Bleeding Edge Threats Daily Signature Changes
United States
2007-10-04 19:00:17
[***] Results from Oinkmaster started Fri Oct  5 00:00:17 2007 [***]

[+++]          Added rules:          [+++]

 2007620 - BLEEDING-EDGE TROJAN Zlob Updating via HTTP (v2) (bleeding-virus.rules)
 2007621 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet login (bleeding-virus.rules)
 2007622 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet Response (bleeding-virus.rules)
 2007623 - BLEEDING-EDGE TROJAN Kaiten IRCbotnet Commands (bleeding-virus.rules)
 2007624 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Response (bleeding-virus.rules)
 2007625 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Commands (bleeding-virus.rules)
 2007626 - BLEEDING-EDGE TROJAN Pitbull IRCbotnet Fetch (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2003302 - BLEEDING-EDGE TROJAN psyBNC IRC Server Connection (bleeding-virus.rules)
 2007568 - BLEEDING-EDGE TROJAN Zlob Updating via HTTP (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (24):
        2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection || url,en.wikipedia.org/wiki/PsyBNC
        2007620 || BLEEDING-EDGE TROJAN Zlob Updating via HTTP (v2)
        2007621 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet login || url,en.wikipedia.org/wiki/IRC_bot
        2007622 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot
        2007623 || BLEEDING-EDGE TROJAN Kaiten IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot
        2007624 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot
        2007625 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot
        2007626 || BLEEDING-EDGE TROJAN Pitbull IRCbotnet Fetch || url,en.wikipedia.org/wiki/IRC_bot
        2500517 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (518) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500518 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (519) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500519 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (520) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500520 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (521) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500521 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (522) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500522 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (523) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500523 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (524) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2500524 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic (525) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510517 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (518) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510518 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (519) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510519 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (520) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510520 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (521) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510521 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (522) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510522 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (523) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510523 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (524) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts
        2510524 || BLEEDING-EDGE COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (525) || url,doc.bleedingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to bleeding-virus.rules (46):
        # by Reg Quinton
        # Kaiten is a compiled code DDOS IRCbotnet for Unix/Linux systems. You will
        # find the string "Kaiten wagoraku" in the code ..(or in the strings if you
        # have a compiled version). It's been around since at least 2006, source can
        # be found at many sites.
        # See also
        # http://isc.sans.org/diary.html?storyid=1127
        # http://handlers.dshield.org/pbueno/Steve_malware6.pdf
        # http://www.stacksegment.net/wiki/index.php/Linux_Malware_Analysis
        # http://ktp.e-isa.com/Viruses/Linux.DDos-Kaiten.htm
        # Reg Quinton; 2007/08/30
        # Botnet begins by contacting an IRC server (there's some randomization to
        # pick one) and saying (with short nick,ident,user strings..):
        #  Send(sock,"NICK %s\nUSER %s localhost localhost :%s\n",nick,ident,user);
        # various distinctive responses to commands implemented by Kaiten client
        # various commands implemented by Kaiten client, they don't use a : delimiter
        # as others do, it's "[:<server> ]PRIVMSG !<clients> <command> <args>". I'm
        # skipping the server part. I wish there were flowbits that noted that we have
        # an IRC channel going. I don't want to watch everything.
        # Pitbull is an IRCbot implemented in Perl since 2007/09/13, code seems to have
        # authors who speak Spanish or Portuguese. Small sample here
        #   http://www.directadmin.com/forum/showthread.php?p=113720
        # Google had a cached version, you might browse around to find others.
        # Versions I captured are a little different from one another (s/space/etx/).
        # Code *says* it supports these commands (but versions differ):
        #!bot portscan <ip>
        #!bot nmap <ip> <beginport> <endport>
        #!bot back <ip><port>
        #!bot udpflood <ip> <packet size> <time>
        #!bot tcpflood <ip> <port> <packet size> <time>
        #!bot httpflood <site> <time>
        #!bot linuxhelp
        #!bot rfi <vuln> <dork>
        #!bot system
        #!bot milw0rm
        #!bot logcleaner
        #!bot sendmail <subject> <sender> <recipient> <message>
        #!bot join <#channel>
        #!bot part <#channel>
        #!bot help
        #!bot cd tmp for example
        #!bot !eval <code= for example :nickname>
        # Reg Quinton; 26-Sept-2007
        # seems to be a common prefix in responses with the few I've seen.
        # various commands implemented by Pitbull client as provided above
        # distinctive string in page fetch to google, yahoo, lycos, milw0rm, etc.

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2003302 || BLEEDING-EDGE TROJAN psyBNC IRC Server Connection

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
