  • Archive for the 'General' Category


    Rule & Firewall Updates Re-enabled

    Monday, December 3rd, 2007

    The botcc, dshield, compromised, and drop rules at:

    http://www.bleedingthreats.net/rules/

    had not been updated since November 15. They were supposed to be updated nightly from various sources, including ShadowServer and DShield. I have re-enabled these automatic updates.

    Similarly, the firewall rules at:

    http://www.bleedingthreats.net/fwrules/

    had not been updated since November 15, either. They were supposed to be updated nightly from Spamhaus, ShadowServer, and DShield. I have re-enabled these automatic updates.

    If you encounter any problems, please report them.

    David.

    Posted in General, New Rules | No Comments »

    Possible Trojan Infection Report Email Rule

    Saturday, September 8th, 2007

    A large number of trojans report an infection by sending a blank email to a gmail or other free provider. They’re pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique.

    # This sig should catch them outbound
    alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)

    Some more detail here:
    http://docs.bleedingthreats.net/bin/view/Main/2007611

    Please report any falses on it.

    Matt

    Posted in General, New Rules | No Comments »

    Trojan.Win32.Qhost.it C&C Sigs

    Monday, August 27th, 2007

    #by Matt Jonkman, from sandnet analysis
    # some kind of c&c, needs more research, but these sigs are reliable
    alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007578; rev:1;)
    alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007579; rev:1;)
    alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Inbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007580; rev:1;)
    alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Inbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007581; rev:1;)

    The C&C channel is interesting, please report any hits, or let me know if you notice something else unique in samples.

    Matt

    Posted in General, New Rules | No Comments »

    CCProxy in use by Malware

    Monday, August 27th, 2007

    CCProxy is a legitimate program, but has been seen in use by malware to proxy remote http. It’s a product designed for internal network use. Run this sig externally to detect it in use remotely.

    # This would likely be hostile activity
    #by Matt Jonkman from sandnet analysis
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:"HTTP/1.0 200 Connection established|0d 0a|Proxy-agent\: CCProxy "; offset:0; depth:58; classtype:trojan-activity; reference:url,www.youngzsoft.net; sid:2007576; rev:1;)

    In the sandnet I’ve got a couple samples that are connecting to a remote web server that turns out to be a ccproxy instance. Interesting…

    Matt

    Posted in General, New Rules | No Comments »
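    As an added illustration (not code from Bleeding Edge Threats or from Snort) of why the Indy Mail rule (sid 2007611) and the CCProxy rule (sid 2007576) above match what they match, here is a small Python matcher for the content, offset, depth and within options those two rules use. The option semantics are assumed from the Snort manual: offset/depth bound where the first content may sit, and within bounds each later content relative to the end of the previous match; the sample payloads are constructed, not real captures.

```python
# Added example, not Snort's code: minimal content/offset/depth/within matcher.
# Assumed semantics (Snort manual): offset/depth bound the first content's search
# window; within bounds each following content relative to the previous match end.
import re

def parse_content(spec):
    """Turn a Snort content string (|hex| sections, \\-escapes) into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2:                       # odd chunks sit between pipes: hex bytes
            out += bytes.fromhex(chunk)
        else:                           # literal text; drop escape backslashes
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
    return bytes(out)

def matches(payload, contents):
    """True if every (spec, modifiers) content matches payload, in order."""
    cursor = 0                          # end of the previous match
    for i, (spec, mods) in enumerate(contents):
        needle = parse_content(spec)
        if i == 0:
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(payload)
        else:
            start = cursor
            end = cursor + mods["within"] if "within" in mods else len(payload)
        pos = payload.find(needle, start, end)   # needle must fit inside [start, end)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True

# Content options transcribed from the two rules in the posts above.
INDY_RULE = [("|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy ", {}),
             ("|0d 0a 0d 0a 2e 0d 0a|", {"within": 22})]
CCPROXY_RULE = [("HTTP/1.0 200 Connection established|0d 0a|Proxy-agent\\: CCProxy ",
                 {"offset": 0, "depth": 58})]

# Constructed sample payloads (not real captures).
INDY_BEACON = (b"From: bot@example.test\r\nTo: drop@example.test\r\n"
               b"X-Priority: 1\r\nX-Library: Indy 9.00.10\r\n\r\n.\r\n")
NORMAL_MAIL = (b"From: me@example.test\r\nX-Priority: 1\r\nX-Library: Indy 9.00.10\r\n\r\n"
               b"Hi, attached is the quarterly report.\r\n.\r\n")
CCPROXY_RESP = b"HTTP/1.0 200 Connection established\r\nProxy-agent: CCProxy 6.6\r\n\r\n"

if __name__ == "__main__":
    print(matches(INDY_BEACON, INDY_RULE), matches(NORMAL_MAIL, INDY_RULE))  # True False
    print(matches(CCPROXY_RESP, CCPROXY_RULE), matches(b"\r\n" + CCPROXY_RESP, CCPROXY_RULE))  # True False
```

The second Indy sample has a real body, so the blank-body terminator falls outside the 22-byte within window and the rule does not fire; the shifted CCProxy response fails because depth:58 leaves no room for the 58-byte banner to start anywhere but offset 0.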

    New Ruleset: Compromised Hosts

    Friday, August 24th, 2007

    One last new ruleset to add this week. I promise no more for a bit.

    http://docs.bleedingthreats.net/bin/view/Main/CompromisedHost

    This is a compilation of several very reliable sources of hosts that are compromised. Not your everyday compromised spewing a little spam kind of hosts. These are significantly hostile.

    These are updated daily or better, so be sure you’re updating as well.

    If you have an intelligence source to add to the list please let me know.

    http://www.bleedingthreats.net/rules/bleeding-compromised.rules
    http://www.bleedingthreats.net/rules/bleeding-compromised-BLOCK.rules

    Matt

    Posted in Documentation, General, New Rules | 1 Comment »

    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.