Most Effective Malware-Related Snort Signatures
Sat Jul 5 10:15:25 2008
Phase = BotHunter infection-dialog phase the rule is assigned to: scan (inbound scan), infection (inbound exploit), egg download, C&C (c&c channel), outbound attack (outbound scan). A few rows carry only the coarser direction label "inbound" or "outbound", or "local attack prep".
SID = Snort signature ID and revision (sid:rev). The same rule text can appear under more than one SID, differing only in a leading digit that follows the Phase column (e.g. 22466:7 under inbound exploit and 52466:7 under outbound scan both carry the text of "netbios smb-ds ipc$ unicode share access").
First / Last = month/day of the first and last alert this rule produced during the analysis window
Malcode = Number of unique malware binaries that this rule fired on during the analysis window (not shown as a column in this table)
Infects = Number of malware infections that this rule detected during the analysis window, shown as "N of 15363"
Detects = 30-day signature detection rates based on exposure to 15363 malware infections. The printed value is Infects / 15363 truncated to a whole percent; rules below 1% are shown as 01% rather than 00% (so 1 of 15363 prints as 01%).
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 56% | 5001684:99 | 01/27 | 07/04 | 8645 of 15363 | bothunter | egg download | bothunter malware windows executable (p... |
| 49% | 22466:7 | 01/27 | 07/04 | 7595 of 15363 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 46% | 2001683:3 | 01/27 | 07/04 | 7196 of 15363 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 44% | 299913:1 | 01/27 | 07/04 | 6822 of 15363 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 42% | 292000032:99 | 01/27 | 07/04 | 6559 of 15363 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 42% | 22000032:6 | 01/27 | 07/04 | 6538 of 15363 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 40% | 299998:1 | 01/27 | 07/03 | 6232 of 15363 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 40% | 21390:5 | 01/27 | 07/03 | 6232 of 15363 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 30% | 3000006:99 | 01/27 | 06/28 | 4644 of 15363 | bothunter | egg download | bothunter malware executable upload |
| 19% | 52123:3 | 01/28 | 07/04 | 3060 of 15363 | snort | outbound scan | registered free attack-responses micros... |
| 19% | 2000427:9 | 01/27 | 06/30 | 2967 of 15363 | emerging threats | egg download | policy pe exe install windows file d... |
| 18% | 31000004:99 | 01/27 | 07/04 | 2776 of 15363 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 17% | 3000000:99 | 01/27 | 07/04 | 2764 of 15363 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 17% | 3000003:99 | 01/27 | 07/04 | 2677 of 15363 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 14% | 299906:1 | 01/29 | 07/04 | 2200 of 15363 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 10% | 2404005:1142 | 04/27 | 05/12 | 1657 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 09% | 23003:4 | 01/27 | 07/03 | 1388 of 15363 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 09% | 2000352:6 | 01/27 | 07/04 | 1388 of 15363 | emerging threats | local attack prep | attack response irc - dns request on... |
| 08% | 3001441:1 | 01/27 | 07/04 | 1326 of 15363 | snort | egg download | tftp get .exe from external source |
| 08% | 1444:3 | 01/27 | 07/04 | 1326 of 15363 | snort | egg download | tftp get from external source |
| 08% | 2008120:1 | 01/27 | 07/04 | 1326 of 15363 | emerging threats | egg download | policy outbound tftp read request |
| 04% | 3000005:99 | 02/09 | 05/07 | 684 of 15363 | bothunter | egg download | bothunter malware executable upload |
| 04% | 2000047:4 | 01/27 | 07/04 | 626 of 15363 | emerging threats | egg download | worm sasser transfer _up.exe |
| 04% | 22001056:5 | 01/27 | 07/04 | 621 of 15363 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 04% | 2000355:4 | 01/29 | 07/04 | 615 of 15363 | emerging threats | c&c channel | policy irc authorization message |
| 03% | 2000356:4 | 01/27 | 07/04 | 549 of 15363 | emerging threats | c&c channel | policy irc connection |
| 02% | 3000007:99 | 03/31 | 07/03 | 431 of 15363 | bothunter | egg download | bothunter malware executable upload |
| 02% | 2404012:1142 | 01/29 | 07/03 | 409 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 02% | 2404017:1142 | 02/17 | 06/03 | 409 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 02% | 2002029:7 | 01/27 | 07/04 | 398 of 15363 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 02% | 32000004:99 | 01/29 | 06/15 | 357 of 15363 | bothunter | egg download | bothunter malware executable upload |
| 02% | 2404008:1142 | 02/09 | 06/25 | 319 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 02% | 2404002:1142 | 02/09 | 03/22 | 318 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2001184:5 | 01/29 | 07/04 | 272 of 15363 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera... |
| 01% | 2000346:7 | 01/27 | 07/04 | 264 of 15363 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 2003603:2 | 01/27 | 07/04 | 234 of 15363 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 01% | 2001569:12 | 01/27 | 07/04 | 203 of 15363 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 2007726:2 | 01/29 | 06/08 | 140 of 15363 | emerging threats | egg download | attack response unusual ftp server b... |
| 01% | 2003070:4 | 01/27 | 07/03 | 136 of 15363 | emerging threats | c&c channel | worm korgo.u reporting |
| 01% | 2404011:1142 | 01/27 | 06/29 | 112 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2404013:1142 | 01/30 | 07/02 | 106 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2006357:2 | 05/30 | 07/01 | 53 of 15363 | snort | outbound | malware suspicious user agent - likely webhanc... |
| 01% | 2007577:2 | 04/03 | 07/01 | 41 of 15363 | emerging threats | egg download | trojan general downloader checkin ur... |
| 01% | 2001584:6 | 06/27 | 07/01 | 37 of 15363 | emerging threats | c&c channel | bleeding-edge virus bot reporting scan/... |
| 01% | 2003294:5 | 01/30 | 05/23 | 37 of 15363 | emerging threats | inbound scan | worm allaple icmp sweep ping inbound |
| 01% | 2406032:43 | 02/14 | 06/14 | 29 of 15363 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002911:2 | 02/09 | 05/01 | 24 of 15363 | emerging threats | inbound scan | scan potential vnc scan 5900-5920 |
| 01% | 2406021:43 | 01/30 | 07/02 | 23 of 15363 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002809:3 | 02/24 | 07/03 | 13 of 15363 | emerging threats | c&c channel | attack response hostile ftp server b... |
| 01% | 2006778:2 | 05/02 | 06/20 | 12 of 15363 | emerging threats | c&c channel | malware debelizombi.com spyware user... |
| 01% | 2404003:1142 | 02/14 | 02/21 | 12 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2003082:3 | 02/05 | 07/02 | 10 of 15363 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp... |
| 01% | 2404015:1142 | 04/12 | 05/23 | 9 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002986:2 | 01/31 | 07/01 | 8 of 15363 | emerging threats | egg download | policy icq install direct download -... |
| 01% | 2538:15 | 02/21 | 06/20 | 7 of 15363 | snort | inbound exploit | netbios smb ipc$ unicode share access |
| 01% | 2007587:2 | 05/30 | 07/01 | 7 of 15363 | snort | outbound | trojan general downloader or virut c&c ack |
| 01% | 52466:7 | 03/25 | 06/29 | 6 of 15363 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2406000:7 | 04/17 | 06/14 | 5 of 15363 | emerging threats | c&c channel | rbn known russian business network t... |
| 01% | 52000032:6 | 03/25 | 06/29 | 5 of 15363 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 2000562:10 | 04/18 | 06/21 | 5 of 15363 | emerging threats | outbound scan | virus outbound suspicious email atta... |
| 01% | 2003081:3 | 02/12 | 06/26 | 5 of 15363 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 100000274:2 | 03/04 | 06/30 | 5 of 15363 | snort | c&c channel | community bot gtbot scan command |
| 01% | 51390:5 | 04/30 | 05/21 | 5 of 15363 | snort | outbound scan | registered free shellcode x86 inc ebx noop |
| 01% | 599998:1 | 04/30 | 05/21 | 5 of 15363 | snort | outbound scan | shellcode x86 inc ebx noop |
| 01% | 599913:1 | 03/25 | 06/29 | 5 of 15363 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 592000032:99 | 03/25 | 06/29 | 5 of 15363 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 2404004:1142 | 02/21 | 02/29 | 4 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2003282:3 | 05/09 | 05/13 | 4 of 15363 | snort | inbound | malware socksv4 inbound connect request (windo... |
| 01% | 2406024:43 | 05/08 | 05/09 | 3 of 15363 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002030:10 | 03/04 | 06/30 | 3 of 15363 | emerging threats | c&c channel | trojan bot - potential scan/exploit ... |
| 01% | 2001871:17 | 06/28 | 07/01 | 3 of 15363 | snort | outbound | malware target saver spyware user agent |
| 01% | 2002033:12 | 03/04 | 04/19 | 3 of 15363 | emerging threats | c&c channel | trojan bot - potential response |
| 01% | 2406019:43 | 05/16 | 06/14 | 3 of 15363 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2406033:43 | 05/05 | 05/07 | 3 of 15363 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002930:1 | 02/03 | 06/14 | 2 of 15363 | emerging threats | c&c channel | bleeding-edge worm perlb0t bot reportin... |
| 01% | 22002903:1 | 02/12 | 06/26 | 2 of 15363 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2003636:3 | 02/12 | 06/11 | 2 of 15363 | emerging threats | c&c channel | virus sality virus user agent detect... |
| 01% | 2003088:3 | 02/12 | 06/11 | 2 of 15363 | emerging threats | c&c channel | virus sality trojan user-agent (kuku... |
| 01% | 2406009:43 | 04/17 | 04/17 | 2 of 15363 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002895:3 | 04/18 | 05/03 | 2 of 15363 | emerging threats | outbound scan | virus w32.nugache smtp outbound |
| 01% | 2003492:5 | 02/09 | 03/14 | 2 of 15363 | emerging threats | c&c channel | malware suspicious mozilla user-agen... |
| 01% | 2003157:3 | 03/04 | 06/08 | 2 of 15363 | emerging threats | inbound exploit | trojan agobot-sdbot commands |
| 01% | 2008145:1 | 06/28 | 06/29 | 2 of 15363 | snort | outbound | malware speed-runner.com fake speed test user-... |
| 01% | 2406025:43 | 05/01 | 05/01 | 1 of 15363 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 3000002:99 | 03/12 | 03/12 | 1 of 15363 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 01% | 2007773:4 | 05/02 | 05/02 | 1 of 15363 | emerging threats | c&c channel | trojan pakes/cutwall/kobcka update u... |
| 01% | 2008146:1 | 06/28 | 06/28 | 1 of 15363 | snort | outbound | malware speed-runner.com fake speed test user-... |
| 01% | 22001057:5 | 06/27 | 06/27 | 1 of 15363 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.a -... |
| 01% | 2003614:3 | 04/30 | 04/30 | 1 of 15363 | emerging threats | inbound exploit | virus winupack modified pe header in... |
| 01% | 2002739:4 | 07/01 | 07/01 | 1 of 15363 | snort | outbound | malware idownloadagent spyware user agent |
| 01% | 2001219:15 | 05/12 | 05/12 | 1 of 15363 | snort | inbound | scan potential ssh scan |
| 01% | 2002031:13 | 06/08 | 06/08 | 1 of 15363 | snort | inbound | trojan bot - potential update/download |
| 01% | 2001057:6 | 06/27 | 06/27 | 1 of 15363 | emerging threats | inbound exploit | worm w32/sasser.worm.a |
| 01% | 2002385:9 | 06/08 | 06/08 | 1 of 15363 | snort | inbound | trojan bot - channel topic reptile commands |
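The report above is only useful to a detection engineer once it is back in structured form: which single rule gives the most coverage in each phase, whether the printed percentages actually follow from the Infects column, and which rows are phase-specific copies of the same rule text. The script below is an added example and is not BotHunter's own tooling. It assumes the pipe-delimited layout of the table above and the truncate-with-01%-floor rule for Detects that the table's values exhibit; the sample rows are copied from the table, and `parse_table`, `detect_pct`, `mismatched_rates`, `best_rule_by_phase` and `sid_variants` are names chosen here.

```python
"""Parse the BotHunter signature-effectiveness table and sanity-check it.

Added example, not BotHunter's own tooling. Assumes the pipe-delimited layout
shown on the page and that 'Detects' is Infects/total truncated, floored at 1%.
"""
import re
from collections import defaultdict

TOTAL_INFECTIONS = 15363  # denominator stated in the report's legend

# Constructed sample: six rows copied from the table above, same layout.
SAMPLE_TABLE = """\
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 56% | 5001684:99 | 01/27 | 07/04 | 8645 of 15363 | bothunter | egg download | bothunter malware windows executable (p... |
| 49% | 22466:7 | 01/27 | 07/04 | 7595 of 15363 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 19% | 52123:3 | 01/28 | 07/04 | 3060 of 15363 | snort | outbound scan | registered free attack-responses micros... |
| 10% | 2404005:1142 | 04/27 | 05/12 | 1657 of 15363 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 52466:7 | 03/25 | 06/29 | 6 of 15363 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2001219:15 | 05/12 | 05/12 | 1 of 15363 | snort | inbound | scan potential ssh scan |
"""


def parse_table(text):
    """Return one dict per data row; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 8 or cells[0] == "Detects" or cells[0].startswith("---"):
            continue
        m = re.fullmatch(r"(\d+) of (\d+)", cells[4])
        if m is None:
            raise ValueError(f"unexpected Infects cell: {cells[4]!r}")
        rows.append({
            "detects": int(cells[0].rstrip("%")),
            "sid": cells[1],
            "first": cells[2],
            "last": cells[3],
            "infects": int(m.group(1)),
            "total": int(m.group(2)),
            "author": cells[5],
            "phase": cells[6],
            "description": cells[7],
        })
    return rows


def detect_pct(infects, total=TOTAL_INFECTIONS):
    """Whole-percent rate as the report prints it: truncated, never below 1%."""
    if infects <= 0:
        return 0
    return max(1, (100 * infects) // total)


def mismatched_rates(rows):
    """SIDs whose printed Detects value does not match the recomputed one."""
    return [r["sid"] for r in rows
            if r["detects"] != detect_pct(r["infects"], r["total"])]


def best_rule_by_phase(rows):
    """Highest-coverage rule per phase as (sid, infects).

    Infection counts of different rules overlap (one infection can trip many
    rules), so the per-phase maximum is reported rather than a sum.
    """
    best = {}
    for r in rows:
        cur = best.get(r["phase"])
        if cur is None or r["infects"] > cur[1]:
            best[r["phase"]] = (r["sid"], r["infects"])
    return best


def sid_variants(rows):
    """Descriptions that appear under more than one SID, e.g. the same
    Snort rule text listed once as an inbound and once as an outbound copy."""
    by_desc = defaultdict(list)
    for r in rows:
        by_desc[r["description"]].append(r["sid"])
    return {d: sids for d, sids in by_desc.items() if len(sids) > 1}


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print("rows parsed:", len(rows))
    print("rate mismatches:", mismatched_rates(rows))
    for phase, (sid, n) in best_rule_by_phase(rows).items():
        print(f"{phase:16s} best {sid:14s} {n:5d} of {TOTAL_INFECTIONS}")
    print("same text under several SIDs:", sid_variants(rows))
```

Feeding the full table to `parse_table` instead of the six-row sample is the intended use; `mismatched_rates` should then come back empty, and `sid_variants` lists every rule text that the report carries under both an inbound and an outbound SID, which is what you want to know before deciding whether to keep one copy or both in a tuned ruleset.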

