Most Effective Malware-Related Snort Signatures
Sun Sep 7 08:36:28 2008
Phase = BotHunter infection phase: (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rates based on exposure to 20807 malware infections
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 46% | 299913:1 | 03/31 | 08/12 | 9694 of 20807 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 45% | 5001684:99 | 03/31 | 08/12 | 9432 of 20807 | bothunter | egg download | bothunter malware windows executable (p... |
| 41% | 22466:7 | 03/31 | 08/12 | 8620 of 20807 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 36% | 52123:3 | 03/31 | 08/12 | 7563 of 20807 | snort | outbound scan | registered free attack-responses micros... |
| 35% | 292000032:99 | 03/31 | 08/12 | 7422 of 20807 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 35% | 22000032:6 | 03/31 | 08/12 | 7398 of 20807 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 32% | 2001683:3 | 03/31 | 08/12 | 6747 of 20807 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 25% | 299998:1 | 03/31 | 08/12 | 5239 of 20807 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 25% | 21390:5 | 03/31 | 08/12 | 5239 of 20807 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 18% | 3000006:99 | 04/02 | 08/12 | 3865 of 20807 | bothunter | egg download | bothunter malware executable upload |
| 16% | 3001441:1 | 03/31 | 08/12 | 3406 of 20807 | snort | egg download | tftp get .exe from external source |
| 16% | 1444:3 | 03/31 | 08/12 | 3406 of 20807 | snort | egg download | tftp get from external source |
| 16% | 2008120:1 | 03/31 | 08/12 | 3406 of 20807 | emerging threats | egg download | policy outbound tftp read request |
| 16% | 3000003:99 | 03/31 | 08/12 | 3398 of 20807 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 14% | 2000427:9 | 04/03 | 08/11 | 3016 of 20807 | emerging threats | egg download | policy pe exe install windows file d... |
| 13% | 3000000:99 | 03/31 | 08/12 | 2765 of 20807 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 12% | 299906:1 | 03/31 | 08/12 | 2595 of 20807 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 11% | 31000004:99 | 03/31 | 08/12 | 2493 of 20807 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 09% | 2000352:6 | 03/31 | 08/12 | 1984 of 20807 | emerging threats | local attack prep | attack response irc - dns request on... |
| 07% | 2404005:1142 | 04/27 | 05/12 | 1657 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 06% | 23003:4 | 03/31 | 08/12 | 1359 of 20807 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 04% | 2002029:7 | 03/31 | 08/12 | 987 of 20807 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 02% | 3000007:99 | 03/31 | 08/11 | 611 of 20807 | bothunter | egg download | bothunter malware executable upload |
| 02% | 2000047:4 | 03/31 | 08/12 | 609 of 20807 | emerging threats | egg download | worm sasser transfer _up.exe |
| 02% | 22001056:5 | 03/31 | 08/12 | 604 of 20807 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 02% | 2000355:4 | 03/31 | 08/11 | 563 of 20807 | emerging threats | c&c channel | policy irc authorization message |
| 02% | 2000356:4 | 03/31 | 08/12 | 556 of 20807 | emerging threats | c&c channel | policy irc connection |
| 02% | 2404012:1142 | 03/31 | 08/11 | 497 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 02% | 32000004:99 | 05/06 | 08/02 | 483 of 20807 | bothunter | egg download | bothunter malware executable upload |
| 02% | 2003603:2 | 03/31 | 08/12 | 417 of 20807 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 01% | 2404017:1142 | 04/01 | 06/03 | 389 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2007726:2 | 04/02 | 08/11 | 380 of 20807 | emerging threats | egg download | attack response unusual ftp server b... |
| 01% | 2003070:4 | 04/01 | 08/12 | 379 of 20807 | emerging threats | c&c channel | worm korgo.u reporting |
| 01% | 2000346:7 | 04/01 | 08/12 | 306 of 20807 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 2001569:12 | 04/01 | 08/12 | 247 of 20807 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 2001184:5 | 03/31 | 07/26 | 224 of 20807 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera... |
| 01% | 3000005:99 | 04/21 | 08/03 | 166 of 20807 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2001584:6 | 06/27 | 08/12 | 161 of 20807 | emerging threats | c&c channel | bleeding-edge virus bot reporting scan/... |
| 01% | 2404008:1142 | 06/25 | 08/03 | 155 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2006357:2 | 05/30 | 08/12 | 152 of 20807 | snort | outbound | malware suspicious user agent - likely webhanc... |
| 01% | 2404013:1142 | 03/31 | 08/12 | 118 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2007577:2 | 04/03 | 08/12 | 113 of 20807 | emerging threats | egg download | trojan general downloader checkin ur... |
| 01% | 2008124:1 | 07/06 | 08/12 | 86 of 20807 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2404011:1142 | 04/06 | 08/10 | 73 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2406021:43 | 04/12 | 08/11 | 37 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2008146:1 | 06/28 | 08/12 | 31 of 20807 | snort | outbound | malware speed-runner.com fake speed test user-... |
| 01% | 2003294:5 | 04/07 | 05/23 | 30 of 20807 | emerging threats | inbound scan | worm allaple icmp sweep ping inbound |
| 01% | 2002750:10 | 07/23 | 08/11 | 22 of 20807 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 01% | 2002911:2 | 04/07 | 05/01 | 19 of 20807 | emerging threats | inbound scan | scan potential vnc scan 5900-5920 |
| 01% | 2002809:3 | 04/22 | 07/19 | 16 of 20807 | emerging threats | c&c channel | attack response hostile ftp server b... |
| 01% | 2003081:3 | 05/21 | 07/29 | 15 of 20807 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2007587:2 | 05/30 | 08/08 | 15 of 20807 | snort | outbound | trojan general downloader or virut c&c ack |
| 01% | 2006778:2 | 05/02 | 08/04 | 14 of 20807 | emerging threats | c&c channel | malware debelizombi.com spyware user... |
| 01% | 52466:7 | 04/12 | 08/12 | 14 of 20807 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2406032:43 | 04/12 | 06/14 | 14 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 599913:1 | 04/12 | 08/12 | 13 of 20807 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 592000032:99 | 04/12 | 08/12 | 13 of 20807 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 52000032:6 | 04/12 | 08/12 | 12 of 20807 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 2002930:1 | 06/14 | 08/05 | 10 of 20807 | emerging threats | c&c channel | bleeding-edge worm perlb0t bot reportin... |
| 01% | 22002903:1 | 06/26 | 08/04 | 10 of 20807 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2404015:1142 | 04/12 | 05/23 | 9 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2003082:3 | 04/15 | 07/21 | 9 of 20807 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp... |
| 01% | 2002986:2 | 05/20 | 07/23 | 8 of 20807 | emerging threats | egg download | policy icq install direct download -... |
| 01% | 2001871:17 | 06/28 | 08/08 | 8 of 20807 | snort | outbound | malware target saver spyware user agent |
| 01% | 2406000:7 | 04/17 | 08/12 | 7 of 20807 | emerging threats | c&c channel | rbn known russian business network t... |
| 01% | 2000562:10 | 04/18 | 07/16 | 7 of 20807 | emerging threats | outbound scan | virus outbound suspicious email atta... |
| 01% | 51390:5 | 04/30 | 07/29 | 6 of 20807 | snort | outbound scan | registered free shellcode x86 inc ebx noop |
| 01% | 599998:1 | 04/30 | 07/29 | 6 of 20807 | snort | outbound scan | shellcode x86 inc ebx noop |
| 01% | 2008145:1 | 06/28 | 08/12 | 6 of 20807 | snort | outbound | malware speed-runner.com fake speed test user-... |
| 01% | 2002030:10 | 04/05 | 08/07 | 4 of 20807 | emerging threats | c&c channel | trojan bot - potential scan/exploit ... |
| 01% | 2003282:3 | 05/09 | 05/13 | 4 of 20807 | snort | inbound | malware socksv4 inbound connect request (windo... |
| 01% | 2404001:1142 | 07/06 | 08/03 | 4 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2003614:3 | 04/30 | 08/10 | 4 of 20807 | emerging threats | inbound exploit | virus winupack modified pe header in... |
| 01% | 100000274:2 | 06/07 | 08/07 | 4 of 20807 | snort | c&c channel | community bot gtbot scan command |
| 01% | 2002739:4 | 07/01 | 08/08 | 4 of 20807 | snort | outbound | malware idownloadagent spyware user agent |
| 01% | 2406024:43 | 05/08 | 05/09 | 3 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2404000:1142 | 07/13 | 08/03 | 3 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2007773:4 | 05/02 | 07/28 | 3 of 20807 | emerging threats | c&c channel | trojan pakes/cutwall/kobcka update u... |
| 01% | 2002033:12 | 04/05 | 07/13 | 3 of 20807 | emerging threats | c&c channel | trojan bot - potential response |
| 01% | 2406019:43 | 05/16 | 06/14 | 3 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2406009:43 | 04/17 | 08/12 | 3 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2406033:43 | 05/05 | 05/07 | 3 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2404004:1142 | 07/29 | 07/29 | 2 of 20807 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 22001057:5 | 06/27 | 07/26 | 2 of 20807 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.a -... |
| 01% | 2002959:3 | 08/11 | 08/11 | 2 of 20807 | snort | outbound | trojan tibs checkin |
| 01% | 2002895:3 | 04/18 | 05/03 | 2 of 20807 | emerging threats | outbound scan | virus w32.nugache smtp outbound |
| 01% | 2001057:6 | 06/27 | 07/26 | 2 of 20807 | emerging threats | inbound exploit | worm w32/sasser.worm.a |
| 01% | 2406023:43 | 08/11 | 08/11 | 1 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2007688:4 | 08/12 | 08/12 | 1 of 20807 | snort | outbound | trojan prg trojan http post v1 |
| 01% | 2406025:43 | 05/01 | 05/01 | 1 of 20807 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2007712:3 | 08/12 | 08/12 | 1 of 20807 | snort | inbound | trojan srizbi requesting template |
| 01% | 2003022:3 | 08/02 | 08/02 | 1 of 20807 | snort | outbound | policy skype bootstrap node (udp) |
| 01% | 100000273:2 | 07/29 | 07/29 | 1 of 20807 | snort | c&c channel | community bot gtbot info command |
| 01% | 2003636:3 | 06/11 | 06/11 | 1 of 20807 | emerging threats | c&c channel | virus sality virus user agent detect... |
| 01% | 2538:15 | 06/20 | 06/20 | 1 of 20807 | snort | inbound exploit | netbios smb ipc$ unicode share access |
| 01% | 2003088:3 | 06/11 | 06/11 | 1 of 20807 | emerging threats | c&c channel | virus sality trojan user-agent (kuku... |
| 01% | 2402000:1121 | 08/04 | 08/04 | 1 of 20807 | snort | inbound | drop dshield block listed source |
| 01% | 2001219:15 | 05/12 | 05/12 | 1 of 20807 | snort | inbound | scan potential ssh scan |
| 01% | 2002031:13 | 06/08 | 06/08 | 1 of 20807 | snort | inbound | trojan bot - potential update/download |
| 01% | 2000343:10 | 07/16 | 07/16 | 1 of 20807 | snort | outbound | worm possible evaman worm outbound |
| 01% | 2007711:2 | 08/12 | 08/12 | 1 of 20807 | snort | inbound | trojan srizbi registering with controller |
| 01% | 2003157:3 | 06/08 | 06/08 | 1 of 20807 | emerging threats | inbound exploit | trojan agobot-sdbot commands |
| 01% | 2002385:9 | 06/08 | 06/08 | 1 of 20807 | snort | inbound | trojan bot - channel topic reptile commands |
| 01% | 2002728:2 | 07/08 | 07/08 | 1 of 20807 | snort | outbound | trojan ransky or variant backdoor communicatio... |
| 01% | 2003183:2 | 08/12 | 08/12 | 1 of 20807 | snort | inbound | trojan prg trojan server reply |
| 01% | 2007142:2 | 08/04 | 08/04 | 1 of 20807 | snort | outbound | trojan virtumonde variant reporting to control... |
| 01% | 2007724:5 | 08/12 | 08/12 | 1 of 20807 | snort | outbound | trojan prg trojan http post version 2 |