[Emerging-Sigs] Emerging Threats Daily Signature Changes

emerging@emergingthreats.net
Wed Jan 7 16:00:09 EST 2009


[***] Results from Oinkmaster started Wed Jan  7 16:00:09 2009 [***]

[+++]          Added rules:          [+++]

 2008983 - ET MALWARE Suspicious User Agent (BlackSun) (emerging-malware.rules)
 2008984 - ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report (emerging-virus.rules)
 2008985 - ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection (emerging-policy.rules)
 2008986 - ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection (emerging-policy.rules)
 2008987 - ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection (emerging-policy.rules)
 2008988 - ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection (emerging-policy.rules)
 2008989 - ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection (emerging-policy.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-policy.rules (1):
        # these services aren't bad inherently, but are often used by trojans to get their external IP

     -> Added to emerging-sid-msg.map (12):
        2008976 || ET TROJAN Vundo Variant reporting to Controller via HTTP (1)
        2008983 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
        2008984 || ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report
        2008985 || ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
        2008986 || ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
        2008987 || ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection
        2008988 || ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection
        2008989 || ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection
        2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (12):
        2008976 || ET TROJAN Vundo Variant reporting to Controller via HTTP (1)
        2008983 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
        2008984 || ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report
        2008985 || ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
        2008986 || ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
        2008987 || ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection
        2008988 || ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection
        2008989 || ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection
        2500071 || ET COMPROMISED Known Compromised or Hostile Host Traffic (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510071 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (72) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510072 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (73) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (1):
        2008976 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html

     -> Removed from emerging-sid-msg.map.txt (1):
        2008976 || ET MALWARE Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html
