Most Effective Malware-Related Snort Signatures
Tue Feb 9 08:47:30 2010
Phase = BotHunter infection phase (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rate, based on exposure to 8015 malware infections
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 56% | 299913:1 | 09/02 | 02/08 | 4495 of 8015 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 39% | 52123:3 | 09/02 | 02/08 | 3132 of 8015 | snort | outbound scan | registered free attack-responses micros... |
| 34% | 5001684:99 | 09/02 | 02/08 | 2726 of 8015 | bothunter | egg download | bothunter malware windows executable (p... |
| 33% | 2001683:3 | 09/02 | 02/08 | 2718 of 8015 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 33% | 3001441:1 | 09/02 | 02/08 | 2705 of 8015 | snort | egg download | tftp get .exe from external source |
| 33% | 1444:3 | 09/02 | 02/08 | 2705 of 8015 | snort | egg download | tftp get from external source |
| 33% | 2008120:1 | 09/02 | 02/08 | 2705 of 8015 | emerging threats | egg download | policy outbound tftp read request |
| 28% | 22466:7 | 09/02 | 02/08 | 2317 of 8015 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 18% | 2002750:10 | 09/02 | 02/08 | 1456 of 8015 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 16% | 292000032:99 | 09/02 | 02/08 | 1308 of 8015 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 16% | 22000032:6 | 09/02 | 02/08 | 1307 of 8015 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 15% | 3000003:99 | 09/02 | 02/08 | 1270 of 8015 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 14% | 3000000:99 | 09/02 | 02/08 | 1172 of 8015 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 08% | 21390:5 | 09/02 | 01/28 | 680 of 8015 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 08% | 299998:1 | 09/02 | 01/17 | 678 of 8015 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 06% | 3000006:99 | 09/02 | 11/13 | 503 of 8015 | bothunter | egg download | bothunter malware executable upload |
| 05% | 2003603:2 | 09/02 | 02/08 | 427 of 8015 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 05% | 31000004:99 | 09/02 | 02/08 | 410 of 8015 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 05% | 2003070:4 | 09/02 | 02/08 | 406 of 8015 | emerging threats | c&c channel | worm korgo.u reporting |
| 04% | 2000352:6 | 09/02 | 02/08 | 323 of 8015 | emerging threats | local attack prep | attack response irc - dns request on... |
| 02% | 23003:4 | 09/02 | 11/13 | 218 of 8015 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 02% | 2000346:7 | 09/02 | 02/08 | 190 of 8015 | emerging threats | c&c channel | attack response irc - name response ... |
| 02% | 2007726:2 | 09/10 | 12/05 | 190 of 8015 | emerging threats | egg download | attack response unusual ftp server b... |
| 02% | 2000427:9 | 09/02 | 02/08 | 187 of 8015 | emerging threats | egg download | policy pe exe install windows file d... |
| 02% | 2000355:4 | 09/02 | 01/18 | 185 of 8015 | emerging threats | c&c channel | policy irc authorization message |
| 01% | 3000005:99 | 01/03 | 01/17 | 140 of 8015 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2406000:7 | 09/02 | 11/13 | 131 of 8015 | emerging threats | c&c channel | rbn known russian business network t... |
| 01% | 2406019:43 | 09/02 | 11/13 | 131 of 8015 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2000047:4 | 09/02 | 02/08 | 105 of 8015 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 22001056:5 | 09/02 | 02/08 | 103 of 8015 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 2001894:5 | 09/03 | 02/07 | 101 of 8015 | snort | outbound | malware toolbarpartner spyware agent partner i... |
| 01% | 299906:1 | 09/02 | 02/04 | 101 of 8015 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 2003484:5 | 11/21 | 01/06 | 84 of 8015 | snort | outbound | worm allaple unique http request - possibly pa... |
| 01% | 2008124:1 | 09/02 | 01/18 | 67 of 8015 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2001569:12 | 09/03 | 02/02 | 67 of 8015 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 2000356:4 | 09/02 | 01/18 | 58 of 8015 | emerging threats | c&c channel | policy irc connection |
| 01% | 100000274:2 | 09/06 | 01/11 | 25 of 8015 | snort | c&c channel | community bot gtbot scan command |
| 01% | 32000004:99 | 09/02 | 10/13 | 22 of 8015 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2002029:7 | 09/06 | 12/23 | 20 of 8015 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 01% | 2001184:5 | 09/24 | 12/17 | 20 of 8015 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera... |
| 01% | 100000273:2 | 01/08 | 02/08 | 14 of 8015 | snort | c&c channel | community bot gtbot info command |
| 01% | 2404011:1142 | 09/02 | 12/28 | 11 of 8015 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002030:10 | 09/06 | 12/23 | 10 of 8015 | emerging threats | c&c channel | trojan bot - potential scan/exploit ... |
| 01% | 2406022:43 | 11/06 | 01/29 | 10 of 8015 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 3000007:99 | 09/10 | 11/03 | 6 of 8015 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2404013:1142 | 09/02 | 10/16 | 6 of 8015 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2404001:1142 | 10/20 | 12/05 | 6 of 8015 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002986:2 | 09/09 | 09/29 | 5 of 8015 | emerging threats | egg download | policy icq install direct download -... |
| 01% | 2406021:43 | 09/07 | 12/21 | 5 of 8015 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2003081:3 | 10/07 | 01/12 | 5 of 8015 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2406032:43 | 09/03 | 11/08 | 5 of 8015 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2003082:3 | 09/15 | 12/26 | 4 of 8015 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp... |
| 01% | 22475:7 | 11/21 | 12/22 | 3 of 8015 | snort | inbound exploit | netbios smb-ds admin$ unicode share access |
| 01% | 51390:5 | 09/29 | 11/03 | 3 of 8015 | snort | outbound scan | registered free shellcode x86 inc ebx noop |
| 01% | 599998:1 | 09/29 | 11/03 | 3 of 8015 | snort | outbound scan | shellcode x86 inc ebx noop |
| 01% | 2003579:2 | 02/02 | 02/04 | 2 of 8015 | snort | outbound | malware findwhat.com spyware (clickthrough) |
| 01% | 22002903:1 | 09/25 | 12/18 | 2 of 8015 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2538:15 | 12/25 | 12/25 | 2 of 8015 | snort | inbound exploit | netbios smb ipc$ unicode share access |
| 01% | 2002031:13 | 11/30 | 12/10 | 2 of 8015 | snort | inbound | trojan bot - potential update/download |
| 01% | 2002751:3 | 10/08 | 11/04 | 2 of 8015 | snort | inbound | policy reserved ip space traffic - bogon nets 3 |
| 01% | 599913:1 | 09/08 | 12/01 | 2 of 8015 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 2002400:12 | 09/29 | 09/29 | 1 of 8015 | snort | outbound | malware suspicious user agent (microsoft inter... |
| 01% | 2404007:1142 | 10/29 | 10/29 | 1 of 8015 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2406006:43 | 09/03 | 09/03 | 1 of 8015 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 52000032:6 | 09/08 | 09/08 | 1 of 8015 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 2007632:2 | 10/21 | 10/21 | 1 of 8015 | snort | outbound | trojan possible gozi trojan checkin |
| 01% | 2003636:3 | 10/14 | 10/14 | 1 of 8015 | emerging threats | c&c channel | virus sality virus user agent detect... |
| 01% | 2000537:4 | 11/27 | 11/27 | 1 of 8015 | snort | inbound | scan nmap -ss |
| 01% | 2003088:3 | 10/14 | 10/14 | 1 of 8015 | emerging threats | c&c channel | virus sality trojan user-agent (kuku... |
| 01% | 52466:7 | 09/08 | 09/08 | 1 of 8015 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2002911:2 | 11/21 | 11/21 | 1 of 8015 | emerging threats | inbound scan | scan potential vnc scan 5900-5920 |
| 01% | 2001899:8 | 09/09 | 09/09 | 1 of 8015 | snort | outbound | botnet http botnet reg |
| 01% | 2003157:3 | 09/25 | 09/25 | 1 of 8015 | emerging threats | inbound exploit | trojan agobot-sdbot commands |
| 01% | 592000032:99 | 09/08 | 09/08 | 1 of 8015 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 2002854:2 | 10/21 | 10/21 | 1 of 8015 | snort | outbound | trojan orderjack reporting user activity |
| 01% | 2001901:4 | 09/09 | 09/09 | 1 of 8015 | snort | outbound | trojan possible bobax trojan infection |
| 01% | 2000545:4 | 11/27 | 11/27 | 1 of 8015 | snort | inbound | scan nmap -f -ss |