From jonkman at bleedingthreats.net Fri Dec 1 15:42:21 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Dec 1 15:43:14 2006
Subject: [Bleeding-sigs] New Suspicious User Agent
Message-ID: <45704D5D.3030309@bleedingthreats.net>

#Matt Jonkman. Found being used by a goldun variant
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious User Agent (MSIE XPSP2)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+MSIE XPSP2/i"; classtype:trojan-activity; sid:2003200; rev:1;)

Interesting one, should be unique. Please report any false positives on it.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Fri Dec 1 17:58:28 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Dec 1 18:00:11 2006
Subject: [Bleeding-sigs] bad bleeding-drop rule
In-Reply-To: <456EF388.8010300@nrl.navy.mil>
References: <456EF388.8010300@nrl.navy.mil>
Message-ID: <45706D44.4080307@bleedingthreats.net>

Yes, this was because of a bad update. The shadowserver guys were adding some protections. It's resolved and that ruleset was manually updated. Should be good from here out.

Thanks

Matt

Will Cladek wrote:
> An update received last night of the bleeding-drop and
> bleeding-drop-BLOCK rulesets contained a couple of changed rules with
> apparent errors in them. The Spamhaus IP ranges have changed to
> something invalid. A copy of the pertinent lines from the Oinkmaster
> output:
>
> -> Modified active in bleeding-drop-BLOCK.rules (1):
>
> old: alert tcp [132.232.0.0/16,134.33.0.0/16,138.252.0.0/16,143.49.0.0/16,147.111.0.0/16,148.3.0.0/16,152.147.0.0/16,159.2.0.0/16,167.175.0.0/16,167.97.0.0/16,170.67.0.0/16,192.160.44.0/24,192.67.16.0/24,193.110.136.0/24,193.19.120.0/23,193.238.120.0/22,193.238.36.0/22,195.206.120.0/22,195.214.236.0/22,195.95.161.0/24,196.4.167.0/24,198.151.152.0/22,198.186.16.0/20,198.204.0.0/21,199.120.163.0/24,199.166.200.0/22,199.201.151.0/24,199.201.152.0/24,199.245.138.0/24,199.248.213.0/24] any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2401000; rev:6; fwsam: src, 30 days;)
> new: alert tcp [,,,,,,,,,,,,,,,,,,,,,,,,,,, any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2401000; rev:8; fwsam: src, 30 days;)
>
> -> Modified active in bleeding-drop.rules (1):
>
> old: alert tcp
> [132.232.0.0/16,134.33.0.0/16,138.252.0.0/16,143.49.0.0/16,147.111.0.0/16,148.3.0.0/16,152.147.0.0/16,159.2.0.0/16,167.175.0.0/16,167.97.0.0/16,170.67.0.0/16,192.160.44.0/24,192.67.16.0/24,193.110.136.0/24,193.19.120.0/23,193.238.120.0/22,193.238.36.0/22,195.206.120.0/22,195.214.236.0/22,195.95.161.0/24,196.4.167.0/24,198.151.152.0/22,198.186.16.0/20,198.204.0.0/21,199.120.163.0/24,199.166.200.0/22,199.201.151.0/24,199.201.152.0/24,199.245.138.0/24,199.248.213.0/24] any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2400000; rev:6;)
> new: alert tcp [,,,,,,,,,,,,,,,,,,,,,,,,,,, any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2400000; rev:8;)
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Matt

From bleeding at bleedingthreats.net Fri Dec 1 20:00:04 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Dec 1 20:00:04 2006
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20061201200004.4086922C0B2@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Dec 1 20:00:04 2006 [***]

[+++] Added rules: [+++]

    2003200 - BLEEDING-EDGE MALWARE Suspicious User Agent (MSIE XPSP2) (bleeding-malware.rules)

[///] Modified active rules: [///]

    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 10
    -> Added to bleeding-drop.rules (1):
       # VERSION 10
    -> Added to bleeding-malware.rules (1):
       #Matt Jonkman. Found being used by a goldun variant
    -> Added to bleeding-sid-msg.map (1):
       2003200 || BLEEDING-EDGE MALWARE Suspicious User Agent (MSIE XPSP2)

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
       # VERSION 9
    -> Removed from bleeding-drop.rules (1):
       # VERSION 9

From scheidell at secnap.net Sat Dec 2 15:16:59 2006
From: scheidell at secnap.net (Michael Scheidell)
Date: Sat Dec 2 15:18:08 2006
Subject: [Bleeding-sigs] FP: FW: alert: New event: BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2
Message-ID:

new netblock: as of Nov 17th, 2006, no longer bogon: 77.0.0.0/8 no longer bogon.
random sampling of IPs shows new, live, legit routing.

% Information related to '77.178.0.0/15AS6805'

route:          77.178.0.0/15
descr:          1&1 Internet AG
remarks:        netname: DE-1AND1-20061117
origin:         AS6805
mnt-by:         MDA-Z
source:         RIPE # Filtered

--- bleeding-policy.rules.org Mon Nov 27 18:01:12 2006
+++ bleeding-policy.rules Sat Dec 2 10:16:17 2006
@@ -60,7 +60,7 @@

#Idea by David Glosser, sig by Matt Jonkman
alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/ 8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:2;)
-alert ip [50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140 .249.0.0/16,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0 /6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:5;)
+alert ip [50.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140.249.0.0/16 ,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:6;)
alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002751; rev:2;)
#
#This is for reserved internal space. Do NOT run this sig on your internal net, commented out by default.

12/02-08:01:05 TCP 77.179.50.35:48455 --> 192.168.168.132:80 [1:2002750:5] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 [Classification: Potentially Bad Traffic] [Priority: 2]
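Review bot: the + line removes 77.0.0.0/8 but keeps 78.0.0.0/7, and the Cymru changelog quoted in the follow-up to this report (version 4.3) lists 77/8, 78/8 and 79/8 as allocated to RIPE together in Aug 2006, so the rev:6 Bogon Nets 2 list still flags two allocated /8s and the same false positive will fire again from 78.x and 79.x sources; drop 78.0.0.0/7 in the same edit, or better, regenerate all three lists from the current bogon-list.html the rule already references so the other changelog entries (89-91/8, 96-99/8, 121-123/8) are checked at the same time. A second point on both the - and + lines: the breaks inside "140 .249.0.0/16", "184.0.0.0 /6" and "140.249.0.0/16 ,140.250.0.0/16" are mail wrapping of one long header, not rule text; the address list in bleeding-policy.rules must stay a single whitespace-free bracketed token, so apply the change from the file rather than from this pasted hunk.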
From scheidell at secnap.net Sat Dec 2 15:24:02 2006
From: scheidell at secnap.net (Michael Scheidell)
Date: Sat Dec 2 15:26:19 2006
Subject: [Bleeding-sigs] FP: FW: alert: New event: BLEEDING-EDGE POLICYReserved IP Space Traffic - Bogon Nets 2
Message-ID:

in fact...

http://www.cymru.com/Documents/secure-ios-template.html

Changes in version 4.4:
* 96/8, 97/8, 98/8 and 99/8 allocated to ARIN (OCT 2006). Removed from the bogon filters.

Changes in version 4.3:
* 77/8, 78/8 and 79/8 allocated to RIPE (AUG 2006). Removed from the bogon filters.

Changes in version 4.2:
* 121/8, 122/8 and 123/8 allocated to APNIC (JAN 2006). Removed from the bogon filters.

Changes in version 4.1:
* 89/8, 90/8 and 91/8 allocated to RIPE (JUN 2005). Removed from the bogon filters.

-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Michael Scheidell
Sent: Saturday, December 02, 2006 10:17 AM
To: bleeding-sigs@bleedingsnort.com
Subject: [Bleeding-sigs] FP: FW: alert: New event: BLEEDING-EDGE POLICYReserved IP Space Traffic - Bogon Nets 2

new netblock: as of Nov 17th, 2006, no longer bogon: 77.0.0.0/8 no longer bogon.
random sampling of IPs shows new, live, legit routing.

% Information related to '77.178.0.0/15AS6805'

route:          77.178.0.0/15
descr:          1&1 Internet AG
remarks:        netname: DE-1AND1-20061117
origin:         AS6805
mnt-by:         MDA-Z
source:         RIPE # Filtered

--- bleeding-policy.rules.org Mon Nov 27 18:01:12 2006
+++ bleeding-policy.rules Sat Dec 2 10:16:17 2006
@@ -60,7 +60,7 @@

#Idea by David Glosser, sig by Matt Jonkman
alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/ 8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:2;)
-alert ip [50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140 .249.0.0/16,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0 /6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:5;)
+alert ip [50.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140.249.0.0/16 ,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:6;)
alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002751; rev:2;)
#
#This is for reserved internal space. Do NOT run this sig on your internal net, commented out by default.

12/02-08:01:05 TCP 77.179.50.35:48455 --> 192.168.168.132:80 [1:2002750:5] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 [Classification: Potentially Bad Traffic] [Priority: 2]
From jonkman at bleedingthreats.net Sat Dec 2 15:56:01 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Sat Dec 2 15:58:09 2006
Subject: [Bleeding-sigs] FP: FW: alert: New event: BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2
In-Reply-To:
References:
Message-ID: <4571A211.3050806@bleedingthreats.net>

You are correct. I missed the allocation announcement somewhere. Thanks for pointing it out. Corrected sig is posted now.

Thanks!

Matt

Michael Scheidell wrote:
> new netblock: as of Nov 17th, 2006, no longer bogon: 77.0.0.0/8 no
> longer bogon.
> random sampling of IPs shows new, live, legit routing.
>
> % Information related to '77.178.0.0/15AS6805'
>
> route:          77.178.0.0/15
> descr:          1&1 Internet AG
> remarks:        netname: DE-1AND1-20061117
> origin:         AS6805
> mnt-by:         MDA-Z
> source:         RIPE # Filtered
>
> --- bleeding-policy.rules.org Mon Nov 27 18:01:12 2006
> +++ bleeding-policy.rules Sat Dec 2 10:16:17 2006
> @@ -60,7 +60,7 @@
>
> #Idea by David Glosser, sig by Matt Jonkman
> alert ip
> [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8]
> any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space
> Traffic - Bogon Nets 1"; classtype:bad-unknown;
> reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type
> limit, track by_src, count 1, seconds 360; sid:2002749; rev:2;)
> -alert ip
> [50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140.249.0.0/16,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6]
> any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space
> Traffic - Bogon Nets 2"; classtype:bad-unknown;
> reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type
> limit, track by_src, count 1, seconds 360; sid:2002750; rev:5;)
> +alert ip
> [50.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140.249.0.0/16,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6]
> any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space
> Traffic - Bogon Nets 2"; classtype:bad-unknown;
> reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type
> limit, track by_src, count 1, seconds 360; sid:2002750; rev:6;)
> alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any ->
> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic -
> Bogon Nets 3"; classtype:bad-unknown;
> reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type
> limit, track by_src, count 1, seconds 360; sid:2002751; rev:2;)
> #
> #This is for reserved internal space. Do NOT run this sig on your
> internal net, commented out by default.
> 12/02-08:01:05 TCP 77.179.50.35:48455 --> 192.168.168.132:80 [1:2002750:5] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 [Classification: Potentially Bad Traffic] [Priority: 2]
>
> ------------------------------------------------------------------------

Matt

From bleeding at bleedingthreats.net Sat Dec 2 20:00:04 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Sat Dec 2 20:00:05 2006
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20061202200004.4C01822C0BD@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Sat Dec 2 20:00:04 2006 [***]

[///] Modified active rules: [///]

    2002750 - BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 (bleeding-policy.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 11
    -> Added to bleeding-drop.rules (1):
       # VERSION 11

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
       # VERSION 10
    -> Removed from bleeding-drop.rules (1):
       # VERSION 10

From scheidell at secnap.net Sun Dec 3 02:08:02 2006
From: scheidell at secnap.net (Michael Scheidell)
Date: Sun Dec 3 02:09:07 2006
Subject: [Bleeding-sigs] FW: alert: New event: Unknown alert typeBLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) {UDP} 172.22.1.60:1094 -> 83.2.83.1:53
Message-ID:

and this one...

role:           TP S.A. Hostmaster
address:        TP S.A.
address:        ul. Nowogrodzka 47A
address:        00-695 Warszawa
address:        Poland
phone:          +48 22 6225182
fax-no:         +48 22 6225182
remarks:        Network problems -> hostmaster@telekomunikacja.pl
remarks:        Abuse and spam notification -> abuse@telekomunikacja.pl
remarks:        DNS problems -> dns@telekomunikacja.pl
remarks:        Routing problems -> registry@tpnet.pl
admin-c:        TK569-RIPE
tech-c:         TK569-RIPE
tech-c:         JS1838-RIPE
nic-hdl:        TPHT
remarks:        ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks:        Please send spam and abuse notification only
remarks:        to abuse@telekomunikacja.pl
remarks:        phone: +48 22 8871788
remarks:        ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by:         TPNET
abuse-mailbox:  abuse@telekomunikacja.pl
source:         RIPE # Filtered

person:         Marek Markowicz
address:        Prestiz
address:        ul. K.B. Kominka 20c
address:        59-101 Polkowice
address:        POLAND
phone:          +48 76 8453686
phone:          +48 691 930818
nic-hdl:        MM14665-RIPE
mnt-by:         TPNET
source:         RIPE # Filtered

% Information related to '83.0.0.0/11AS5617'

route:          83.0.0.0/11
descr:          TPNET
descr:          for abuse: abuse@tpnet.pl
origin:         AS5617
mnt-by:         AS5617-MNT
source:         RIPE # Filtered

12/02-16:32:39 GEN 0.0.0.0:0 --> 0.0.0.0:0 [[0:0:0]] Unknown alert typeBLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) {UDP} 172.22.1.60:1094 -> 83.2.83.1:53 [Classification: smtpalert] [Priority: 2]

From scheidell at secnap.net Sun Dec 3 02:09:41 2006
From: scheidell at secnap.net (Michael Scheidell)
Date: Sun Dec 3 02:10:41 2006
Subject: [Bleeding-sigs] FW: alert: New event: Unknown alerttypeBLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) {UDP} 172.22.1.60:1094 -> 83.2.83.1:53
Message-ID:

nevermind..

-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Michael Scheidell
Sent: Saturday, December 02, 2006 9:08 PM
To: Bleeding Sigs
Subject: [Bleeding-sigs] FW: alert: New event: Unknown alerttypeBLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) {UDP} 172.22.1.60:1094 -> 83.2.83.1:53

and this one...

role:           TP S.A. Hostmaster
address:        TP S.A.
address:        ul. Nowogrodzka 47A
address:        00-695 Warszawa
address:        Poland
phone:          +48 22 6225182
fax-no:         +48 22 6225182
remarks:        Network problems -> hostmaster@telekomunikacja.pl
remarks:        Abuse and spam notification -> abuse@telekomunikacja.pl
remarks:        DNS problems -> dns@telekomunikacja.pl
remarks:        Routing problems -> registry@tpnet.pl
admin-c:        TK569-RIPE
tech-c:         TK569-RIPE
tech-c:         JS1838-RIPE
nic-hdl:        TPHT
remarks:        ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks:        Please send spam and abuse notification only
remarks:        to abuse@telekomunikacja.pl
remarks:        phone: +48 22 8871788
remarks:        ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by:         TPNET
abuse-mailbox:  abuse@telekomunikacja.pl
source:         RIPE # Filtered

person:         Marek Markowicz
address:        Prestiz
address:        ul. K.B. Kominka 20c
address:        59-101 Polkowice
address:        POLAND
phone:          +48 76 8453686
phone:          +48 691 930818
nic-hdl:        MM14665-RIPE
mnt-by:         TPNET
source:         RIPE # Filtered

% Information related to '83.0.0.0/11AS5617'

route:          83.0.0.0/11
descr:          TPNET
descr:          for abuse: abuse@tpnet.pl
origin:         AS5617
mnt-by:         AS5617-MNT
source:         RIPE # Filtered

12/02-16:32:39 GEN 0.0.0.0:0 --> 0.0.0.0:0 [[0:0:0]] Unknown alert typeBLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) {UDP} 172.22.1.60:1094 -> 83.2.83.1:53 [Classification: smtpalert] [Priority: 2]

From jonkman at bleedingthreats.net Mon Dec 4 14:25:46 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Dec 4 14:27:45 2006
Subject: [Bleeding-sigs] FP: FW: alert: New event: BLEEDING-EDGE POLICYReserved IP Space Traffic - Bogon Nets 2
In-Reply-To:
References:
Message-ID: <45742FEA.2010702@bleedingthreats.net>

Thanks for the reminder. I ran through the entire list. Had several adds and removes. We're synced back up with cymru.

Thanks Michael!

Matt

Michael Scheidell wrote:
> in fact...
>
> http://www.cymru.com/Documents/secure-ios-template.html
>
>
> Changes in version 4.4:
>
> * 96/8, 97/8, 98/8 and 99/8 allocated to ARIN (OCT 2006). Removed
> from the bogon filters.
>
> Changes in version 4.3:
>
> * 77/8, 78/8 and 79/8 allocated to RIPE (AUG 2006). Removed from the
> bogon filters.
>
> Changes in version 4.2:
>
> * 121/8, 122/8 and 123/8 allocated to APNIC (JAN 2006). Removed from
> the bogon filters.
>
> Changes in version 4.1:
>
> * 89/8, 90/8 and 91/8 allocated to RIPE (JUN 2005). Removed from the
> bogon filters.
>
> -----Original Message-----
> *From:* bleeding-sigs-bounces@bleedingthreats.net
> [mailto:bleeding-sigs-bounces@bleedingthreats.net] *On Behalf Of
> *Michael Scheidell
> *Sent:* Saturday, December 02, 2006 10:17 AM
> *To:* bleeding-sigs@bleedingsnort.com
> *Subject:* [Bleeding-sigs] FP: FW: alert: New event: BLEEDING-EDGE
> POLICYReserved IP Space Traffic - Bogon Nets 2
>
> new netblock: as of Nov 17th, 2006, no longer bogon: 77.0.0.0/8 no
> longer bogon.
> random sampling of IPs shows new, live, legit routing.
>
>
>
> % Information related to '77.178.0.0/15AS6805'
>
> route: 77.178.0.0/15
> descr: 1&1 Internet AG
> remarks: netname: DE-1AND1-20061117
> origin: AS6805
> mnt-by: MDA-Z
> source: RIPE # Filtered
>
> --- bleeding-policy.rules.org Mon Nov 27 18:01:12 2006
> +++ bleeding-policy.rules Sat Dec 2 10:16:17 2006
> @@ -60,7 +60,7 @@ > > #Idea by David Glosser, sig by Matt Jonkman > alert ip > [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8] > any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space > Traffic - Bogon Nets 1"; classtype:bad-unknown; > reference:url,www.cymru.com/Documents/bogon-list.html; threshold: > type limit, track by_src, count 1, seconds 360; sid:2002749; rev:2;) > -alert ip > [50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140.249.0.0/16,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] > any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space > Traffic - Bogon Nets 2"; classtype:bad-unknown; > reference:url,www.cymru.com/Documents/bogon-list.html; threshold: > type limit, track by_src, count 1, seconds 360; sid:2002750; rev:5;) > +alert ip > [50.0.0.0/8,78.0.0.0/7,92.0.0.0/6,112.0.0.0/5,120.0.0.0/8,140.249.0.0/16,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] > any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space > Traffic - Bogon Nets 2"; classtype:bad-unknown; > reference:url,www.cymru.com/Documents/bogon-list.html; threshold: > type limit, track by_src, count 1, seconds 360; sid:2002750; rev:6;) > alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any > -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space > Traffic - Bogon Nets 3"; classtype:bad-unknown; > reference:url,www.cymru.com/Documents/bogon-list.html; threshold: > type limit, track by_src, count 1, seconds 360; sid:2002751; rev:2;) > # > #This is for reserved internal space. Do NOT run this sig on your > internal net, commented out by default. 
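Review bot: the hunk removes only 77.0.0.0/8 from the Bogon Nets 2 source list, but the Cymru changelog quoted above (version 4.3) says 77/8, 78/8 and 79/8 were all allocated to RIPE in Aug 2006, and the `+alert ip` line still carries 78.0.0.0/7, which covers both 78/8 and 79/8. Drop 78.0.0.0/7 in the same revision, otherwise rev:6 keeps alerting on the other two allocated blocks and the next false positive is a 78.x or 79.x source. Bumping rev:5 to rev:6 while keeping sid:2002750 is the right way to ship the list change; the Bogon Nets 1 and 3 lines in the hunk are unchanged context.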
> 12/02-08:01:05 TCP 77.179.50.35:48455 --> 192.168.168.132:80
> [1:2002750:5] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2
> [Classification: Potentially Bad Traffic] [Priority: 2]
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Mon Dec 4 20:00:04 2006
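The false positive in this thread (source 77.179.50.35 tripping Bogon Nets 2 at rev:5) can be reproduced offline by evaluating an address against each revision's source list, which also shows which entries of a bogon rule overlap space a RIR has since allocated. The Python below is an added example, not code from the thread or from Bleeding Edge Threats; the netblock lists are copied from the quoted bleeding-policy.rules diff, the allocated prefixes from the quoted Cymru changelog 4.3, and the function names `matching_nets` and `still_listed` are mine.

```python
import ipaddress

# Source list of "Bogon Nets 2" (sid:2002750) as it stood at rev:5 and after the
# rev:6 change, copied from the bleeding-policy.rules diff quoted in the thread.
BOGON_NETS_2_REV5 = [
    "50.0.0.0/8", "77.0.0.0/8", "78.0.0.0/7", "92.0.0.0/6", "112.0.0.0/5",
    "120.0.0.0/8", "140.249.0.0/16", "140.250.0.0/16", "173.0.0.0/8",
    "174.0.0.0/7", "176.0.0.0/5", "184.0.0.0/6",
]
BOGON_NETS_2_REV6 = [n for n in BOGON_NETS_2_REV5 if n != "77.0.0.0/8"]

# Prefixes the quoted Cymru changelog (version 4.3) lists as allocated to RIPE
# in Aug 2006 and removed from its bogon filters.
RIPE_AUG_2006 = ["77.0.0.0/8", "78.0.0.0/8", "79.0.0.0/8"]


def matching_nets(ip, nets):
    """Entries of `nets` that contain `ip`: the reason a 'Reserved IP Space
    Traffic' rule built from that list fires on a packet from this source."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in ipaddress.ip_network(n)]


def still_listed(allocated, nets):
    """Entries of a bogon rule that overlap space a RIR has since allocated.
    Everything returned here keeps producing false positives on live hosts
    until the rule's list is updated. (Helper written for this example.)"""
    stale = []
    for n in nets:
        net = ipaddress.ip_network(n)
        if n not in stale and any(net.overlaps(ipaddress.ip_network(a)) for a in allocated):
            stale.append(n)
    return stale


if __name__ == "__main__":
    src = "77.179.50.35"  # source address from the alert quoted in the thread
    print("rev:5 matches:", matching_nets(src, BOGON_NETS_2_REV5))
    print("rev:6 matches:", matching_nets(src, BOGON_NETS_2_REV6))
    print("still overlapping Aug 2006 RIPE allocations after rev:6:",
          still_listed(RIPE_AUG_2006, BOGON_NETS_2_REV6))
```

Running it shows the alert source matching 77.0.0.0/8 at rev:5 and nothing at rev:6, and that 78.0.0.0/7 (78/8 plus 79/8) is still in the rev:6 list even though the same changelog entry covers those two blocks; re-running `still_listed` against each new Cymru changelog is a cheap way to catch that kind of drift before the alerts do.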
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Mon Dec 4 20:00:04 2006
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20061204200004.156D722C0BE@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Mon Dec 4 20:00:03 2006 [***]

[+++] Added rules: [+++]

2003201 - BLEEDING-EDGE MALWARE Thespyguard.com Spyware Install (bleeding-malware.rules)
2003202 - BLEEDING-EDGE MALWARE Thespyguard.com Spyware Update Check (bleeding-malware.rules)
2003203 - BLEEDING-EDGE MALWARE Hitvirus Fake AV Install (bleeding-malware.rules)
2003204 - BLEEDING-EDGE MALWARE Thespyguard.com Spyware Updating (bleeding-malware.rules)
2003205 - BLEEDING-EDGE MALWARE Suspicious User Agent (Informer from RBC) (bleeding-malware.rules)

[///] Modified active rules: [///]

2002750 - BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 (bleeding-policy.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 13
-> Added to bleeding-drop.rules (1):
# VERSION 13
-> Added to bleeding-malware.rules (2):
# all sorts of junk at www.thespyguard.com, fake antispyware trojan
#Matt Jonkman. Kliksoftware.com products seen using this for updates
-> Added to bleeding-sid-msg.map (5):
2003201 || BLEEDING-EDGE MALWARE Thespyguard.com Spyware Install || url,www.kliksoftware.com || url,www.thespyguard.com
2003202 || BLEEDING-EDGE MALWARE Thespyguard.com Spyware Update Check || url,www.thespyguard.com || url,www.kliksoftware.com
2003203 || BLEEDING-EDGE MALWARE Hitvirus Fake AV Install || url,www.kliksoftware.com
2003204 || BLEEDING-EDGE MALWARE Thespyguard.com Spyware Updating || url,www.thespyguard.com || url,www.kliksoftware.com
2003205 || BLEEDING-EDGE MALWARE Suspicious User Agent (Informer from RBC) || url,www.kliksoftware.com

[---] Removed non-rule lines: [---]

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 11
-> Removed from bleeding-drop.rules (1):
# VERSION 11

From mrowley at esoft.com Mon Dec 4 21:15:08 2006
From: mrowley at esoft.com (mat)
Date: Mon Dec 4 21:18:27 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <20061204200004.156D722C0BE@sb03.us.bleedingsnort.com>
References: <20061204200004.156D722C0BE@sb03.us.bleedingsnort.com>
Message-ID: <45748FDC.5080405@esoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Over the weekend, there was an XSS worm which is being used in myspace. It uses the embedded javascript functionality of the quicktime .mov file. I wrote this little rule to see if there was any javascript in a quicktime file. Since quicktime is a proprietary technology, I have no header information / RFC. If anyone has any info that will help me speed up this rule, it would be very appreciated.

mat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFdI/b47s/xIwy7o0RAmxdAJ9CW+Sb/ISgbpEmgHfvhXGNDPosGwCfSCrY
RXpePrlC9vWffz+XGi8natk=
=So/9
-----END PGP SIGNATURE-----

From mrowley at esoft.com Mon Dec 4 21:17:33 2006
From: mrowley at esoft.com (mat)
Date: Mon Dec 4 21:20:17 2006
Subject: [Bleeding-sigs] myspace .mov worm
Message-ID: <4574906D.7050100@esoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forgot to add the rule...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File with embedded Javascript"; uricontent: ".mov"; pcre:"/[AT]<[^>]*javascript\:.*>/i")

- --
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFdJBt47s/xIwy7o0RAnMcAJ0flOMFxSHPSDdFKaaOGHXKVixy4QCbB9dS
TC+w2Kb50rZh6R+izwscNHw=
=fKzI
-----END PGP SIGNATURE-----

From mrowley at esoft.com Mon Dec 4 21:22:35 2006
From: mrowley at esoft.com (mat)
Date: Mon Dec 4 21:27:12 2006
Subject: [Bleeding-sigs] .mov rule update
Message-ID: <4574919B.6010608@esoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unfortunately, when writing the previous rule, I did not get correct information. Here is how the info will look in the .mov file:

http://www.apple.com/quicktime/tutorials/hreftracks.html

and the rule should look like this

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File with embedded Javascript"; uricontent: ".mov"; pcre:"/A<[^>]*javascript\:.*>T<.*>/i")

- --
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFdJGU47s/xIwy7o0RAmqDAKCGdmlBmgNxDqwwgL75WP0NcY2+/gCfayMz
SJJziIM7Qq2AkXBKeILZaGE=
=SJWL
-----END PGP SIGNATURE-----

From jonkman at bleedingthreats.net Mon Dec 4 21:25:21 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Dec 4 21:29:03 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <4574906D.7050100@esoft.com>
References: <4574906D.7050100@esoft.com>
Message-ID: <45749241.3090303@bleedingthreats.net>

That seems like a reasonable rule. The load should be minimal unless you've got a very high volume of .mov's on your net.

If no one has any suggestions to add, I'll get it posted in a few minutes.

Thanks Mat!

Matt

mat wrote:
> Forgot to add the rule...
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File
> with embedded Javascript"; uricontent: ".mov";
> pcre:"/[AT]<[^>]*javascript\:.*>/i")
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Mon Dec 4 21:46:25 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Dec 4 21:49:38 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <45749241.3090303@bleedingthreats.net>
References: <4574906D.7050100@esoft.com> <45749241.3090303@bleedingthreats.net>
Message-ID: <45749731.4040002@bleedingthreats.net>

Wait a sec... The mov will be outbound to the server, and the javascript inbound from the hostile server. So we'd need to set a flowbit, and check it on the way back. no?

How about this then:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File Requested"; flow:established,to_server; uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert; classtype:not-suspicious; sid:2003206; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/[AT]<[^>]*javascript\:.*>/im"; classtype:attempted-admin; sid:2003207; rev:1;)

That'll set the bit when requested, and watch for the javascript tag on the return traffic. Look good?

Matt

Matt Jonkman wrote:
> That seems like a reasonable rule. The load should be minimal unless
> you've got a very high volume of .mov's on your net.
>
> If no one has any suggestions to add, I'll get it posted in a few minutes.
>
> Thanks Mat!
>
> Matt
>
> mat wrote:
>> Forgot to add the rule...
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File
>> with embedded Javascript"; uricontent: ".mov";
>> pcre:"/[AT]<[^>]*javascript\:.*>/i")
>>
>>
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Tue Dec 5 01:09:36 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Dec 5 01:11:48 2006
Subject: [Bleeding-sigs] .mov rule update
In-Reply-To: <4574919B.6010608@esoft.com>
References: <4574919B.6010608@esoft.com>
Message-ID: <4574C6D0.1020304@bleedingthreats.net>

Updating the sig I put up, thanks for the update.

Matt

mat wrote:
> Unfortunately when writing the previous rule, I did not get correct
> information, here is how the info will look in the .mov file
>
> http://www.apple.com/quicktime/tutorials/hreftracks.html
>
> and the rule should look like this
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File
> with embedded Javascript"; uricontent: ".mov";
> pcre:"/A<[^>]*javascript\:.*>T<.*>/i")
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From mrowley at esoft.com Tue Dec 5 15:17:21 2006
From: mrowley at esoft.com (mat)
Date: Tue Dec 5 15:20:29 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <45749731.4040002@bleedingthreats.net>
References: <4574906D.7050100@esoft.com> <45749241.3090303@bleedingthreats.net> <45749731.4040002@bleedingthreats.net>
Message-ID: <45758D81.7090400@esoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The javascript is actually in the .mov file... There is a malicious sample here (which just does an alert):
http://www.gnucitizen.org/blog/backdooring-quicktime-movies/sample_backdoored.mov

Viewing it in a hex editor, you can see the javascript tags in plain text. So, you can set it up the way I initially had it.

Matt Jonkman wrote:
> Wait a sec... The mov will be outbound to the server, and the javascript
> inbound from the hostile server. So we'd need to set a flowbit, and
> check it on the way back. no?
>
> How about this then:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> EXPLOIT Quicktime .mov File Requested"; flow:established,to_server;
> uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert;
> classtype:not-suspicious; sid:2003206; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
> EXPLOIT Quicktime .mov File with embedded Javascript";
> flow:established,from_server; flowbits:isset,BE.movuri;
> pcre:"/[AT]<[^>]*javascript\:.*>/im"; classtype:attempted-admin;
> sid:2003207; rev:1;)
>
>
> That'll set the bit when requested, and watch for the javascript tag on
> the return traffic. Look good?
>
> Matt
>
>
> Matt Jonkman wrote:
>> That seems like a reasonable rule. The load should be minimal unless
>> you've got a very high volume of .mov's on your net.
>>
>> If no one has any suggestions to add, I'll get it posted in a few minutes.
>>
>> Thanks Mat!
>>
>> Matt
>>
>> mat wrote:
>>> Forgot to add the rule...
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File
>>> with embedded Javascript"; uricontent: ".mov";
>>> pcre:"/[AT]<[^>]*javascript\:.*>/i")
>>>
>>>
>>>
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
>

- --
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFdY2B47s/xIwy7o0RAhNNAKCDhwbeR7RpLKoEy+GQ1r/FjPc0wgCeOjjQ
TygNC+0bL1GpO9ycURqnqz8=
=Fgcx
-----END PGP SIGNATURE-----

From jonkman at bleedingthreats.net Tue Dec 5 15:24:00 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Dec 5 15:27:10 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <45758D81.7090400@esoft.com>
References: <4574906D.7050100@esoft.com> <45749241.3090303@bleedingthreats.net> <45749731.4040002@bleedingthreats.net> <45758D81.7090400@esoft.com>
Message-ID: <45758F10.9030408@bleedingthreats.net>

So what's up now is accurate then:

http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_MOV_Javascript?view=markup

Matt

(Matt's with 2 t's are cooler than mat's with one t.)

mat wrote:
> The javascript is actually in the .mov file... There is a malicious
> sample here (which just does an alert):
> http://www.gnucitizen.org/blog/backdooring-quicktime-movies/sample_backdoored.mov
>
> Viewing it in a hex editor, you can see the javascript tags in plain
> text. So, you can set it up the way I initially had it.
>
>
> Matt Jonkman wrote:
>> Wait a sec... The mov will be outbound to the server, and the javascript
>> inbound from the hostile server. So we'd need to set a flowbit, and
>> check it on the way back. no?
>
>> How about this then:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
>> EXPLOIT Quicktime .mov File Requested"; flow:established,to_server;
>> uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert;
>> classtype:not-suspicious; sid:2003206; rev:1;)
>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
>> EXPLOIT Quicktime .mov File with embedded Javascript";
>> flow:established,from_server; flowbits:isset,BE.movuri;
>> pcre:"/[AT]<[^>]*javascript\:.*>/im"; classtype:attempted-admin;
>> sid:2003207; rev:1;)
>
>
>> That'll set the bit when requested, and watch for the javascript tag on
>> the return traffic. Look good?
>
>> Matt
>
>
>> Matt Jonkman wrote:
>>> That seems like a reasonable rule. The load should be minimal unless
>>> you've got a very high volume of .mov's on your net.
>>>
>>> If no one has any suggestions to add, I'll get it posted in a few minutes.
>>>
>>> Thanks Mat!
>>>
>>> Matt
>>>
>>> mat wrote:
>>>> Forgot to add the rule...
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File
>>>> with embedded Javascript"; uricontent: ".mov";
>>>> pcre:"/[AT]<[^>]*javascript\:.*>/i")
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Bleeding-sigs mailing list
>>> Bleeding-sigs@bleedingthreats.net
>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From mrowley at esoft.com Tue Dec 5 15:32:22 2006
From: mrowley at esoft.com (mat)
Date: Tue Dec 5 15:36:14 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <45758D81.7090400@esoft.com>
References: <4574906D.7050100@esoft.com> <45749241.3090303@bleedingthreats.net> <45749731.4040002@bleedingthreats.net> <45758D81.7090400@esoft.com>
Message-ID: <45759106.7090009@esoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry, Matt, you are right.... The URI is going outbound to the server, and the actual file is coming inbound to the client. Thanks.

mat wrote:
> The javascript is actually in the .mov file... There is a malicious
> sample here (which just does an alert):
> http://www.gnucitizen.org/blog/backdooring-quicktime-movies/sample_backdoored.mov
>
> Viewing it in a hex editor, you can see the javascript tags in plain
> text. So, you can set it up the way I initially had it.
>
>
> Matt Jonkman wrote:
>>> Wait a sec... The mov will be outbound to the server, and the javascript
>>> inbound from the hostile server. So we'd need to set a flowbit, and
>>> check it on the way back. no?
>>>
>>> How about this then:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
>>> EXPLOIT Quicktime .mov File Requested"; flow:established,to_server;
>>> uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert;
>>> classtype:not-suspicious; sid:2003206; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
>>> EXPLOIT Quicktime .mov File with embedded Javascript";
>>> flow:established,from_server; flowbits:isset,BE.movuri;
>>> pcre:"/[AT]<[^>]*javascript\:.*>/im"; classtype:attempted-admin;
>>> sid:2003207; rev:1;)
>>>
>>>
>>> That'll set the bit when requested, and watch for the javascript tag on
>>> the return traffic. Look good?
>>>
>>> Matt
>>>
>>>
>>> Matt Jonkman wrote:
>>>> That seems like a reasonable rule. The load should be minimal unless
>>>> you've got a very high volume of .mov's on your net.
>>>>
>>>> If no one has any suggestions to add, I'll get it posted in a few minutes.
>>>>
>>>> Thanks Mat!
>>>>
>>>> Matt
>>>>
>>>> mat wrote:
>>>>> Forgot to add the rule...
>>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File
>>>>> with embedded Javascript"; uricontent: ".mov";
>>>>> pcre:"/[AT]<[^>]*javascript\:.*>/i")
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Bleeding-sigs mailing list
>>>> Bleeding-sigs@bleedingthreats.net
>>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>>>
>
>
> --
>
>
> \\ Mathew Rowley
> \\ eSoft Inc.
> \\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

- --
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFdZEF47s/xIwy7o0RAmabAJ97AcnX2xWlSRSBVn7BY88dHJnffgCeKnsJ
BBAt5adVeQmxxjRqFKofSK8=
=kum2
-----END PGP SIGNATURE-----

From mrowley at esoft.com Tue Dec 5 16:26:36 2006
From: mrowley at esoft.com (mat)
Date: Tue Dec 5 16:30:40 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <45758F10.9030408@bleedingthreats.net>
References: <4574906D.7050100@esoft.com> <45749241.3090303@bleedingthreats.net> <45749731.4040002@bleedingthreats.net> <45758D81.7090400@esoft.com> <45758F10.9030408@bleedingthreats.net>
Message-ID: <45759DBC.6070008@esoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The second part of the rule should be

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/A<[^>]*javascript\:.*>T<.*>/im"; classtype:attempted-admin; sid:2003207; rev:1;)

Matt Jonkman wrote:
> So what's up now is accurate then:
>
> http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_MOV_Javascript?view=markup
>
> Matt
>
> (Matt's with 2 t's are cooler than mat's with one t.)
>
> mat wrote:
>> The javascript is actually in the .mov file... There is a malicious
>> sample here (which just does an alert):
>> http://www.gnucitizen.org/blog/backdooring-quicktime-movies/sample_backdoored.mov
>>
>> Viewing it in a hex editor, you can see the javascript tags in plain
>> text. So, you can set it up the way I initially had it.
>>
>> Matt Jonkman wrote:
>>> Wait a sec... The mov will be outbound to the server, and the javascript
>>> inbound from the hostile server. So we'd need to set a flowbit, and
>>> check it on the way back. no?
>>>
>>> How about this then:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File Requested"; flow:established,to_server; uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert; classtype:not-suspicious; sid:2003206; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/[AT]<[^>]*javascript\:.*>/im"; classtype:attempted-admin; sid:2003207; rev:1;)
>>>
>>> That'll set the bit when requested, and watch for the javascript tag on
>>> the return traffic. Look good?
>>>
>>> Matt
>>>
>>> Matt Jonkman wrote:
>>>> That seems like a reasonable rule. The load should be minimal unless
>>>> you've got a very high volume of .mov's on your net.
>>>>
>>>> If no one has any suggestions to add, I'll get it posted in a few minutes.
>>>>
>>>> Thanks Mat!
>>>>
>>>> Matt
>>>>
>>>> mat wrote:
>>>>> Forgot to add the rule...
>>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File with embedded Javascript"; uricontent: ".mov"; pcre:"/[AT]<[^>]*javascript\:.*>/i")
>>>>>
>>>> _______________________________________________
>>>> Bleeding-sigs mailing list
>>>> Bleeding-sigs@bleedingthreats.net
>>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>>>
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
- --
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFdZ2847s/xIwy7o0RAgolAJ9j2TSHIOv2EKWbsTH67C+Wa6CoegCfZ/WZ
Wc4BbWW2avmioHpAzZAIIJA=
=DShs
-----END PGP SIGNATURE-----

From jonkman at bleedingthreats.net Tue Dec 5 18:22:42 2006
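The request/response pairing the .mov thread settles on (sid 2003206 sets the BE.movuri bit on the outbound request and never alerts; sid 2003207 alerts on the response only when that bit is set on the same flow) can be checked offline with a small emulation. The following is an added example written for this page, not code from the list or from the Bleeding Edge ruleset: the HTTP exchanges are constructed, the two patterns are Python renderings of the posted uricontent and the final pcre, and Snort details such as stream reassembly, URI normalization and the $HOME_NET / $HTTP_PORTS checks are left out.

```python
"""Offline emulation of the two-rule flowbits pairing settled on in the thread.

Added example for this page, not code from the Bleeding Edge ruleset or from
any list member.  sid 2003206 sets the BE.movuri bit on an outbound request
whose URI contains ".mov" and never alerts; sid 2003207 alerts on the
response only when that bit is set on the same flow and the body carries the
javascript: HREF text the posted pcre looks for.  Stream reassembly, URI
normalization and the $HTTP_PORTS / $HOME_NET checks are left out.
"""
from __future__ import annotations

import re
from collections import defaultdict

# sid 2003206: uricontent:".mov" (checked against the request-target only)
MOV_URI = re.compile(r"\.mov", re.IGNORECASE)

# sid 2003207 as finally posted: pcre:"/A<[^>]*javascript\:.*>T<.*>/im"
# [^>]* keeps the match inside one A<...> element; "." does not cross a
# newline, so A<...> and T<...> have to sit on the same line.
JS_HREF = re.compile(rb"A<[^>]*javascript:.*>T<.*>", re.IGNORECASE | re.MULTILINE)

BE_MOVURI = "BE.movuri"
SID_REQUEST, SID_RESPONSE = 2003206, 2003207


def request_uri(request: bytes) -> str:
    """Pull the request-target out of an HTTP request line ("GET /a.mov HTTP/1.1")."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


class FlowbitSensor:
    """Minimal stand-in for Snort's per-session flowbits."""

    def __init__(self) -> None:
        self.bits: dict[tuple, set[str]] = defaultdict(set)
        self.alerts: list[tuple[tuple, int]] = []

    def to_server(self, flow: tuple, request: bytes) -> None:
        # flowbits:set,BE.movuri; flowbits:noalert; -> remember the flow, never alert
        if MOV_URI.search(request_uri(request)):
            self.bits[flow].add(BE_MOVURI)

    def from_server(self, flow: tuple, response: bytes) -> bool:
        # flowbits:isset,BE.movuri; pcre:... -> alert only on a flow that asked for a .mov
        if BE_MOVURI in self.bits[flow] and JS_HREF.search(response):
            self.alerts.append((flow, SID_RESPONSE))
            return True
        return False


# Constructed traffic.  HOSTILE_MOV is not a real QuickTime file, just the
# HREF-track style text the posted pcre matches, wrapped in filler bytes.
MOV_REQUEST = b"GET /videos/clip.mov HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTML_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HOSTILE_MOV = (b"HTTP/1.1 200 OK\r\nContent-Type: video/quicktime\r\n\r\n"
               b"\x00\x00\x00\x08wide....moov....\n"
               b"A<javascript:alert(1)>T<myself>\n....")
BENIGN_MOV = (b"HTTP/1.1 200 OK\r\nContent-Type: video/quicktime\r\n\r\n"
              b"\x00\x00\x00\x08wide....moov....mdat....")


def run_scenarios() -> dict[str, bool]:
    """Replay three flows; True means sid 2003207 fired for that flow."""
    sensor = FlowbitSensor()
    results: dict[str, bool] = {}

    flow_a = ("10.0.0.5", 51000, "192.0.2.10", 80)   # .mov requested, hostile reply
    sensor.to_server(flow_a, MOV_REQUEST)
    results["mov_then_js"] = sensor.from_server(flow_a, HOSTILE_MOV)

    flow_b = ("10.0.0.5", 51001, "192.0.2.10", 80)   # same hostile bytes, no .mov request
    sensor.to_server(flow_b, HTML_REQUEST)
    results["html_then_js"] = sensor.from_server(flow_b, HOSTILE_MOV)

    flow_c = ("10.0.0.5", 51002, "192.0.2.10", 80)   # .mov requested, clean reply
    sensor.to_server(flow_c, MOV_REQUEST)
    results["mov_then_clean"] = sensor.from_server(flow_c, BENIGN_MOV)
    return results


if __name__ == "__main__":
    for name, fired in run_scenarios().items():
        print(f"{name:15} {'ALERT sid 2003207' if fired else 'no alert'}")
```

Only the first flow alerts: the second carries the same hostile bytes but never asked for a .mov, so the bit is unset, and the third asked for a .mov but got a clean reply. One property of the posted pcre worth knowing before relying on it: it needs a literal `>T<`, so an HREF string whose `A<...>` and `T<...>` parts are separated by whitespace or a newline does not match it, whereas Matt's earlier `[AT]<[^>]*javascript\:.*>` variant had no such dependency.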
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Dec 5 18:26:17 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <45759DBC.6070008@esoft.com>
References: <4574906D.7050100@esoft.com> <45749241.3090303@bleedingthreats.net> <45749731.4040002@bleedingthreats.net> <45758D81.7090400@esoft.com> <45758F10.9030408@bleedingthreats.net> <45759DBC.6070008@esoft.com>
Message-ID: <4575B8F2.9050203@bleedingthreats.net>

OK, got it posted. Look right now?

matt

mat wrote:
> The second part of the rule should be
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/A<[^>]*javascript\:.*>T<.*>/im"; classtype:attempted-admin; sid:2003207; rev:1;)
>
> Matt Jonkman wrote:
>> So what's up now is accurate then:
>>
>> http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_MOV_Javascript?view=markup
>>
>> Matt
>>
>> (Matt's with 2 t's are cooler than mat's with one t.)
>>
>> mat wrote:
>>> The javascript is actually in the .mov file... There is a malicious
>>> sample here (which just does an alert):
>>> http://www.gnucitizen.org/blog/backdooring-quicktime-movies/sample_backdoored.mov
>>>
>>> Viewing it in a hex editor, you can see the javascript tags in plain
>>> text. So, you can set it up the way I initially had it.
>>>
>>> Matt Jonkman wrote:
>>>> Wait a sec... The mov will be outbound to the server, and the javascript
>>>> inbound from the hostile server. So we'd need to set a flowbit, and
>>>> check it on the way back. no?
>>>>
>>>> How about this then:
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File Requested"; flow:established,to_server; uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert; classtype:not-suspicious; sid:2003206; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/[AT]<[^>]*javascript\:.*>/im"; classtype:attempted-admin; sid:2003207; rev:1;)
>>>>
>>>> That'll set the bit when requested, and watch for the javascript tag on
>>>> the return traffic. Look good?
>>>>
>>>> Matt
>>>>
>>>> Matt Jonkman wrote:
>>>>> That seems like a reasonable rule. The load should be minimal unless
>>>>> you've got a very high volume of .mov's on your net.
>>>>>
>>>>> If no one has any suggestions to add, I'll get it posted in a few minutes.
>>>>>
>>>>> Thanks Mat!
>>>>>
>>>>> Matt
>>>>>
>>>>> mat wrote:
>>>>>> Forgot to add the rule...
>>>>>>
>>>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File with embedded Javascript"; uricontent: ".mov"; pcre:"/[AT]<[^>]*javascript\:.*>/i")
>>>>>>
>>>>> _______________________________________________
>>>>> Bleeding-sigs mailing list
>>>>> Bleeding-sigs@bleedingthreats.net
>>>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>>>>
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
>
>
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From mrowley at esoft.com Tue Dec 5 19:06:15 2006
From: mrowley at esoft.com (mat)
Date: Tue Dec 5 19:10:23 2006
Subject: [Bleeding-sigs] myspace .mov worm
In-Reply-To: <4575B8F2.9050203@bleedingthreats.net>
References: <4574906D.7050100@esoft.com> <45749241.3090303@bleedingthreats.net> <45749731.4040002@bleedingthreats.net> <45758D81.7090400@esoft.com> <45758F10.9030408@bleedingthreats.net> <45759DBC.6070008@esoft.com> <4575B8F2.9050203@bleedingthreats.net>
Message-ID: <4575C327.2040203@esoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Looks good.

Matt Jonkman wrote:
> OK, got it posted. Look right now?
>
> matt
>
> mat wrote:
>> The second part of the rule should be
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/A<[^>]*javascript\:.*>T<.*>/im"; classtype:attempted-admin; sid:2003207; rev:1;)
>>
>> Matt Jonkman wrote:
>>> So what's up now is accurate then:
>>> http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_MOV_Javascript?view=markup
>>> Matt
>>
>>> (Matt's with 2 t's are cooler than mat's with one t.)
>>> mat wrote:
>>>> The javascript is actually in the .mov file... There is a malicious
>>>> sample here (which just does an alert):
>>>> http://www.gnucitizen.org/blog/backdooring-quicktime-movies/sample_backdoored.mov
>>>>
>>>> Viewing it in a hex editor, you can see the javascript tags in plain
>>>> text. So, you can set it up the way I initially had it.
>>>>
>>>> Matt Jonkman wrote:
>>>>> Wait a sec... The mov will be outbound to the server, and the javascript
>>>>> inbound from the hostile server. So we'd need to set a flowbit, and
>>>>> check it on the way back. no?
>>>>>
>>>>> How about this then:
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File Requested"; flow:established,to_server; uricontent: ".mov"; flowbits:set,BE.movuri; flowbits:noalert; classtype:not-suspicious; sid:2003206; rev:1;)
>>>>>
>>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript"; flow:established,from_server; flowbits:isset,BE.movuri; pcre:"/[AT]<[^>]*javascript\:.*>/im"; classtype:attempted-admin; sid:2003207; rev:1;)
>>>>>
>>>>> That'll set the bit when requested, and watch for the javascript tag on
>>>>> the return traffic. Look good?
>>>>>
>>>>> Matt
>>>>>
>>>>> Matt Jonkman wrote:
>>>>>> That seems like a reasonable rule. The load should be minimal unless
>>>>>> you've got a very high volume of .mov's on your net.
>>>>>>
>>>>>> If no one has any suggestions to add, I'll get it posted in a few minutes.
>>>>>>
>>>>>> Thanks Mat!
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> mat wrote:
>>>>>>> Forgot to add the rule...
>>>>>>>
>>>>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Quicktime .mov File with embedded Javascript"; uricontent: ".mov"; pcre:"/[AT]<[^>]*javascript\:.*>/i")
>>>>>>>
>>>>>> _______________________________________________
>>>>>> Bleeding-sigs mailing list
>>>>>> Bleeding-sigs@bleedingthreats.net
>>>>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>>>>>
>>> _______________________________________________
>>> Bleeding-sigs mailing list
>>> Bleeding-sigs@bleedingthreats.net
>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
- --
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFdcMn47s/xIwy7o0RAjoqAJ909kdjDf5mIuE4hUqyuwa3g+/jLwCffrbE
GlitHdQTTyGKj8hAmWwNR1Y=
=JADn
-----END PGP SIGNATURE-----

From bleeding at bleedingthreats.net Tue Dec 5 20:00:04 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue Dec 5 20:00:05 2006
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20061205200004.8A3B722C0AA@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Tue Dec 5 20:00:04 2006 [***]

[+++] Added rules: [+++]

    2003206 - BLEEDING-EDGE EXPLOIT Quicktime .mov File Requested (bleeding-exploit.rules)
    2003207 - BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript (bleeding-exploit.rules)

[///] Modified active rules: [///]

    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]

    2001184 - BLEEDING-EDGE WORM RXBOT / RBOT Vulnerability Scan (bleeding-virus.rules)
    2001220 - BLEEDING-EDGE WORM RXBOT / RBOT Exploit Report (bleeding-virus.rules)
    2001554 - BLEEDING-EDGE WORM Rbot.Gen Infection Attempt (bleeding-virus.rules)
    2001584 - BLEEDING-EDGE VIRUS Bot Reporting Scan/Exploit (bleeding-virus.rules)
    2001676 - BLEEDING-EDGE VIRUS Bot Reporting/Commencing DDoS (bleeding-virus.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 14

    -> Added to bleeding-drop.rules (1):
       # VERSION 14

    -> Added to bleeding-exploit.rules (1):
       #by Mat Rowley of esoft

    -> Added to bleeding-sid-msg.map (2):
       2003206 || BLEEDING-EDGE EXPLOIT Quicktime .mov File Requested
       2003207 || BLEEDING-EDGE EXPLOIT Quicktime .mov File with embedded Javascript

    -> Added to bleeding-virus.rules (3):
       #Disabling by default. To be removed soon. These are better covered by the mass irc command sigs. MAJ 12/5/06
       #Obsoleted, to be removed. MAJ 12/5/06
       #Disabling. Better covered by 2002029 MAJ 12/5/06

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
       # VERSION 13

    -> Removed from bleeding-drop.rules (1):
       # VERSION 13

From bleeding at bleedingthreats.net Wed Dec 6 20:00:04 2006
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Wed Dec 6 20:00:07 2006
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20061206200004.5C37822C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Wed Dec 6 20:00:04 2006 [***]

[///] Modified active rules: [///]

    2002852 - BLEEDING-EDGE EXPLOIT HP-UX Printer LPD Command Insertion (bleeding-exploit.rules)
    2002872 - BLEEDING-EDGE POLICY Myspace Login Attempt (bleeding-policy.rules)
    2002888 - BLEEDING-EDGE EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt (bleeding-exploit.rules)
    2003179 - BLEEDING-EDGE POLICY exe download without User Agent (bleeding-policy.rules)
    2003196 - BLEEDING-EDGE EXPLOIT FTP .message file write (bleeding-exploit.rules)
    2003197 - BLEEDING-EDGE EXPLOIT ProFTPD .message file overflow attempt (bleeding-exploit.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[///] Modified inactive rules: [///]

    2002948 - BLEEDING-EDGE POLICY External Windows Update in Progress (bleeding-policy.rules)
    2002949 - BLEEDING-EDGE POLICY Windows Update in Progress (bleeding-policy.rules)
    2002969 - BLEEDING-EDGE POLICY Microsoft BITS User Agent (bleeding-policy.rules)

[---] Disabled rules: [---]

    2000004 - BLEEDING-EDGE EXPLOIT Microsoft MHTML URL Redirection Attempt (bleeding-exploit.rules)
    2003090 - BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Outbound (bleeding.rules)
    2003091 - BLEEDING-EDGE CURRENT TROJAN Unknown Bot C&C Traffic Inbound (bleeding.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-attack_response.rules (1):
       # $Id: bleeding-attack_response.rules $

    -> Added to bleeding-dos.rules (1):
       # $Id: bleeding-dos.rules $

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 15

    -> Added to bleeding-drop.rules (1):
       # VERSION 15

    -> Added to bleeding-exploit.rules (2):
       # $Id: bleeding-exploit.rules $
       #Disabling by default. Long since obsoleted. To be deleted MAJ 12.6.06

    -> Added to bleeding-game.rules (1):
       # $Id: bleeding-game.rules $

    -> Added to bleeding-inappropriate.rules (1):
       # $Id: bleeding-inappropriate.rules $

    -> Added to bleeding-malware.rules (1):
       # $Id: bleeding-malware.rules $

    -> Added to bleeding-p2p.rules (1):
       # $Id: bleeding-p2p.rules $

    -> Added to bleeding-policy.rules (1):
       # $Id: bleeding-policy.rules $

    -> Added to bleeding-scan.rules (1):
       # $Id: bleeding-scan.rules $

    -> Added to bleeding-virus.rules (1):
       # $Id: bleeding-virus.rules $

    -> Added to bleeding-web.rules (1):
       # $Id: bleeding-web.rules $

    -> Added to bleeding.rules (2):
       #by Jeff Kell
       #Disabling, not new info, need more research

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
       # VERSION 14

    -> Removed from bleeding-drop.rules (1):
       # VERSION 14

    -> Removed from bleeding.rules (2):
       #by Jef Kell
       #Matt JOnkman

From tech at jameson.co.uk Thu Dec 7 12:44:13 2006
From: tech at jameson.co.uk (Brian Jameson)
Date: Thu Dec 7 13:02:18 2006
Subject: [Bleeding-sigs] spyware-dns.rules with content:"|02|co|02|uk";
Message-ID:

I have three sids (1028948, 1032259 and 1029240) that fire with the utmost
regularity and are only checking for a content of "|02|co|02|uk"; which
explains the frequency of the alert. Shouldn't they be checking for a bit
more than that? And there appear to be other spyware-dns.rules that only
have this limited content check e.g. sid: 1035983; which are not alerting
but I have not figured out why yet. Any thoughts?

regards,
Brian

From jonkman at bleedingthreats.net Thu Dec 7 17:09:49 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Dec 7 17:10:21 2006
Subject: [Bleeding-sigs] spyware-dns.rules with content:"|02|co|02|uk";
In-Reply-To:
References:
Message-ID: <45784ADD.2050908@bleedingthreats.net>

Careful with those rules at the moment. The core bhdns had a flaw we're
just getting fixed: the scripts accidentally listed co.uk as part of a
longer url. It should not have been that way.

For the moment I'd drop that sig. We're fixing the issue shortly...
thanks for pointing it out.

More to come...

Matt

Brian Jameson wrote:
> I have three sids (1028948, 1032259 and 1029240) that fire with the utmost
> regularity and are only checking for a content of "|02|co|02|uk"; which
> explains the frequency of the alert. Shouldn't they be checking for a bit
> more than that? And there appear to be other spyware-dns.rules that only
> have this limited content check e.g. sid: 1035983; which are not alerting
> but I have not figured out why yet. Any thoughts?
>
> regards,
> Brian
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Thu Dec 7 18:20:32 2006
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Dec 7 18:21:03 2006
Subject: [Bleeding-sigs] spyware-dns.rules with content:"|02|co|02|uk";
In-Reply-To: <45784ADD.2050908@bleedingthreats.net>
References: <45784ADD.2050908@bleedingthreats.net>
Message-ID: <45785B70.5030603@bleedingthreats.net>

All fixed up, sorry for the hassles there. Unfortunately the only issues
we really had in the server move were with David's project, but he's
thankfully been very patient with me getting things fixed. :)

I've updated the snort sigs some, and moved them to a non-private sid
range to avoid conflicts. They're now in the 2450000 range, part of our
allocated range. The 2.4 millions are all for dynamic rules, like the
spamhaus, dshield and shadowserver block rules.

Take a look at the new snort rules for the spyware dns at:

http://www.bleedingthreats.net/blackhole-dns/files/bleeding-spyware-dns.rules

See if those are correct. I'll also be including these in the master
tarball for easier access.

There are over 11k rules in this ruleset, but they're all udp port 53.
Unless you have a huge volume of dns traffic these are safe from a load
perspective. They are risky in that some of these domains may have
legitimate services, but they will at least point you toward workstations
that might need some extra attention.

Matt

Matt Jonkman wrote:
> Careful with those rules at the moment. The core bhdns had a flaw we're
> just getting fixed, the scripts accidentally listed co.uk as part of a
> longer url. It should not have been that way.
>
> For the moment I'd drop that sig. We're fixing the issue shortly...
> thanks for pointing it out.
>
> More to come...
>
> Matt
>
>
> Brian Jameson wrote:
>> I have three sids (1028948, 1032259 and 1029240) that fire with the utmost
>> regularity and are only checking for a content of "|02|co|02|uk"; which
>> explains the frequency of the alert. Shouldn't they be checking for a bit
>> more than that? And there appear to be other spyware-dns.rules that only
>> have this limited content check e.g. sid: 1035983; which are not alerting
>> but I have not figured out why yet. Any thoughts?
>>
>> regards,
>> Brian
>>
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Thu Dec 7 20:00:07 2006
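Brian's |02|co|02|uk alerts follow from how DNS puts a name on the wire: each label is prefixed by its length byte, so the bytes for co.uk appear in every query for any name under co.uk, and Snort's content option is a plain substring search over the payload. The following is an added example written for this page, not code from the blackhole-DNS scripts or the Bleeding Edge ruleset: it encodes a name the way a DNS question carries it, renders the Snort content string for it, and shows that a content built from the whole listed name matches that name and its subdomains only, while the bare suffix matches every .co.uk lookup. The domain names, the query packet and the rule template are constructed for the example; the exact rule options the project used are not shown on this page.

```python
"""DNS label encoding against Snort content matches.

Added example for this page, not code from the blackhole-DNS scripts or the
Bleeding Edge ruleset.  A DNS question carries a name as length-prefixed
labels ending in 0x00, and Snort's content option is a substring search over
the payload, so content:"|02|co|02|uk" is present in every query under co.uk.
The domain names, the query packet and the rule template are constructed.
"""
import struct


def dns_name_wire(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: <len><label>...<0x00>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    out.append(0)
    return bytes(out)


def snort_content(name: str) -> str:
    """Render the wire-format name as a Snort content string, |hh| for the
    length bytes and the terminator, printable labels left as text."""
    parts = [f"|{len(label):02x}|{label}" for label in name.rstrip(".").split(".")]
    return '"' + "".join(parts) + '|00|"'


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed standard query: 12-byte header (RD set, one question),
    then the question name, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_name_wire(qname) + struct.pack(">HH", 1, 1)


def lookup_matches(listed_name: str, queried_name: str) -> bool:
    """Would a content match built from listed_name fire on a query for
    queried_name?  Plain substring search, as Snort's content does."""
    return dns_name_wire(listed_name) in build_query(queried_name)


# Assumed rule shape in the style of the spyware-dns rules discussed above;
# the options the project actually used are not shown on this page.
RULE_TEMPLATE = (
    'alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE SPYWARE-DNS DNS Client '
    'Lookup of {name}"; content:{content}; nocase; '
    'reference:url,www.bleedingthreats.net/blackhole-dns/; '
    'classtype:bad-unknown; sid:{sid}; rev:1;)'
)


def dns_lookup_rule(name: str, sid: int) -> str:
    """Render a lookup rule whose content is the whole listed name."""
    return RULE_TEMPLATE.format(name=name, content=snort_content(name), sid=sid)


if __name__ == "__main__":
    # "spyware-sample.co.uk" is a made-up stand-in for a listed domain;
    # 2459999 is a placeholder sid inside the 2450000 range Matt mentions.
    print(dns_lookup_rule("spyware-sample.co.uk", 2459999))
    for listed in ("co.uk", "spyware-sample.co.uk"):
        for queried in ("spyware-sample.co.uk", "www.spyware-sample.co.uk", "bbc.co.uk"):
            print(f"content {snort_content(listed):40} query {queried:26} -> "
                  f"{lookup_matches(listed, queried)}")
```

The co.uk content matches all three queries, which is exactly the behaviour Brian saw; the full-name content matches the listed name and www. under it but not bbc.co.uk. Matching the subdomains is usually what you want from a blackhole-DNS rule, and it is also why, as Matt notes, a listed domain that hosts legitimate services will fire on legitimate lookups.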
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Dec 7 20:17:36 2006
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20061207200007.6A75522C0AB@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Thu Dec 7 20:00:06 2006 [***]

[///] Modified active rules: [///]

    2002197 - BLEEDING-EDGE MALWARE Tickle.com Spyware (bleeding-malware.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2410005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2410006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2410007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2410008 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 9) (bleeding-botcc.rules)
    2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2411008 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]

    2001205 - BLEEDING-EDGE DOS Internet Explorer Memory Corruption Bug (bleeding-dos.rules)
    2002958 - BLEEDING-EDGE MALWARE Blueskyltd.biz Spyware Checkin or Download (bleeding-malware.rules)

[---] Removed rules: [---]

    2410009 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 10) (bleeding-botcc.rules)
    2411009 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-dos.rules (1):
       #Disabling by default. Very old, relatively high load considering the risk involved

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 16

    -> Added to bleeding-drop.rules (1):
       # VERSION 16

    -> Added to bleeding-malware.rules (1):
       #Disabling 2002958, falses I odn't have more info to try to prevent

    -> Added to bleeding-sid-msg.map (11965):
       2450000 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0-29.com || url,www.bleedingthreats.net/blackhole-dns/
       2450001 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0-2u.com || url,www.bleedingthreats.net/blackhole-dns/
       2450002 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0-days.net || url,www.bleedingthreats.net/blackhole-dns/
       2450003 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 00.devoid.us || url,www.bleedingthreats.net/blackhole-dns/
       2450004 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 000info.com || url,www.bleedingthreats.net/blackhole-dns/
       2450005 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 007arcadegames.com || url,www.bleedingthreats.net/blackhole-dns/
       2450006 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 007ground.com || url,www.bleedingthreats.net/blackhole-dns/
       2450007 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 008i.com || url,www.bleedingthreats.net/blackhole-dns/
       2450008 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 008k.com || url,www.bleedingthreats.net/blackhole-dns/
       2450009 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 00hq.com || url,www.bleedingthreats.net/blackhole-dns/
       2450010 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 00info.com || url,www.bleedingthreats.net/blackhole-dns/
       2450011 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 00z70az77mnsa-00swj1zzprh.com || url,www.bleedingthreats.net/blackhole-dns/
       2450012 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 010402.com || url,www.bleedingthreats.net/blackhole-dns/
       2450013 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0190-dialer.com || url,www.bleedingthreats.net/blackhole-dns/
       2450014 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 02pmnzy5eo29bfk4.com || url,www.bleedingthreats.net/blackhole-dns/
       2450015 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 04080.com || url,www.bleedingthreats.net/blackhole-dns/
       2450016 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0503.pass.as || url,www.bleedingthreats.net/blackhole-dns/
       2450017 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 05p.com || url,www.bleedingthreats.net/blackhole-dns/
       2450018 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 07ic5do2myz3vzpk.com || url,www.bleedingthreats.net/blackhole-dns/
       2450019 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 08nigbmwk43i01y6.com || url,www.bleedingthreats.net/blackhole-dns/
       2450020 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 093qpeuqpmz6ebfa.com || url,www.bleedingthreats.net/blackhole-dns/
       2450021 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0calories.net || url,www.bleedingthreats.net/blackhole-dns/
       2450022 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0cat.com || url,www.bleedingthreats.net/blackhole-dns/
       2450023 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0cj.net || url,www.bleedingthreats.net/blackhole-dns/
       2450024 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0fkhzhpoxstn717y.com || url,www.bleedingthreats.net/blackhole-dns/
       2450025 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0i4ixakh2d6hun43.com || url,www.bleedingthreats.net/blackhole-dns/
       2450026 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0racle.info || url,www.bleedingthreats.net/blackhole-dns/
       2450027 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0texkax7c6hzuidk.com || url,www.bleedingthreats.net/blackhole-dns/
       2450028 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0un8yo7rh82m416k.com || url,www.bleedingthreats.net/blackhole-dns/
       2450029 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0vibd7viihxrtpyu.com || url,www.bleedingthreats.net/blackhole-dns/
       2450030 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0websearch.com || url,www.bleedingthreats.net/blackhole-dns/
       2450031 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0x80.online-software.org || url,www.bleedingthreats.net/blackhole-dns/
       2450032 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0ym6ei1saev6eiuw.com || url,www.bleedingthreats.net/blackhole-dns/
       2450033 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 0zoafrqnit8em7xa.com || url,www.bleedingthreats.net/blackhole-dns/
       2450034 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1-2-1cam.com || url,www.bleedingthreats.net/blackhole-dns/
       2450035 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1-2-1webcam.com || url,www.bleedingthreats.net/blackhole-dns/
       2450036 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1-britney-spears-nude.com || url,www.bleedingthreats.net/blackhole-dns/
       2450037 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1-domains-registrations.com || url,www.bleedingthreats.net/blackhole-dns/
       2450038 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1-extreme.biz || url,www.bleedingthreats.net/blackhole-dns/
       2450039 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1-se.com || url,www.bleedingthreats.net/blackhole-dns/
       2450040 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1.zloyamer.z8.ru || url,www.bleedingthreats.net/blackhole-dns/
       2450041 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 100000games.net || url,www.bleedingthreats.net/blackhole-dns/
       2450042 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1000funnyvideos.com || url,www.bleedingthreats.net/blackhole-dns/
       2450043 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1000ip.net || url,www.bleedingthreats.net/blackhole-dns/
       2450044 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1000s-great-dates.com || url,www.bleedingthreats.net/blackhole-dns/
       2450045 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1001-search.com || url,www.bleedingthreats.net/blackhole-dns/
       2450046 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1001movie.com || url,www.bleedingthreats.net/blackhole-dns/
       2450047 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1001night.biz || url,www.bleedingthreats.net/blackhole-dns/
       2450048 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1001porngalleries.com || url,www.bleedingthreats.net/blackhole-dns/
       2450049 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 100freegalls.com || url,www.bleedingthreats.net/blackhole-dns/
       2450050 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 100gal.net || url,www.bleedingthreats.net/blackhole-dns/
       2450051 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 100mature.net || url,www.bleedingthreats.net/blackhole-dns/
       2450052 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 100pantyhose.com || url,www.bleedingthreats.net/blackhole-dns/
       2450053 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 100sexlinks.com || url,www.bleedingthreats.net/blackhole-dns/
       2450054 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 101lottery.com || url,www.bleedingthreats.net/blackhole-dns/
       2450055 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 10k1txdk35mt02xx.com || url,www.bleedingthreats.net/blackhole-dns/
       2450056 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 10money.us || url,www.bleedingthreats.net/blackhole-dns/
       2450057 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 10s.com.br || url,www.bleedingthreats.net/blackhole-dns/
       2450058 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1110100011o1window.info || url,www.bleedingthreats.net/blackhole-dns/
       2450059 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 116ron.org || url,www.bleedingthreats.net/blackhole-dns/
       2450060 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 12.tnssearch.com || url,www.bleedingthreats.net/blackhole-dns/
       2450061 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123-find4u.com || url,www.bleedingthreats.net/blackhole-dns/
       2450062 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123-search.net || url,www.bleedingthreats.net/blackhole-dns/
       2450063 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123-search4u.com || url,www.bleedingthreats.net/blackhole-dns/
       2450064 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123-searchengine.com || url,www.bleedingthreats.net/blackhole-dns/
       2450065 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123greetings.2mydns.com || url,www.bleedingthreats.net/blackhole-dns/
       2450066 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123keno.com || url,www.bleedingthreats.net/blackhole-dns/
       2450067 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123mania.com || url,www.bleedingthreats.net/blackhole-dns/
       2450068 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123search.com || url,www.bleedingthreats.net/blackhole-dns/
       2450069 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123search4u.com || url,www.bleedingthreats.net/blackhole-dns/
       2450070 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123spywar.com || url,www.bleedingthreats.net/blackhole-dns/
       2450071 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123ticket.com || url,www.bleedingthreats.net/blackhole-dns/
       2450072 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123xxl.com || url,www.bleedingthreats.net/blackhole-dns/
       2450073 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 123zae.biz || url,www.bleedingthreats.net/blackhole-dns/
       2450074 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 12rix.info || url,www.bleedingthreats.net/blackhole-dns/
       2450075 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1337creations.com || url,www.bleedingthreats.net/blackhole-dns/
       2450076 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 136136.net || url,www.bleedingthreats.net/blackhole-dns/
       2450077 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 13bbs.info || url,www.bleedingthreats.net/blackhole-dns/
       2450078 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 13tw22rigobert.de || url,www.bleedingthreats.net/blackhole-dns/
       2450079 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 143fuck.com || url,www.bleedingthreats.net/blackhole-dns/
       2450080 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of
171203.com || url,www.bleedingthreats.net/blackhole-dns/ 2450081 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 17cunts.com || url,www.bleedingthreats.net/blackhole-dns/ 2450082 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 17dk.com || url,www.bleedingthreats.net/blackhole-dns/ 2450083 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 17re8px9v1ypc6w7.com || url,www.bleedingthreats.net/blackhole-dns/ 2450084 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 17webplace.com || url,www.bleedingthreats.net/blackhole-dns/ 2450085 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1800-search.com || url,www.bleedingthreats.net/blackhole-dns/ 2450086 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1800searchonline.com || url,www.bleedingthreats.net/blackhole-dns/ 2450087 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1800taxfree.com || url,www.bleedingthreats.net/blackhole-dns/ 2450088 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 180searchassistant.com || url,www.bleedingthreats.net/blackhole-dns/ 2450089 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 180solutions.com || url,www.bleedingthreats.net/blackhole-dns/ 2450090 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 18age-domination.com || url,www.bleedingthreats.net/blackhole-dns/ 2450091 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 18party.com || url,www.bleedingthreats.net/blackhole-dns/ 2450092 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 18post.com || url,www.bleedingthreats.net/blackhole-dns/ 2450093 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 18teenpic.biz || url,www.bleedingthreats.net/blackhole-dns/ 2450094 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 18uz3wkpu86hbu3v.com || url,www.bleedingthreats.net/blackhole-dns/ 2450095 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1a7r4k8ccwtfynqh.com || url,www.bleedingthreats.net/blackhole-dns/ 2450096 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1access4free.com || url,www.bleedingthreats.net/blackhole-dns/ 2450097 || 
BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1ccf.estserver.com || url,www.bleedingthreats.net/blackhole-dns/ 2450098 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1check.us || url,www.bleedingthreats.net/blackhole-dns/ 2450099 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1clickspyclean.com || url,www.bleedingthreats.net/blackhole-dns/ 2450100 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1clicksuite.net || url,www.bleedingthreats.net/blackhole-dns/ 2450101 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1cost.us || url,www.bleedingthreats.net/blackhole-dns/ 2450102 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1fgka1hyvn4wktui.com || url,www.bleedingthreats.net/blackhole-dns/ 2450103 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1gb.ru || url,www.bleedingthreats.net/blackhole-dns/ 2450104 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1ivk5kdbnq984yhk.com || url,www.bleedingthreats.net/blackhole-dns/ 2450105 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1k0k2kqipuh9utdg.com || url,www.bleedingthreats.net/blackhole-dns/ 2450106 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1ky4owcrh7ziwukm.com || url,www.bleedingthreats.net/blackhole-dns/ 2450107 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1loss.us || url,www.bleedingthreats.net/blackhole-dns/ 2450108 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1mv8hnwmyskkpgm9.com || url,www.bleedingthreats.net/blackhole-dns/ 2450109 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1pill.us || url,www.bleedingthreats.net/blackhole-dns/ 2450110 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1q5sarab3mpri3hs.com || url,www.bleedingthreats.net/blackhole-dns/ 2450111 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1qiq0okzb7hcb3xr.com || url,www.bleedingthreats.net/blackhole-dns/ 2450112 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1rot0u3rw3ho5wdi.com || url,www.bleedingthreats.net/blackhole-dns/ 2450113 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1se.ru || 
url,www.bleedingthreats.net/blackhole-dns/ 2450114 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1sexparty.com || url,www.bleedingthreats.net/blackhole-dns/ 2450115 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1spmt1xfmumz2isf.com || url,www.bleedingthreats.net/blackhole-dns/ 2450116 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1spyware-removal.com || url,www.bleedingthreats.net/blackhole-dns/ 2450117 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1spywarekiller.com || url,www.bleedingthreats.net/blackhole-dns/ 2450118 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1stantivirus.com || url,www.bleedingthreats.net/blackhole-dns/ 2450119 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1stblaze.com || url,www.bleedingthreats.net/blackhole-dns/ 2450120 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1stfind.com || url,www.bleedingthreats.net/blackhole-dns/ 2450121 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1stflirt.org || url,www.bleedingthreats.net/blackhole-dns/ 2450122 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1sthardsex.com || url,www.bleedingthreats.net/blackhole-dns/ 2450123 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1stpagehere.com || url,www.bleedingthreats.net/blackhole-dns/ 2450124 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1stsearchportal.com || url,www.bleedingthreats.net/blackhole-dns/ 2450125 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1stspywar.com || url,www.bleedingthreats.net/blackhole-dns/ 2450126 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1traff.us || url,www.bleedingthreats.net/blackhole-dns/ 2450127 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1vi5x3s4d9x7pn36.com || url,www.bleedingthreats.net/blackhole-dns/ 2450128 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1vvzq5t3kwfiwzmt.com || url,www.bleedingthreats.net/blackhole-dns/ 2450129 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1weight.us || url,www.bleedingthreats.net/blackhole-dns/ 2450130 || BLEEDING-EDGE 
SPYWARE-DNS DNS Client Lookup of 1xvodqv3mtxp9dyy.com || url,www.bleedingthreats.net/blackhole-dns/ 2450131 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1xxx.us || url,www.bleedingthreats.net/blackhole-dns/ 2450132 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1yegswkkcroeertt.com || url,www.bleedingthreats.net/blackhole-dns/ 2450133 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1ypal.upzll.com || url,www.bleedingthreats.net/blackhole-dns/ 2450134 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 1ze.net || url,www.bleedingthreats.net/blackhole-dns/ 2450135 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2-antispyware.com || url,www.bleedingthreats.net/blackhole-dns/ 2450136 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2-extreme.biz || url,www.bleedingthreats.net/blackhole-dns/ 2450137 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2000guys.com || url,www.bleedingthreats.net/blackhole-dns/ 2450138 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2001positions.com || url,www.bleedingthreats.net/blackhole-dns/ 2450139 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2004search.cc || url,www.bleedingthreats.net/blackhole-dns/ 2450140 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2005-search.com || url,www.bleedingthreats.net/blackhole-dns/ 2450141 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2005onlinecasinos.com || url,www.bleedingthreats.net/blackhole-dns/ 2450142 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2020search.com || url,www.bleedingthreats.net/blackhole-dns/ 2450143 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 20health.com || url,www.bleedingthreats.net/blackhole-dns/ 2450144 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 20shots.com || url,www.bleedingthreats.net/blackhole-dns/ 2450145 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 20x2p.com || url,www.bleedingthreats.net/blackhole-dns/ 2450146 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 212-229-05.com || url,www.bleedingthreats.net/blackhole-dns/ 
2450147 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 21andover.com || url,www.bleedingthreats.net/blackhole-dns/ 2450148 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 21century-mp3.nu || url,www.bleedingthreats.net/blackhole-dns/ 2450149 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 22-0yxxz44banjks76dg23000.net || url,www.bleedingthreats.net/blackhole-dns/ 2450150 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 220sex.com || url,www.bleedingthreats.net/blackhole-dns/ 2450151 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2288.org || url,www.bleedingthreats.net/blackhole-dns/ 2450152 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 22fti4g6f8f2dg5e.com || url,www.bleedingthreats.net/blackhole-dns/ 2450153 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 22pics.com || url,www.bleedingthreats.net/blackhole-dns/ 2450154 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2332kxifxiynpznr.com || url,www.bleedingthreats.net/blackhole-dns/ 2450155 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 235.regvista.com || url,www.bleedingthreats.net/blackhole-dns/ 2450156 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 235inmya16h6kiob.com || url,www.bleedingthreats.net/blackhole-dns/ 2450157 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 24-7-search.com || url,www.bleedingthreats.net/blackhole-dns/ 2450158 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 24-7searching-and-more.com || url,www.bleedingthreats.net/blackhole-dns/ 2450159 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 247liveexpose.com || url,www.bleedingthreats.net/blackhole-dns/ 2450160 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 24hwebsex.com || url,www.bleedingthreats.net/blackhole-dns/ 2450161 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 24ixpao58q1zk1fc.com || url,www.bleedingthreats.net/blackhole-dns/ 2450162 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 24teen.com || url,www.bleedingthreats.net/blackhole-dns/ 2450163 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup 
of 27f8k8i3ihkd7afb.com || url,www.bleedingthreats.net/blackhole-dns/ 2450164 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 284b.com || url,www.bleedingthreats.net/blackhole-dns/ 2450165 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 28q7nmca95b0yuhs.com || url,www.bleedingthreats.net/blackhole-dns/ 2450166 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2a3n1cekigexxhsg.com || url,www.bleedingthreats.net/blackhole-dns/ 2450167 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2av5zqthvi5u4kup.com || url,www.bleedingthreats.net/blackhole-dns/ 2450168 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2awm.com || url,www.bleedingthreats.net/blackhole-dns/ 2450169 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2b0hgb2vwkkq4evu.com || url,www.bleedingthreats.net/blackhole-dns/ 2450170 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2b20k27wuid0znfi.com || url,www.bleedingthreats.net/blackhole-dns/ 2450171 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2c3rnzqw1rd96cpx.com || url,www.bleedingthreats.net/blackhole-dns/ 2450172 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2fastsearch.net || url,www.bleedingthreats.net/blackhole-dns/ 2450173 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2freepics.com || url,www.bleedingthreats.net/blackhole-dns/ 2450174 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2gc2gu0uq034rmcp.com || url,www.bleedingthreats.net/blackhole-dns/ 2450175 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2hotdownloads.com || url,www.bleedingthreats.net/blackhole-dns/ 2450176 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2ift0ab04ikkdfer.com || url,www.bleedingthreats.net/blackhole-dns/ 2450177 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2k3ckr4twauciy9s.com || url,www.bleedingthreats.net/blackhole-dns/ 2450178 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2kkh3naw5kinmzcw.com || url,www.bleedingthreats.net/blackhole-dns/ 2450179 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2mgames.com || 
url,www.bleedingthreats.net/blackhole-dns/ 2450180 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2nd-dream.com || url,www.bleedingthreats.net/blackhole-dns/ 2450181 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2nd-thought.com || url,www.bleedingthreats.net/blackhole-dns/ 2450182 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2oqsakzcxe2kv21y.com || url,www.bleedingthreats.net/blackhole-dns/ 2450183 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2qh302ui3pk9f9dv.com || url,www.bleedingthreats.net/blackhole-dns/ 2450184 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2quyhvx05gykkqk1.com || url,www.bleedingthreats.net/blackhole-dns/ 2450185 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2ruoy1knriti0ima.com || url,www.bleedingthreats.net/blackhole-dns/ 2450186 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2search.org || url,www.bleedingthreats.net/blackhole-dns/ 2450187 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2udating.com || url,www.bleedingthreats.net/blackhole-dns/ 2450188 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2udating.net || url,www.bleedingthreats.net/blackhole-dns/ 2450189 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2wd.info || url,www.bleedingthreats.net/blackhole-dns/ 2450190 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2wmtgugcsk62qbmh.com || url,www.bleedingthreats.net/blackhole-dns/ 2450191 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2x2.biz || url,www.bleedingthreats.net/blackhole-dns/ 2450192 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 2z0o.net || url,www.bleedingthreats.net/blackhole-dns/ 2450193 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3-extreme.biz || url,www.bleedingthreats.net/blackhole-dns/ 2450194 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 300per.com || url,www.bleedingthreats.net/blackhole-dns/ 2450195 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 30search.com || url,www.bleedingthreats.net/blackhole-dns/ 2450196 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup 
of 31234.com || url,www.bleedingthreats.net/blackhole-dns/ 2450197 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 31ca00c3f07dcknq.com || url,www.bleedingthreats.net/blackhole-dns/ 2450198 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3322.org || url,www.bleedingthreats.net/blackhole-dns/ 2450199 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 333999.net || url,www.bleedingthreats.net/blackhole-dns/ 2450200 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 33r9hs3no7days3i.com || url,www.bleedingthreats.net/blackhole-dns/ 2450201 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 33search.cc || url,www.bleedingthreats.net/blackhole-dns/ 2450202 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 34f5ubx95k0zb1zi.com || url,www.bleedingthreats.net/blackhole-dns/ 2450203 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 34yo.com || url,www.bleedingthreats.net/blackhole-dns/ 2450204 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 353-fjusj-fd5mfjw-jw-8463287-8gjd878-7x-0qq0.com || url,www.bleedingthreats.net/blackhole-dns/ 2450205 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 356563.net || url,www.bleedingthreats.net/blackhole-dns/ 2450206 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 369.com || url,www.bleedingthreats.net/blackhole-dns/ 2450207 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 36site.com || url,www.bleedingthreats.net/blackhole-dns/ 2450208 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3721.com || url,www.bleedingthreats.net/blackhole-dns/ 2450209 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 38ee.com || url,www.bleedingthreats.net/blackhole-dns/ 2450210 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 39-93.com || url,www.bleedingthreats.net/blackhole-dns/ 2450211 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 39as6y7ikptfnmte.com || url,www.bleedingthreats.net/blackhole-dns/ 2450212 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 39com.net || url,www.bleedingthreats.net/blackhole-dns/ 2450213 || BLEEDING-EDGE 
SPYWARE-DNS DNS Client Lookup of 3byomx2kkw8dqkyz.com || url,www.bleedingthreats.net/blackhole-dns/ 2450214 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3danimaldreams.com || url,www.bleedingthreats.net/blackhole-dns/ 2450215 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3dme.com || url,www.bleedingthreats.net/blackhole-dns/ 2450216 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3dxxx3d.com || url,www.bleedingthreats.net/blackhole-dns/ 2450217 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3enysrxs9ngimbsi.com || url,www.bleedingthreats.net/blackhole-dns/ 2450218 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3epo.com || url,www.bleedingthreats.net/blackhole-dns/ 2450219 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3hhxix5vwkg58vtk.com || url,www.bleedingthreats.net/blackhole-dns/ 2450220 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3is2sbouonuuk1x6.com || url,www.bleedingthreats.net/blackhole-dns/ 2450221 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3p0vpmodkdku4x01.com || url,www.bleedingthreats.net/blackhole-dns/ 2450222 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3porndvd.com || url,www.bleedingthreats.net/blackhole-dns/ 2450223 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3rdspherehosting.com || url,www.bleedingthreats.net/blackhole-dns/ 2450224 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3rgsdi003ih5o2y1.com || url,www.bleedingthreats.net/blackhole-dns/ 2450225 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3search.info || url,www.bleedingthreats.net/blackhole-dns/ 2450226 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3t7oihdtcnkg3xx2.com || url,www.bleedingthreats.net/blackhole-dns/ 2450227 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3t98o01vi52i16v1.com || url,www.bleedingthreats.net/blackhole-dns/ 2450228 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3x-mpeg.com || url,www.bleedingthreats.net/blackhole-dns/ 2450229 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3x18.com || 
url,www.bleedingthreats.net/blackhole-dns/ 2450230 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3xcash.biz || url,www.bleedingthreats.net/blackhole-dns/ 2450231 || BLEEDING-EDGE SPYWARE-DNS DNS Client Lookup of 3xstuff.com || url,www.