
List:       snort-sigs
Subject:    [Snort-sigs] Bleedingsnort.com Daily Update
From:       bleeding () bleedingsnort ! com
Date:       2005-01-31 1:00:01
Message-ID: 20050131010001.02CC155025D () james ! offsitefilter ! com


[***] Results from Oinkmaster started Sun Jan 30 20:00:01 2005 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-virus.rules (18):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS \
Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; pcre:"m/(Read\ \
the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; \
flow:to_server,established; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; \
sid:2000494; rev:2;)  new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
(msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized \
Researcher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; \
content:"filename="; content:".zip"; flow:to_server,established; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; \
classtype:trojan-activity; sid:2000494; rev:3;)  old: alert tcp $HOME_NET any -> any \
any (msg:"BLEEDING-EDGE Korgo.P binary upload"; \
content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; \
reference:url,www.f-secure.com/v-descs/korgo_p.shtml; flow:to_server,established; \
sid:2001338; rev:2;)  new: alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE \
Korgo.P binary upload"; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; \
reference:url,www.f-secure.com/v-descs/korgo_p.shtml; flow:to_server,established; \
classtype:trojan-activity; sid:2001338; rev:3;)  old: alert tcp $HOME_NET any -> \
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM MyDoom.S Outbound"; content:"LOL!\;)"; \
nocase; content:"filename=photos_arc.exe"; nocase; \
reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; \
reference:url,isc.sans.org/diary.php?date=2004-08-16; flow:to_server,established; \
sid:2001196; rev:3;)  new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
(msg:"BLEEDING-EDGE WORM MyDoom.S Outbound"; content:"LOL!\;)"; nocase; \
content:"filename=photos_arc.exe"; nocase; \
reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; \
reference:url,isc.sans.org/diary.php?date=2004-08-16; flow:to_server,established; \
classtype:trojan-activity; sid:2001196; rev:4;)  old: alert tcp $HOME_NET any -> \
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm"; \
content:"Authorized Resear cher Only"; pcre:"m/(Read\ the\ Result\!|Important\ \
Data\!)/"; content:"filename="; content:".zip"; flow:to_server,established; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; \
sid:2001291; rev:2;)  new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
(msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm"; content:"Authorized Resear cher \
Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; \
content:".zip"; flow:to_server,established; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; \
classtype:trojan-activity; sid:2001291; rev:3;)  old: alert tcp $HOME_NET $HTTP_PORTS \
-> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; \
content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm \
generation X"; nocase; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; \
flow:from_server,established; sid:2001607; rev:2;)  new: alert tcp $HOME_NET \
$HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm \
Defaced Page"; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity \
WebWorm generation X"; nocase; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; \
flow:from_server,established; classtype:trojan-activity; sid:2001607; rev:3;)  old: \
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible \
Bagle.AQ Worm Outbound"; content:"filename="; \
pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/"; \
nocase; flow:to_server,established; sid:2001065; rev:2;)  new: alert tcp $HOME_NET \
any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; \
content:"filename="; \
pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/"; \
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001065; rev:3;)  \
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible \
Bagle.AI Worm"; content:"filename="; \
pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; \
pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ \
Music|Lovely\ animals|Predators|The\ snake)/"; flow:to_server,established; \
sid:2001292; rev:4;)  new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
(msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm"; content:"filename="; \
pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; \
pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ \
Music|Lovely\ animals|Predators|The\ snake)/"; flow:to_server,established; \
classtype:trojan-activity; sid:2001292; rev:5;)  old: alert tcp $HOME_NET any -> \
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Outbound"; \
content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; \
flow:to_server,established; sid:2001390; rev:2;)  new: alert tcp $HOME_NET any -> \
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Outbound"; \
content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; \
flow:to_server,established; classtype:trojan-activity; sid:2001390; rev:3;)  old: \
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus \
PHPInclude.Worm Outbound Attack --LOCAL INFECTION--"; \
content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; \
reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; \
flow:to_server,established; sid:2001615; rev:8;)  new: alert tcp $HOME_NET any -> \
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack \
--LOCAL INFECTION--"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; \
nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; \
flow:to_server,established; classtype:trojan-activity; sid:2001615; rev:9;)  old: \
alert tcp any any -> \
[194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248] \
6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: type \
limit, track by_src, count 1, seconds 1800; sid:2001439; rev:1;)  new: alert tcp any \
any -> [194.68.45.50,194.134.7.195,193.109.122.67,213.48.150.13,213.48.150.1,129.27.9.248] \
6667 (msg:"BLEEDING-EDGE WORM Mydoom.ah/i Infection IRC Activity"; threshold: type \
limit, track by_src, count 1, seconds 1800; classtype:trojan-activity; sid:2001439; \
rev:2;)  old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html; \
uricontent:"/download/IEService215.chm"; nocase; flow:to_server,established; \
sid:2000365; rev:4;)  new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html; \
uricontent:"/download/IEService215.chm"; nocase; flow:to_server,established; \
classtype:trojan-activity; sid:2000365; rev:5;)  old: alert tcp $HOME_NET any -> any \
445 (msg:"BLEEDING-EDGE Korgo.P offering executable"; content:"|FF|SMB"; \
flow:to_server,established; depth:10; content:"|58|http"; content:".exe"; nocase; \
within:36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; rev:1; sid:2001337;) \
new: alert tcp $HOME_NET any -> any 445 (msg:"BLEEDING-EDGE Korgo.P offering \
executable"; content:"|FF|SMB"; flow:to_server,established; depth:10; \
content:"|58|http"; content:".exe"; nocase; within:36; \
reference:url,www.f-secure.com/v-descs/korgo_p.shtml; rev:2; \
classtype:trojan-activity; sid:2001337;)  old: alert tcp $HOME_NET any -> \
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; \
content:"filename="; \
pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; \
pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ \
Music|Lovely\ animals|Predators|The\ snake)/"; content:"\<html\>"; \
flow:to_server,established; sid:2000561; rev:6;)  new: alert tcp $HOME_NET any -> \
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; \
content:"filename="; \
pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; \
pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ \
Music|Lovely\ animals|Predators|The\ snake)/"; content:"\<html\>"; \
flow:to_server,established; classtype:trojan-activity; sid:2000561; rev:7;)  old: \
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman \
Worm Outbound"; content:"filename="; pcre: \
"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; \
flow:to_server,established; reference:url,secunia.com/virus_information/10429/evaman; \
sid:2000343; rev:5;)  new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
(msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm Outbound"; content:"filename="; pcre: \
"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; \
flow:to_server,established; reference:url,secunia.com/virus_information/10429/evaman; \
classtype:trojan-activity; sid:2000343; rev:6;)  old: alert tcp $HOME_NET any -> \
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; \
reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; \
flow:established; sid:2001061; rev:4;)  new: alert tcp $HOME_NET any -> $EXTERNAL_NET \
$HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; \
reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; \
flow:established; classtype:trojan-activity; sid:2001061; rev:5;)  old: alert tcp \
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MyDoom.P Query"; \
content:"/py/psSearch.py|3f|"; nocase; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM"; \
flow:to_server,established; sid:2001045; rev:5;)  new: alert tcp $HOME_NET any -> \
$EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MyDoom.P Query"; \
content:"/py/psSearch.py|3f|"; nocase; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM"; \
flow:to_server,established; classtype:trojan-activity; sid:2001045; rev:6;)  old: \
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle \
Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; \
uricontent:"/spyware.php"; flow:established; sid:2001064; rev:2;)  new: alert tcp \
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking \
In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; \
flow:established; classtype:trojan-activity; sid:2001064; rev:3;)  old: alert tcp \
$HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm"; \
content:"filename="; \
pcre:"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; \
content:"formart"; flow:to_server,established; \
reference:url,secunia.com/virus_information/10429/evaman; sid:2001290; rev:4;)  new: \
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman \
Worm"; content:"filename="; \
pcre:"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; \
content:"formart"; flow:to_server,established; \
reference:url,secunia.com/virus_information/10429/evaman; classtype:trojan-activity; \
sid:2001290; rev:5;)
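Review bot: The new side of sid 2001291 still matches `content:"Authorized Resear cher Only"` (the split word is carried over unchanged from the old rule), while sid 2000494 in the same section matches `content:"Authorized Researcher Only"` for the same Atak.mm lure text, so unless the space is intentional the rev 3 rule cannot fire on the string it names. Since this revision only adds `classtype:trojan-activity`, it is the natural place to correct it to `content:"Authorized Researcher Only";` and bump rev once more. The remaining modifications in this section are the uniform classtype addition and look consistent with each other.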

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-virus.rules (2):
        old: #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS \
Possible Beagle.AV Worm Inbound"; content:"filename="; \
pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; \
flow:to_server,established; sid:2001391; rev:2;)  new: #alert tcp $EXTERNAL_NET any \
-> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Inbound"; \
content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; \
flow:to_server,established; classtype:trojan-activity; sid:2001391; rev:3;)  old: \
#alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE Worm Zincite Probing \
port 1034"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; \
flags:S,12; sid:2001011; threshold: type threshold, track by_src, count 30,seconds \
60; rev:5;)  new: #alert tcp $HOME_NET 1024:65535 -> any 1034 (msg:"BLEEDING-EDGE \
Worm Zincite Probing port 1034"; \
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html; \
flags:S,12; classtype:trojan-activity; sid:2001011; threshold: type threshold, track \
by_src, count 30,seconds 60; rev:6;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE \
Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; \
content:"perl%20"; nocase; \
reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; \
flow:to_server,established; sid:2001614; rev:8;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-virus.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE \
Virus PHPInclude.Worm Inbound Attack"; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; \
content:"perl%20"; nocase; \
reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; \
flow:to_server,established; classtype:trojan-activity; id:2001614; rev:9;)
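Review bot: The re-added inbound PHPInclude.Worm rule carries `id:2001614` instead of `sid:2001614`, which is presumably why Oinkmaster files it under "Added non-rule lines" rather than as a modification of the identical rule listed as removed above, and why the `2001614 || …` entry drops out of bleeding-sid-msg.map in the next section. As written the line is not recognised as rule 2001614 by anything keyed on sid, and a Snort rule parse may reject the unknown `id` option, so this update effectively loses the inbound detection while its outbound twin (sid 2001615, rev 9) is kept. The fix is the one-token change `sid:2001614; rev:9;`, after which the sid-msg.map entry should reappear on the next run.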

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2001614 || BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack || \
url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

[*] Added files: [*]
    None.



-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


