From bleeding at bleedingthreats.net Thu Feb 1 20:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Thu Feb 1 20:00:08 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070201200005.59B7C22C09C@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Thu Feb 1 20:00:05 2007 [***]

[+++] Added rules: [+++]
2003362 - BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7) (bleeding-malware.rules)
2003363 - BLEEDING-EDGE MALWARE Spamblockerutility.com-Hotbar User Agent (sbu-hb-) (bleeding-malware.rules)
2003364 - BLEEDING-EDGE Malware Hotbar Agent Adopt/Zango (bleeding-malware.rules)
2003365 - BLEEDING-EDGE MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar ) (bleeding-malware.rules)
2003366 - BLEEDING-EDGE MALWARE qsrch.com/Casalemedia Spyware Reporting URL Visited3 (bleeding-malware.rules)
2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[///] Modified active rules: [///]
2001400 - BLEEDING-EDGE MALWARE 180solutions Spyware Reporting (bleeding-malware.rules)
2003305 - BLEEDING-EDGE MALWARE Zango-Hotbar User Agent (zbu-hb-) (bleeding-malware.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Removed rules: [---]
2003338 - BLEEDING-EDGE MALWARE Paretologic Xoftspy Fake Antispyware Update (bleeding-malware.rules)
2003339 - BLEEDING-EDGE MALWARE Paretologic Xoftspy Fake Antispyware Update 2 (bleeding-malware.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)

[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (1): # VERSION 73
-> Added to bleeding-drop.rules (1): # VERSION 73
-> Added to bleeding-malware.rules (1): #Matt Jonkman from spyware lp data
-> Added to bleeding-sid-msg.map (8):
2003305 || BLEEDING-EDGE MALWARE Zango-Hotbar User Agent (zbu-hb-)
2003362 || BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7)
2003363 || BLEEDING-EDGE MALWARE Spamblockerutility.com-Hotbar User Agent (sbu-hb-)
2003364 || BLEEDING-EDGE Malware Hotbar Agent Adopt/Zango || url,www.hotbar.com
2003365 || BLEEDING-EDGE MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )
2003366 || BLEEDING-EDGE MALWARE qsrch.com/Casalemedia Spyware Reporting URL Visited3
2404007 || BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) || url,www.shadowserver.org
2405007 || BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org

[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 72
-> Removed from bleeding-drop.rules (1): # VERSION 72
-> Removed from bleeding-sid-msg.map (9):
2003305 || BLEEDING-EDGE MALWARE Zango-Hotbar User Agent (sbu-hb-)
2003338 || BLEEDING-EDGE MALWARE Paretologic Xoftspy Fake Antispyware Update
2003339 || BLEEDING-EDGE MALWARE Paretologic Xoftspy Fake Antispyware Update 2
2400001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2400002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2400003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2401001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
2401002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
2401003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso


From: bhartstein at demarc.com (Blake Hartstein)
Date: Thu Feb 1 22:05:09 2007
Subject: [Bleeding-sigs] Rule Modify: sid 2001365
Message-ID: <20070201220431.A948510459@corp.demarc.com>

From CVE-1999-0278: "In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL."

This rule has 2 occurrences of the $$, uricontent:"|3a 3a 24|$DATA";

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt"; flow: to_server,established; uricontent:"|3A 3A 24|$DATA"; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; classtype: web-application-activity; sid: 2001365; rev:5; )

-Blake

-- 
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Demarc Security, Inc. does not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.

From: bhartstein at demarc.com (Blake Hartstein)
Date: Thu Feb 1 22:10:33 2007
Subject: [Bleeding-sigs] Rule Submit: CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption
Message-ID: <20070201214037.CC19110455@corp.demarc.com>

Hi,

I wrote this rule based on an advisory from NGS Software:

"All packets to the Mobile Backup Service process (LGSERVER.EXE) on TCP port 2200 appear to begin with the sequence "\x4e\x3d\x2c\x1b". Sending a packet that contains \x4e\x3d\x2c\x1b followed by a string of 65535 characters causes the process to terminate. The string overwrites the heap in memory; it is possible to further leverage the vulnerability so as to execute arbitrary code as SYSTEM."

I chose to use 2891 bytes because with "flush_behavior large_window", it seems to be limited to this value. Since the actual lower limit is unknown, if anyone has this software installed please test the limits and relay that information. If you experience any problems with this rule, due to varying stream reassembly options, please let me know.

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"BLEEDING-EDGE EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; classtype:attempted-admin; sid:2003???; rev:1; )

-Blake

From: bhartstein at demarc.com (Blake Hartstein)
Date: Thu Feb 1 22:51:52 2007
Subject: [Bleeding-sigs] Rule Submit: (From Shirkdog) Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS
Message-ID: <20070201225110.64D3710456@corp.demarc.com>

Another sig from Shirkdog, and an exploit too: www.milw0rm.com/exploits/3248.

Catirpc.exe - Provides the endpoint mapper and enables RPC services for BrightStor Backup products.

(7c.350): Access violation - code c0000005 (!!! second chance !!!)
eax=007ef924 ebx=2e009560 ecx=00325ad8 edx=007ef900 esi=00000000 edi=00324308
eip=2e00eda8 esp=007ef8b8 ebp=2e00be00 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206
*** WARNING: Unable to verify checksum for C:\Program Files\CA\BrightStor ARCserve Backup\CATIRPC.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\CA\BrightStor ARCserve Backup\CATIRPC.dll -
CATIRPC_2e000000!get_hostbyname+478:
2e00eda8 668b4602 mov ax,[esi+0x2] ds:0023:00000002=????

CATIRPC.dll does not properly handle TADDR2UADDR procedures used in RPC communications with the CA RPC Server (Catirpc.exe). This leads to a condition where a null memory pointer is dereferenced. This appears to be only a DoS, but please prove me otherwise. This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2).

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3248; sid:2003370; rev:1; )

Thanks Shirkdog!

-Blake


From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Feb 2 14:06:38 2007
Subject: [Bleeding-sigs] Update Summaries
Message-ID: <45C3453F.5050805@bleedingthreats.net>

Had a few folks ask for a weekly update email of signature changes. We discussed this a while ago but I think I forgot to follow through.

I'll get the weekly setup. How about sometime Friday morning US Eastern time? That should let most folks around the world get it before the end of the day Friday. Good?

Also a reminder: if you're looking for immediate update emails, join bleeding-updates. Emails go out on commit.
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

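The three Snort rules Blake Hartstein posted above (sid 2001365, the LGSERVER.EXE rule that the Feb 2 change report lists as sid 2003369, and the Catirpc.dll rule sid 2003370) all hinge on byte-exact content matching, and the 2001365 report is about one extra byte: `|3A 3A 24|$DATA` decodes to `::$$DATA`, not `::$DATA`. The following Python is an added example, not code from the list, from Bleeding Edge Threats or from Snort. It decodes the `|hex|` content syntax and evaluates those three rules' content, offset/depth, distance/within and isdataat:N,relative options against constructed payloads. The corrected 2001365 content, the sample URI, the filler body, the RPC field names in rpc_call() and the reading of isdataat as "at least N bytes remain after the match" are my assumptions.

```python
"""Mini evaluator for the Snort content options used by the three rules above.

Added example, not code from Bleeding Edge Threats or from Snort. It decodes
the |hex| notation in content strings and applies content/uricontent with
offset, depth, distance, within, negation and isdataat:N,relative, so sids
2001365, 2003369 and 2003370 can be exercised against constructed payloads.
Assumptions: no escaped '|' inside content strings; uricontent is applied
to the already-normalised URI; isdataat:N,relative is read as "at least N
bytes remain after the previous match"; the ONC RPC field names in rpc_call()
are my reading of the call header, not taken from the milw0rm exploit.
"""
import struct


def decode_content(text):
    """Expand Snort content syntax: |3A 3A 24| is hex, everything else literal."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def match_rule(payload, options):
    """Evaluate ordered content/isdataat options against one payload.

    offset/depth count from the payload start; distance/within count from the
    end of the previous match, as in Snort. A negated content (content:!"..")
    must be absent from its window and does not move the cursor.
    """
    cursor = 0
    for opt in options:
        if opt["kind"] == "isdataat":
            base = cursor if opt.get("relative") else 0
            if len(payload) - base < opt["n"]:
                return False
            continue
        needle = decode_content(opt["text"])
        if "distance" in opt or "within" in opt:
            start = cursor + opt.get("distance", 0)
            end = start + opt["within"] if "within" in opt else len(payload)
        else:
            start = opt.get("offset", 0)
            end = start + opt["depth"] if "depth" in opt else len(payload)
        idx = payload.find(needle, start, end)  # whole needle inside [start, end)
        if opt.get("negate"):
            if idx != -1:
                return False
            continue
        if idx == -1:
            return False
        cursor = idx + len(needle)
    return True


# sid 2001365 as posted: uricontent:"|3A 3A 24|$DATA" decodes to ::$$DATA
# (the doubled '$' Blake reported), so a real ::$DATA request never matches.
RULE_2001365_POSTED = [{"kind": "content", "text": "|3A 3A 24|$DATA"}]
# The content CVE-1999-0278 implies, ::$DATA (my correction, an assumption).
RULE_2001365_FIXED = [{"kind": "content", "text": "|3A 3A 24|DATA"}]
SAMPLE_ADS_URI = b"/default.asp::$DATA"  # constructed request URI

# sid 2003369: content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative;
RULE_2003369 = [{"kind": "content", "text": "|4e 3d 2c 1b|", "depth": 4},
                {"kind": "isdataat", "n": 2891, "relative": True}]
LGSERVER_HDR = b"\x4e\x3d\x2c\x1b"

# sid 2003370: the content chain copied option for option from the rule.
RULE_2003370 = [
    {"kind": "content", "text": "|00 00 00 00|", "offset": 4, "depth": 4},
    {"kind": "content", "text": "|00 00 00 03|", "distance": 8, "within": 4},
    {"kind": "content", "text": "|00 00 00 08|", "distance": 0, "within": 4},
    {"kind": "content", "text": "|00 00 00 00|", "distance": 0, "within": 4},
    {"kind": "content", "text": "|00 00 00 00|", "distance": 4, "within": 4},
    {"kind": "content", "text": "|00 00 00 00 00 00 00 00|", "distance": 8, "within": 32},
]


def rpc_call(proc, xid=0x12345678):
    """Constructed ONC RPC CALL (big-endian XDR) plus a zeroed argument block.

    Field by field: xid, msg_type CALL=0 (offset 4), rpcvers 2, program
    100000, version 3 (offset 16), procedure (offset 20), AUTH_NULL cred
    flavor/length (24, 28) and verf flavor/length (32, 36). The rule pins
    version 3 and procedure 8, which is TADDR2UADDR according to the post.
    """
    header = struct.pack(">IIIIIIIIII", xid, 0, 2, 100000, 3, proc, 0, 0, 0, 0)
    return header + b"\x00" * 16


if __name__ == "__main__":
    print("2001365 as posted on ::$DATA:", match_rule(SAMPLE_ADS_URI, RULE_2001365_POSTED))
    print("2001365 corrected on ::$DATA:", match_rule(SAMPLE_ADS_URI, RULE_2001365_FIXED))
    print("2003369, 2891-byte body:", match_rule(LGSERVER_HDR + b"A" * 2891, RULE_2003369))
    print("2003369, 100-byte body:", match_rule(LGSERVER_HDR + b"A" * 100, RULE_2003369))
    print("2003370, proc 8 call:", match_rule(rpc_call(8), RULE_2003370))
    print("2003370, proc 3 call:", match_rule(rpc_call(3), RULE_2003370))
```

Running it prints one line per case. The two 2001365 results show why the rule as posted can never fire on a real `::$DATA` request, the 2003369 pair shows the isdataat threshold doing the work Blake describes (and a header that is not at offset 0 fails the depth:4 check), and the 2003370 negative case shows the chain is pinned to procedure 8, so a call to the same port with another procedure number does not alert.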
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Feb 2 14:50:15 2007
Subject: [Bleeding-sigs] Update Summaries
In-Reply-To: <45C3453F.5050805@bleedingthreats.net>
References: <45C3453F.5050805@bleedingthreats.net>
Message-ID: <45C34F80.4050504@bleedingthreats.net>

Wrong link to updates. Should be:
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-updates

Matt

From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Feb 2 17:52:36 2007
Subject: [Bleeding-sigs] Official Superbowl Site with a VML Exploit and Trojan
Message-ID: <45C37A38.7090408@bleedingthreats.net>

The researchers at Websense have discovered and are remediating a VML exploit on one of the official Superbowl sites. This will certainly be a high traffic thing, so there may be a number of infections. It's not clear how long the exploit's been there.
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733

We've got sigs out for the trojan eventually installed. It's unlike most we've seen, and doesn't have an official name yet. More as we get it.

The signature is here. If you get hits on this I'd react quickly, but your current AV signatures likely do not have coverage yet.
http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_Downloader?view=markup

Updates soon. Watch the Websense analysis page as well for info.

Matt

From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Fri Feb 2 18:00:06 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070202180004.B003C22C0A8@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Fri Feb 2 18:00:04 2007 [***]

[+++] Added rules: [+++]
2003367 - BLEEDING-EDGE MALWARE www.baidu.com Spyware User Agent (sobar-post) (bleeding-malware.rules)
2003368 - BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7) (bleeding-malware.rules)
2003369 - BLEEDING-EDGE EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption (bleeding-exploit.rules)
2003370 - BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (bleeding-exploit.rules)
2003371 - BLEEDING-EDGE WEB PHP Portail Includes.php remote file include (bleeding-web.rules)
2003372 - BLEEDING-EDGE WEB PHPEventMan remote file include (bleeding-web.rules)
2003373 - BLEEDING-EDGE CURRENT_EVENTS Unnamed Downloader Checking In (bleeding.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)

[///] Modified active rules: [///]
2001365 - BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt (bleeding-web.rules)
2003109 - BLEEDING-EDGE Microsoft Internet Explorer VML Fill Method Attribute Overflow (bleeding-exploit.rules)
2003362 - BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Pulling Ads) (bleeding-malware.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[---] Disabled rules: [---]
2003106 - BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit (bleeding-exploit.rules)

[---] Removed rules: [---]
2001226 - BLEEDING-EDGE MALWARE Advertising.com Agent (bleeding-malware.rules)

[+++] Added non-rule lines: [+++]
-> Added to bleeding-drop-BLOCK.rules (1): # VERSION 75
-> Added to bleeding-drop.rules (1): # VERSION 75
-> Added to bleeding-exploit.rules (2):
#Blake Hartstein of Demarc
#Commenting out by default. Major threat has passed
-> Added to bleeding-sid-msg.map (14):
2003362 || BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Pulling Ads)
2003367 || BLEEDING-EDGE MALWARE www.baidu.com Spyware User Agent (sobar-post)
2003368 || BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7)
2003369 || BLEEDING-EDGE EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption || cve,2007-0449
2003370 || BLEEDING-EDGE EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS || url,www.milw0rm.com/exploits/3248
2003371 || BLEEDING-EDGE WEB PHP Portail Includes.php remote file include || bugtraq,22361
2003372 || BLEEDING-EDGE WEB PHPEventMan remote file include || bugtraq,22358
2003373 || BLEEDING-EDGE CURRENT_EVENTS Unnamed Downloader Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
2400001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2400002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2400003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
2401001 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
2401002 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
2401003 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
-> Added to bleeding.rules (1): #Matt Jonkman. As yet unnamed downloader in a few high profile spots

[---] Removed non-rule lines: [---]
-> Removed from bleeding-drop-BLOCK.rules (1): # VERSION 73
-> Removed from bleeding-drop.rules (1): # VERSION 73
-> Removed from bleeding-sid-msg.map (2):
2001226 || BLEEDING-EDGE MALWARE Advertising.com Agent || url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html
2003362 || BLEEDING-EDGE MALWARE Web-nexus.net Spyware User Agent (z_v5.2.7)


From: jscheidell at secnap.net (Jonathan Scheidell)
Date: Fri Feb 2 19:34:10 2007
Subject: [Bleeding-sigs] FP in SID: 2003337 (www.paretologic.com SPYWARE)

I love all the new Spyware rules; as with anything else they aren't all 100% on the first rev.

We noticed that this signature is triggered with all the new Dell Laptops running the OEM installed EMBASSY Trust Suite software.

Here is an example packet; we are going to oinkmaster the signature to ignore packets with www.wave.com in the content. I would suggest doing the same with the source code.

GET /downloads/1019/etsVersions.xml HTTP/1.1
User-Agent: HTTP GET AutoUpdate
Host: www.wave.com

-- 
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com

-----------------------------------------------------------------
This email has been scanned and certified safe by SpammerTrap(tm)
For Information please see http://www.spammertrap.com
-----------------------------------------------------------------

From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Feb 2 19:41:39 2007
Subject: [Bleeding-sigs] FP in SID: 2003337 (www.paretologic.com SPYWARE)
Message-ID: <45C39351.8080601@bleedingthreats.net>

Thanks for the report. I dropped that sig for other reasons earlier. Paretologic is apparently a legit antispyware product now, as confirmed by some trusted spyware researchers. The install I was making sigs from was by a bad affiliate using a VML exploit. So the sigs would see good installs, regardless of the install method.

I'd just remove the sig. It'll not do you much good. :)

Matt


From: jscheidell at secnap.net (Jonathan Scheidell)
Date: Fri Feb 2 19:42:55 2007
Subject: [Bleeding-sigs] FP in SID: 2003337 (www.paretologic.com SPYWARE)

Here is the oinkmaster line I'm using if you want to add it to your local settings.

# FP from 2003337 (paretologic spyware)
modifysid 2003337 "content:!\"Gator\";" | "content:!\"Gator\"; content:!\"www.wave.com\";"

-- 
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com

From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Fri Feb 2 19:54:49 2007
Subject: [Bleeding-sigs] FP in SID: 2003337 (www.paretologic.com SPYWARE)
Message-ID: <45C395E6.2000201@bleedingthreats.net>

Ohh, I'm looking at the wrong sig. Yes, that should be added to this one. I'll do so now.

I removed the url based sigs for pareto. This one can stay though. It's an unusual user agent. :)

Matt

From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Sat Feb 3 18:00:13 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070203180006.35F2622C0AB@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Sat Feb 3 18:00:05 2007 [***]

[+++] Added rules: [+++]

    2003375 - BLEEDING-EDGE MALWARE Spy-Not.com Spyware Pulling Fake Sigs (bleeding-malware.rules)
    2003376 - BLEEDING-EDGE Instafinder.com spyware (bleeding-malware.rules)
    2003377 - BLEEDING-EDGE MALWARE Spy-Not.com Spyware Updating (bleeding-malware.rules)
    2003378 - BLEEDING-EDGE EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow (bleeding-exploit.rules)

[///] Modified active rules: [///]

    2003337 - BLEEDING-EDGE MALWARE www.paretologic.com Suspect Anti-Spyware AutoUpdate User Agent (Autoupdate) (bleeding-malware.rules)
    2003373 - BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In (bleeding.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
         # VERSION 76
    -> Added to bleeding-drop.rules (1):
         # VERSION 76
    -> Added to bleeding-sid-msg.map (5):
         2003373 || BLEEDING-EDGE CURRENT_EVENTS Generic PWStealer Trojan Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733
         2003375 || BLEEDING-EDGE MALWARE Spy-Not.com Spyware Pulling Fake Sigs
         2003376 || BLEEDING-EDGE Instafinder.com spyware
         2003377 || BLEEDING-EDGE MALWARE Spy-Not.com Spyware Updating
         2003378 || BLEEDING-EDGE EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow || url,www.milw0rm.com/exploits/3244

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
         # VERSION 75
    -> Removed from bleeding-drop.rules (1):
         # VERSION 75
    -> Removed from bleeding-sid-msg.map (1):
         2003373 || BLEEDING-EDGE CURRENT_EVENTS Unnamed Downloader Checking In || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=733

From bleeding at bleedingthreats.net Sun Feb 4 18:00:05 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Sun Feb 4 18:00:07 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070204180005.8759B22C0A7@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Sun Feb 4 18:00:04 2007 [***]

[+++] Added rules: [+++]

    2003379 - BLEEDING-EDGE EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS (bleeding-exploit.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-exploit.rules (1):
         #Also by Shirkdog
    -> Added to bleeding-sid-msg.map (1):
         2003379 || BLEEDING-EDGE EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS || url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded

From bleeding at bleedingthreats.net Mon Feb 5 18:00:06 2007
From: bleeding at bleedingthreats.net (bleeding@bleedingthreats.net)
Date: Mon Feb 5 18:00:11 2007
Subject: [Bleeding-sigs] Bleeding Edge Threats Daily Signature Changes
Message-ID: <20070205180006.8B06022C0A7@sb03.us.bleedingsnort.com>

[***] Results from Oinkmaster started Mon Feb 5 18:00:06 2007 [***]

[+++] Added rules: [+++]

    2003380 - BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader (bleeding-virus.rules)
    2003381 - BLEEDING-EDGE POLICY McAfee Update User Agent (McAfee AutoUpdate) (bleeding-policy.rules)
    2003383 - BLEEDING-EDGE MALWARE Hotbar Tools Spyware User Agent (hbtools) (bleeding-malware.rules)
    2003384 - BLEEDING-EDGE MALWARE SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x) (bleeding-malware.rules)
    2003385 - BLEEDING-EDGE MALWARE sgrunt Dialer User Agent (sgrunt) (bleeding-malware.rules)
    2003386 - BLEEDING-EDGE MALWARE snprtz Dialer User Agent (snprtz) (bleeding-malware.rules)
    2003387 - BLEEDING-EDGE MALWARE dialno Dialer User Agent (dialno) (bleeding-malware.rules)
    2003388 - BLEEDING-EDGE Malware Hotbar Keywords Download (bleeding-malware.rules)
    2003389 - BLEEDING-EDGE Malware WhenUClick.com Application Version Check (bleeding-malware.rules)
    2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)

[///] Modified active rules: [///]

    2000908 - BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (1) (bleeding-malware.rules)
    2000909 - BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (2) (bleeding-malware.rules)
    2000910 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (bleeding-malware.rules)
    2000911 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (bleeding-malware.rules)
    2000912 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (1) (bleeding-malware.rules)
    2000913 - BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (2) (bleeding-malware.rules)
    2000914 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (1) (bleeding-malware.rules)
    2000915 - BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (2) (bleeding-malware.rules)
    2000916 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin (bleeding-malware.rules)
    2000917 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (offersdata) (bleeding-malware.rules)
    2000918 - BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install (bleeding-malware.rules)
    2000919 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (Searchdb) (bleeding-malware.rules)
    2001443 - BLEEDING-EDGE Malware WhenUClick.com Desktop Bar App Checkin (bleeding-malware.rules)
    2003102 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID (bleeding-exploit.rules)
    2003103 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object (bleeding-exploit.rules)
    2003105 - BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object (bleeding-exploit.rules)
    2003110 - BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy (bleeding-exploit.rules)
    2003231 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (bleeding-exploit.rules)
    2003232 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) (bleeding-exploit.rules)
    2003233 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (bleeding-exploit.rules)
    2003234 - BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) (bleeding-exploit.rules)
    2003337 - BLEEDING-EDGE MALWARE Suspcious User Agent (Autoupdate) (bleeding-malware.rules)
    2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
    2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
    2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
    2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
    2404000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) (bleeding-botcc.rules)
    2404001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2) (bleeding-botcc.rules)
    2404002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3) (bleeding-botcc.rules)
    2404003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4) (bleeding-botcc.rules)
    2404004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5) (bleeding-botcc.rules)
    2404005 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 6) (bleeding-botcc.rules)
    2404006 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 7) (bleeding-botcc.rules)
    2404007 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 8) (bleeding-botcc.rules)
    2405000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405005 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405006 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)
    2405007 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (bleeding-botcc-BLOCK.rules)

[+++] Added non-rule lines: [+++]

    -> Added to bleeding-drop-BLOCK.rules (1):
         # VERSION 78
    -> Added to bleeding-drop.rules (1):
         # VERSION 78
    -> Added to bleeding-exploit.rules (4):
         # Submitted 2006-09-18 by Christian Seifert, updated 2/5/07
         #by Chris Byrd, updated by Christian Siefert 2/5/07
         #Updated by Christian Siefert 2/5/07
         #Updated by Christian Siefert, 2/5/07
    -> Added to bleeding-policy.rules (1):
         #This will let you know when McAffee is updating sigs. Not a security threat, but could be of interest to folks using mcafee to track updates
    -> Added to bleeding-sid-msg.map (19):
         2003102 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
         2003103 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url, www.osvdb.org/displayvuln.php?osvdb_id=28841
         2003110 || BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy || cve,2006-3730 || url,osvdb.org/27110 || url, riosec.com/msie-setslice-vuln
         2003231 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url, osvdb.org/10705
         2003232 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url, osvdb.org/10705
         2003233 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url, osvdb.org/7913
         2003234 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url, osvdb.org/7913
         2003337 || BLEEDING-EDGE MALWARE Suspcious User Agent (Autoupdate)
         2003380 || BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader
         2003381 || BLEEDING-EDGE POLICY McAfee Update User Agent (McAfee AutoUpdate)
         2003383 || BLEEDING-EDGE MALWARE Hotbar Tools Spyware User Agent (hbtools)
         2003384 || BLEEDING-EDGE MALWARE SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x)
         2003385 || BLEEDING-EDGE MALWARE sgrunt Dialer User Agent (sgrunt) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
         2003386 || BLEEDING-EDGE MALWARE snprtz Dialer User Agent (snprtz) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
         2003387 || BLEEDING-EDGE MALWARE dialno Dialer User Agent (dialno) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347
         2003388 || BLEEDING-EDGE Malware Hotbar Keywords Download || url,www.hotbar.com
         2003389 || BLEEDING-EDGE Malware WhenUClick.com Application Version Check || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
         2400004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound || url,www.spamhaus.org/drop/drop.lasso
         2401004 || BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE || url,www.spamhaus.org/drop/drop.lasso
    -> Added to bleeding-virus.rules (2):
         #Sigs for general downloader trojans and worms. Not all get unique names
         #by Matt Jonkman. Saw a downloader appending ver7 to the end of a regular UA. No spaces. very unique

[---] Removed non-rule lines: [---]

    -> Removed from bleeding-drop-BLOCK.rules (1):
         # VERSION 76
    -> Removed from bleeding-drop.rules (1):
         # VERSION 76
    -> Removed from bleeding-exploit.rules (2):
         # Submitted 2006-09-18 by Christian Seifert
         #by Chris Byrd
    -> Removed from bleeding-sid-msg.map (8):
         2003102 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX controls spline function call CSLID || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
         2003103 || BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object || cve,2006-4446 || url,www.osvdb.org/displayvuln.php?osvdb_id=28841
         2003110 || BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy || cve,2006-3730 || url,osvdb.org/27110 || url,riosec.com/msie-setslice-vuln
         2003231 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || cve,2004-0216 || url,osvdb.org/10705
         2003232 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || cve,2004-0216 || url,osvdb.org/10705
         2003233 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || cve,2004-2291 || url,osvdb.org/7913
         2003234 || BLEEDING-EDGE EXPLOIT Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || cve,2004-2291 || url,osvdb.org/7913
         2003337 || BLEEDING-EDGE MALWARE www.paretologic.com Suspect Anti-Spyware AutoUpdate User Agent (Autoupdate)

From jonkman at bleedingthreats.net Mon Feb 5 18:34:28 2007
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Feb 5 18:35:16 2007
Subject: [Bleeding-sigs] Interesting spyware
Message-ID: <45C778B4.1060507@bleedingthreats.net>

Found some hits in the spyware listening post from nastydollars.com using URLs as the user agent.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE User Agent Containing http\:// - Possible Spyware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; classtype:trojan-activity; sid:2003394; rev:1;)

Please let me know what you get on this one. It could false some, but I can't imagine any legitimate hits that you'd not want to know about.

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From kyphros at gmail.com Mon Feb 5 20:19:10 2007
From: kyphros at gmail.com (Mike Owen)
Date: Mon Feb 5 20:19:48 2007
Subject: [Bleeding-sigs] Snort 2.6.1.2 patch for MSSQL ODBC
Message-ID: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com>

I haven't been subscribed to snort-user in a while because of the noise, so I thought I'd send this over here.

This is a 2.6.1.2 version of the patch by Easysoft [1] that patches spo_database.c to fix ODBC support, and allows sending of Snort alerts to a MS-SQL database via ODBC. Works perfectly with unixODBC[2] and FreeTDS[3] for sending to MS-SQL 2000 databases.

[1] http://www.easysoft.com/applications/snort/odbc.html
[2] http://www.unixodbc.org
[3] http://www.freetds.org

-------------- next part --------------
--- spo_database.c.orig 2007-02-05 12:06:03.322757568 -0800
+++ spo_database.c 2007-02-05 12:06:03.270757516 -0800
@@ -155,11 +155,11 @@ MYSQL_ROW m_row; #endif #ifdef ENABLE_ODBC - SQLHENV u_handle; + SQLHENV u_environment; SQLHDBC u_connection; SQLHSTMT u_statement; SQLINTEGER u_col; - SQLINTEGER u_rows; + SQLCHAR u_quote_char[2]; dbtype_t u_underlying_dbtype_id; #endif #ifdef ENABLE_ORACLE @@ -251,6 +251,9 @@ static int instances = 0; /******** Database Specific Extras ************************************/ +#ifdef ENABLE_ODBC +static void odbc_errors(SQLHENV henv, SQLHDBC hdbc, SQLHSTMT hstmt); +#endif /* ENABLE_ODBC */ /* The following is for supporting Microsoft SQL Server */ #ifdef ENABLE_MSSQL @@ -1019,10 +1022,11 @@ { timestamp_string = GetCurrentTimestamp(); } -#ifdef ENABLE_MSSQL - if(data->shared->dbtype_id == DB_MSSQL) +#if defined(ENABLE_MSSQL) || defined(ODBC) + if((data->shared->dbtype_id == DB_MSSQL) || + (data->shared->dbtype_id == DB_ODBC)) { - /* SQL Server uses a date format which is slightly + /* SQL Server (and ODBC) uses a date format which is slightly * different from the ISO-8601 standard generated * by GetTimestamp() and GetCurrentTimestamp(). We * need to convert from the ISO-8601 format of: @@ -1924,6 +1928,25 @@ } } else +#else if ENABLE_ODBC + /* + * In ODBC ' is used to delimit strings and a ' inside a string is + * doubled up not escaped. There should not need to be any other + * translations. + */ + if (data->shared->dbtype_id == DB_ODBC) + { + for (end=from+from_length; from != end; from++) + { + if (*from == '\'') { + *to++ = '\''; + *to++ = '\''; + } + else + *to++= *from; + } + } + else #endif { for (end=from+from_length; from != end; from++) @@ -2042,6 +2065,13 @@ "FROM `schema`"); } else +#ifdef ENABLE_ODBC + if (data->shared->dbtype_id == DB_ODBC) + snprintf(select0, MAX_QUERY_LENGTH, + "SELECT vseq FROM %sschema%s", + data->u_quote_char, data->u_quote_char); + else +#endif #endif { snprintf(select0, MAX_QUERY_LENGTH, 
@@ -2473,25 +2503,46 @@ #ifdef ENABLE_ODBC if(data->shared->dbtype_id == DB_ODBC) { - if(SQLAllocStmt(data->u_connection, &data->u_statement) == SQL_SUCCESS) - if(SQLPrepare(data->u_statement, query, SQL_NTS) == SQL_SUCCESS) - if(SQLExecute(data->u_statement) == SQL_SUCCESS) - if(SQLRowCount(data->u_statement, &data->u_rows) == SQL_SUCCESS) - if(data->u_rows) - { - if(data->u_rows > 1) - { - ErrorMessage("database: warning (%s) returned more than one result\n", query); - result = 0; - } - else - { - if(SQLFetch(data->u_statement) == SQL_SUCCESS) - if(SQLGetData(data->u_statement,1,SQL_INTEGER,&data->u_col, - sizeof(data->u_col), NULL) == SQL_SUCCESS) - result = (int)data->u_col; - } - } + SQLRETURN osts; + + osts = SQLExecDirect(data->u_statement, query, SQL_NTS); + if (!SQL_SUCCEEDED(osts)) { + odbc_errors(NULL, NULL, data->u_statement); + } + else { + SQLSMALLINT cols; + + /* + * This code used to use SQLRowCount which hardly ever returns + * anything other than -1 in ODBC drivers for select and was + * just working by accident. + */ + osts = SQLNumResultCols(data->u_statement, &cols); + if (!SQL_SUCCEEDED(osts)) { + odbc_errors(NULL, NULL, data->u_statement); + } + else if (cols != 1) { + ErrorMessage("database: warning (%s) returned more than " + "one column\n", query); + result = 0; + } + else { + if (SQLFetch(data->u_statement) != SQL_SUCCESS) { + odbc_errors(NULL, NULL, data->u_statement); + } + else { + if (SQLGetData(data->u_statement,1,SQL_INTEGER, + &data->u_col, sizeof(data->u_col), + NULL) != SQL_SUCCESS) { + odbc_errors(NULL, NULL, data->u_statement); + } + else { + result = (int)data->u_col; + } + } + } + SQLFreeStmt(data->u_statement, SQL_CLOSE); + } } #endif 
@@ -2639,11 +2690,11 @@ data->u_underlying_dbtype_id = DB_UNDEFINED; - if(!(SQLAllocEnv(&data->u_handle) == SQL_SUCCESS)) + if (SQLAllocEnv(&data->u_environment) != SQL_SUCCESS) { FatalError("database: unable to allocate ODBC environment\n"); } - if(!(SQLAllocConnect(data->u_handle, &data->u_connection) == SQL_SUCCESS)) + if (SQLAllocConnect(data->u_environment, &data->u_connection) != SQL_SUCCESS) { FatalError("database: unable to allocate ODBC connection handle\n"); } @@ -2852,10 +2903,14 @@ #ifdef ENABLE_ODBC if(data->shared->dbtype_id == DB_ODBC) { - if(data->u_handle) + if(data->u_environment) { - SQLDisconnect(data->u_connection); - SQLFreeHandle(SQL_HANDLE_ENV, data->u_handle); + SQLFreeStmt(data->u_statement, SQL_DROP); + /* Just in cas we get here with an outstanding transaction */ + SQLEndTran(SQL_HANDLE_DBC, data->u_connection, SQL_ROLLBACK); + SQLDisconnect(data->u_connection); + SQLFreeConnect(data->u_connection); + SQLFreeEnv(data->u_environment); } } #endif @@ -2998,6 +3053,28 @@ current = NULL; } } +#ifdef ENABLE_ODBC +static void odbc_errors( + SQLHENV henv, + SQLHDBC hdbc, + SQLHSTMT hstmt) +{ + SQLRETURN ests; + SQLCHAR errmsg[512]; + SQLCHAR state[7]; + SQLINTEGER native; + SQLSMALLINT errmsg_len; + + do { + ests = SQLError(henv, hdbc, hstmt, state, &native, errmsg, + sizeof(errmsg), &errmsg_len); + if (SQL_SUCCEEDED(ests)) { + ErrorMessage("database: ODBC state:%s, native:%ld,%s\n", + state, native, errmsg); + } + } while (SQL_SUCCEEDED(ests)); +} +#endif /* ENABLE_ODBC */ #ifdef ENABLE_MSSQL /* From jonkman at bleedingthreats.net Mon Feb 5 20:44:13 2007 
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Feb 5 20:44:57 2007
Subject: [Bleeding-sigs] Snort 2.6.1.2 patch for MSSQL ODBC
In-Reply-To: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com>
References: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com>
Message-ID: <45C7971D.20300@bleedingthreats.net>

Thanks Mike. I'll put this up in cvs if you don't mind, make it easier to find in the future.

Appreciate you sending it out, I'm sure it'll help a number of people.

Matt

Mike Owen wrote:
> I haven't been subscribed to snort-user in a while because of the
> noise, so I thought I'd send this over here.
>
> This is a 2.6.1.2 version of the patch by Easysoft [1] that patches
> spo_database.c to fix ODBC support, and allows sending of Snort alerts
> to a MS-SQL database via ODBC. Works perfectly with unixODBC[2] and
> FreeTDS[3] for sending to MS-SQL 2000 databases.
>
> [1] http://www.easysoft.com/applications/snort/odbc.html
> [2] http://www.unixodbc.org
> [3] http://www.freetds.org

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Mon Feb 5 20:50:16 2007
From: jonkman at bleedingthreats.net (Matt Jonkman) Date: Mon Feb 5 20:50:53 2007 Subject: [Bleeding-sigs] Snort 2.6.1.2 patch for MSSQL ODBC In-Reply-To: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com> References: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com> Message-ID: <45C79888.4040601@bleedingthreats.net> Better yet: Mike Owen wrote: > I haven't been subscribed to snort-user in a while because of the > noise, so I thought I'd send this over here. > > This is a 2.6.1.2 version of the patch by Easysoft [1] that patches > spo_database.c to fix ODBC support, and allows sending of Snort alerts > to a MS-SQL database via ODBC. Works perfectly with unixODBC[2] and > FreeTDS[3] for sending to MS-SQL 2000 databases. > > > > [1] http://www.easysoft.com/applications/snort/odbc.html > [2] http://www.unixodbc.org > [3] http://www.freetds.org > > > ------------------------------------------------------------------------ > > --- spo_database.c.orig 2007-02-05 12:06:03.322757568 -0800 > +++ spo_database.c 2007-02-05 12:06:03.270757516 -0800 > @@ -155,11 +155,11 @@ > MYSQL_ROW m_row; > #endif > #ifdef ENABLE_ODBC > - SQLHENV u_handle; > + SQLHENV u_environment; > SQLHDBC u_connection; > SQLHSTMT u_statement; > SQLINTEGER u_col; > - SQLINTEGER u_rows; > + SQLCHAR u_quote_char[2]; > dbtype_t u_underlying_dbtype_id; > #endif > #ifdef ENABLE_ORACLE > @@ -251,6 +251,9 @@ > static int instances = 0; > > /******** Database Specific Extras ************************************/ > +#ifdef ENABLE_ODBC > +static void odbc_errors(SQLHENV henv, SQLHDBC hdbc, SQLHSTMT hstmt); > +#endif /* ENABLE_ODBC */ > > /* The following is for supporting Microsoft SQL Server */ > #ifdef ENABLE_MSSQL 
> @@ -1019,10 +1022,11 @@ > { > timestamp_string = GetCurrentTimestamp(); > } > -#ifdef ENABLE_MSSQL > - if(data->shared->dbtype_id == DB_MSSQL) > +#if defined(ENABLE_MSSQL) || defined(ODBC) > + if((data->shared->dbtype_id == DB_MSSQL) || > + (data->shared->dbtype_id == DB_ODBC)) > { > - /* SQL Server uses a date format which is slightly > + /* SQL Server (and ODBC) uses a date format which is slightly > * different from the ISO-8601 standard generated > * by GetTimestamp() and GetCurrentTimestamp(). We > * need to convert from the ISO-8601 format of: > @@ -1924,6 +1928,25 @@ > } > } > else > +#else if ENABLE_ODBC > + /* > + * In ODBC ' is used to delimit strings and a ' inside a string is > + * doubled up not escaped. There should not need to be any other > + * translations. > + */ > + if (data->shared->dbtype_id == DB_ODBC) > + { > + for (end=from+from_length; from != end; from++) > + { > + if (*from == '\'') { > + *to++ = '\''; > + *to++ = '\''; > + } > + else > + *to++= *from; > + } > + } > + else > #endif > { > for (end=from+from_length; from != end; from++) > @@ -2042,6 +2065,13 @@ > "FROM `schema`"); > } > else > +#ifdef ENABLE_ODBC > + if (data->shared->dbtype_id == DB_ODBC) > + snprintf(select0, MAX_QUERY_LENGTH, > + "SELECT vseq FROM %sschema%s", > + data->u_quote_char, data->u_quote_char); > + else > +#endif > #endif > { > snprintf(select0, MAX_QUERY_LENGTH, 
> @@ -2473,25 +2503,46 @@
> #ifdef ENABLE_ODBC
> if(data->shared->dbtype_id == DB_ODBC)
> {
> - if(SQLAllocStmt(data->u_connection, &data->u_statement) == SQL_SUCCESS)
> - if(SQLPrepare(data->u_statement, query, SQL_NTS) == SQL_SUCCESS)
> - if(SQLExecute(data->u_statement) == SQL_SUCCESS)
> - if(SQLRowCount(data->u_statement, &data->u_rows) == SQL_SUCCESS)
> - if(data->u_rows)
> - {
> - if(data->u_rows > 1)
> - {
> - ErrorMessage("database: warning (%s) returned more than one result\n", query);
> - result = 0;
> - }
> - else
> - {
> - if(SQLFetch(data->u_statement) == SQL_SUCCESS)
> - if(SQLGetData(data->u_statement,1,SQL_INTEGER,&data->u_col,
> - sizeof(data->u_col), NULL) == SQL_SUCCESS)
> - result = (int)data->u_col;
> - }
> - }
> + SQLRETURN osts;
> +
> + osts = SQLExecDirect(data->u_statement, query, SQL_NTS);
> + if (!SQL_SUCCEEDED(osts)) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else {
> + SQLSMALLINT cols;
> +
> + /*
> + * This code used to use SQLRowCount which hardly ever returns
> + * anything other than -1 in ODBC drivers for select and was
> + * just working by accident.
> + */
> + osts = SQLNumResultCols(data->u_statement, &cols);
> + if (!SQL_SUCCEEDED(osts)) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else if (cols != 1) {
> + ErrorMessage("database: warning (%s) returned more than "
> + "one column\n", query);
> + result = 0;
> + }
> + else {
> + if (SQLFetch(data->u_statement) != SQL_SUCCESS) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else {
> + if (SQLGetData(data->u_statement,1,SQL_INTEGER,
> + &data->u_col, sizeof(data->u_col),
> + NULL) != SQL_SUCCESS) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else {
> + result = (int)data->u_col;
> + }
> + }
> + }
> + SQLFreeStmt(data->u_statement, SQL_CLOSE);
> + }
> }
> #endif
>
> @@ -2639,11 +2690,11 @@
>
> data->u_underlying_dbtype_id = DB_UNDEFINED;
>
> - if(!(SQLAllocEnv(&data->u_handle) == SQL_SUCCESS))
> + if (SQLAllocEnv(&data->u_environment) != SQL_SUCCESS)
> {
> FatalError("database: unable to allocate ODBC environment\n");
> }
> - if(!(SQLAllocConnect(data->u_handle, &data->u_connection) == SQL_SUCCESS))
> + if (SQLAllocConnect(data->u_environment, &data->u_connection) != SQL_SUCCESS)
> {
> FatalError("database: unable to allocate ODBC connection handle\n");
> }
> @@ -2852,10 +2903,14 @@
> #ifdef ENABLE_ODBC
> if(data->shared->dbtype_id == DB_ODBC)
> {
> - if(data->u_handle)
> + if(data->u_environment)
> {
> - SQLDisconnect(data->u_connection);
> - SQLFreeHandle(SQL_HANDLE_ENV, data->u_handle);
> + SQLFreeStmt(data->u_statement, SQL_DROP);
> + /* Just in cas we get here with an outstanding transaction */
> + SQLEndTran(SQL_HANDLE_DBC, data->u_connection, SQL_ROLLBACK);
> + SQLDisconnect(data->u_connection);
> + SQLFreeConnect(data->u_connection);
> + SQLFreeEnv(data->u_environment);
> }
> }
> #endif
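Review bot: the @@ -2473 hunk calls SQLExecDirect on data->u_statement but removes the SQLAllocStmt that used to allocate that handle per query, and neither this hunk nor the @@ -2639 hunk allocates a statement handle, so unless the unshown connect code does, the execute runs on an unallocated handle; allocate it once after the connection is established, which also matches the SQLFreeStmt(SQL_DROP) the @@ -2852 hunk adds. Second, an empty result makes SQLFetch return SQL_NO_DATA, which the old code treated as a normal outcome (u_rows == 0) but which now goes through odbc_errors as an error; test for SQL_NO_DATA before reporting. Third, the `cols != 1` message says "more than one column" although cols == 0 takes the same path, and the old warning for more than one row is gone, so a multi-row result now silently returns the first row.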
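Review bot: the @@ -2639 hunk keeps the ODBC 2.x allocators SQLAllocEnv and SQLAllocConnect while the cleanup in the @@ -2852 hunk uses the 3.x SQLEndTran; unixODBC accepts the mix, but allocating with SQLAllocHandle(SQL_HANDLE_ENV, ...) and setting SQL_ATTR_ODBC_VERSION to SQL_OV_ODBC3 on the environment would let the diagnostic and transaction calls behave consistently and would also allow SQLGetDiagRec in odbc_errors.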
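Review bot: "cas" in the comment added in the @@ -2852 hunk should be "case". The teardown order (drop the statement, roll back, disconnect, free the connection, free the environment) is right, but SQLFreeStmt(data->u_statement, SQL_DROP) is issued whenever u_environment is set, so a failure between environment allocation and statement allocation reaches it with an unset handle; guard it with `if (data->u_statement)` the way u_environment is already guarded.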
> @@ -2998,6 +3053,28 @@
> current = NULL;
> }
> }
> +#ifdef ENABLE_ODBC
> +static void odbc_errors(
> + SQLHENV henv,
> + SQLHDBC hdbc,
> + SQLHSTMT hstmt)
> +{
> + SQLRETURN ests;
> + SQLCHAR errmsg[512];
> + SQLCHAR state[7];
> + SQLINTEGER native;
> + SQLSMALLINT errmsg_len;
> +
> + do {
> + ests = SQLError(henv, hdbc, hstmt, state, &native, errmsg,
> + sizeof(errmsg), &errmsg_len);
> + if (SQL_SUCCEEDED(ests)) {
> + ErrorMessage("database: ODBC state:%s, native:%ld,%s\n",
> + state, native, errmsg);
> + }
> + } while (SQL_SUCCEEDED(ests));
> +}
> +#endif /* ENABLE_ODBC */
>
> #ifdef ENABLE_MSSQL
> /*
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From jonkman at bleedingthreats.net Mon Feb 5 20:50:37 2007
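Review bot: in odbc_errors, added in the @@ -2998 hunk, `native` is an SQLINTEGER but is printed with `%ld`; depending on the unixODBC build SQLINTEGER is either int or long on 64-bit platforms, so `%ld` matches only one of them. Cast the argument to long (or print it with `%d` after casting to int) so the format is correct on every build. SQLError is also the ODBC 2.x diagnostic call; SQLGetDiagRec with an incrementing record number is the 3.x equivalent and fits the SQLEndTran usage elsewhere in the patch. The `state[7]` buffer is correctly sized for the five-character SQLSTATE plus its terminator, and the do/while loop drains every pending record.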
From: jonkman at bleedingthreats.net (Matt Jonkman)
Date: Mon Feb 5 20:52:07 2007
Subject: [Bleeding-sigs] Snort 2.6.1.2 patch for MSSQL ODBC
In-Reply-To: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com>
References: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com>
Message-ID: <45C7989D.8090308@bleedingthreats.net>

Better yet:

http://www.bleedingthreats.net/patches/snort-mssql/

Thanks Mike!

matt

Mike Owen wrote:
> I haven't been subscribed to snort-user in a while because of the
> noise, so I thought I'd send this over here.
>
> This is a 2.6.1.2 version of the patch by Easysoft [1] that patches
> spo_database.c to fix ODBC support, and allows sending of Snort alerts
> to a MS-SQL database via ODBC. Works perfectly with unixODBC[2] and
> FreeTDS[3] for sending to MS-SQL 2000 databases.
>
>
>
> [1] http://www.easysoft.com/applications/snort/odbc.html
> [2] http://www.unixodbc.org
> [3] http://www.freetds.org
>
>
> ------------------------------------------------------------------------
>
> --- spo_database.c.orig 2007-02-05 12:06:03.322757568 -0800
> +++ spo_database.c 2007-02-05 12:06:03.270757516 -0800
> @@ -155,11 +155,11 @@
> MYSQL_ROW m_row;
> #endif
> #ifdef ENABLE_ODBC
> - SQLHENV u_handle;
> + SQLHENV u_environment;
> SQLHDBC u_connection;
> SQLHSTMT u_statement;
> SQLINTEGER u_col;
> - SQLINTEGER u_rows;
> + SQLCHAR u_quote_char[2];
> dbtype_t u_underlying_dbtype_id;
> #endif
> #ifdef ENABLE_ORACLE
> @@ -251,6 +251,9 @@
> static int instances = 0;
>
> /******** Database Specific Extras ************************************/
> +#ifdef ENABLE_ODBC
> +static void odbc_errors(SQLHENV henv, SQLHDBC hdbc, SQLHSTMT hstmt);
> +#endif /* ENABLE_ODBC */
>
> /* The following is for supporting Microsoft SQL Server */
> #ifdef ENABLE_MSSQL
> @@ -1019,10 +1022,11 @@
> {
> timestamp_string = GetCurrentTimestamp();
> }
> -#ifdef ENABLE_MSSQL
> - if(data->shared->dbtype_id == DB_MSSQL)
> +#if defined(ENABLE_MSSQL) || defined(ODBC)
> + if((data->shared->dbtype_id == DB_MSSQL) ||
> + (data->shared->dbtype_id == DB_ODBC))
> {
> - /* SQL Server uses a date format which is slightly
> + /* SQL Server (and ODBC) uses a date format which is slightly
> * different from the ISO-8601 standard generated
> * by GetTimestamp() and GetCurrentTimestamp(). We
> * need to convert from the ISO-8601 format of:
> @@ -1924,6 +1928,25 @@
> }
> }
> else
> +#else if ENABLE_ODBC
> + /*
> + * In ODBC ' is used to delimit strings and a ' inside a string is
> + * doubled up not escaped. There should not need to be any other
> + * translations.
> + */
> + if (data->shared->dbtype_id == DB_ODBC)
> + {
> + for (end=from+from_length; from != end; from++)
> + {
> + if (*from == '\'') {
> + *to++ = '\'';
> + *to++ = '\'';
> + }
> + else
> + *to++= *from;
> + }
> + }
> + else
> #endif
> {
> for (end=from+from_length; from != end; from++)
> @@ -2042,6 +2065,13 @@
> "FROM `schema`");
> }
> else
> +#ifdef ENABLE_ODBC
> + if (data->shared->dbtype_id == DB_ODBC)
> + snprintf(select0, MAX_QUERY_LENGTH,
> + "SELECT vseq FROM %sschema%s",
> + data->u_quote_char, data->u_quote_char);
> + else
> +#endif
> #endif
> {
> snprintf(select0, MAX_QUERY_LENGTH,
> @@ -2473,25 +2503,46 @@
> #ifdef ENABLE_ODBC
> if(data->shared->dbtype_id == DB_ODBC)
> {
> - if(SQLAllocStmt(data->u_connection, &data->u_statement) == SQL_SUCCESS)
> - if(SQLPrepare(data->u_statement, query, SQL_NTS) == SQL_SUCCESS)
> - if(SQLExecute(data->u_statement) == SQL_SUCCESS)
> - if(SQLRowCount(data->u_statement, &data->u_rows) == SQL_SUCCESS)
> - if(data->u_rows)
> - {
> - if(data->u_rows > 1)
> - {
> - ErrorMessage("database: warning (%s) returned more than one result\n", query);
> - result = 0;
> - }
> - else
> - {
> - if(SQLFetch(data->u_statement) == SQL_SUCCESS)
> - if(SQLGetData(data->u_statement,1,SQL_INTEGER,&data->u_col,
> - sizeof(data->u_col), NULL) == SQL_SUCCESS)
> - result = (int)data->u_col;
> - }
> - }
> + SQLRETURN osts;
> +
> + osts = SQLExecDirect(data->u_statement, query, SQL_NTS);
> + if (!SQL_SUCCEEDED(osts)) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else {
> + SQLSMALLINT cols;
> +
> + /*
> + * This code used to use SQLRowCount which hardly ever returns
> + * anything other than -1 in ODBC drivers for select and was
> + * just working by accident.
> + */
> + osts = SQLNumResultCols(data->u_statement, &cols);
> + if (!SQL_SUCCEEDED(osts)) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else if (cols != 1) {
> + ErrorMessage("database: warning (%s) returned more than "
> + "one column\n", query);
> + result = 0;
> + }
> + else {
> + if (SQLFetch(data->u_statement) != SQL_SUCCESS) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else {
> + if (SQLGetData(data->u_statement,1,SQL_INTEGER,
> + &data->u_col, sizeof(data->u_col),
> + NULL) != SQL_SUCCESS) {
> + odbc_errors(NULL, NULL, data->u_statement);
> + }
> + else {
> + result = (int)data->u_col;
> + }
> + }
> + }
> + SQLFreeStmt(data->u_statement, SQL_CLOSE);
> + }
> }
> #endif
>
> @@ -2639,11 +2690,11 @@
>
> data->u_underlying_dbtype_id = DB_UNDEFINED;
>
> - if(!(SQLAllocEnv(&data->u_handle) == SQL_SUCCESS))
> + if (SQLAllocEnv(&data->u_environment) != SQL_SUCCESS)
> {
> FatalError("database: unable to allocate ODBC environment\n");
> }
> - if(!(SQLAllocConnect(data->u_handle, &data->u_connection) == SQL_SUCCESS))
> + if (SQLAllocConnect(data->u_environment, &data->u_connection) != SQL_SUCCESS)
> {
> FatalError("database: unable to allocate ODBC connection handle\n");
> }
> @@ -2852,10 +2903,14 @@
> #ifdef ENABLE_ODBC
> if(data->shared->dbtype_id == DB_ODBC)
> {
> - if(data->u_handle)
> + if(data->u_environment)
> {
> - SQLDisconnect(data->u_connection);
> - SQLFreeHandle(SQL_HANDLE_ENV, data->u_handle);
> + SQLFreeStmt(data->u_statement, SQL_DROP);
> + /* Just in cas we get here with an outstanding transaction */
> + SQLEndTran(SQL_HANDLE_DBC, data->u_connection, SQL_ROLLBACK);
> + SQLDisconnect(data->u_connection);
> + SQLFreeConnect(data->u_connection);
> + SQLFreeEnv(data->u_environment);
> }
> }
> #endif
> @@ -2998,6 +3053,28 @@
> current = NULL;
> }
> }
> +#ifdef ENABLE_ODBC
> +static void odbc_errors(
> + SQLHENV henv,
> + SQLHDBC hdbc,
> + SQLHSTMT hstmt)
> +{
> + SQLRETURN ests;
> + SQLCHAR errmsg[512];
> + SQLCHAR state[7];
> + SQLINTEGER native;
> + SQLSMALLINT errmsg_len;
> +
> + do {
> + ests = SQLError(henv, hdbc, hstmt, state, &native, errmsg,
> + sizeof(errmsg), &errmsg_len);
> + if (SQL_SUCCEEDED(ests)) {
> + ErrorMessage("database: ODBC state:%s, native:%ld,%s\n",
> + state, native, errmsg);
> + }
> + } while (SQL_SUCCEEDED(ests));
> +}
> +#endif /* ENABLE_ODBC */
>
> #ifdef ENABLE_MSSQL
> /*
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

From kyphros at gmail.com Mon Feb 5 21:25:37 2007
From: kyphros at gmail.com (Mike Owen)
Date: Mon Feb 5 21:26:20 2007
Subject: [Bleeding-sigs] Snort 2.6.1.2 patch for MSSQL ODBC
In-Reply-To: <45C7989D.8090308@bleedingthreats.net>
References: <8f5ca2210702051219q49147e58yf0b4763a04af6073@mail.gmail.com> <45C7989D.8090308@bleedingthreats.net>
Message-ID: <8f5ca2210702051325y576928e8m4added23c4d6323e@mail.gmail.com>

On 2/5/07, Matt Jonkman wrote:
> Better yet:
>
> http://www.bleedingthreats.net/patches/snort-mssql/
>
> Thanks Mike!
>
> matt
>

No problem :) The last patch was for 1.9.0, and I figured I probably
wouldn't be the only one trying to get it working with a more recent
version of snort.

Mike

From lists at ecsc.co.uk Tue Feb 6 17:08:49 2007
From: lists at ecsc.co.uk (Fabien Bourdaire)
Date: Tue Feb 6 17:16:24 2007
Subject: [Bleeding-sigs] Javascript payload
In-Reply-To: <45C778B4.1060507@bleedingthreats.net>
References: <45C778B4.1060507@bleedingthreats.net>
Message-ID: <45C8B621.6070307@ecsc.co.uk>

Hello,

Following up from the ISC article (http://isc.sans.org/diary.html?storyid=2166), I investigated further and created a few signatures.

The script used to generate the payload is available at this address:
http://216.239.59.104/search?q=cache:5hPSiD30SjEJ:xdiyer.cn/%3Fid%3D174+%27Bypassing+of+web+filters+by+using+ASCII+Exploit+By+CoolDiyer%27&hl=en&ct=clnk&cd=4&client=firefox-a

The details of the investigation are available here:
http://www.internetdefence.net/2007/02/06/Javascript-payload

The "sid" will need to be changed, and if you find some optimisations feel free to comment.

Regards,

Fabien Bourdaire
ECSC Security Analyst

# bc d3 c3 d2 c9 d0 d4