[***] Results from Oinkmaster started Fri Jun 23 21:00:11 2006 [***]
[+++] Added rules: [+++]
2002973 - BLEEDING-EDGE Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor (bleeding-scan.rules)
2002974 - BLEEDING-EDGE TROJAN Backdoor.Hupigon Possible Control Connection Being Established (bleeding-virus.rules)
2002975 - BLEEDING-EDGE TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type (bleeding-virus.rules)
2002976 - BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial Email to Owner (bleeding-virus.rules)
2002977 - BLEEDING-EDGE TROJAN Banload Downloader Infection - Sending initial email to owner (bleeding-virus.rules)
2002978 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner (bleeding-virus.rules)
2002979 - BLEEDING-EDGE POLICY SC-KeyLog Keylogger Installed - Sending Initial Email Report (bleeding-policy.rules)
2002980 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner (bleeding-virus.rules)
2002981 - BLEEDING-EDGE TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner (bleeding-virus.rules)
2002982 - BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO (bleeding-virus.rules)
2002983 - BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO (bleeding-virus.rules)
[///] Modified active rules: [///]
2001569 - BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection (bleeding-scan.rules)
2001579 - BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection (bleeding-scan.rules)
2001580 - BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection (bleeding-scan.rules)
2001581 - BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection (bleeding-scan.rules)
2001582 - BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection (bleeding-scan.rules)
2001583 - BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection (bleeding-scan.rules)
2400000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2400004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound (bleeding-drop.rules)
2401000 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401001 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401002 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401003 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2401004 - BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (bleeding-drop-BLOCK.rules)
2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-policy.rules (1):
# This is a commercial product, but we see it very often used in malware. Send this email on install
-> Added to bleeding-sid-msg.map (11):
2002973 || BLEEDING-EDGE Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
2002974 || BLEEDING-EDGE TROJAN Backdoor.Hupigon Possible Control Connection Being Established || url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html
2002975 || BLEEDING-EDGE TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type || url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html
2002976 || BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002977 || BLEEDING-EDGE TROJAN Banload Downloader Infection - Sending initial email to owner || url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586
2002978 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002979 || BLEEDING-EDGE POLICY SC-KeyLog Keylogger Installed - Sending Initial Email Report || url,www.soft-central.net/keylog.php
2002980 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002981 || BLEEDING-EDGE TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html
2002982 || BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO
2002983 || BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO
-> Added to bleeding-virus.rules (12):
#Matt Jonkman, analysis from captured binary
# Don't know a lot about this one. But the control session is apparently opened by a 00 00 00 00
# Then the bot replies with a packet that begins with the date in form such as 20060622, and
# among other things contains the host OS info.
# Since this is a windows bot, we can assume the word windows will be in there.
# Hopefully we can update these as more is learned. This is sorta crude, but should
# be reliable to not false pos at least....
# This thing sends out an email to its owner with stats and such. This ought to catch it..
#another variant
#Yet another
# Regular downloader, usually grabs a few swf exploiting files from brazilian servers. Sends an email on install
# General signs of trojan infections....
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs