Most Effective Malware-Related Snort Signatures
Fri Nov 6 08:34:26 2009
Column legend:

- **Phase** = BotHunter infection phase (scan, infection, egg download, C&C, outbound attack)
- **Malcode** = Number of unique malware binaries that this rule fired on during the analysis window
- **Infects** = Number of malware infections that this rule detected during the analysis window
- **Detects** = 30-day signature detection rates based on exposure to 3477 malware infections

| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 56% | 299913:1 | 09/01 | 11/05 | 1969 of 3477 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 43% | 5001684:99 | 09/01 | 11/05 | 1529 of 3477 | bothunter | egg download | bothunter malware windows executable (p... |
| 43% | 2001683:3 | 09/01 | 11/05 | 1525 of 3477 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 36% | 52123:3 | 09/01 | 11/05 | 1281 of 3477 | snort | outbound scan | registered free attack-responses micros... |
| 29% | 3001441:1 | 09/01 | 11/05 | 1036 of 3477 | snort | egg download | tftp get .exe from external source |
| 29% | 1444:3 | 09/01 | 11/05 | 1036 of 3477 | snort | egg download | tftp get from external source |
| 29% | 2008120:1 | 09/01 | 11/05 | 1036 of 3477 | emerging threats | egg download | policy outbound tftp read request |
| 28% | 22466:7 | 09/01 | 11/05 | 999 of 3477 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 19% | 292000032:99 | 09/01 | 11/05 | 661 of 3477 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 18% | 22000032:6 | 09/01 | 11/05 | 660 of 3477 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 18% | 299998:1 | 09/01 | 11/03 | 656 of 3477 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 18% | 21390:5 | 09/01 | 11/03 | 656 of 3477 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 18% | 3000003:99 | 09/01 | 11/05 | 648 of 3477 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 17% | 3000000:99 | 09/01 | 11/05 | 604 of 3477 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 16% | 3000006:99 | 09/01 | 11/03 | 590 of 3477 | bothunter | egg download | bothunter malware executable upload |
| 14% | 2002750:10 | 09/01 | 11/05 | 508 of 3477 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 09% | 2000352:6 | 09/01 | 11/03 | 315 of 3477 | emerging threats | local attack prep | attack response irc - dns request on... |
| 07% | 23003:4 | 09/01 | 11/03 | 257 of 3477 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 06% | 2003070:4 | 09/01 | 11/05 | 239 of 3477 | emerging threats | c&c channel | worm korgo.u reporting |
| 06% | 2000355:4 | 09/01 | 11/03 | 236 of 3477 | emerging threats | c&c channel | policy irc authorization message |
| 06% | 31000004:99 | 09/01 | 11/05 | 226 of 3477 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 06% | 2406000:7 | 09/01 | 11/03 | 215 of 3477 | emerging threats | c&c channel | rbn known russian business network t... |
| 06% | 2406019:43 | 09/01 | 11/03 | 215 of 3477 | emerging threats | c&c channel | rbn known russian business network m... |
| 04% | 2007726:2 | 09/10 | 11/03 | 164 of 3477 | emerging threats | egg download | attack response unusual ftp server b... |
| 03% | 2003603:2 | 09/01 | 11/05 | 137 of 3477 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 02% | 2000346:7 | 09/01 | 11/03 | 99 of 3477 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 32000004:99 | 09/01 | 10/13 | 66 of 3477 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2008124:1 | 09/01 | 11/03 | 53 of 3477 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2000047:4 | 09/02 | 11/04 | 53 of 3477 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 22001056:5 | 09/02 | 11/04 | 51 of 3477 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 2000356:4 | 09/01 | 10/30 | 48 of 3477 | emerging threats | c&c channel | policy irc connection |
| 01% | 2000427:9 | 09/01 | 11/03 | 38 of 3477 | emerging threats | egg download | policy pe exe install windows file d... |
| 01% | 2001894:5 | 09/03 | 11/03 | 36 of 3477 | snort | outbound | malware toolbarpartner spyware agent partner i... |
| 01% | 299906:1 | 09/01 | 11/05 | 28 of 3477 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 2001569:12 | 09/03 | 10/30 | 26 of 3477 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 3000007:99 | 09/01 | 11/03 | 24 of 3477 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2002029:7 | 09/01 | 11/03 | 20 of 3477 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 01% | 2001184:5 | 09/24 | 11/03 | 15 of 3477 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera... |
| 01% | 2404011:1142 | 09/01 | 10/02 | 10 of 3477 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2404013:1142 | 09/02 | 10/16 | 6 of 3477 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 100000274:2 | 09/06 | 10/04 | 6 of 3477 | snort | c&c channel | community bot gtbot scan command |
| 01% | 2002986:2 | 09/09 | 09/29 | 5 of 3477 | emerging threats | egg download | policy icq install direct download -... |
| 01% | 2406021:43 | 09/01 | 09/19 | 5 of 3477 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002030:10 | 09/06 | 10/04 | 4 of 3477 | emerging threats | c&c channel | trojan bot - potential scan/exploit ... |
| 01% | 2003081:3 | 09/01 | 10/30 | 4 of 3477 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2406032:43 | 09/03 | 10/31 | 4 of 3477 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 51390:5 | 09/29 | 11/03 | 3 of 3477 | snort | outbound scan | registered free shellcode x86 inc ebx noop |
| 01% | 599998:1 | 09/29 | 11/03 | 3 of 3477 | snort | outbound scan | shellcode x86 inc ebx noop |
| 01% | 52000032:6 | 09/01 | 09/08 | 2 of 3477 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 52466:7 | 09/01 | 09/08 | 2 of 3477 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2404001:1142 | 10/20 | 10/23 | 2 of 3477 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002751:3 | 10/08 | 11/04 | 2 of 3477 | snort | inbound | policy reserved ip space traffic - bogon nets 3 |
| 01% | 599913:1 | 09/01 | 09/08 | 2 of 3477 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 592000032:99 | 09/01 | 09/08 | 2 of 3477 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 2002400:12 | 09/29 | 09/29 | 1 of 3477 | snort | outbound | malware suspicious user agent (microsoft inter... |
| 01% | 2404007:1142 | 10/29 | 10/29 | 1 of 3477 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2406006:43 | 09/03 | 09/03 | 1 of 3477 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 22002903:1 | 09/25 | 09/25 | 1 of 3477 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2007632:2 | 10/21 | 10/21 | 1 of 3477 | snort | outbound | trojan possible gozi trojan checkin |
| 01% | 2003082:3 | 09/15 | 09/15 | 1 of 3477 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp... |
| 01% | 2003636:3 | 10/14 | 10/14 | 1 of 3477 | emerging threats | c&c channel | virus sality virus user agent detect... |
| 01% | 2003088:3 | 10/14 | 10/14 | 1 of 3477 | emerging threats | c&c channel | virus sality trojan user-agent (kuku... |
| 01% | 2001899:8 | 09/09 | 09/09 | 1 of 3477 | snort | outbound | botnet http botnet reg |
| 01% | 2003157:3 | 09/25 | 09/25 | 1 of 3477 | emerging threats | inbound exploit | trojan agobot-sdbot commands |
| 01% | 2002854:2 | 10/21 | 10/21 | 1 of 3477 | snort | outbound | trojan orderjack reporting user activity |
| 01% | 2001901:4 | 09/09 | 09/09 | 1 of 3477 | snort | outbound | trojan possible bobax trojan infection |