From jonkman at bleedingthreats.net Mon Apr 2 00:03:40 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Apr 2 00:04:55 2007
Subject: [Bleeding-sigs] More ANI sigs
Message-ID: <4610485C.7090004@bleedingthreats.net>

We have several other versions of the ANI sig. I've just posted a replacement for 2003519, the first one we had:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative; classtype:attempted-admin; sid:2003519; rev:2;)

Should be less evadable and much lower load. The previous content string version was quickly evaded by several malware authors with a null padded header. The other pcre based one will be commented out and replaced as well.

Please test; if this sig proves good we'll run with it.

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Mon Apr 2 00:10:17 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Apr 2 00:12:24 2007
Subject: [Bleeding-sigs] Updated Bogon Sig
Message-ID: <461049E9.8040806@bleedingthreats.net>

Thanks to Markus Lude for the research and the new rule:

alert ip [50.0.0.0/8,94.0.0.0/7,100.0.0.0/6,104.0.0.0/5,112.0.0.0/6,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:8;)

Posted. Reflects newly allocated IP space.
Matt

From jeff-kell at utc.edu Mon Apr 2 03:01:59 2007
From: jeff-kell at utc.edu (Jeff Kell)
Date: Mon Apr 2 03:03:21 2007
Subject: [Bleeding-sigs] More ANI sigs
In-Reply-To: <4610485C.7090004@bleedingthreats.net>
References: <4610485C.7090004@bleedingthreats.net>
Message-ID: <46107227.8030603@utc.edu>

Matt Jonkman wrote:
> We have several other versions of the ANI sig. I've just posted a
> replacement for 2003519, the first one we had:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
> CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON";
> nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative;
> classtype:attempted-admin; sid:2003519; rev:2;)

Didn't take long to accumulate a handful of FPs on this one with full dorms on a Sunday night :-)

The "chunk length" test (the byte_test) needs to be little-endian, ref: http://en.wikipedia.org/wiki/RIFF_%28File_format%29:

> All chunks have the following format:
>
> * 4 bytes: an ASCII identifier for this chunk, e.g. "fmt " or "data".
> * 4 bytes: an unsigned, little-endian 32-bit integer with the
>   length of this chunk

so let's make that:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative,little; classtype:attempted-admin; sid:2003519; rev:3;)

Jeff

From jeff-kell at utc.edu Mon Apr 2 03:13:58 2007
From: jeff-kell at utc.edu (Jeff Kell)
Date: Mon Apr 2 03:15:15 2007
Subject: [Bleeding-sigs] More ANI sigs
In-Reply-To: <46107227.8030603@utc.edu>
References: <4610485C.7090004@bleedingthreats.net> <46107227.8030603@utc.edu>
Message-ID: <461074F6.8040806@utc.edu>

Jeff Kell wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
> CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON";
> nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative,little;
> classtype:attempted-admin; sid:2003519; rev:3;)

Actually, word on the street says the buffer overflow is on a 36-byte buffer, so let's make that:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; classtype:attempted-admin; sid:2003519; rev:3;)

Jeff

From jonkman at bleedingthreats.net Mon Apr 2 03:22:51 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Apr 2 03:24:04 2007
Subject: [Bleeding-sigs] More ANI sigs
In-Reply-To: <461074F6.8040806@utc.edu>
References: <4610485C.7090004@bleedingthreats.net> <46107227.8030603@utc.edu> <461074F6.8040806@utc.edu>
Message-ID: <4610770B.7010901@bleedingthreats.net>

Done. Sharp eye.
Matt

Jeff Kell wrote:
> Jeff Kell wrote:
>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
>> CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON";
>> nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative,little;
>> classtype:attempted-admin; sid:2003519; rev:3;)
>
> Actually, word on the street says the buffer overflow is on a 36-byte
> buffer, so let's make that:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
> CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON";
> nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little;
> classtype:attempted-admin; sid:2003519; rev:3;)
>
> Jeff
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

From andre.ludwig at gmail.com Mon Apr 2 03:55:41 2007
From: andre.ludwig at gmail.com (Andre Ludwig)
Date: Mon Apr 2 03:56:22 2007
Subject: [Bleeding-sigs] More ANI sigs
In-Reply-To: <461074F6.8040806@utc.edu>
References: <4610485C.7090004@bleedingthreats.net> <46107227.8030603@utc.edu> <461074F6.8040806@utc.edu>
Message-ID: <9d03f28f0704012055v50245509p7d48f3a173c39452@mail.gmail.com>

Word is wrong. While it is a 36 byte value for a valid anih header block, in order for an attacker to overwrite the two (or four, depending on which variant) bytes to redirect into shell code it requires an anih header size of 82 bytes. So for this specific exploit it is 82 bytes; if you want to catch any invalid ani file then > 36 will do the trick (a la the VRT signature from snort).

And my bad for cutting off the little (I swear it was on there before!).
My honest to god/allah/buddha/xenu suggestion is just rock the snort VRT sig, unless you get a rash of ani/icon files that are garbled or otherwise b0rked up.

The single largest issue with this vulnerability (and snort) is to make sure that you have your flow depth for http_inspect set to something greater than the default (300). Without that change even the VRT sig won't alert (I suggest 500; if you have a big box and low http traffic, 0 will allow for inspection against the entire payload, but you might take a massive resource hit).

Reference on this ani parsing vuln: http://www.mnin.org/write/ani-notes.pdf

I of course am completely open to being absolutely wrong on this matter. All I need is data to prove that I have no clue wtf I am talking about.

On a side note I have yet to see a working exploit that has a header size below 80. (doesn't mean one doesn't exist)

Andre

On 4/1/07, Jeff Kell wrote:
> Jeff Kell wrote:
>
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
> > CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON";
> > nocase; content:"anih"; nocase; byte_test:4,>,80,0,relative,little;
> > classtype:attempted-admin; sid:2003519; rev:3;)
>
> Actually, word on the street says the buffer overflow is on a 36-byte
> buffer, so let's make that:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
> CURRENT EVENTS MS ANI exploit"; content:"RIFF"; nocase; content:"ACON";
> nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little;
> classtype:attempted-admin; sid:2003519; rev:3;)
>
> Jeff

From bleeding at bleedingthreats.net Mon Apr 2 18:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Mon Apr 2 18:00:12 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily
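The three points the thread makes about this rule (the length after the "anih" chunk id is little-endian, so byte_test needs the little modifier; 36 is the size of a well-formed anih block while the thread puts the exploit's header at 82; and http_inspect's flow depth decides whether those bytes are inspected at all) can be checked against sample streams with the following Python. This is an added example, not code from any message in this thread or from the Snort project. The RIFF chunk layout follows the description Jeff quoted; build_ani, parse_chunks, anih_length, rule_matches and within_flow_depth are names chosen here, the samples are constructed RIFF/ACON headers with zero padding (no cursor frames, no payload), and within_flow_depth is a simplified stand-in for http_inspect's flow_depth behaviour, not its implementation.

```python
"""
Walk the RIFF chunk list of a Windows animated cursor (ANI) byte stream and
apply the check the thread's rule expresses as
    byte_test:4,>,N,0,relative,little
i.e. read the 4-byte length that follows the "anih" chunk id as a
little-endian integer and compare it with a threshold N.

All inputs below are constructed for this example: headers and zero padding
only, no cursor data and no payload.
"""
import struct

# RIFF chunk header: 4-byte ASCII id followed by a 4-byte little-endian length.
CHUNK_HEADER = struct.Struct("<4sI")
ANIH_VALID_SIZE = 36    # size of a well-formed anih block, as stated in the thread
EXPLOIT_ANIH_SIZE = 82  # anih header size the thread reports for the exploit


def build_ani(anih_len, leading_chunks=b""):
    """Construct a header-only ANI stream: RIFF form type 'ACON', optional
    leading chunks, then an anih chunk declaring anih_len, body zero-padded."""
    body = leading_chunks + CHUNK_HEADER.pack(b"anih", anih_len) + bytes(anih_len)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


def parse_chunks(data, start=12):
    """Return [(chunk_id, declared_length, header_offset), ...] for the chunks
    after the 12-byte RIFF form header; chunk bodies are padded to even size."""
    chunks, off = [], start
    while off + CHUNK_HEADER.size <= len(data):
        cid, length = CHUNK_HEADER.unpack_from(data, off)
        chunks.append((cid, length, off))
        off += CHUNK_HEADER.size + length + (length & 1)
    return chunks


def anih_offset(data):
    """Offset of the 'anih' chunk id, case-insensitive like content:"anih"; nocase, or -1."""
    return data.lower().find(b"anih")


def anih_length(data, byteorder="little"):
    """The 4-byte length field after 'anih' decoded in the given byte order, or None.
    Snort's byte_test defaults to big-endian; reading this field that way is
    what produced the false positives Jeff reported on rev:2."""
    idx = anih_offset(data)
    if idx < 0 or idx + 8 > len(data):
        return None
    return int.from_bytes(data[idx + 4:idx + 8], byteorder)


def rule_matches(data, threshold, byteorder="little"):
    """Emulate the rule body: content RIFF, ACON and anih (all nocase), then
    byte_test:4,>,threshold,0,relative with ('little') or without the modifier."""
    lowered = data.lower()
    if b"riff" not in lowered or b"acon" not in lowered:
        return False
    length = anih_length(data, byteorder)
    return length is not None and length > threshold


def within_flow_depth(data, flow_depth=300):
    """Simplified model of the http_inspect flow depth caveat from the thread:
    only the first flow_depth bytes of a response body reach rule matching
    (0 means unlimited). True if the anih id and its length field both fit."""
    idx = anih_offset(data)
    if idx < 0:
        return False
    return flow_depth == 0 or idx + 8 <= flow_depth


# Constructed test vectors (labelled as such; none carries a payload).
BENIGN = build_ani(ANIH_VALID_SIZE)
OVERSIZED = build_ani(EXPLOIT_ANIH_SIZE)   # only the length field is large
DEEP = build_ani(ANIH_VALID_SIZE,          # benign anih pushed past 300 bytes
                 leading_chunks=CHUNK_HEADER.pack(b"LIST", 400) + bytes(400))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED), ("deep", DEEP)):
        print(f"{name:9s} anih@{anih_offset(sample):4d} "
              f"len LE={anih_length(sample)} BE={anih_length(sample, 'big')} "
              f"rev2(big,>80)={rule_matches(sample, 80, 'big')} "
              f"rev3(little,>36)={rule_matches(sample, ANIH_VALID_SIZE)} "
              f"inspected@300={within_flow_depth(sample)}")
```

Run it and the benign sample reproduces Jeff's false positives: read big-endian (rev:2 has no little modifier) its 36-byte anih length decodes as 603979776 and the > 80 test fires on every well-formed cursor, while the little-endian read stays at 36. The deep sample's anih sits at offset 420, outside a 300-byte flow depth, which is Andre's point about why the signature misses without that configuration change.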
Signature Changes
Message-ID: <20070402180005.B906822C08A@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Mon Apr 2 14:00:05 2007 [***]

[///] Modified active rules: [///]

2002750 - BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 (bleeding-policy.rules)
2003519 - BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (bleeding.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Removed rules: [---]

2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 141
-> Added to bleeding-drop.rules (1):
# VERSION 141
-> Added to bleeding-sid-msg.map (1):
2003519 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit

[---] Removed non-rule lines: [---]

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 139
-> Removed from bleeding-drop.rules (1):
# VERSION 139
-> Removed from bleeding-sid-msg.map (3):
2003519 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit || url,doc.bleedingthreats.net/2003519 || url,www.avertlabs.com/research/blog/?p=233 || url,isc.sans.org/diary.html?storyid=2534
2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org

From jonkman at bleedingthreats.net Mon Apr 2 19:06:30 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Apr 2 19:07:46 2007
Subject: [Bleeding-sigs] ANI Sig
Message-ID: <46115436.4090101@bleedingthreats.net>

It's been accurately pointed out that the sig we've ended up with for the ani exploit is exactly the same as the Snort GPL sig 3079, other than the references.

This raises a number of conversations I welcome on the list. I'll weigh in on several in a moment. But for now, I'll leave our existing 2003519 up and active. Once this blows over we'll drop it or comment out.

Why comment out or drop, you ask? We don't need duplication of the GPL sigs. If this were a dupe of a VRT licensed sig then this would be a different discussion, as many of our users for whatever reason have issues using the VRT sigs. Since we came to the same sig the snort guys did long ago through our own research, there aren't any infringement issues to deal with. And I'm glad we did go through that process; it allowed a lot of folks to learn a lot about the vulnerability. It also let us all as a community make sure that we weren't missing something.

We can hopefully push some of the new references to the GPL rule for the long term. The entry on the bleeding docs site will remain regardless of what we do with the rule, so any info you'd like to record for the long term can go there as well and will be searchable.

http://doc.bleedingthreats.net/2003519

Comments and discussion welcome, and many thanks to the many people that have contributed to both the research and have submitted false positives.
Matt

From jonkman at bleedingthreats.net Tue Apr 3 13:02:54 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Tue Apr 3 13:03:42 2007
Subject: [Bleeding-sigs] Don't Overlook the Snort.conf Samples project
Message-ID: <4612507E.40702@bleedingthreats.net>

Jim McQuaid has picked up and updated the Snort.conf samples project here at Bleeding Edge Threats. He's doing a good deal of work updating the configs to 2.6, and adding some support for smoothwall and other projects. He's also placed and written some papers about home network setups and the like.

If you're new to snort, this is a great place to look for orienting information and help. But even if you're already an expert, it's worth your time to take a quick look, and even contribute any tips and tricks.

The project is in the wiki: http://doc.bleedingthreats.net/bin/view/Main/SnortConfSamples

Thanks to Jim for taking this project on. It's very useful, but requires a good deal of work to keep up to date. Please lend him a hand if you see something that needs it.
Matt

From bleeding at bleedingthreats.net Tue Apr 3 18:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue Apr 3 18:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070403180006.0D07D22C08A@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Tue Apr 3 14:00:05 2007 [***]

[+++] Added rules: [+++]

2003491 - BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) (bleeding-malware.rules)
2003492 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (bleeding-malware.rules)
2003513 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) (bleeding-malware.rules)
2003525 - BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware (bleeding-malware.rules)
2003526 - BLEEDING-EDGE MALWARE KMIP.net Spyware 2 (bleeding-malware.rules)
2003527 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) (bleeding-malware.rules)
2003528 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) (bleeding-malware.rules)
2003529 - BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3) (bleeding-malware.rules)
2003530 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) (bleeding-malware.rules)
2003531 - BLEEDING-EDGE MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans) (bleeding-malware.rules)
2003532 - BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent) (bleeding-malware.rules)

[///] Modified active rules: [///]

2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Removed rules: [---]

2003491 - BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent (Mozila/4.0...) (bleeding.rules)
2003492 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) (bleeding.rules)
2003513 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) (bleeding.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 142
-> Added to bleeding-drop.rules (1):
# VERSION 142
-> Added to bleeding-malware.rules (5):
#Seeing hits with a misspelled Mozila in the UA.
#also seeing just Mozilla/4.0. That's unusual as well
#from rras, another typo'd trojan
#Pluses in a UA, suspicious as well
#Matt Jonkman, from spyware lp data
-> Added to bleeding-sid-msg.map (11):
2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
2003525 || BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware || url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189
2003526 || BLEEDING-EDGE MALWARE KMIP.net Spyware 2 || url,www.kmip.net
2003527 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
2003528 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
2003529 || BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3) || url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931
2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || url,doc.bleedingthreats.net/2003530
2003531 || BLEEDING-EDGE MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans) || url,www.bleepingcomputer.com/forums/topic69886.htm
2003532 || BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent) || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618

[---] Removed non-rule lines: [---]

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 141
-> Removed from bleeding-drop.rules (1):
# VERSION 141
-> Removed from bleeding-sid-msg.map (3):
2003491 || BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
2003492 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
2003513 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
-> Removed from bleeding.rules (3):
#Seeing hits with a misspelled Mozila in the UA. Want to see how widespread this is.
#also seeing just Mozilla/4.0. That's unusual as well
#from rras, another typo'd trojan

From bleeding at bleedingthreats.net Wed Apr 4 18:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Wed Apr 4 18:00:09 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070404180005.BB9F422C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Wed Apr 4 14:00:05 2007 [***]

[+++] Added rules: [+++]

2003533 - BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting (bleeding-malware.rules)
2003534 - BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity (bleeding-malware.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-malware.rules (1):
#By Matt Jonkman from spyware lp data
-> Added to bleeding-sid-msg.map (2):
2003533 || BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting || url,www.sophos.com/security/analyses/w32forbotdv.html
2003534 || BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity

From bleeding at bleedingthreats.net Thu Apr 5 18:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Apr 5 18:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070405180006.09F3122C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Thu Apr 5 14:00:06 2007 [***]

[+++] Added rules: [+++]

2003535 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected (bleeding-attack_response.rules)
2003536 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded (bleeding-attack_response.rules)
[///] Modified active rules: [///]

2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-attack_response.rules (2):
#by Cees Elzinga
#note: most effective with a deep flow depth, or 0
-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 144
-> Added to bleeding-drop.rules (1):
# VERSION 144
-> Added to bleeding-sid-msg.map (2):
2003535 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
2003536 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755

[---] Removed non-rule lines: [---]

-> Removed from bleeding-drop-BLOCK.rules (1):
# VERSION 142
-> Removed from bleeding-drop.rules (1):
# VERSION 142

From bleeding at bleedingthreats.net Fri Apr 6 15:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Apr 6 15:00:10 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Weekly Signature Changes
Message-ID: <20070406150005.33F9B22C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Apr 6 11:00:05 2007 [***]

[+++] Added rules: [+++]

2003491 - BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) (bleeding-malware.rules)
2003492 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (bleeding-malware.rules)
2003513 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) (bleeding-malware.rules)
2003519 - BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (bleeding.rules)
2003521 - BLEEDING-EDGE TROJAN TROJ_ANICMOO.AX Downloading wincf.exe (bleeding.rules)
2003522 - BLEEDING-EDGE TROJAN PossibleExploit-W32/Ani.C Traffic (bleeding.rules)
2003523 - BLEEDING-EDGE TROJAN Possible Exploit-W32/Ani.C Traffic (bleeding.rules)
2003524 - BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (rule 2) (bleeding.rules)
2003525 - BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware (bleeding-malware.rules)
2003526 - BLEEDING-EDGE MALWARE KMIP.net Spyware 2 (bleeding-malware.rules)
2003527 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) (bleeding-malware.rules)
2003528 - BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) (bleeding-malware.rules)
2003529 - BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3) (bleeding-malware.rules)
2003530 - BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) (bleeding-malware.rules)
2003531 - BLEEDING-EDGE MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans) (bleeding-malware.rules)
2003532 - BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent) (bleeding-malware.rules)
2003533 - BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting (bleeding-malware.rules)
2003534 - BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity (bleeding-malware.rules)
2003535 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected (bleeding-attack_response.rules)
2003536 - BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded (bleeding-attack_response.rules)

[///] Modified active rules: [///]

2002750 - BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2 (bleeding-policy.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Removed rules: [---]

2003491 - BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent (Mozila/4.0...) (bleeding.rules)
2003492 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) (bleeding.rules)
2003513 - BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) (bleeding.rules)
2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-attack_response.rules (2):
#by Cees Elzinga
#note: most effective with a deep flow depth, or 0
-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 144
-> Added to bleeding-drop.rules (1):
# VERSION 144
-> Added to bleeding-malware.rules (6):
#By Matt Jonkman from spyware lp data
#Seeing hits with a misspelled Mozila in the UA.
#also seeing just Mozilla/4.0. That's unusual as well
#from rras, another typo'd trojan
#Pluses in a UA, suspicious as well
#Matt Jonkman, from spyware lp data
-> Added to bleeding-sid-msg.map (20):
2003491 || BLEEDING-EDGE MALWARE Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491
2003492 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492
2003513 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513
2003519 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit
2003521 || BLEEDING-EDGE TROJAN TROJ_ANICMOO.AX Downloading wincf.exe || url,uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_ANICMOO.AX
2003522 || BLEEDING-EDGE TROJAN PossibleExploit-W32/Ani.C Traffic || url,www.f-secure.com/v-descs/trojan-downloader_w32_small_ekv.shtml
2003523 || BLEEDING-EDGE TROJAN Possible Exploit-W32/Ani.C Traffic || url,www.f-secure.com/v-descs/trojan-downloader_w32_small_ekv.shtml
2003524 || BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (rule 2) || url,doc.bleedingthreats.net/2003524 || url,www.avertlabs.com/research/blog/?p=233 || url,isc.sans.org/diary.html?storyid=2534
2003525 || BLEEDING-EDGE MALWARE Supergames.aavalue.com Spyware || url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189
2003526 || BLEEDING-EDGE MALWARE KMIP.net Spyware 2 || url,www.kmip.net
2003527 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
2003528 || BLEEDING-EDGE MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037
2003529 || BLEEDING-EDGE MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3) || url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931
2003530 || BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || url,doc.bleedingthreats.net/2003530
2003531 || BLEEDING-EDGE MALWARE
Antivermins.com Spyware/Adware User-Agent (AntiVermeans) || url,www.bleepingcomputer.com/forums/topic69886.htm 2003532 || BLEEDING-EDGE MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent) || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618 2003533 || BLEEDING-EDGE MALWARE Sytes.net Related Spyware Reporting || url,www.sophos.com/security/analyses/w32forbotdv.html 2003534 || BLEEDING-EDGE MALWARE Weatherbug Vista Gadget Activity 2003535 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 2003536 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 -> Added to bleeding.rules (2): #by dajackman #A new approach, details from malaware [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 138 -> Removed from bleeding-drop.rules (1): # VERSION 138 -> Removed from bleeding-sid-msg.map (5): 2003491 || BLEEDING-EDGE MALWARE Invalid Mozilla Faked User-Agent (Mozila/4.0...) || url,doc.bleedingthreats.net/2003491 2003492 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0) || url,doc.bleedingthreats.net/2003492 2003513 || BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent typo (MOzilla/4.0) || url,doc.bleedingthreats.net/2003513 2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org 2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org -> Removed from bleeding.rules (3): #Seeing hits with a misspelled Mozila in the UA. Want to see how widespread this is. #also seeing just Mozilla/4.0. 
That's unusual as well #from rras, another typo'd trojan From bleeding at bleedingthreats.net Fri Apr 6 18:00:05 2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Fri Apr 6 18:00:08 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes Message-ID: <20070406180005.DC47222C088@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Fri Apr 6 14:00:05 2007 [***] [+++] Added rules: [+++] 2003537 - TROJAN Trojan.Duntek establishing remote connection (bleeding-virus.rules) [///] Modified active rules: [///] 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) 
(bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 145 -> Added to bleeding-drop.rules (1): # VERSION 145 -> Added to bleeding-sid-msg.map (1): 2003537 || TROJAN Trojan.Duntek establishing remote connection || url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99 -> Added to bleeding-virus.rules (1): # Submitted 4-6-07 Mark Warren [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 144 -> Removed from bleeding-drop.rules (1): # VERSION 144 From scheidell at secnap.net Sat Apr 7 12:03:18 2007 From: scheidell at secnap.net (Michael Scheidell) Date: Sat Apr 7 12:04:11 2007 Subject: [Bleeding-sigs] possible MS DNS exploit? Message-ID: <46178886.5080406@secnap.net> Possible sig to start capturing data? 
alert udp 61.63.0.0 any -> $HOME_NET 53: (msg: "possible MS DNS exploit"; \ reference:url,www.dshield.org/diary.html?storyid=2584; classtype:attempted-admin; \ threshold:type limit, track by_src, count 60, seconds 60; rev:1;) From: http://www.dshield.org/diary.html?storyid=2584 New MS DNS Vulnerability creeping up? Published: 2007-04-07, Last Updated: 2007-04-07 05:33:40 UTC by Tony Carothers (Version: 1) We are currently investigating a possible exploit with MS, Active Directory, and DNS. At this point the information looks solid, provided initially by Bill O. for review. Further information has been provided by Bill, who is working on contacting MS, as things have progressed. Looking at the description of the attack method, it looks solid based on my experience with MS. If anybody has any scans from the 61.63.xxx.xxx range, I would be very interested in seeing full captures. We will keep you posted as things progress. I will be sending on what we have discovered as well to MS tomorrow. It is 0130EST right now in the US, I will be passing the findings on to the other Handlers for review and input later this morning. _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _________________________________________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.bleedingthreats.net/pipermail/bleeding-sigs/attachments/20070407/668d0ed6/attachment.htm From jonkman at bleedingthreats.net Sat Apr 7 12:46:35 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Sat Apr 7 12:47:32 2007 Subject: [Bleeding-sigs] possible MS DNS exploit? In-Reply-To: <46178886.5080406@secnap.net> References: <46178886.5080406@secnap.net> Message-ID: <461792AB.8000607@bleedingthreats.net> Posted this: # ISC reports a possible active MS DNS exploit. Please report any hits. 
More info as we get it. alert udp 61.63.0.0/18 any -> $HOME_NET 53 (msg: "BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit - Please report any hits to bleeding@bleedingthreats.net"; reference:url,www.dshield.org/diary.html?storyid=2584; classtype:attempted-admin; sid:2003539; rev:1;) Thanks michael!! Matt Michael Scheidell wrote: > Possible sig to start capturing data? > > > alert udp 61.63.0.0 any -> $HOME_NET 53: (msg: "possible MS DNS exploit"; \ > reference:url,www.dshield.org/diary.html?storyid=2584; > classtype:attempted-admin; \ > threshold:type limit, track by_src, count 60, seconds 60; rev:1;) > > From: > > http://www.dshield.org/diary.html?storyid=2584 > > New MS DNS Vulnerability creeping up? > > Published: 2007-04-07, > Last Updated: 2007-04-07 05:33:40 UTC > by Tony Carothers (Version: 1) > We are currently investigating a possible exploit with MS, Active > Directory, and DNS. At this point the information looks solid, provided > initially by Bill O. for review. Further information has been provided > by Bill, who is working on contacting MS, as things have progressed. > Looking at the description of the attack method, it looks solid based on > my experience with MS. If anybody has any scans from the 61.63.xxx.xxx > range, I would be very interested in seeing full captures. > > We will keep you posted as things progress. I will be sending on what > we have discovered as well to MS tomorrow. It is 0130EST right now in > the US, I will be passing the findings on to the other Handlers for > review and input later this morning. > > > > > ------------------------------------------------------------------------ > This email has been scanned and certified safe by SpammerTrap^(TM). 
> For Information please see www.spammertrap.com > ------------------------------------------------------------------------ > > > ------------------------------------------------------------------------ > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From bleeding at bleedingthreats.net Sat Apr 7 18:00:09 2007 From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net) Date: Sat Apr 7 18:00:12 2007 Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes Message-ID: <20070407180009.7539022C08A@sb03.us.bleedingsnort.com> [***] Results from Oinkmaster started Sat Apr 7 14:00:08 2007 [***] [+++] Added rules: [+++] 2003538 - BLEEDING-EDGE TROJAN Klom.A Connecting to Controller (bleeding-virus.rules) 2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules) [///] Modified active rules: [///] 2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules) 2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401002 - BLEEDING-EDGE DROP Spamhaus 
DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules) 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules) 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules) 2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules) 2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules) 2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules) 2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules) 2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules) 2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules) 2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules) 2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) 2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules) [+++] Added non-rule lines: [+++] -> Added to bleeding-drop-BLOCK.rules (1): # VERSION 146 -> Added to bleeding-drop.rules (1): 
# VERSION 146 -> Added to bleeding-sid-msg.map (2): 2003538 || BLEEDING-EDGE TROJAN Klom.A Connecting to Controller || url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html 2003539 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit - Please report any hits to bleeding@bleedingthreats.net || url,www.dshield.org/diary.html?storyid=2584 -> Added to bleeding.rules (2): #by Michael Schidell # ISC reports a possible active MS DNS exploit. Please report any hits. More info as we get it. [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 145 -> Removed from bleeding-drop.rules (1): # VERSION 145 From scheidell at secnap.net Sat Apr 7 21:33:42 2007 From: scheidell at secnap.net (Michael Scheidell) Date: Sat Apr 7 21:34:31 2007 Subject: [Bleeding-sigs] possible MS DNS exploit? References: <46178886.5080406@secnap.net> <461792AB.8000607@bleedingthreats.net> Message-ID: More information attacking RPC ports, so it might be 53: (short for 53:65536) Or, information I have is its attacking ports 1024:2048, so to be safe: 53:2048. (or 53: '-) > -----Original Message----- > From: bleeding-sigs-bounces@bleedingthreats.net > [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf > Of Matt Jonkman > Sent: Saturday, April 07, 2007 8:47 AM > To: Bleeding Sigs > Subject: Re: [Bleeding-sigs] possible MS DNS exploit? > > Posted this: > > # ISC reports a possible active MS DNS exploit. Please report > any hits. > More info as we get it. > alert udp 61.63.0.0/18 any -> $HOME_NET 53 (msg: > "BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit > - Please report any hits to bleeding@bleedingthreats.net"; > reference:url,www.dshield.org/diary.html?storyid=2584; > classtype:attempted-admin; sid:2003539; rev:1;) > > Thanks michael!! > > Matt > > > Michael Scheidell wrote: > > Possible sig to start capturing data? 
> > > > > > alert udp 61.63.0.0 any -> $HOME_NET 53: (msg: "possible MS DNS > > exploit"; \ reference:url,www.dshield.org/diary.html?storyid=2584; > > classtype:attempted-admin; \ > > threshold:type limit, track by_src, count 60, seconds 60; rev:1;) > > > > From: > > > > http://www.dshield.org/diary.html?storyid=2584 > > > > New MS DNS Vulnerability creeping up? > > > > Published: 2007-04-07, > > Last Updated: 2007-04-07 05:33:40 UTC > > by Tony Carothers (Version: 1) > > We are currently investigating a possible exploit with MS, Active > > Directory, and DNS. At this point the information looks solid, > > provided initially by Bill O. for review. Further information has > > been provided by Bill, who is working on contacting MS, as > things have progressed. > > Looking at the description of the attack method, it looks > solid based > > on my experience with MS. If anybody has any scans from the > > 61.63.xxx.xxx range, I would be very interested in seeing > full captures. > > > > We will keep you posted as things progress. I will be > sending on what > > we have discovered as well to MS tomorrow. It is 0130EST > right now in > > the US, I will be passing the findings on to the other Handlers for > > review and input later this morning. > > > > > > > > > > > ---------------------------------------------------------------------- > > -- This email has been scanned and certified safe by > SpammerTrap^(TM). 
> > For Information please see www.spammertrap.com > > > > > ---------------------------------------------------------------------- > > -- > > > > > > > ---------------------------------------------------------------------- > > -- > > > > _______________________________________________ > > Bleeding-sigs mailing list > > Bleeding-sigs@bleedingthreats.net > > > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sig > > s > > -- > -------------------------------------------- > Matthew Jonkman > Bleeding Edge Threats > 765-429-0398 > 765-807-3060 fax > http://www.bleedingthreats.net > -------------------------------------------- > > PGP: http://www.bleedingthreats.com/mattjonkman.asc > > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/blee ding-sigs > > > _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _________________________________________________________________________ From jonkman at bleedingthreats.net Sat Apr 7 22:02:38 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Sat Apr 7 22:03:45 2007 Subject: [Bleeding-sigs] possible MS DNS exploit? In-Reply-To: References: <46178886.5080406@secnap.net> <461792AB.8000607@bleedingthreats.net> Message-ID: <461814FE.8070002@bleedingthreats.net> Updated, and split to 2 rules for udp and tcp. matt Michael Scheidell wrote: > More information attacking RPC ports, so it might be 53: (short for > 53:65536) > > Or, information I have is its attacking ports 1024:2048, so to be safe: > > 53:2048. 
(or 53: '-) > > > > > >> -----Original Message----- >> From: bleeding-sigs-bounces@bleedingthreats.net >> [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf >> Of Matt Jonkman >> Sent: Saturday, April 07, 2007 8:47 AM >> To: Bleeding Sigs >> Subject: Re: [Bleeding-sigs] possible MS DNS exploit? >> >> Posted this: >> >> # ISC reports a possible active MS DNS exploit. Please report >> any hits. >> More info as we get it. >> alert udp 61.63.0.0/18 any -> $HOME_NET 53 (msg: >> "BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit >> - Please report any hits to bleeding@bleedingthreats.net"; >> reference:url,www.dshield.org/diary.html?storyid=2584; >> classtype:attempted-admin; sid:2003539; rev:1;) >> >> Thanks michael!! >> >> Matt >> >> >> Michael Scheidell wrote: >>> Possible sig to start capturing data? >>> >>> >>> alert udp 61.63.0.0 any -> $HOME_NET 53: (msg: "possible MS DNS >>> exploit"; \ reference:url,www.dshield.org/diary.html?storyid=2584; >>> classtype:attempted-admin; \ >>> threshold:type limit, track by_src, count 60, seconds 60; rev:1;) >>> >>> From: >>> >>> http://www.dshield.org/diary.html?storyid=2584 >>> >>> New MS DNS Vulnerability creeping up? >>> >>> Published: 2007-04-07, >>> Last Updated: 2007-04-07 05:33:40 UTC >>> by Tony Carothers (Version: 1) >>> We are currently investigating a possible exploit with MS, Active >>> Directory, and DNS. At this point the information looks solid, >>> provided initially by Bill O. for review. Further information has >>> been provided by Bill, who is working on contacting MS, as >> things have progressed. >>> Looking at the description of the attack method, it looks >> solid based >>> on my experience with MS. If anybody has any scans from the >>> 61.63.xxx.xxx range, I would be very interested in seeing >> full captures. >>> We will keep you posted as things progress. I will be >> sending on what >>> we have discovered as well to MS tomorrow. 
It is 0130EST >> right now in >>> the US, I will be passing the findings on to the other Handlers for >>> review and input later this morning. >>> >>> >>> >>> >>> >> ---------------------------------------------------------------------- >>> -- This email has been scanned and certified safe by >> SpammerTrap^(TM). >>> For Information please see www.spammertrap.com >>> >>> >> ---------------------------------------------------------------------- >>> -- >>> >>> >>> >> ---------------------------------------------------------------------- >>> -- >>> >>> _______________________________________________ >>> Bleeding-sigs mailing list >>> Bleeding-sigs@bleedingthreats.net >>> >> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sig >>> s >> -- >> -------------------------------------------- >> Matthew Jonkman >> Bleeding Edge Threats >> 765-429-0398 >> 765-807-3060 fax >> http://www.bleedingthreats.net >> -------------------------------------------- >> >> PGP: http://www.bleedingthreats.com/mattjonkman.asc >> >> >> _______________________________________________ >> Bleeding-sigs mailing list >> Bleeding-sigs@bleedingthreats.net >> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/blee > ding-sigs >> >> > _________________________________________________________________________ > This email has been scanned and certified safe by SpammerTrap(tm). 
> For Information please see http://www.spammertrap.com > _________________________________________________________________________ > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs@bleedingthreats.net > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From jonkman at bleedingthreats.net Sat Apr 7 22:06:38 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Sat Apr 7 22:08:19 2007 Subject: [Bleeding-sigs] possible MS DNS exploit? In-Reply-To: <461814FE.8070002@bleedingthreats.net> References: <46178886.5080406@secnap.net> <461792AB.8000607@bleedingthreats.net> <461814FE.8070002@bleedingthreats.net> Message-ID: <461815EE.1080707@bleedingthreats.net> Info from ISC notes a dcom-like exploit. Hoping to get some more payload info soon.... Matt Matt Jonkman wrote: > Updated, and split to 2 rules for udp and tcp. > > matt > > Michael Scheidell wrote: >> More information attacking RPC ports, so it might be 53: (short for >> 53:65536) >> >> Or, information I have is its attacking ports 1024:2048, so to be safe: >> >> 53:2048. (or 53: '-) >> >> >> >> >> >>> -----Original Message----- >>> From: bleeding-sigs-bounces@bleedingthreats.net >>> [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf >>> Of Matt Jonkman >>> Sent: Saturday, April 07, 2007 8:47 AM >>> To: Bleeding Sigs >>> Subject: Re: [Bleeding-sigs] possible MS DNS exploit? >>> >>> Posted this: >>> >>> # ISC reports a possible active MS DNS exploit. Please report >>> any hits. >>> More info as we get it. 
>>> alert udp 61.63.0.0/18 any -> $HOME_NET 53 (msg: >>> "BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit >>> - Please report any hits to bleeding@bleedingthreats.net"; >>> reference:url,www.dshield.org/diary.html?storyid=2584; >>> classtype:attempted-admin; sid:2003539; rev:1;) >>> >>> Thanks michael!! >>> >>> Matt >>> >>> >>> Michael Scheidell wrote: >>>> Possible sig to start capturing data? >>>> >>>> >>>> alert udp 61.63.0.0 any -> $HOME_NET 53: (msg: "possible MS DNS >>>> exploit"; \ reference:url,www.dshield.org/diary.html?storyid=2584; >>>> classtype:attempted-admin; \ >>>> threshold:type limit, track by_src, count 60, seconds 60; rev:1;) >>>> >>>> From: >>>> >>>> http://www.dshield.org/diary.html?storyid=2584 >>>> >>>> New MS DNS Vulnerability creeping up? >>>> >>>> Published: 2007-04-07, >>>> Last Updated: 2007-04-07 05:33:40 UTC >>>> by Tony Carothers (Version: 1) >>>> We are currently investigating a possible exploit with MS, Active >>>> Directory, and DNS. At this point the information looks solid, >>>> provided initially by Bill O. for review. Further information has >>>> been provided by Bill, who is working on contacting MS, as >>> things have progressed. >>>> Looking at the description of the attack method, it looks >>> solid based >>>> on my experience with MS. If anybody has any scans from the >>>> 61.63.xxx.xxx range, I would be very interested in seeing >>> full captures. >>>> We will keep you posted as things progress. I will be >>> sending on what >>>> we have discovered as well to MS tomorrow. It is 0130EST >>> right now in >>>> the US, I will be passing the findings on to the other Handlers for >>>> review and input later this morning. >>>> >>>> >>>> >>>> >>>> >>> ---------------------------------------------------------------------- >>>> -- This email has been scanned and certified safe by >>> SpammerTrap^(TM). 
>>>> For Information please see www.spammertrap.com >>>> >>>> >>> ---------------------------------------------------------------------- >>>> -- >>>> >>>> >>>> >>> ---------------------------------------------------------------------- >>>> -- >>>> >>>> _______________________________________________ >>>> Bleeding-sigs mailing list >>>> Bleeding-sigs@bleedingthreats.net >>>> >>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sig >>>> s >>> -- >>> -------------------------------------------- >>> Matthew Jonkman >>> Bleeding Edge Threats >>> 765-429-0398 >>> 765-807-3060 fax >>> http://www.bleedingthreats.net >>> -------------------------------------------- >>> >>> PGP: http://www.bleedingthreats.com/mattjonkman.asc >>> >>> >>> _______________________________________________ >>> Bleeding-sigs mailing list >>> Bleeding-sigs@bleedingthreats.net >>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/blee >> ding-sigs >>> >> _________________________________________________________________________ >> This email has been scanned and certified safe by SpammerTrap(tm). 
>> For Information please see http://www.spammertrap.com
>> _________________________________________________________________________
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs@bleedingthreats.net
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Sun Apr 8 18:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Sun Apr 8 18:00:10 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070408180005.EFDAF22C08B@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Sun Apr 8 14:00:05 2007 [***]

[+++] Added rules: [+++]

    2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)

[///] Modified active rules: [///]

    2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-sid-msg.map (2):
       2003539 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding@bleedingthreats.net || url,www.dshield.org/diary.html?storyid=2584
       2003540 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding@bleedingthreats.net || url,www.dshield.org/diary.html?storyid=2584

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-sid-msg.map (1):
       2003539 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit - Please report any hits to bleeding@bleedingthreats.net || url,www.dshield.org/diary.html?storyid=2584

From bleeding at bleedingthreats.net Mon Apr 9 18:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Mon Apr 9 18:00:13 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070409180005.2B1BC22C088@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Mon Apr 9 14:00:05 2007 [***]

[+++] Added rules: [+++]

    2003541 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating (bleeding-malware.rules)
    2003542 - BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting (bleeding-malware.rules)

[///] Modified active rules: [///]

    2002954 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download (bleeding-malware.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 148
    -> Added to bleeding-drop.rules (1):
       # VERSION 148
    -> Added to bleeding-sid-msg.map (3):
       2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com
       2003541 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com
       2003542 || BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
       # VERSION 146
    -> Removed from bleeding-drop.rules (1):
       # VERSION 146
    -> Removed from bleeding-sid-msg.map (1):
       2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download || url,www.bravesentry.com

From bleeding at bleedingthreats.net Tue Apr 10 20:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Tue Apr 10 20:00:12 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070410200006.975E222C0B0@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Tue Apr 10 16:00:06 2007 [***]

[+++] Added rules: [+++]

    2003155 - BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling (bleeding-policy.rules)
    2003514 - BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding-exploit.rules)

[///] Modified active rules: [///]

    2002388 - BLEEDING-EDGE WEB vBulletin misc.php Template Name Arbitrary Code Execution (bleeding-web.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]

    2003191 - BLEEDING-EDGE CURRENT EVENTS Acer LunchApp.Aplunch ActiveX control access (bleeding.rules)
    2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)
    2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)

[---] Removed rules: [---]

    2002930 - BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit (bleeding-virus.rules)
    2003155 - BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling (bleeding.rules)
    2003177 - BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) (bleeding.rules)
    2003178 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access (bleeding.rules)
    2003181 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access (bleeding.rules)
    2003213 - BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function (bleeding.rules)
    2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS (bleeding.rules)
    2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In (bleeding.rules)
    2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser (bleeding.rules)
    2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt (bleeding.rules)
    2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet (bleeding.rules)
    2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet (bleeding.rules)
    2003514 - BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 149
    -> Added to bleeding-drop.rules (1):
       # VERSION 149
    -> Added to bleeding-exploit.rules (1):
       # steven@securityzone
    -> Added to bleeding-policy.rules (2):
       #by Jeff Kell
       # Microsoft teredo tunnel
    -> Added to bleeding-sid-msg.map (2):
       2003155 || BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling
       2003514 || BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577
    -> Added to bleeding.rules (2):
       # Threat has mostly passed. Leaving in but commented out for now.
       ### Commenting out for now. More information hasn't surfaced yet. Will update when we can

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
       # VERSION 148
    -> Removed from bleeding-drop.rules (1):
       # VERSION 148
    -> Removed from bleeding-sid-msg.map (13):
       2002930 || BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit
       2003155 || BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling
       2003177 || BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) || url,www.microsoft.com/technet/security/bulletin/ms06-068.mspx
       2003178 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access || cve,2006-5198
       2003181 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access || cve,2006-5198
       2003213 || BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function || url,osvdb/30814 || cve,2006-5581
       2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || url,www.milw0rm.com/exploits/3111 || url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
       2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
       2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/ || url,isc.sans.org/diary.html?n&storyid=2277 || url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/
       2003430 || BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/
       2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet || url,doc.bleedingthreats.net/2003460
       2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet || url,doc.bleedingthreats.net/2003460
       2003514 || BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577
    -> Removed from bleeding-virus.rules (2):
       #by Jamie Riden
       #disabling, redundant
    -> Removed from bleeding.rules (18):
       #This is being sent to many victims under the pretense of being a securityt audit script for colocated customers
       #These should catch it in it's current form. More information coming soon
       #Analysis by Jose Nazario
       # These are coming in zips asking you to run on the server. This will hit on the html coming FROM the infected server to a client browser, NOT the zip in transit
       #The email drop is dead, but phishes are still going out with this address. If you see it, someone ran the script... follow up!
       #by Shirkdog
       # steven@securityzone
       #by Christian Siefert
       # There are many legit uses for this, so we're disabling by default. Use where appropriate
       #by Blake Hartstein of Demarc
       #by shirkdog
       #by Jeff Kell
       # Microsoft teredo tunnel
       #So far unidentified bot and c&c channel. Working on it. These are crude sigs,
       # please let me know if you get hits. Need more information on this one.
       #Matt Jonkman
       #Matt Jonkman. As yet unnamed downloader in a few high profile spots
       #by Mr Magic Pants

From bleeding at bleedingthreats.net Thu Apr 12 05:00:07 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Apr 12 05:00:12 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070412050007.BB38C22C0A7@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Thu Apr 12 01:00:07 2007 [***]

[+++] Added rules: [+++]

    2003543 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware Install (bleeding-malware.rules)
    2003544 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster) (bleeding-malware.rules)
    2003545 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master) (bleeding-malware.rules)
    2003546 - BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others (bleeding-malware.rules)
    2003547 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install (bleeding-malware.rules)
    2003548 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (bleeding-malware.rules)

[///] Modified active rules: [///]

    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 151
    -> Added to bleeding-drop.rules (1):
       # VERSION 151
    -> Added to bleeding-malware.rules (3):
       #By Matt Jonkman from spyware listening post data
       #Matt Jonkman, from spyware lp data and Castlecops
       #By Matt Jonkman from spyware listening post data
    -> Added to bleeding-sid-msg.map (6):
       2003543 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware Install
       2003544 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)
       2003545 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)
       2003546 || BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others
       2003547 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install
       2003548 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
       # VERSION 149
    -> Removed from bleeding-drop.rules (1):
       # VERSION 149

From jonkman at bleedingthreats.net Thu Apr 12 15:43:54 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Thu Apr 12 15:45:27 2007
Subject: [Bleeding-sigs] Bandook Trojan Sigs Posted
Message-ID: <461E53BA.2040205@bleedingthreats.net>

Ran into an interesting use of Bandook, so put the time into some sigs for the last two versions of it, 1.2 and 1.35.

They're available here:
http://doc.bleedingthreats.net/bin/view/Main/WebSearch?search=bandook

And an overview page for the set:
http://doc.bleedingthreats.net/bin/view/Main/TrojanBandook

As always, please let me know about any false positives.
Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Fri Apr 13 05:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Apr 13 05:00:09 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070413050006.714F822C0B8@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Apr 13 01:00:06 2007 [***]

[+++] Added rules: [+++]

    2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report (bleeding-virus.rules)
    2003550 - BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes (bleeding-virus.rules)
    2003551 - BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command (bleeding-virus.rules)
    2003552 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active (bleeding-virus.rules)
    2003553 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off (bleeding-virus.rules)
    2003554 - BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply (bleeding-virus.rules)
    2003555 - BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report (bleeding-virus.rules)
    2003556 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send (bleeding-virus.rules)
    2003557 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply (bleeding-virus.rules)
    2003558 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send (bleeding-virus.rules)
    2003559 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send (bleeding-virus.rules)
    2003560 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send (bleeding-virus.rules)
    2003561 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply (bleeding-virus.rules)
    2003562 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send (bleeding-virus.rules)
    2003563 - BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send (bleeding-virus.rules)
    2003564 - BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply (bleeding-virus.rules)
    2003565 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply (bleeding-virus.rules)
    2003566 - BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) (bleeding-malware.rules)
    2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) (bleeding-malware.rules)
    2003568 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating (bleeding-malware.rules)
    2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) (bleeding-malware.rules)
    2003570 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) (bleeding-malware.rules)

[///] Modified active rules: [///]

    2001537 - BLEEDING-EDGE Malware Spyspotter.com Access (bleeding-malware.rules)
    2001663 - BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host) (bleeding-malware.rules)
    2002160 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat) (bleeding-malware.rules)

[---] Removed rules: [---]

    2002198 - BLEEDING-EDGE MALWARE Bidclix.com Spyware (bleeding-malware.rules)
    2002204 - BLEEDING-EDGE MALWARE Websponsors.com Spyware (bleeding-malware.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-malware.rules (2):
       #matt Jonkman from Spyware LP Data
       #from spyware LP Data
    -> Added to bleeding-sid-msg.map (22):
       2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com
       2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || url,doc.bleedingthreats.net/2003566
       2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.bleedingthreats.net/2003567
       2003568 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating || url,www.evidencenuker.com
       2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567
       2003570 || BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) || url,www.applicationsignatures.com/backend/index.php
    -> Added to bleeding-virus.rules (2):
       #Bandook 1.2
       #Bandook 1.35

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-malware.rules (2):
       #Matt Jonkman from Spyware listening post data
       #disabling for now, seems only to be hitting on ad pulls, not a spyware infection
    -> Removed from bleeding-sid-msg.map (2):
       2002198 || BLEEDING-EDGE MALWARE Bidclix.com Spyware
       2002204 || BLEEDING-EDGE MALWARE Websponsors.com Spyware

From bleeding at bleedingthreats.net Fri Apr 13 06:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Apr 13 06:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Weekly Signature Changes
Message-ID: <20070413060005.E512822C0BA@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Apr 13 02:00:05 2007 [***]

[+++] Added rules: [+++]

    2003155 - BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling (bleeding-policy.rules)
    2003514 - BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding-exploit.rules)
    2003537 - TROJAN Trojan.Duntek establishing remote connection (bleeding-virus.rules)
    2003538 - BLEEDING-EDGE TROJAN Klom.A Connecting to Controller (bleeding-virus.rules)
    2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)
    2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)
    2003541 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating (bleeding-malware.rules)
    2003542 - BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting (bleeding-malware.rules)
    2003543 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware Install (bleeding-malware.rules)
    2003544 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster) (bleeding-malware.rules)
    2003545 - BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master) (bleeding-malware.rules)
    2003546 - BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others (bleeding-malware.rules)
    2003547 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install (bleeding-malware.rules)
    2003548 - BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (bleeding-malware.rules)
    2003549 - BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report (bleeding-virus.rules)
    2003550 - BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes (bleeding-virus.rules)
    2003551 - BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command (bleeding-virus.rules)
    2003552 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active (bleeding-virus.rules)
    2003553 - BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off (bleeding-virus.rules)
    2003554 - BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply (bleeding-virus.rules)
    2003555 - BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report (bleeding-virus.rules)
    2003556 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send (bleeding-virus.rules)
    2003557 - BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply (bleeding-virus.rules)
    2003558 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send (bleeding-virus.rules)
    2003559 - BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send (bleeding-virus.rules)
    2003560 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send (bleeding-virus.rules)
    2003561 - BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply (bleeding-virus.rules)
    2003562 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send (bleeding-virus.rules)
    2003563 - BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send (bleeding-virus.rules)
    2003564 - BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply (bleeding-virus.rules)
    2003565 - BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply (bleeding-virus.rules)
    2003566 - BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) (bleeding-malware.rules)
    2003567 - BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) (bleeding-malware.rules)
    2003568 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating (bleeding-malware.rules)
    2003569 - BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) (bleeding-malware.rules)
    2003570 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) (bleeding-malware.rules)

[///] Modified active rules: [///]

    2001537 - BLEEDING-EDGE Malware Spyspotter.com Access (bleeding-malware.rules)
    2001663 - BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host) (bleeding-malware.rules)
    2002160 - BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat) (bleeding-malware.rules)
    2002388 - BLEEDING-EDGE WEB vBulletin misc.php Template Name Arbitrary Code Execution (bleeding-web.rules)
    2002954 - BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download (bleeding-malware.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]

    2003191 - BLEEDING-EDGE CURRENT EVENTS Acer LunchApp.Aplunch ActiveX control access (bleeding.rules)

[---] Removed rules: [---]

    2002198 - BLEEDING-EDGE MALWARE Bidclix.com Spyware (bleeding-malware.rules)
    2002204 - BLEEDING-EDGE MALWARE Websponsors.com Spyware (bleeding-malware.rules)
    2002930 - BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit (bleeding-virus.rules)
    2003155 - BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling (bleeding.rules)
    2003177 - BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) (bleeding.rules)
    2003178 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access (bleeding.rules)
    2003181 - BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access (bleeding.rules)
    2003213 - BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function (bleeding.rules)
    2003252 - BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS (bleeding.rules)
    2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In (bleeding.rules)
    2003413 - BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser (bleeding.rules)
    2003430 - BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt (bleeding.rules)
    2003460 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet (bleeding.rules)
    2003461 - BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet (bleeding.rules)
    2003514 - BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 (bleeding.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
       # VERSION 151
    -> Added to bleeding-drop.rules (1):
       # VERSION 151
    -> Added to bleeding-exploit.rules (1):
       # steven@securityzone
    -> Added to bleeding-malware.rules (5):
       #matt Jonkman from Spyware LP Data
       #By Matt Jonkman from spyware listening post data
       #Matt Jonkman, from spyware lp data and Castlecops
       #from spyware LP Data
       #By Matt Jonkman from 
spyware listening post data -> Added to bleeding-policy.rules (2): #by Jeff Kell # Microsoft teredo tunnel -> Added to bleeding-sid-msg.map (37): 2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com 2003155 || BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling 2003514 || BLEEDING-EDGE EXPLOIT Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 2003537 || TROJAN Trojan.Duntek establishing remote connection || url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99 2003538 || BLEEDING-EDGE TROJAN Klom.A Connecting to Controller || url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html 2003539 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding@bleedingthreats.net || url,www.dshield.org/diary.html?storyid=2584 2003540 || BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding@bleedingthreats.net || url,www.dshield.org/diary.html?storyid=2584 2003541 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Updating || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com 2003542 || BLEEDING-EDGE MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,www.bravesentry.com 2003543 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware Install 2003544 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster) 2003545 || BLEEDING-EDGE MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master) 2003546 || BLEEDING-EDGE MALWARE Suspicious User-Agent (downloader) - Used by 
Winfixmaster.com Fake Anti-Spyware and Others 2003547 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Install 2003548 || BLEEDING-EDGE MALWARE Privacyprotector.com Fake Anti-Spyware Checkin 2003549 || BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003550 || BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003551 || BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003552 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003553 || BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003554 || BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003555 || BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003556 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003557 || BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003558 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003559 || BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003560 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003561 || BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003562 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003563 || BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003564 || BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply || 
url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003565 || BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply || url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,www.nuclearwintercrew.com 2003566 || BLEEDING-EDGE MALWARE Suspicious User-Agent (DIALER) || url,doc.bleedingthreats.net/2003566 2003567 || BLEEDING-EDGE MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.bleedingthreats.net/2003567 2003568 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV Updating || url,www.evidencenuker.com 2003569 || BLEEDING-EDGE MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.bleedingthreats.net/2003567 2003570 || BLEEDING-EDGE MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) || url,www.applicationsignatures.com/backend/index.php -> Added to bleeding-virus.rules (3): #Bandook 1.2 #Bandook 1.35 # Submitted 4-6-07 Mark Warren -> Added to bleeding.rules (4): # Threat has mostly passed. Leaving in but commented out for now. #by Michael Schidell # ISC reports a possible active MS DNS exploit. Please report any hits. More info as we get it. ### Commenting out for now. More information hasn't surfaced yet. 
Will update when we can [---] Removed non-rule lines: [---] -> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 144 -> Removed from bleeding-drop.rules (1): # VERSION 144 -> Removed from bleeding-malware.rules (2): #Matt Jonkman from Spyware listening post data #disabling for now, seems only to be hitting on ad pulls, not a spyware infection -> Removed from bleeding-sid-msg.map (16): 2002198 || BLEEDING-EDGE MALWARE Bidclix.com Spyware 2002204 || BLEEDING-EDGE MALWARE Websponsors.com Spyware 2002930 || BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit 2002954 || BLEEDING-EDGE MALWARE Bravesentry.com Fake Antispyware Download || url,www.bravesentry.com 2003155 || BLEEDING-EDGE CURRENT Microsoft TEREDO IPv6 tunneling 2003177 || BLEEDING-EDGE CURRENT EVENTS Microsoft acf File Access (Microsoft Agent Memory Corruption) || url,www.microsoft.com/technet/security/bulletin/ms06-068.mspx 2003178 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FileView ActiveX Control Access || cve,2006-5198 2003181 || BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer WinZip FolderView ActiveX Control Access || cve,2006-5198 2003213 || BLEEDING-EDGE EXPLOIT Potential Microsoft IE DHTML Script Function Memory Corruption - There are many legitimate uses of the normalize function || url,osvdb/30814 || cve,2006-5581 2003252 || BLEEDING-EDGE CURRENT WMF POC CreateBrushIndirect DoS || url,www.milw0rm.com/exploits/3111 || url,determina.blogspot.com/2007/01/whats-wrong-with-wmf.html 2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733 2003413 || BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/ || url,isc.sans.org/diary.html?n&storyid=2277 || url,asert.arbornetworks.com/2007/02/phpwebguard-and-aspwebguard-attacks/ 2003430 || 
BLEEDING-EDGE CURRENT EVENTS Guard Targeted Phish Email Drop Attempt || url,isc.sans.org/diary.html?n&storyid=2277 || url,www.bleedingthreats.net/index.php/2007/02/13/guardzip-phish-very-targeted-sig-available/ 2003460 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Outbound C&C Packet || url,doc.bleedingthreats.net/2003460 2003461 || BLEEDING-EDGE CURRENT EVENTS Unknown Bot Inbound C&C Packet || url,doc.bleedingthreats.net/2003460 2003514 || BLEEDING-EDGE CURRENT EVENTS Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,www.milw0rm.com/exploits/3577 -> Removed from bleeding-virus.rules (2): #by Jamie Riden #disabling, redundant -> Removed from bleeding.rules (18): #This is being sent to many victims under the pretense of being a securityt audit script for colocated customers #These should catch it in it's current form. More information coming soon #Analysis by Jose Nazario # These are coming in zips asking you to run on the server. This will hit on the html coming FROM the infected server to a client browser, NOT the zip in transit #The email drop is dead, but phishes are still going out with this address. If you see it, someone ran the script... follow up! #by Shirkdog # steven@securityzone #by Christian Siefert # There are many legit uses for this, so we're disabling by default. Use where appropriate #by Blake Hartstein of Demarc #by shirkdog #by Jeff Kell # Microsoft teredo tunnel #So far unidentified bot and c&c channel. Working on it. These are crude sigs, # please let me know if you get hits. Need more information on this one. #Matt Jonkman #Matt Jonkman. 
As yet unnamed downloader in a few high profile spots #by Mr Magic Pants From jonkman at bleedingthreats.net Fri Apr 13 14:34:58 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Fri Apr 13 14:35:39 2007 Subject: [Bleeding-sigs] DNS Exploit Information Message-ID: <461F9512.7050409@bleedingthreats.net> ISC has posted new information regarding the MS DNS compromises we saw last week. http://isc.sans.org/diary.html?storyid=2627 There is a BO in the MS DNS RPC service. http://www.microsoft.com/technet/security/advisory/935964.mspx MS is developing a patch. Workarounds are to disable remote management over RPC or block inbound ports 1024 to 5000. I know I don't have to say it to the bleeding edge community, but I will anyway in case this email gets forwarded on: :) Don't ever leave a windows box exposed to the internet! You'll regret it. Maybe not today, maybe not tomorrow, but soon, and for the rest of your life. [1] I've dropped sigs 2003539 and 2003240. They're no longer necessary. Many thanks to everyone that reported hits, it was very helpful. We do not have enough information yet to write a signature for the vulnerability. Once we do we'll post as soon as possible. If anyone happens to talk to MS, or gets hints of information via other sources, please let us know! Matt [1] en.wikipedia.org/wiki/Casablanca_(film) -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc From jonkman at bleedingthreats.net Fri Apr 13 15:54:20 2007 From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Fri Apr 13 15:54:52 2007 Subject: [Bleeding-sigs] Storm Worm rules Message-ID: <461FA7AC.3060000@bleedingthreats.net> In light of the number of storm worm emails out there, it's been suggested we put some sigs up for them. 
The attachments are predictable, so they're pretty reliable sigs:

# Note on the content match: |2d| is '-'. With the '.' (|2e|) that was originally posted, the content prefix filename="patch. could never occur in the same packet as the patch-NNNN.zip filename the pcre requires, so the rules would not fire on the attachments they describe.
alert tcp any any -> $HOME_NET 25 (msg:"BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (patch-)"; flow:established,to_server; content:"filename=|22|patch|2d|"; nocase; pcre:"/patch-\d{4,5}\x2ezip/i"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2612; sid:2003571; rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:"BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (bugfix-)"; flow:established,to_server; content:"filename=|22|bugfix|2d|"; nocase; pcre:"/bugfix-\d{4,5}\x2ezip/i"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2612; sid:2003572; rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:"BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (hotfix-)"; flow:established,to_server; content:"filename=|22|hotfix|2d|"; nocase; pcre:"/hotfix-\d{4,5}\x2ezip/i"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2612; sid:2003573; rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:"BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (removal-)"; flow:established,to_server; content:"filename=|22|removal|2d|"; nocase; pcre:"/removal-\d{4,5}\x2ezip/i"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2612; sid:2003574; rev:1;)

Please let me know how they fare. We'll remove them in a week or so, once the volume drops.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Fri Apr 13 19:44:23 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Apr 13 19:44:56 2007
Subject: [Bleeding-sigs] Temporary MS DNS Rule
Message-ID: <461FDD97.4010809@bleedingthreats.net>

This is a temporary sig till we have more information.
I'd recommend running it only on your Internet facing sensors. Discussion is very useful at the first reference link.

### EXPERIMENTAL ###
# The 16 bytes are the little-endian wire encoding of the MS DNS Server RPC interface UUID 50abc2a4-574d-40b3-9d66-ee4fd5fba076 (what a DCE-RPC bind to the DNS service carries). Binary bytes in a Snort content match must sit inside |...| hex delimiters; without them the rule looks for the literal text "a4 c2 ab ..." and never fires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:1;)

Please report any falses asap.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From bleeding at bleedingthreats.net Fri Apr 13 20:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Apr 13 20:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070413200006.563A322C0DF@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Apr 13 16:00:06 2007 [***]

[+++] Added rules: [+++]

2003571 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (patch-) (bleeding.rules)
2003572 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (bugfix-) (bleeding.rules)
2003573 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (hotfix-) (bleeding.rules)
2003574 - BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (removal-) (bleeding.rules)
2003575 - BLEEDING-EDGE MALWARE Gator/Clarian Spyware Posting Data (bleeding-malware.rules)
2003576 - BLEEDING-EDGE MALWARE Security-updater.com Spyware Posting Data (bleeding-malware.rules)
2003577 - BLEEDING-EDGE MALWARE Mirarsearch.com Spyware Posting Data (bleeding-malware.rules)
2003578 - BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Pulling Data (bleeding-malware.rules)
2003579 - BLEEDING-EDGE MALWARE Findwhat.com Spyware (clickthrough) (bleeding-malware.rules)
2003580 - BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendtracker) (bleeding-malware.rules)
2003581 - BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendmedia) (bleeding-malware.rules)
2003582 - BLEEDING-EDGE MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped) (bleeding-malware.rules)
2003583 - BLEEDING-EDGE MALWARE Suspicious User-Agent (update) (bleeding-malware.rules)
2003584 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) (bleeding-malware.rules)
2003585 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Windows Updates Manager) (bleeding-malware.rules)
2003586 - BLEEDING-EDGE MALWARE Suspicious User-Agent (WinXP Pro Service Pack 2) (bleeding-malware.rules)
2003587 - BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack (bleeding.rules)

[///] Modified active rules: [///]

2003306 - BLEEDING-EDGE MALWARE 180solutions Spyware (tracked event 2 reporting) (bleeding-malware.rules)
2003463 - BLEEDING-EDGE MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware (bleeding-malware.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]

2003447 - BLEEDING-EDGE MALWARE Humanclick.com Client Checkin (bleeding-malware.rules)
2003448 - BLEEDING-EDGE MALWARE Humanclick.com Client Update (bleeding-malware.rules)

[---] Removed rules: [---]

2003361 - BLEEDING-EDGE Malware My Search Spyware Config Download 2 (bleeding-malware.rules)
2003393 - BLEEDING-EDGE Malware My Search Spyware Config Download 3 (bleeding-malware.rules)
2003539 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit udp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)
2003540 - BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit tcp - Please report any hits to bleeding@bleedingthreats.net (bleeding.rules)

[+++] Added non-rule lines: [+++]

-> Added to bleeding-drop-BLOCK.rules (1):
# VERSION 152
-> Added to bleeding-drop.rules (1):
# VERSION 152
-> Added to bleeding-malware.rules (4):
#Matt Jonkman, from spyware LP Data
# Commenting these out. They're generating to many false positives, and may just be ads.
#by Matt Jonkman, from spyware LP Data
#by Matt Jonkman, from spyware LP Data
-> Added to bleeding-sid-msg.map (17):
2003571 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (patch-) || url,isc.sans.org/diary.html?storyid=2612
2003572 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (bugfix-) || url,isc.sans.org/diary.html?storyid=2612
2003573 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (hotfix-) || url,isc.sans.org/diary.html?storyid=2612
2003574 || BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (removal-) || url,isc.sans.org/diary.html?storyid=2612
2003575 || BLEEDING-EDGE MALWARE Gator/Clarian Spyware Posting Data || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999
2003576 || BLEEDING-EDGE MALWARE Security-updater.com Spyware Posting Data
2003577 || BLEEDING-EDGE MALWARE Mirarsearch.com Spyware Posting Data
2003578 || BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Pulling Data || url,www.pctools.com/mrc/infections/id/BaiDu/
2003579 || BLEEDING-EDGE MALWARE Findwhat.com Spyware (clickthrough)
2003580 || BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendtracker)
2003581 || BLEEDING-EDGE MALWARE Findwhat.com Spyware (sendmedia)
2003582 || BLEEDING-EDGE MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped)
2003583 || BLEEDING-EDGE MALWARE Suspicious User-Agent (update) || url,doc.bleedingthreats.net/2003583
2003584 || BLEEDING-EDGE MALWARE Suspicious User-Agent (Updater) || url,doc.bleedingthreats.net/2003584
2003585 || BLEEDING-EDGE MALW