  • Rule & Firewall Updates Re-enabled

    December 3rd, 2007 Posted by - david

    The botcc, dshield, compromised, and drop rules at:

    http://www.bleedingthreats.net/rules/

    had not been updated since November 15. They were supposed to be updated nightly from various sources, including ShadowServer and DShield. I have re-enabled these automatic updates.

    Similarly, the firewall rules at:

    http://www.bleedingthreats.net/fwrules/

    had not been updated since November 15, either. They were supposed to be updated nightly from Spamhaus, ShadowServer, and DShield. I have re-enabled these automatic updates.

    If you encounter any problems, please report them.

    David.

    No Comments »

    I’m Leaving Bleeding Threats!

    November 17th, 2007 Posted by - jonkman

    After nearly 5 years as the founder and admin of Bleeding Edge Threats I must step out of the project.

    Sensory Networks, as many of you know, has very generously provided the financial support that’s made it possible for me to keep Bleeding Threats up and running over the last 12 months. My sincere thanks to them for this time, we’ve made some great things come to be in the open security community!

    Unfortunately I must step away from running Bleeding Threats, but wish Sensory Networks all the best for the future. I’m sure that between the community and Sensory the site can continue to grow and be a great resource.

    Any questions about the future of Bleeding Threats should be directed to the mailing lists and Sensory will soon post a direct contact. As always for technical issues keep them flowing to the lists.

    As for me, I’ll still be in the community, starting something new, please keep an eye out! I’ll be as always at jonkman@jonkmans.com, please stay in touch!

    Matt Jonkman

    1 Comment »

    Encrypted Storm Sigs

    November 14th, 2007 Posted by - jonkman

    As you all know there’s been a variant of Storm that’s XOR encrypting its P2P traffic. I didn’t put up sigs for this one specifically as we expected it to change and we’d see a flood of differently encrypting variants. All I could put up was a few sigs looking for UDP packets of certain size and frequency, which has only been slightly successful.

    So far we’re only seeing that one variant encrypt, and in better than a month it hasn’t changed its key. So I’m going ahead and putting up sigs specifically for that variant. Seems it’s going to stay for a while longer.

    alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)
    alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)

    Please let me know how they go!

    Matt

    No Comments »

    Windows 98 Snort Signature

    November 13th, 2007 Posted by - jonkman

    Win98 isn’t a security threat in itself… well mostly. But a LOT of spyware and downloaders still use old static User-Agent strings that identify them as Windows 98.

    So the following sig is out, it’s thresholded to keep the numbers down in case you run across Win98 boxes you weren’t aware of.

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Windows 98\;"; within:50; threshold:type limit, count 1, seconds 60, track by_src; classtype:policy-violation; reference:url,doc.bleedingthreats.net/bin/view/Main/Windows98UA; sid:2007695; rev:1;)

    Don’t run this sig if you KNOW you have Win98 boxes. If you do, best of luck….

    If you don’t have Win98 boxes then any hits on this sig should be treated as extremely suspicious, likely spyware or a downloader.

    Matt

    2 Comments »
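    The following is an added example, not code from Bleeding Threats or Snort: it re-implements in plain Python the matching logic of the two Storm rules (sids 2007701 and 2007702: dsize:25 plus a 4-byte prefix) and of the Windows 98 User-Agent rule (sid 2007695: the User-Agent header followed by "Windows 98;" within 50 bytes), together with the per-source `threshold` behaviour both posts rely on, so the rules can be checked against constructed sample traffic before deployment. The timestamps, source addresses and request bytes used with it are constructed test data.

```python
from collections import defaultdict

# Byte prefixes from the two Storm rules above (content at depth:4, dsize:25).
STORM_PREFIXES = {2007701: b"\x10\xa6\xd4\xc3", 2007702: b"\x10\xa0\xd4\xc3"}

def match_storm(payload: bytes):
    """Return the matching sid or None: dsize:25 means the UDP payload is
    exactly 25 bytes, depth:4 means the content must lie in the first 4."""
    if len(payload) != 25:
        return None
    for sid, prefix in STORM_PREFIXES.items():
        if payload[:4] == prefix:
            return sid
    return None

def match_win98_ua(request: bytes) -> bool:
    """sid 2007695: CRLF + 'User-Agent: ' followed by 'Windows 98;' ending
    within 50 bytes of the first match (Snort's within:50)."""
    marker = b"\r\nUser-Agent: "
    idx = request.find(marker)
    if idx < 0:
        return False
    start = idx + len(marker)
    return request.find(b"Windows 98;", start, start + 50) >= 0

class Threshold:
    """Per-source Snort threshold. 'limit' alerts on the first `count` events
    per `seconds` window; 'both' alerts once per window, when `count` is
    reached. With count 1, as in these rules, the two behave the same."""
    def __init__(self, kind="limit", count=1, seconds=60):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.win = defaultdict(lambda: [None, 0])  # src -> [window_start, n]

    def allow(self, src, now) -> bool:
        w = self.win[src]
        if w[0] is None or now - w[0] >= self.seconds:
            w[0], w[1] = now, 0  # new window for this source
        w[1] += 1
        return w[1] <= self.count if self.kind == "limit" else w[1] == self.count

def alerts(events, matcher, th):
    """events: constructed (timestamp, src, payload) tuples. Returns the
    (timestamp, src, match) triples that would actually raise an alert."""
    out = []
    for t, src, data in events:
        m = matcher(data)
        if m and th.allow(src, t):
            out.append((t, src, m))
    return out
```

Feeding a repeated Win98 request from one source through `alerts(..., Threshold("limit", 1, 60))` shows only the first hit per minute surfacing, which is the volume reduction the post describes.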

    E-Jihad Tool Sigs

    November 10th, 2007 Posted by - jonkman

    Sent in by Don Jackson from SecureWorks. Good set of sigs.

    The tool isn’t all that well written, there are existing toolkits and code that are much better suited, but this is what we’re seeing. No significant activity, but it’s in the press…

    Current signatures available here:
    http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_E-Jihad?view=markup

    Please report any issues.

    matt

    No Comments »

    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.