Most Effective Malware-Related Snort Signatures
Sun Nov 22 08:50:36 2009
Phase = BotHunter infection phase (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rate, based on exposure to 4291 malware infections
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 56% | 299913:1 | 09/01 | 11/21 | 2441 of 4291 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 41% | 5001684:99 | 09/01 | 11/21 | 1799 of 4291 | bothunter | egg download | bothunter malware windows executable (p... |
| 41% | 2001683:3 | 09/01 | 11/21 | 1795 of 4291 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 37% | 52123:3 | 09/01 | 11/21 | 1588 of 4291 | snort | outbound scan | registered free attack-responses micros... |
| 29% | 3001441:1 | 09/01 | 11/21 | 1284 of 4291 | snort | egg download | tftp get .exe from external source |
| 29% | 1444:3 | 09/01 | 11/21 | 1284 of 4291 | snort | egg download | tftp get from external source |
| 29% | 2008120:1 | 09/01 | 11/21 | 1284 of 4291 | emerging threats | egg download | policy outbound tftp read request |
| 28% | 22466:7 | 09/01 | 11/21 | 1232 of 4291 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 18% | 292000032:99 | 09/01 | 11/21 | 813 of 4291 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 18% | 22000032:6 | 09/01 | 11/21 | 812 of 4291 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 18% | 3000003:99 | 09/01 | 11/21 | 780 of 4291 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 17% | 3000000:99 | 09/01 | 11/21 | 747 of 4291 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 15% | 299998:1 | 09/01 | 11/13 | 681 of 4291 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 15% | 21390:5 | 09/01 | 11/13 | 681 of 4291 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 14% | 2002750:10 | 09/01 | 11/21 | 636 of 4291 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 14% | 3000006:99 | 09/01 | 11/13 | 615 of 4291 | bothunter | egg download | bothunter malware executable upload |
| 08% | 2000352:6 | 09/01 | 11/21 | 345 of 4291 | emerging threats | local attack prep | attack response irc - dns request on... |
| 06% | 2003070:4 | 09/01 | 11/21 | 290 of 4291 | emerging threats | c&c channel | worm korgo.u reporting |
| 06% | 31000004:99 | 09/01 | 11/21 | 286 of 4291 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 06% | 23003:4 | 09/01 | 11/13 | 265 of 4291 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 05% | 2000355:4 | 09/01 | 11/19 | 242 of 4291 | emerging threats | c&c channel | policy irc authorization message |
| 05% | 2406000:7 | 09/01 | 11/13 | 218 of 4291 | emerging threats | c&c channel | rbn known russian business network t... |
| 05% | 2406019:43 | 09/01 | 11/13 | 218 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 04% | 2007726:2 | 09/10 | 11/13 | 189 of 4291 | emerging threats | egg download | attack response unusual ftp server b... |
| 03% | 2003603:2 | 09/01 | 11/21 | 170 of 4291 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 03% | 2000346:7 | 09/01 | 11/21 | 129 of 4291 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 32000004:99 | 09/01 | 10/13 | 66 of 4291 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2008124:1 | 09/01 | 11/19 | 63 of 4291 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2000047:4 | 09/02 | 11/21 | 63 of 4291 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 22001056:5 | 09/02 | 11/21 | 61 of 4291 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 2000356:4 | 09/01 | 11/20 | 59 of 4291 | emerging threats | c&c channel | policy irc connection |
| 01% | 2001894:5 | 09/03 | 11/19 | 44 of 4291 | snort | outbound | malware toolbarpartner spyware agent partner i... |
| 01% | 2000427:9 | 09/01 | 11/13 | 42 of 4291 | emerging threats | egg download | policy pe exe install windows file d... |
| 01% | 299906:1 | 09/01 | 11/20 | 34 of 4291 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 2001569:12 | 09/03 | 11/21 | 33 of 4291 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 3000007:99 | 09/01 | 11/03 | 24 of 4291 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2002029:7 | 09/01 | 11/20 | 24 of 4291 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 01% | 2003484:5 | 11/21 | 11/21 | 17 of 4291 | snort | outbound | worm allaple unique http request - possibly pa... |
| 01% | 2001184:5 | 09/24 | 11/03 | 15 of 4291 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera... |
| 01% | 100000274:2 | 09/06 | 11/19 | 13 of 4291 | snort | c&c channel | community bot gtbot scan command |
| 01% | 2404011:1142 | 09/01 | 10/02 | 10 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2404013:1142 | 09/02 | 10/16 | 6 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002986:2 | 09/09 | 09/29 | 5 of 4291 | emerging threats | egg download | policy icq install direct download -... |
| 01% | 2406021:43 | 09/01 | 09/19 | 5 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2406032:43 | 09/03 | 11/08 | 5 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002030:10 | 09/06 | 10/04 | 4 of 4291 | emerging threats | c&c channel | trojan bot - potential scan/exploit ... |
| 01% | 2003081:3 | 09/01 | 10/30 | 4 of 4291 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2404001:1142 | 10/20 | 11/10 | 4 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 51390:5 | 09/29 | 11/03 | 3 of 4291 | snort | outbound scan | registered free shellcode x86 inc ebx noop |
| 01% | 599998:1 | 09/29 | 11/03 | 3 of 4291 | snort | outbound scan | shellcode x86 inc ebx noop |
| 01% | 52000032:6 | 09/01 | 09/08 | 2 of 4291 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 52466:7 | 09/01 | 09/08 | 2 of 4291 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2002751:3 | 10/08 | 11/04 | 2 of 4291 | snort | inbound | policy reserved ip space traffic - bogon nets 3 |
| 01% | 599913:1 | 09/01 | 09/08 | 2 of 4291 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 592000032:99 | 09/01 | 09/08 | 2 of 4291 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 2002400:12 | 09/29 | 09/29 | 1 of 4291 | snort | outbound | malware suspicious user agent (microsoft inter... |
| 01% | 2404007:1142 | 10/29 | 10/29 | 1 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2406006:43 | 09/03 | 09/03 | 1 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 22475:7 | 11/21 | 11/21 | 1 of 4291 | snort | inbound exploit | netbios smb-ds admin$ unicode share access |
| 01% | 22002903:1 | 09/25 | 09/25 | 1 of 4291 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2007632:2 | 10/21 | 10/21 | 1 of 4291 | snort | outbound | trojan possible gozi trojan checkin |
| 01% | 2003082:3 | 09/15 | 09/15 | 1 of 4291 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp... |
| 01% | 2003636:3 | 10/14 | 10/14 | 1 of 4291 | emerging threats | c&c channel | virus sality virus user agent detect... |
| 01% | 2003088:3 | 10/14 | 10/14 | 1 of 4291 | emerging threats | c&c channel | virus sality trojan user-agent (kuku... |
| 01% | 2002911:2 | 11/21 | 11/21 | 1 of 4291 | emerging threats | inbound scan | scan potential vnc scan 5900-5920 |
| 01% | 2406022:43 | 11/06 | 11/06 | 1 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2001899:8 | 09/09 | 09/09 | 1 of 4291 | snort | outbound | botnet http botnet reg |
| 01% | 2003157:3 | 09/25 | 09/25 | 1 of 4291 | emerging threats | inbound exploit | trojan agobot-sdbot commands |
| 01% | 2002854:2 | 10/21 | 10/21 | 1 of 4291 | snort | outbound | trojan orderjack reporting user activity |
| 01% | 2001901:4 | 09/09 | 09/09 | 1 of 4291 | snort | outbound | trojan possible bobax trojan infection |