[Emerging-updates] Live Commit Output

emerging@emergingthreats.net
Mon Jul 26 11:54:03 EDT 2010


[***] Results from Oinkmaster started Mon Jul 26 11:54:03 2010 [***]

[+++]          Added rules:          [+++]

 2011240 - ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt (emerging-web_client.rules)
 2011241 - ET EXPLOIT M3U File Request Flowbit Set (emerging-exploit.rules)
 2011242 - ET EXPLOIT Possible VLC Medial Player M3U File FTP URL Processing Stack Buffer Overflow Attempt (emerging-exploit.rules)
 2011243 - ET USER_AGENTS Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork) (emerging-user_agents.rules)
 2011244 - ET USER_AGENTS Bot Search RFI Scan (ByroeNet/Casper-Like, sun4u) (emerging-user_agents.rules)


[///]     Modified active rules:     [///]

 2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) (emerging-current_events.rules)
 2010881 - ET POLICY .pdf File Download With Unescape Method Defined - Possible Hostile Obfuscation Attempt (emerging-policy.rules)
 2011175 - ET USER_AGENTS Casper Bot Search RFI Scan (emerging-user_agents.rules)
 2011176 - ET USER_AGENTS MaMa CaSpEr RFI Scan (emerging-user_agents.rules)
 2011230 - ET CURRENT_EVENTS MALVERTISING client requesting drive by - /x/?src= (emerging-current_events.rules)
 2011231 - ET CURRENT_EVENTS MALVERTISING client requesting redirect to drive by - .php?n=cust (emerging-current_events.rules)
 2011232 - ET P2P Related User Agent (eChanblard) (emerging-policy.rules)
 2011233 - ET TROJAN Troxen GetSpeed Request (emerging-virus.rules)
 2011234 - ET TROJAN Cosmu Process Dump Report (emerging-virus.rules)
 2011235 - ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt (emerging-exploit.rules)
 2011236 - ET TROJAN Trojan-Downloader Win32.Genome.avan (emerging-virus.rules)
 2011237 - ET TROJAN General Proxy.Agent (emerging-virus.rules)
 2011238 - ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (SP3 WINLD)) (emerging-user_agents.rules)


[---]         Removed rules:         [---]

 2001409 - ET MALWARE Mastermind Related Reporting (emerging-malware.rules)
 2001410 - ET MALWARE Mastermind Related Reporting 8081 (emerging-malware.rules)
 2001411 - ET MALWARE Mastermind Related Downloading mm20.ocx (emerging-malware.rules)
 2001413 - ET MALWARE Medis-Motor Related Downloading ast_4_mm.exe (emerging-malware.rules)
 2001414 - ET MALWARE Media-Motor Related Downloading MediaMotor25.exe (emerging-malware.rules)
 2001419 - ET MALWARE Avres.net Downloading cpr_mm2.exe (emerging-malware.rules)
 2001420 - ET MALWARE Avres.net Downloading ab1.exe (emerging-malware.rules)
 2001421 - ET MALWARE Avres.net Downloading tvm_bundle.exe (emerging-malware.rules)
 2001422 - ET MALWARE Avres.net Reporting Data (emerging-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (17):
        2010881 || ET POLICY .pdf File Download With Unescape Method Defined - Possible Hostile Obfuscation Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF || url,doc.emergingthreats.net/2010881 || url,isc.sans.org/diary.html?storyid=7906 || url,isc.sans.org/diary.html?storyid=7903
        2011175 || ET USER_AGENTS Casper Bot Search RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011175
        2011176 || ET USER_AGENTS MaMa CaSpEr RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011176
        2011230 || ET CURRENT_EVENTS MALVERTISING client requesting drive by - /x/?src= || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising || url,doc.emergingthreats.net/2011230
        2011231 || ET CURRENT_EVENTS MALVERTISING client requesting redirect to drive by - .php?n=cust || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising || url,doc.emergingthreats.net/2011231
        2011232 || ET P2P Related User Agent (eChanblard) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_echanblard || url,doc.emergingthreats.net/2011232
        2011233 || ET TROJAN Troxen GetSpeed Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Troxen || url,doc.emergingthreats.net/2011233 || url,www.threatexpert.com/report.aspx?md5=af89d15930fe59dcb621069abc83cc66
        2011234 || ET TROJAN Cosmu Process Dump Report || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cosmu || url,doc.emergingthreats.net/2011234
        2011235 || ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Novell || url,doc.emergingthreats.net/2011235 || url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598 || url,www.zerodayinitiative.com/advisories/ZDI-10-129/ || url,www.exploit-db.com/exploits/14379/
        2011236 || ET TROJAN Trojan-Downloader Win32.Genome.avan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Genome || url,doc.emergingthreats.net/2011236
        2011237 || ET TROJAN General Proxy.Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_ProxyAgent_General || url,doc.emergingthreats.net/2011237
        2011238 || ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (SP3 WINLD)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2011238
        2011240 || ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Firefox || url,doc.emergingthreats.net/2011240 || cve,2010-1206 || url,bugzilla.mozilla.org/show_bug.cgi?id=556957 || url,www.mozilla.org/security/announce/2010/mfsa2010-45.html
        2011241 || ET EXPLOIT M3U File Request Flowbit Set || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_VLC || url,doc.emergingthreats.net/2011241
        2011242 || ET EXPLOIT Possible VLC Medial Player M3U File FTP URL Processing Stack Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_VLC || url,doc.emergingthreats.net/2011242 || url,securitytracker.com/alerts/2010/Jul/1024172.html
        2011243 || ET USER_AGENTS Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011243 || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/
        2011244 || ET USER_AGENTS Bot Search RFI Scan (ByroeNet/Casper-Like, sun4u) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011244 || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/

     -> Added to emerging-sid-msg.map.txt (17):
        2010881 || ET POLICY .pdf File Download With Unescape Method Defined - Possible Hostile Obfuscation Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF || url,doc.emergingthreats.net/2010881 || url,isc.sans.org/diary.html?storyid=7906 || url,isc.sans.org/diary.html?storyid=7903
        2011175 || ET USER_AGENTS Casper Bot Search RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011175
        2011176 || ET USER_AGENTS MaMa CaSpEr RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011176
        2011230 || ET CURRENT_EVENTS MALVERTISING client requesting drive by - /x/?src= || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising || url,doc.emergingthreats.net/2011230
        2011231 || ET CURRENT_EVENTS MALVERTISING client requesting redirect to drive by - .php?n=cust || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising || url,doc.emergingthreats.net/2011231
        2011232 || ET P2P Related User Agent (eChanblard) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_echanblard || url,doc.emergingthreats.net/2011232
        2011233 || ET TROJAN Troxen GetSpeed Request || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Troxen || url,doc.emergingthreats.net/2011233 || url,www.threatexpert.com/report.aspx?md5=af89d15930fe59dcb621069abc83cc66
        2011234 || ET TROJAN Cosmu Process Dump Report || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cosmu || url,doc.emergingthreats.net/2011234
        2011235 || ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Novell || url,doc.emergingthreats.net/2011235 || url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598 || url,www.zerodayinitiative.com/advisories/ZDI-10-129/ || url,www.exploit-db.com/exploits/14379/
        2011236 || ET TROJAN Trojan-Downloader Win32.Genome.avan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Genome || url,doc.emergingthreats.net/2011236
        2011237 || ET TROJAN General Proxy.Agent || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_ProxyAgent_General || url,doc.emergingthreats.net/2011237
        2011238 || ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (SP3 WINLD)) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/2011238
        2011240 || ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Firefox || url,doc.emergingthreats.net/2011240 || cve,2010-1206 || url,bugzilla.mozilla.org/show_bug.cgi?id=556957 || url,www.mozilla.org/security/announce/2010/mfsa2010-45.html
        2011241 || ET EXPLOIT M3U File Request Flowbit Set || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_VLC || url,doc.emergingthreats.net/2011241
        2011242 || ET EXPLOIT Possible VLC Medial Player M3U File FTP URL Processing Stack Buffer Overflow Attempt || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_VLC || url,doc.emergingthreats.net/2011242 || url,securitytracker.com/alerts/2010/Jul/1024172.html
        2011243 || ET USER_AGENTS Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011243 || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/
        2011244 || ET USER_AGENTS Bot Search RFI Scan (ByroeNet/Casper-Like, sun4u) || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper || url,doc.emergingthreats.net/2011244 || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-malware.rules (1):
        #Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04

     -> Removed from emerging-sid-msg.map (21):
        2001409 || ET MALWARE Mastermind Related Reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001409
        2001410 || ET MALWARE Mastermind Related Reporting 8081 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001410
        2001411 || ET MALWARE Mastermind Related Downloading mm20.ocx || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001411
        2001413 || ET MALWARE Medis-Motor Related Downloading ast_4_mm.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001413
        2001414 || ET MALWARE Media-Motor Related Downloading MediaMotor25.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001414
        2001419 || ET MALWARE Avres.net Downloading cpr_mm2.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001419
        2001420 || ET MALWARE Avres.net Downloading ab1.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001420
        2001421 || ET MALWARE Avres.net Downloading tvm_bundle.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001421
        2001422 || ET MALWARE Avres.net Reporting Data || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001422
        2010881 || ET POLICY .pdf File Download With Unescape Method Defined - Possibly Hostile || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF || url,doc.emergingthreats.net/2010881 || url,isc.sans.org/diary.html?storyid=7906 || url,isc.sans.org/diary.html?storyid=7903
        2011175 || ET USER_AGENTS Casper Bot Search RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot || url,doc.emergingthreats.net/2011175
        2011176 || ET USER_AGENTS MaMa CaSpEr RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot || url,doc.emergingthreats.net/2011176
        2011230 || ET CURRENT_EVENTS MALVERTISING client requesting drive by - /x/?src=
        2011231 || ET CURRENT_EVENTS MALVERTISING client requesting redirect to drive by - .php?n=cust
        2011232 || ET P2P Related User Agent (eChanblard)
        2011233 || ET TROJAN Troxen GetSpeed Request || url,www.threatexpert.com/report.aspx?md5=af89d15930fe59dcb621069abc83cc66
        2011234 || ET TROJAN Cosmu Process Dump Report
        2011235 || ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt || url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598 || url,www.zerodayinitiative.com/advisories/ZDI-10-129/ || url,www.exploit-db.com/exploits/14379/
        2011236 || ET TROJAN Trojan-Downloader Win32.Genome.avan
        2011237 || ET TROJAN General Proxy.Agent
        2011238 || ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (SP3 WINLD))

     -> Removed from emerging-sid-msg.map.txt (21):
        2001409 || ET MALWARE Mastermind Related Reporting || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001409
        2001410 || ET MALWARE Mastermind Related Reporting 8081 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001410
        2001411 || ET MALWARE Mastermind Related Downloading mm20.ocx || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001411
        2001413 || ET MALWARE Medis-Motor Related Downloading ast_4_mm.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001413
        2001414 || ET MALWARE Media-Motor Related Downloading MediaMotor25.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001414
        2001419 || ET MALWARE Avres.net Downloading cpr_mm2.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001419
        2001420 || ET MALWARE Avres.net Downloading ab1.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001420
        2001421 || ET MALWARE Avres.net Downloading tvm_bundle.exe || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001421
        2001422 || ET MALWARE Avres.net Reporting Data || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com || url,doc.emergingthreats.net/bin/view/Main/2001422
        2010881 || ET POLICY .pdf File Download With Unescape Method Defined - Possibly Hostile || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF || url,doc.emergingthreats.net/2010881 || url,isc.sans.org/diary.html?storyid=7906 || url,isc.sans.org/diary.html?storyid=7903
        2011175 || ET USER_AGENTS Casper Bot Search RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot || url,doc.emergingthreats.net/2011175
        2011176 || ET USER_AGENTS MaMa CaSpEr RFI Scan || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot || url,doc.emergingthreats.net/2011176
        2011230 || ET CURRENT_EVENTS MALVERTISING client requesting drive by - /x/?src=
        2011231 || ET CURRENT_EVENTS MALVERTISING client requesting redirect to drive by - .php?n=cust
        2011232 || ET P2P Related User Agent (eChanblard)
        2011233 || ET TROJAN Troxen GetSpeed Request || url,www.threatexpert.com/report.aspx?md5=af89d15930fe59dcb621069abc83cc66
        2011234 || ET TROJAN Cosmu Process Dump Report
        2011235 || ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt || url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598 || url,www.zerodayinitiative.com/advisories/ZDI-10-129/ || url,www.exploit-db.com/exploits/14379/
        2011236 || ET TROJAN Trojan-Downloader Win32.Genome.avan
        2011237 || ET TROJAN General Proxy.Agent
        2011238 || ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (SP3 WINLD))
