SidReporter Beta!
Written by Matt Jonkman   
Tuesday, 05 August 2008

As mentioned a few weeks ago, we've been working to bring out a tool to anonymously report IDS/IPS hits. Similar to DShield's firewall log reporting, we believe we can make some incredible data inferences with this information, as well as help improve the quality of our signatures while giving us all feedback to tune our rulesets.

But that's just the start. As with DShield's data, I think we'll run into benefits to the community that we can't even imagine until we start to look at the data.

Our tool to do that event collection and reporting is ready to beta test. We're looking for a few brave souls to run the tool and give us some feedback on the install and setup process. We expect to migrate this tool directly into production within a week or so.

SidReporter works by accessing your Snort database directly and extracting events. NO PAYLOADS or other sensitive data are accessed or reported. Just SID, Rev, Time and IP. You can choose to obfuscate local IP addresses, and then it's all packed up into a PGP-encrypted email and sent directly to Emerging Threats.
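To make the data-minimisation point concrete, here is an added example (my own code, not SidReporter or anything from Victor Julien) of the extraction and obfuscation steps described above. It builds a small in-memory SQLite database with a constructed, simplified imitation of the Snort DB tables (event, signature, iphdr and a payload table); the schema, the sample rows and the `sig_rev` values are assumptions for illustration. The extraction query only ever joins the tables holding SID, revision, timestamp and IP header fields, so the payload table is never read. Local addresses are replaced with a keyed-hash token (HMAC-SHA256 under a per-install secret), which is my choice of obfuscation, not necessarily the tool's; it keeps "same host, same token" so the receiver can still correlate events without learning the real address. The PGP email step is left out.

```python
import hashlib
import hmac
import ipaddress
import sqlite3

# Address ranges treated as "local" for obfuscation (assumption for this example).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified tables loosely modelled on the Snort DB layout.
# Not the real schema and not SidReporter's own queries.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_sid INTEGER,
                        sig_rev INTEGER, sig_name TEXT);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
CREATE TABLE data      (sid INTEGER, cid INTEGER, data_payload BLOB);
"""


def ip_to_int(ip):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(ip))


# Constructed sample rows: two alerts, one inbound, one outbound. Revisions are assumed.
SIGS = [(1, 2008453, 1, "ET SCAN Tomcat Auth Brute Force attempt (admin)"),
        (2, 2008077, 3, "ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)")]
EVENTS = [(1, 1, 1, "2008-08-05 09:12:44"),
          (1, 2, 2, "2008-08-05 09:13:01")]
IPHDRS = [(1, 1, ip_to_int("203.0.113.5"), ip_to_int("192.168.1.10")),
          (1, 2, ip_to_int("192.168.1.20"), ip_to_int("198.51.100.7"))]
PAYLOADS = [(1, 1, b"GET /manager/html HTTP/1.1"),
            (1, 2, b"GET /postcard.exe HTTP/1.1")]


def open_sample_db():
    """Create the in-memory sample database, payload table included."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", SIGS)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?)", IPHDRS)
    conn.executemany("INSERT INTO data VALUES (?,?,?)", PAYLOADS)
    return conn


def extract_events(conn):
    """Pull SID, Rev, Time, src IP, dst IP. The payload table is never touched."""
    rows = conn.execute("""
        SELECT s.sig_sid, s.sig_rev, e.timestamp, i.ip_src, i.ip_dst
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
        ORDER BY e.sid, e.cid""").fetchall()
    return [{"sid": sid, "rev": rev, "time": ts,
             "src": str(ipaddress.IPv4Address(src)),
             "dst": str(ipaddress.IPv4Address(dst))}
            for sid, rev, ts, src, dst in rows]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def obfuscate_ip(ip, key):
    """Replace a local address with a stable keyed token; leave others as-is."""
    if not is_local(ip):
        return ip
    tag = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]
    return f"local-{tag}"


def build_report(conn, key, obfuscate=True):
    """One tab-separated line per event: sid, rev, time, src, dst."""
    lines = []
    for ev in extract_events(conn):
        src, dst = ev["src"], ev["dst"]
        if obfuscate:
            src, dst = obfuscate_ip(src, key), obfuscate_ip(dst, key)
        lines.append(f"{ev['sid']}\t{ev['rev']}\t{ev['time']}\t{src}\t{dst}")
    return lines


if __name__ == "__main__":
    # The secret would live in the tool's config; this value is only for the demo.
    for line in build_report(open_sample_db(), b"per-install-secret"):
        print(line)
```

The keyed token is deliberately not a plain hash: with only 2^32 IPv4 addresses, an unkeyed SHA-256 of the address could be reversed by brute force, whereas the HMAC key never leaves the reporting host.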

Once we have this data flowing we'll look at what reports are going to be most useful to you as the information provider. Comparisons like how your events compare to other sites, what you're seeing that others aren't, and what others are seeing that you might not be. We believe this will be a great tool to help you not only understand what trends are coming in attacks globally, but also to tune your own ruleset based on what you're not seeing, or seeing enough of, that other sites are reporting.

We'll also have some publicly available analysis showing trends in signatures, IP correlation of bots and the like; the possibilities are endless. But to get the most value you'll have to contribute events completely anonymously. If you choose to log in to see your hits correlated with others you'll get the greatest benefit, but you'll just be a number there. You will remain anonymous.

So please, take a few minutes to run the SidReporter and send us some data. Obfuscate if you're worried about privacy, but know that we're committed to protecting your data! This tool was written by Victor Julien, and he's done a great job of building in obfuscation tools.

You can download SidReporter here:
http://www.emergingthreats.net/sidreporter/
http://www.emergingthreats.net/sidreporter/sidreporter-beta1.tar.gz


Docs available here:

http://doc.emergingthreats.net/bin/view/Main/SidReporter

If you'd like to beta test you can just download and try it out, or contact me off list to arrange a test. All data collected during this initial beta will be destroyed before we go live.

Thanks!

Matt

BASE 1.4.1 (laura) Released
Written by Matt Jonkman   
Monday, 04 August 2008

A new release from the BASE team. This one includes direct links to our Docs database for rules (http://docs.emergingthreats.net). Thanks guys:

Hello,

The BASE project team is proud to announce the immediate release of BASE 1.4.1 (lara). This release has fixed a large number of bugs and issues that were found in previous versions. These fixes include a number of problems with graphing and set up of the adodb libraries. Querying the database has also been improved.

Please download the latest version from
http://sourceforge.net/projects/secureideas

Thank you,
Kevin Johnson and the BASE project team

Last Updated ( Monday, 04 August 2008 )
Weekly New Signatures August 2 2008
Written by Matt Jonkman   
Saturday, 02 August 2008

2008477 - ET TROJAN Banload POST Checkin (dados) (emerging-virus.rules)
2008481 - ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin (emerging-virus.rules)
2008482 - ET TROJAN thespybot.com installation download detected (emerging-virus.rules)
2008483 - ET TROJAN Win32/Antivirus2008 (emerging-virus.rules)
2008484 - ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate) (emerging-malware.rules)
2008485 - ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup) (emerging-malware.rules)
2008486 - CURRENT_EVENTS Fake Airline E-ticket Email Inbound (emerging.rules)
2008487 - ET TROJAN Trojan-Downloader.Win32.Delf.bsy Checkin (emerging-virus.rules)
2008488 - ET MALWARE Suspicious User-Agent (NULL) (emerging-malware.rules)
2008489 - ET MALWARE Suspicious User-Agent (dwplayer) (emerging-malware.rules)
2008490 - ET TROJAN Dialer.Win32.E-Group.n Checkin (emerging-virus.rules)


[///] Modified active rules: [///]

2001810 - ET EXPLOIT WEB PHP remote file include exploit attempt (emerging-web_sql_injection.rules)

2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (fbi_facebook.exe) (emerging.rules)

DNS Testers Needed
Written by Matt Jonkman   
Friday, 01 August 2008

From Andre Ludwig:

All,

We need a few people to help us test out a freshly developed Snort DNS pre-processor that is targeted at the recent cache poisoning vulnerabilities. We are looking for individuals or groups who are willing to run test code in an environment that will provide various types (and flows) of DNS traffic. These individuals or groups should also possess the ability to actively induce attacks to verify the processor functions effectively (not required, but helpful). We would also like to zero in on any performance related issues that arise (memory utilization, CPU, etc); hopefully you will have had some past experience with Snort's performance monitoring pre-processor as well. Right now we want to keep the test group a bit smaller to keep the management of feedback to workable levels. This is NOT a commercial endeavor and of course the results will be released to the community as soon as things are "acceptable".


Feel free to ping me directly for a copy of the source code that needs to be tested. We are looking for 5-10 people at this time to beat up on this code and provide feedback.

I would like to publicly thank Scott Campbell for all his hard work these last few days (he deserves ALL the credit in this endeavor!).

You can check out some of Scott's previous work at the below link.


http://www.nersc.gov/~scottc/software/snort/index.html

Again, this is intended to detect cache poisoning attempts, so should be very useful!

Andre Ludwig

Last Updated ( Saturday, 02 August 2008 )
Weekly New Signatures July 26 2008
Written by Matt Jonkman   
Saturday, 26 July 2008

[***] Results from Oinkmaster started Sat Jul 26 18:00:08 2008 [***]

[+++] Added rules: [+++]

2008446 - ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt (emerging.rules)
2008447 - ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt (emerging.rules)
2008450 - ET TROJAN Buzus.lyz Connect to CnC (emerging-virus.rules)
2008451 - ET TROJAN Buzus.lyz Report to CnC (emerging-virus.rules)
2008452 - ET TROJAN Downloader.uxk checkin (emerging-virus.rules)
2008453 - ET SCAN Tomcat Auth Brute Force attempt (admin) (emerging-scan.rules)
2008454 - ET SCAN Tomcat Auth Brute Force attempt (tomcat) (emerging-scan.rules)
2008455 - ET SCAN Tomcat Auth Brute Force attempt (manager) (emerging-scan.rules)
2008456 - ET MALWARE PCPrivacyCleaner Rougue Secuirty App GET Checkin (emerging-malware.rules)
2008457 - ET MALWARE Deepdo Toolbar User-Agent (FavUpdate) (emerging-malware.rules)
2008458 - ET TROJAN Downloader UserAgent(AutoDL\/1.0) (emerging-virus.rules)
2008460 - ET MALWARE Suspicious User-Agent (hacker) (emerging-malware.rules)
2008461 - ET TROJAN Rouge Security Software Win32.BHO.egw (emerging-virus.rules)
2008462 - ET TROJAN Downloader.Agent.ZHO CnC Commands (emerging-virus.rules)
2008463 - ET MALWARE Suspicious User-Agent (ieguideupdate) (emerging-malware.rules)
2008464 - ET MALWARE Suspicious User-Agent (adsntD) (emerging-malware.rules)
2008465 - ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic (emerging-virus.rules)
2008467 - ET WEB Possible SQL Injection Attempt Danmec related (declare) (emerging-web.rules)
2008468 - ET TROJAN LDPinch Checkin Flowbit set (emerging-virus.rules)
2008469 - ET TROJAN LDPinch Checkin v2 (emerging-virus.rules)
2008470 - ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter (emerging.rules)
2008471 - ET TROJAN HotLan.C Spambot C&C download command (emerging-virus.rules)
2008472 - ET POLICY Netviewer.com Remote Control Proxy Test (emerging-policy.rules)
2008473 - ET TROJAN HotLan.C Spambot Trojan Activity (emerging-virus.rules)
2008474 - ET MALWARE Adware.Look2Me Activity (emerging-malware.rules)
2008475 - ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt (emerging.rules)
2008476 - ET EXPLOIT Foofus.net Password dumping, dll injection (emerging-exploit.rules)


[///] Modified active rules: [///]

2001852 - ET MALWARE 404Search Spyware User Agent (emerging-malware.rules)
2001853 - ET MALWARE Easy Search Bar Spyware User Agent (emerging-malware.rules)
2001854 - ET MALWARE EZULA Spyware User Agent (emerging-malware.rules)
2001869 - ET MALWARE Sidesearch Spyware User Agent (emerging-malware.rules)
2002776 - ET TROJAN SickleBot Reporting User Activity (emerging-virus.rules)
2008034 - ET TROJAN LDPinch SMTP Password Report (emerging-virus.rules)
2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe) (emerging.rules)
2008175 - ET WEB Possible SQL Injection (varchar) (emerging-web.rules)
2008176 - ET WEB Possible SQL Injection (exec) (emerging-web.rules)
2008371 - ET MALWARE Likely Ad-ware installation phoning home (success and NSISDL User-Agent) (emerging-malware.rules)
2008372 - ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2) (emerging-malware.rules)
2008374 - ET MALWARE Suspicious User-Agent (InetURL) (emerging-malware.rules)
2008378 - ET MALWARE Suspicious User-Agent (ErrCode) (emerging-malware.rules)
2008387 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) (emerging.rules)
2008388 - ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) (emerging.rules)
2008391 - ET MALWARE Suspicious User-Agent (svchost) (emerging-malware.rules)
2008400 - ET MALWARE Suspicious User-Agent (ReadFileURL) (emerging-malware.rules)
2008411 - ET TROJAN LDPinch SMTP Password Report with mail client The Bat! (emerging-virus.rules)
2008413 - ET MALWARE Suspicious User-Agent (PcPcUpdater) (emerging-malware.rules)
2008422 - ET MALWARE Suspicious User-Agent (Inet_read) (emerging-malware.rules)
2008423 - ET MALWARE Suspicious User-Agent (CFS Agent) (emerging-malware.rules)
2008424 - ET MALWARE Suspicious User-Agent (CFS_DOWNLOAD) (emerging-malware.rules)
2008427 - ET MALWARE Suspicious User-Agent (AdiseExplorer) (emerging-malware.rules)
2008428 - ET MALWARE Suspicious User-Agent (HTTP Downloader) (emerging-malware.rules)
2008429 - ET MALWARE Suspicious User-Agent (HttpDownload) (emerging-malware.rules)

2008440 - ET MALWARE Suspicious User-Agent (Download App) (emerging-malware.rules)

Last Updated ( Saturday, 26 July 2008 )
Highly Predictive Blacklists
Written by Matt Jonkman   
Friday, 25 July 2008

Cyber-TA (http://www.cyber-ta.org ) and their Malware Threat Center (http://mtc.sri.com ) are great places to keep up on malware and new threats. They're among our most important sources of information, and a group of researchers we rely on very often for great innovations.

They've perfected their Highly Predictive Blacklists in conjunction with ISC and DShield. A paper has been released here:

http://www.cyber-ta.org/pubs/hpb.pdf

Essentially this is using the data submitted to DShield via firewall logs and other sources, massaging that and producing a blacklist for each individual site that is most highly relevant to that site's exposure and likely sources of attack.
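The core idea that makes such a list "predictive" rather than merely popular is worth seeing in code. The following is an added illustration (my own code, not SRI's, Cyber-TA's or the paper's implementation) of a simplified relevance-based ranking: for a given contributor, each attacking source is scored by how many attackers the contributor shares with the other sites that reported it, so sources hitting a contributor's correlated peers rank above sources that are globally noisy but hit unrelated sites. The input is a constructed set of contributor/source pairs, not DShield data; the line format, contributor names and addresses are assumptions. The published algorithm goes further than this (it propagates relevance across correlated contributors and weights by severity), which this example omits.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: one "contributor source_ip" pair per line, the shape a
# de-duplicated firewall-log submission would leave behind. Not real data.
SAMPLE_REPORTS = """\
A 198.51.100.1
A 192.0.2.5
B 198.51.100.1
B 192.0.2.5
B 198.51.100.2
C 198.51.100.1
C 198.51.100.2
C 203.0.113.50
D 203.0.113.50
D 203.0.113.9
E 203.0.113.50
E 203.0.113.9
"""


def parse_reports(text):
    """Map each contributor to the set of sources it reported."""
    reports = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        contributor, src = line.split()
        ipaddress.ip_address(src)  # reject malformed addresses early
        reports[contributor].add(src)
    return dict(reports)


def correlation(reports, v, u):
    """Strength of the link between two contributors: attackers they both saw."""
    return len(reports[v] & reports[u])


def global_counts(reports):
    """Baseline: how many contributors reported each source (popularity only)."""
    counts = Counter()
    for attackers in reports.values():
        counts.update(attackers)
    return counts


def hpb_scores(reports, v):
    """Relevance of every known source to contributor v.

    A source reported by contributor u contributes correlation(v, u), so
    sources seen by v's closest peers score highest; sources seen only by
    contributors that share nothing with v score zero.
    """
    scores = {a: 0 for attackers in reports.values() for a in attackers}
    for u, attackers in reports.items():
        if u == v:
            continue
        w = correlation(reports, v, u)
        for a in attackers:
            scores[a] += w
    return scores


def rank(scores, counts, n):
    """Top-n sources by score, then by global count, then by address."""
    order = sorted(scores.items(),
                   key=lambda kv: (-kv[1], -counts[kv[0]],
                                   ipaddress.ip_address(kv[0])))
    return [a for a, _ in order[:n]]


def hpb_blacklist(reports, v, n):
    return rank(hpb_scores(reports, v), global_counts(reports), n)


def global_blacklist(reports, n):
    counts = global_counts(reports)
    return rank(dict(counts), counts, n)


if __name__ == "__main__":
    reports = parse_reports(SAMPLE_REPORTS)
    print("global top 3:", global_blacklist(reports, 3))
    print("site A top 3:", hpb_blacklist(reports, "A", 3))
```

In the sample, 203.0.113.50 is the most widely reported source, so a popularity list hands it to every site; for contributor A it scores only 1 because the sites that saw it barely overlap with A, while 198.51.100.2, reported only by A's two correlated peers, is pushed to the top of A's list.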

Great stuff, and it helps keep firewall rulesets and other tools under control. We can't all afford to block every IP that's done anything bad lately; this makes blocking the most important stuff much more possible.

"Our experiments demonstrate that our Highly Predictive Blacklist algorithm consistently creates firewall filters that are exercised at much higher rates than those from conventional blacklist methods," says Phil Porras, a researcher at SRI. I highly recommend taking a look at and using the tools available. Great stuff!!

Matt

Last Updated ( Friday, 25 July 2008 )