotify client, a
> streaming music service with some p2p capabilities.
>
> alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"Spotify usage
> detected"; flow:from_server; content:"|5F 73 70 6F 74 69 66 79 2D|";
> classtype:policy-violation;
> reference:url,http://www.spotify.com/en/about/what/;sid:XXXXXXXXX;rev:1;)
>
> /Mikael
> _______________________________________________
> Emerging-sigs mailing list
>
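An added example, not from the list or from Emerging Threats, of the attribution problem Matt raises: Mikael's rule matches the DNS response (source port 53, flow from_server), so the alert's source address is the resolver, and the host that actually ran the client is the response's destination. The code decodes the rule's content bytes (they spell "_spotify-"), parses a DNS response to recover the queried name, and reports the destination as the client; the DNS name used in the sample is constructed and only needs to carry those bytes.

```python
import struct

# Byte content from Mikael's rule, |5F 73 70 6F 74 69 66 79 2D|, is "_spotify-"
SPOTIFY_CONTENT = bytes.fromhex("5F73706F746966792D")

def read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if end is None:  # the name ends right after the first pointer
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def question_name(msg):
    """QNAME of the first question entry (empty string if QDCOUNT is 0)."""
    if struct.unpack("!H", msg[4:6])[0] == 0:
        return ""
    return read_name(msg, 12)[0]

def attribute_alert(src_ip, src_port, dst_ip, payload):
    """Apply the rule's conditions (source port 53, server->client, content present).
    src_ip is the resolver; dst_ip is the host that asked, so attribute to dst_ip."""
    if src_port != 53 or SPOTIFY_CONTENT not in payload:
        return None
    return dst_ip, question_name(payload)

def build_response(qname):
    """Constructed DNS response: header, one question, one A answer whose
    owner name is a compression pointer (0xC00C) back to the question."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    q += b"\x00" + struct.pack("!HH", 1, 1)
    ans = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return hdr + q + ans

if __name__ == "__main__":
    # Constructed name: it only needs to carry the "_spotify-" bytes the rule matches
    pkt = build_response("_spotify-client._tcp.example.net")
    print(attribute_alert("192.0.2.53", 53, "10.0.0.7", pkt))
```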