Daily Ruleset Update Summary 01/20/2014
Daily Ruleset Update Summary 01/21/2014
[***] Summary: [***]
2 new Open and 8 new Pro (2/6). GoonEK, Zbot, Kryptik, GGSmart.
Thanks to: Nathan Fowler and vlintelligence
[+++] Added rules: [+++]
Open:
2017993 – ET TROJAN GoonEK Jan 21 2013 (trojan.rules)
2017994 – ET CURRENT_EVENTS VBSAutorun_VBS_Jenxcus Check-in UA (current_events.rules)
Pro:
2807499 – ETPRO TROJAN Trojan-Spy.Win32.Zbot.rdhf CnC (INBOUND) (trojan.rules)
2807500 – ETPRO TROJAN Trojan-Downloader.Win32.Agent.aah Checkin (trojan.rules)
2807501 – ETPRO TROJAN Win32/Spy.Banker.ZSX Download (trojan.rules)
2807502 – ETPRO TROJAN Win32/Kryptik.BSYO Checkin (trojan.rules)
2807503 – ETPRO MALWARE supicious User-Agent (HttpDown/2.0) (malware.rules)
2807504 – ETPRO MOBILE_MALWARE AndroidOS/GGSmart.A Checkin (mobile_malware.rules)
[///] Modified active rules: [///]
2017983 – ET TROJAN Java/Jacksbot Check-in (trojan.rules)
[---] Removed rules: [---]
2802927 – ETPRO TROJAN Backdoor.Win32.HXWAN.A Checkin (trojan.rules)
2803362 – ETPRO TROJAN Win32/Killav.FI (trojan.rules)
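The summaries on this page follow a fixed plain-text layout (a `[+++] Added rules: [+++]` / `[///] Modified active rules: [///]` / `[---] Removed rules: [---]` section header, then one `SID – msg (file.rules)` line per rule). As an added example, and not Emerging Threats' own tooling, the script below parses that layout and audits a local Snort/Suricata rules file against it: it flags SIDs the vendor removed or disabled that are still enabled locally (detections that will never be maintained again) and added SIDs that never made it into the local file (a failed or partial update). `SUMMARY_TEXT` is copied from the 01/21/2014 entry above; `LOCAL_RULES` is a constructed stand-in with placeholder rule bodies and real SIDs.

```python
"""Parse an Emerging Threats daily ruleset update summary (the plain-text
format used on this page) and audit a local rules file against it.

Added example for this page; not Emerging Threats tooling.  SUMMARY_TEXT is
copied from the 01/21/2014 entry; LOCAL_RULES is a constructed stand-in for a
site's merged rules file (placeholder rule bodies, real SIDs)."""
import re
from collections import defaultdict

SUMMARY_TEXT = """\
Daily Ruleset Update Summary 01/21/2014
[***] Summary: [***]
2 new Open and 8 new Pro (2/6). GoonEK, Zbot, Kryptik, GGSmart.
Thanks to: Nathan Fowler and vlintelligence
[+++] Added rules: [+++]
Open:
2017993 – ET TROJAN GoonEK Jan 21 2013 (trojan.rules)
2017994 – ET CURRENT_EVENTS VBSAutorun_VBS_Jenxcus Check-in UA (current_events.rules)
Pro:
2807499 – ETPRO TROJAN Trojan-Spy.Win32.Zbot.rdhf CnC (INBOUND) (trojan.rules)
2807500 – ETPRO TROJAN Trojan-Downloader.Win32.Agent.aah Checkin (trojan.rules)
2807501 – ETPRO TROJAN Win32/Spy.Banker.ZSX Download (trojan.rules)
2807502 – ETPRO TROJAN Win32/Kryptik.BSYO Checkin (trojan.rules)
2807503 – ETPRO MALWARE supicious User-Agent (HttpDown/2.0) (malware.rules)
2807504 – ETPRO MOBILE_MALWARE AndroidOS/GGSmart.A Checkin (mobile_malware.rules)
[///] Modified active rules: [///]
2017983 – ET TROJAN Java/Jacksbot Check-in (trojan.rules)
[---] Removed rules: [---]
2802927 – ETPRO TROJAN Backdoor.Win32.HXWAN.A Checkin (trojan.rules)
2803362 – ETPRO TROJAN Win32/Killav.FI (trojan.rules)
"""

# Constructed: three placeholder rules keyed by SIDs that appear in the summary.
# 2803362 is commented out, i.e. already disabled locally.
LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GoonEK Jan 21 2013"; flow:established,to_server; sid:2017993; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Backdoor.Win32.HXWAN.A Checkin"; flow:established,to_server; sid:2802927; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Win32/Killav.FI"; flow:established,to_server; sid:2803362; rev:1;)
"""

# Section headers: "[+++] Added rules: [+++]", "[///] Modified active rules: [///]", ...
SECTION_RE = re.compile(r"^\[(?:\+\+\+|///|---|\*\*\*)\]\s*(.+?):?\s*\[(?:\+\+\+|///|---|\*\*\*)\]$")
# Rule lines: "2017993 – ET TROJAN GoonEK Jan 21 2013 (trojan.rules)".  The dash may be an
# en dash or a hyphen; the trailing "(file.rules)" is optional because some lines are truncated.
RULE_RE = re.compile(r"^(\d{7})\s+[–-]\s+(.+?)(?:\s+\((\S+\.rules)\))?$")
# "sid:2017993;" inside a rule body
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_summary(text):
    """Map each section name (lower-cased, e.g. 'removed rules') to a list of
    (sid, msg, rules_file) tuples.  'Open:' / 'Pro:' sub-headings are skipped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().rstrip(":").lower()
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            sections[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return dict(sections)


def local_rule_state(rules_text):
    """Map sid -> enabled for a Snort/Suricata rules file; a leading '#' means disabled."""
    state = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if m:
            state[int(m.group(1))] = not stripped.startswith("#")
    return state


def audit(summary, local):
    """Return SIDs the vendor retired that are still enabled locally, and SIDs the
    vendor added that are absent locally."""
    retired = ("removed rules", "disabled rules", "disabled and modified rules")
    stale = [sid for sec in retired for sid, _, _ in summary.get(sec, []) if local.get(sid)]
    missing = [sid for sid, _, _ in summary.get("added rules", []) if sid not in local]
    return {"stale_enabled": stale, "missing_added": missing}


if __name__ == "__main__":
    print(audit(parse_summary(SUMMARY_TEXT), local_rule_state(LOCAL_RULES)))
```

On the sample data the audit reports 2802927 as stale (removed upstream, still enabled locally) and the seven added rules other than 2017993 as missing; against a real site file the same script points at exactly the lines to comment out or pull in before the next update cycle.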
Daily Ruleset Update Summary 01/22/2014
There is a new signature set for BOTCC “rulesemerging-botcc.
As a reminder, we will no longer be updating Snort 2.4.x rules as of Feb 10 2014.
[+++] Added rules: [+++]
Open:
2017996 – ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 2 (current_events.rules)
2017997 – ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 3 (current_events.rules)
2017998 – ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (current_events.rules)
2017999 – ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon (mobile_malware.rules)
2018000 – ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon (mobile_malware.rules)
2018001 – ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon (mobile_malware.rules)
2018002 – ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon (mobile_malware.rules)
2018003 – ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon (mobile_malware.rules)
2018004 – ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon (mobile_malware.rules)
2018005 – ET TROJAN Possible Upatre Downloader SSL certificate (fake org) (trojan.rules)
2018006 – ET CURRENT_EVENTS Possible Browlock Hostname Format US (current_events.rules)
Pro:
2807506 – ETPRO TROJAN Win32.Foreign.jowy 1 (trojan.rules)
2807507 – ETPRO TROJAN Win32.Foreign.jowy 2 (trojan.rules)
2807508 – ETPRO TROJAN Win32/Kryptik.BSYO Checkin 2 (trojan.rules)
2807510 – ETPRO TROJAN MSIL/Injector.BTM Checkin (trojan.rules)
2807511 – ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 1 (web_client.rules)
2807512 – ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 2 (web_client.rules)
2807513 – ETPRO TROJAN Chifrax.akz Checkin (trojan.rules)
2807514 – ETPRO TROJAN win32.Kaliox.A (trojan.rules)
2807515 – ETPRO TROJAN Minirem (trojan.rules)
2807516 – ETPRO TROJAN Ponmocup (newinstall.ru) (trojan.rules)
2807517 – ETPRO MALWARE Win.Adware.Agent-1150 (malware.rules)
2807518 – ETPRO MALWARE AdWare/Sushi.aj (malware.rules)
2807519 – ETPRO MALWARE AdWare/Sushi.aj Suspicious User-Agent (ps 114) (malware.rules)
[///] Modified active rules: [///]
2807460 – ETPRO TROJAN DDoS.Win32/Nitol.gen!A Checkin (trojan.rules)
[---] Disabled and modified rules: [---]
2803105 – ETPRO DNS ISC BIND RRSIG RRsets Denial of Service UDP 1 (dns.rules)
2803106 – ETPRO DNS ISC BIND RRSIG RRsets Denial of Service TCP 1 (dns.rules)
[---] Disabled rules: [---]
2807193 – ETPRO TROJAN Trojan-Ransom.Win32.Foreign.
[---] Removed rules: [---]
2011863 – ET TROJAN Feodo Banking Trojan Receiving Configuration File (trojan.rules)
Daily Ruleset Update Summary 01/24/2014
[***] Summary: [***]
5 new Open rules, 25 new Pro rules (5/20). Various Android, Various Banker, Delf, PCRat/Gh0st, Fiesta EK.
Thanks to @EKWatcher and Darren Spruell for their contributions.
[+++] Added rules: [+++]
Open:
2018007 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17 (trojan.rules)
2018008 – ET TROJAN DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org (trojan.rules)
2018009 – ET CURRENT_EVENTS SUSPICIOUS HTTP Request to .bit domain (current_events.rules)
2018010 – ET TROJAN Suspicious UA (^IE[\d\s]) (trojan.rules)
2018011 – ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013 (current_events.rules)
Pro:
2807520 – ETPRO TROJAN Win32/Delf.GI Checkin (trojan.rules)
2807521 – ETPRO TROJAN Win32/Qhost.Banker.MU Checkin (trojan.rules)
2807522 – ETPRO MOBILE_MALWARE Android/Spy.Zitmo.B Checkin 2 (mobile_malware.rules)
2807523 – ETPRO TROJAN Win32.Genome.srs Downloader (trojan.rules)
2807524 – ETPRO TROJAN Win32.Blackbeard Downloader (trojan.rules)
2807525 – ETPRO TROJAN Trojan.Win32.Storup Checkin (trojan.rules)
2807526 – ETPRO TROJAN Win32/Delf.OMB Checkin (trojan.rules)
2807527 – ETPRO TROJAN Trojan-Downloader.Win32.Dapato.qio Download (trojan.rules)
2807528 – ETPRO TROJAN DDoS.Win32/Nitol.B Checkin 2 (trojan.rules)
2807529 – ETPRO TROJAN Banker.Win32.Banbra.axea Checkin (trojan.rules)
2807530 – ETPRO TROJAN Win32/Onkods.C User-Agent (g0g) (trojan.rules)
2807531 – ETPRO TROJAN Basine/Outbreak Checkin (trojan.rules)
2807532 – ETPRO TROJAN W32/Banker.YNL!tr.spy sending info about infection via SMTP (trojan.rules)
2807533 – ETPRO MOBILE_MALWARE AndroidOS/Cosha.A / Android/Lovetrap.A Checkin 2 (mobile_malware.rules)
2807534 – ETPRO TROJAN ServStart.E Checkin (trojan.rules)
2807535 – ETPRO TROJAN Win32/Zawat.A User-Agent (trojan.rules)
2807536 – ETPRO MOBILE_MALWARE Android/Spy.Zitmo.A Checkin 2 (mobile_malware.rules)
2807537 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.ahhr Checkin (trojan.rules)
2807538 – ETPRO TROJAN Win32/Swrort.A Checkin 2 (trojan.rules)
2807539 – ETPRO TROJAN Trojan.Win32.VB.bzqf Checkin (trojan.rules)
[///] Modified active rules: [///]
2807110 – ETPRO TROJAN Trojan.Win32.Qadars Checkin (trojan.rules)
Daily Ruleset Update Summary 01/27/2014
[***] Summary: [***]
13 new Open rules, 26 new Pro rules (13/13). Various Android, Genome, Limitless Logger, BettrExperience Adware.
Thanks to @EKwatcher and Kevin Ross for their contributions.
[+++] Added rules: [+++]
Open:
2018015 – ET TROJAN Limitless Logger Sending Data over SMTP (trojan.rules)
2018016 – ET TROJAN Limitless Logger Sending Data over SMTP 2 (trojan.rules)
2018017 – ET TROJAN Predator Logger Sending Data over SMTP (trojan.rules)
2018018 – ET TROJAN Win32/Antilam.2_0 Sending Data over SMTP (trojan.rules)
2018019 – ET TROJAN Win32.WinSpy.pob Sending Data over SMTP (trojan.rules)
2018020 – ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2 (trojan.rules)
2018021 – ET POLICY myip.ru IP lookup (policy.rules)
2018022 – ET TROJAN Possible Win32/Dimegup.A Downloading Image Common URI Struct (trojan.rules)
2018023 – ET TROJAN W32/LockscreenBEI.Scareware Cnc Beacon (trojan.rules)
2018024 – ET MALWARE W32/BettrExperience.Adware Initial Checkin (malware.rules)
2018025 – ET MALWARE W32/BettrExperience.Adware POST Checkin (malware.rules)
2018026 – ET MALWARE W32/BettrExperience.Adware Update Checkin (malware.rules)
2018027 – ET TROJAN Win32/Xtrat C2 Response (trojan.rules)
Pro:
2807540 – ETPRO TROJAN Net-Worm.Win32.Allaple Checkin (trojan.rules)
2807541 – ETPRO TROJAN Trojan.Win32.Kargatroj.a Checkin (trojan.rules)
2807542 – ETPRO MOBILE_MALWARE Trojan.Android/Fakeinst.DD Checkin (mobile_malware.rules)
2807543 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Pincer.a Checkin (mobile_malware.rules)
2807544 – ETPRO TROJAN Android.Fakebank.B Checkin (trojan.rules)
2807545 – ETPRO TROJAN Backdoor.Win32.Cmjspy.aw Checkin (trojan.rules)
2807546 – ETPRO TROJAN DDoS.Win32/Nitol.gen!A Checkin 2 (trojan.rules)
2807547 – ETPRO TROJAN Downloader.Win32.Genome.fvmi Checkin (trojan.rules)
2807548 – ETPRO TROJAN Win32.VJadtre.2 Checkin (trojan.rules)
2807549 – ETPRO TROJAN Zeleffo Checkin (trojan.rules)
2807550 – ETPRO TROJAN DDoS.Win32/Nitol.B Checkin 3 (trojan.rules)
2807551 – ETPRO TROJAN Backdoor.PcClient.1 Checkin (trojan.rules)
2807552 – ETPRO MALWARE Win32/Polip.A Checkin (malware.rules)
[///] Modified active rules: [///]
2008034 – ET TROJAN LDPinch SMTP Password Report (trojan.rules)
2016275 – ET TROJAN Win32/Xtrat.A Checkin (trojan.rules)
2803980 – ETPRO TROJAN Backdoor.Win32.Salamdom!IK Checkin 2 (trojan.rules)
2804065 – ETPRO TROJAN Win32/PcClient.CM CnC Traffic (trojan.rules)
2807426 – ETPRO TROJAN Trojan.Win32.Badur.gboh Download (trojan.rules)
[---] Disabled and modified rules: [---]
2017982 – ET MALWARE Suspicious User-Agent 100 non-printable char (malware.rules)
[---] Removed rules: [---]
2018009 – ET CURRENT_EVENTS SUSPICIOUS HTTP Request to .bit domain (current_events.rules)
Daily Ruleset Update Summary 01/28/2014
[***] Summary: [***]
4 new rules. Madness DDoS tool, Limitless Logger, ehow/livestrong flash file, etc. Thanks to Nathan Fowler, Jason Jones, and all. Suricata Luajit updated as well:
https://github.com/
[+++] Added rules: [+++]
2018028 – ET TROJAN W32/Madness Checkin (trojan.rules)
2018029 – ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11 (current_events.rules)
2018030 – ET TROJAN Limitless Logger RAT HTTP Activity (trojan.rules)
2018031 – ET CURRENT_EVENTS Hostile _dsgweed.class JAR exploit (current_events.rules)
[///] Modified active rules: [///]
2018021 – ET POLICY myip.ru IP lookup (policy.rules)
Daily Ruleset Update Summary 01/28/2014 Part 2
3 new rules: 1 Open, 2 Pro. Disabled 2807542 due to false positives. Gh0st RAT, DDoS, Styx, Nitol, etc.
[+++] Added rules: [+++]
2018032 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19 (trojan.rules)
2807553 – ETPRO TROJAN DDos.Agent.eb Checkin (trojan.rules)
2807554 – ETPRO TROJAN Trojan-DDoS.Win32.Agent.bi Checkin (trojan.rules)
[///] Modified active rules: [///]
2016499 – ET CURRENT_EVENTS Styx Exploit Kit Payload Download (current_events.rules)
2807460 – ETPRO TROJAN DDoS.Win32/Nitol.gen!A Checkin (trojan.rules)
[---] Removed rules: [---]
2807542 – ETPRO MOBILE_MALWARE Trojan.Android/Fakeinst.DD Checkin (mobile_malware.rules)
Daily Ruleset Update Summary 01/29/2014
[***] Summary: [***]
9 new Open signatures, 25 new Pro (9/16). Filezilla Stealer, Solarbot, Asprox, CookieBomb 2.0.
Thanks to @MalwareMustDie, Nathan Fowler, Travis Green.
[+++] Added rules: [+++]
Open:
2018033 – ET TROJAN Win32.Genome.boescz Checkin (trojan.rules)
2018034 – ET TROJAN W32/Banker.AALV checkin (trojan.rules)
2018035 – ET CURRENT_EVENTS StyX Landing Jan 29 2014 (current_events.rules)
2018036 – ET TROJAN SolarBot Plugin Download Server Response (trojan.rules)
2018037 – ET CURRENT_EVENTS CookieBomb 2.0 In Server Response Jan 29 2014 (current_events.rules)
2018038 – ET TROJAN SolarBot Plugin Download MessageBox (trojan.rules)
2018039 – ET TROJAN SolarBot Plugin Download ComputerInfo (trojan.rules)
2018040 – ET TROJAN SolarBot Plugin Download WalletSteal (trojan.rules)
2018041 – ET CURRENT_EVENTS Current Asprox Spam Campaign (current_events.rules)
Pro:
2807555 – ETPRO TROJAN Trojan.Win32.Inject.gxdp Checkin (trojan.rules)
2807556 – ETPRO TROJAN Win32/Spy.Banker.ZMS Checkin (trojan.rules)
2807557 – ETPRO TROJAN Win32.Viking.AR payload attempt (trojan.rules)
2807558 – ETPRO TROJAN Trojan-PSW.Win32.VB.dks Checkin (trojan.rules)
2807559 – ETPRO TROJAN Win32/Pincav.B Checkin (trojan.rules)
2807561 – ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53 (trojan.rules)
2807562 – ETPRO MALWARE Win32.VBNA.b Checkin (malware.rules)
2807563 – ETPRO TROJAN Win32/Hanove.E (trojan.rules)
2807564 – ETPRO MALWARE Win32.AdWare.Lollipop.S (malware.rules)
2807565 – ETPRO TROJAN Win32.Dycler Checkin (trojan.rules)
2807566 – ETPRO MALWARE Win32.Filezilla.Stealer Checkin (malware.rules)
2807567 – ETPRO POLICY PJL Printer List Volumes Request (policy.rules)
2807568 – ETPRO POLICY PJL Printer Directory Listing Request (policy.rules)
2807569 – ETPRO POLICY PJL Printer File Download Request (policy.rules)
2807570 – ETPRO TROJAN Win32/Jukbot.B Checkin (trojan.rules)
2807571 – ETPRO TROJAN W32/Agent.EW.gen Checkin (trojan.rules)
[---] Removed rules: [---]
2802046 – ETPRO TROJAN Backdoor.Win32.XDAPR.A Checkin (trojan.rules)
2807540 – ETPRO TROJAN Net-Worm.Win32.Allaple Checkin (trojan.rules)
Daily Ruleset Update Summary 01/30/2014
[***] Summary: [***]
5 new Open rules, 14 new Pro (5/9). Phishing campaigns, Bifrose, Hupigon, FireFly.
Thanks to: Eoin Miller and tdzmont for their contributions.
We would also like to remind everyone that new rules for Snort 2.4 will be ending February 10, 2014.
[+++] Added rules: [+++]
Open:
2018042 – ET CURRENT_EVENTS PHISH Apple – Landing Page (current_events.rules)
2018043 – ET CURRENT_EVENTS PHISH Visa – Landing Page (current_events.rules)
2018044 – ET CURRENT_EVENTS PHISH Visa – Creds Phished (current_events.rules)
2018045 – ET CURRENT_EVENTS PHISH Visa – URI – Landing Page (current_events.rules)
2018046 – ET TROJAN Jadtree Downloader rar (trojan.rules)
Pro:
2807572 – ETPRO TROJAN Backdoor.Win32/Bifrose.FL Checkin (trojan.rules)
2807573 – ETPRO TROJAN Backdoor.Win32/Poison.AT Checkin (trojan.rules)
2807574 – ETPRO TROJAN Trojan.Win32.DDoS-Agent.98304.A Checkin (trojan.rules)
2807575 – ETPRO TROJAN Backdoor/FireFly.a Checkin (trojan.rules)
2807576 – ETPRO TROJAN Trojan.Win32.Vehidis Checkin 2 (trojan.rules)
2807577 – ETPRO TROJAN BackDoor.DOQ.gen.y Checkin 3 (trojan.rules)
2807578 – ETPRO MALWARE Suspicious User Agent dllInstPre (malware.rules)
2807579 – ETPRO TROJAN Backdoor/Win32.Hupigon Checkin (trojan.rules)
2807580 – ETPRO TROJAN Backdoor.Win32/Hupigon.FI Checkin 2 (trojan.rules)
[///] Modified active rules: [///]
2807541 – ETPRO TROJAN Trojan.Win32.Kargatroj.a Checkin (trojan.rules)
[---] Removed rules: [---]
2803557 – ETPRO TROJAN Win32.Palevo.cioz Checkin (trojan.rules)
Daily Ruleset Update Summary 01/31/2014
Open:
2018047 – ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC Beacon (trojan.rules)
2018048 – ET CURRENT_EVENTS W32/AdLoad.Downloader Download (current_events.rules)
2018049 – ET MALWARE Suspicious User Agent EXE2 (malware.rules)
2018050 – ET MALWARE Win32.Magania (malware.rules)
2018051 – ET MALWARE Suspicious User Agent Mozi11a (malware.rules)
2018052 – ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin (current_events.rules)
2018053 – ET CURRENT_EVENTS Malicious Redirect 8×8 script tag (current_events.rules)
Pro:
2807582 – ETPRO TROJAN Backdoor.Hupigon.228192 Checkin (trojan.rules)
2807583 – ETPRO TROJAN Win32/SystemHijack.gen!C Checkin (trojan.rules)
2807584 – ETPRO TROJAN Heur.MSIL.Krypt.2 Checkin (trojan.rules)
2807585 – ETPRO TROJAN Win32/TrojanClicker.Agent.NUM Checkin (trojan.rules)
2807586 – ETPRO TROJAN Win32.Magania Response (trojan.rules)
[///] Modified active rules: [///]
2807541 – ETPRO TROJAN Trojan.Win32.Kargatroj.a Checkin (trojan.rules)
[---] Removed rules: [---]
2803570 – ETPRO TROJAN Win32/ServStart.A Checkin (trojan.rules)
Daily Ruleset Update Summary 02/03/2014
[***] Summary: [***]
15 new Open rules, 28 new Pro rules (15/13). KAPTOXA, PCRat, Morix, D-Link DIR-100 exploit.
Thanks to: rmkml, @EKWatcher and mex for their contributions.
[+++] Added rules: [+++]
Open:
2018054 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20 (trojan.rules)
2018055 – ET TROJAN Uprate Binary Download Jan 02 2014 (trojan.rules)
2018056 – ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. (web_server.rules)
2018057 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21 (trojan.rules)
2018058 – ET TROJAN Possible KAPTOXA SMB Naming Format (trojan.rules)
2018059 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 1 (trojan.rules)
2018060 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 2 (trojan.rules)
2018061 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 3 (trojan.rules)
2018062 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 4 (trojan.rules)
2018063 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 5 (trojan.rules)
2018064 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 6 (trojan.rules)
2018065 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 7 (trojan.rules)
2018066 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 8 (trojan.rules)
2018067 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 9 (trojan.rules)
2018068 – ET TROJAN Possible KAPTOXA Encoded Data Transfered Over SMB 10 (trojan.rules)
Pro:
2807587 – ETPRO TROJAN Win32/Redosdru.C CnC (OUTBOUND) (trojan.rules)
2807588 – ETPRO TROJAN Trojan.Win32.Staser.unn CnC (OUTBOUND) (trojan.rules)
2807589 – ETPRO TROJAN Win32/ServStart.gen!A Checkin (trojan.rules)
2807590 – ETPRO TROJAN Backdoor.Win32/Morix.B CnC traffic (trojan.rules)
2807591 – ETPRO TROJAN Win32/Beaugrit.gen!AAA Checkin (trojan.rules)
2807592 – ETPRO MALWARE Trojan.Script.BAT.Agent.db!159552 (malware.rules)
2807593 – ETPRO MALWARE Adware.Downware.918 Checkin (malware.rules)
2807594 – ETPRO EXPLOIT D-Link DIR-100 admin password disclosure attempt (exploit.rules)
2807595 – ETPRO EXPLOIT D-Link DIR-100 admin password disclosure success (exploit.rules)
2807596 – ETPRO EXPLOIT D-Link DIR-100 information disclosure attempt (exploit.rules)
2807597 – ETPRO TROJAN Win32/ServStart.gen!A Checkin 2 (trojan.rules)
2807598 – ETPRO TROJAN Trojan-Dropper.Win32.Injector.ijtz Checkin (trojan.rules)
2807599 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
[///] Modified active rules: [///]
2002677 – ET SCAN Nikto Web App Scan in Progress (scan.rules)
2016688 – ET FTP Outbound Java Downloading jar over FTP (ftp.rules)
2017548 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3 (trojan.rules)
2017974 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15 (trojan.rules)
[---] Removed rules: [---]
2804966 – ETPRO TROJAN Backdoor Win32/Morix.B CnC Traffic (trojan.rules)
2807454 – ETPRO TROJAN Rincux Checkin (trojan.rules)
Daily Ruleset Update Summary 02/04/2014
[+++] Added rules: [+++]
Open:
2018071 – ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request (mobile_malware.rules)
2018072 – ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading DLL (trojan.rules)
2018073 – ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading VBS (trojan.rules)
2018074 – ET TROJAN Win32/StoredBt.A Activity (trojan.rules)
Pro:
2807600 – ETPRO TROJAN Trojan.Win32.IRCbot.bam IRC Checkin (trojan.rules)
2807601 – ETPRO TROJAN Trojan.Win32.Agent.adtqf Checkin (trojan.rules)
2807602 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2807603 – ETPRO TROJAN Trojan-Dropper.Win32.Injector.
2807604 – ETPRO TROJAN W32/Jiwerks.A Checkin 2 (trojan.rules)
2807605 – ETPRO TROJAN Win32/Agent.UWF Checkin (trojan.rules)
2807607 – ETPRO TROJAN Worm.Win32/Krol.A IRC Checkin (trojan.rules)
2807608 – ETPRO TROJAN Backdoor/Ghost CnC (OUTBOUND) (trojan.rules)
2807609 – ETPRO WEB_CLIENT PDF Malformed Pattern Entry (web_client.rules)
[///] Modified active rules: [///]
2014727 – ET POLICY Outdated Mac Flash Version (policy.rules)
2018055 – ET TROJAN Upatre Binary Download Jan 02 2014 (trojan.rules)
2805644 – ETPRO TROJAN Variant.Adware.SMSHoax.72 Checkin (trojan.rules)
2807546 – ETPRO TROJAN DDoS.Win32/Nitol.gen!A Checkin 2 (trojan.rules)
[---] Removed rules: [---]
2014373 – ET CURRENT_EVENTS Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response (current_events.rules)
2014374 – ET CURRENT_EVENTS Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response (current_events.rules)
2014375 – ET CURRENT_EVENTS Possible Zeus .biz CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response (current_events.rules)
Daily Ruleset Update Summary 02/06/2014
[***] Summary: [***]
20 New Open rules, 34 New Pro. PcRat/Gh0st, Zeus, DirtJumper, BeEF.
Thanks to Kevin Ross and @EKwatcher.
[+++] Added rules: [+++]
Open:
2018075 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23 (trojan.rules)
2018076 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24 (trojan.rules)
2018077 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25 (trojan.rules)
2018078 – ET TROJAN W32/Kbot.Backdoor Variant CnC Beacon (trojan.rules)
2018079 – ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon (trojan.rules)
2018080 – ET CURRENT_EVENTS W32/Zeus.InfoStealer Infection Campaign Pdf.exe Request (current_events.rules)
2018081 – ET CURRENT_EVENTS W32/Zeus.InfoStealer Infection Campaign Kia.exe Request (current_events.rules)
2018082 – ET CURRENT_EVENTS W32/Zeus.InfoStealer Infection Campaign Wav.exe Request (current_events.rules)
2018083 – ET CURRENT_EVENTS W32/Zeus.InfoStealer Infection Campaign Heap.exe Request (current_events.rules)
2018084 – ET MALWARE Suspicious User-Agent (gettingAnswer) (malware.rules)
2018085 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26 (trojan.rules)
2018086 – ET CURRENT_EVENTS Possible malicious zipped-executable (current_events.rules)
2018087 – ET INFO Control Panel Applet File Download (info.rules)
2018088 – ET WEB_CLIENT BeEF Cookie Outbound (web_client.rules)
2018089 – ET WEB_CLIENT Possible BeEF Default SSL Cert (web_client.rules)
2018090 – ET WEB_CLIENT Possible BeEF Module in use (web_client.rules)
2018091 – ET CURRENT_EVENTS Possible Flash Exploit CVE-2014-0497 (current_events.rules)
2018092 – ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152 (web_server.rules)
2018093 – ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153 (web_server.rules)
2018094 – ET TROJAN DirtJumper Activity (trojan.rules)
Pro:
2807610 – ETPRO TROJAN DirtJumper DDoS (INBOUND) (trojan.rules)
2807611 – ETPRO TROJAN Trojan.Win32.Staser.ury CnC (OUTBOUND) (trojan.rules)
2807612 – ETPRO TROJAN Backdoor Lanfiltrator Checkin 2 (trojan.rules)
2807613 – ETPRO TROJAN Win32/Unis@mm Download (trojan.rules)
2807614 – ETPRO TROJAN Backdoor.Win32/Delf.DU IRC Checkin (trojan.rules)
2807615 – ETPRO TROJAN Win32/AgentBypass.gen!G Checkin 3 (trojan.rules)
2807616 – ETPRO TROJAN Win32/Spy.Agent.OIB Checkin (trojan.rules)
2807617 – ETPRO TROJAN Trojan.Win32.VBKrypt.ulrm Checkin (trojan.rules)
2807618 – ETPRO TROJAN Win32/TrojanDownloader.Banload.ROP Response (trojan.rules)
2807619 – ETPRO TROJAN Trojan.Win32.Fsysna.jnb Checkin (trojan.rules)
2807620 – ETPRO TROJAN Win32/Meredrop (trojan.rules)
2807621 – ETPRO TROJAN Zegost.Gen CnC (OUTBOUND) (trojan.rules)
2807622 – ETPRO MALWARE Win32.LazyMin.B IRC LOGIN (malware.rules)
2807623 – ETPRO TROJAN Trojan/AVKill.ar Checkin (trojan.rules)
[///] Modified active rules: [///]
2017128 – ET TROJAN Expiro Trojan Check-in (trojan.rules)
2806417 – ETPRO TROJAN Worm.Win32.Fujack.bw Checkin (trojan.rules)
Daily Ruleset Update Summary 02/10/2014
[***] Summary: [***]
13 New Open rules, 29 new Pro (13/16). Asprox, JoomSocial vuln, TecSystems PE Download.
Thanks to Kevin Ross and Jamie Blasco for their contributions.
Support for Snort 2.4.x signatures officially ends tomorrow: today is the last day new Snort 2.4 rules will be published, and we will not publish new rules for Snort 2.4 going forward.
[+++] Added rules: [+++]
Open:
2018095 – ET MALWARE Potentially Unwanted Application AirInstaller (malware.rules)
2018096 – ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (trojan.rules)
2018097 – ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (trojan.rules)
2018098 – ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (trojan.rules)
2018099 – ET MALWARE W32/Safekeeper.Adware CnC Beacon (malware.rules)
2018100 – ET TROJAN W32/Rshot.Backdoor File Upload CnC Beacon (trojan.rules)
2018101 – ET TROJAN W32/Dinwod.Dropper CnC Beacon (trojan.rules)
2018102 – ET TROJAN W32/Woai.Dropper Config Request (trojan.rules)
2018103 – ET CURRENT_EVENTS TecSystems (Possible Mask) Signed PE EXE Download (current_events.rules)
2018104 – ET CURRENT_EVENTS EXE Accessing Kapersky System Driver (Possible Mask) (current_events.rules)
2018105 – ET TROJAN Possible Mask C2 Traffic (trojan.rules)
2018106 – ET CURRENT_EVENTS Suspicious Jar name JavaUpdate.jar (current_events.rules)
2018107 – ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE (web_specific_apps.rules)
Pro:
2807624 – ETPRO TROJAN Backdoor.Win32/Banito CnC (OUTBOUND) (trojan.rules)
2807625 – ETPRO TROJAN Win32/Hupigon.ZAH CnC (OUTBOUND) (trojan.rules)
2807626 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
2807627 – ETPRO TROJAN Backdoor.Win32.Ceckno CnC (OUTBOUND) (trojan.rules)
2807628 – ETPRO TROJAN Trojan.Win32.Invader Checkin (trojan.rules)
2807629 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2807630 – ETPRO TROJAN TrojanDropper.Agent.cgsc Checkin (trojan.rules)
2807631 – ETPRO TROJAN Trojan-Downloader.Banload Checkin 2 (trojan.rules)
2807632 – ETPRO CURRENT_EVENTS Smarter Mail Domain Admin Priv Escalation (current_events.rules)
2807633 – ETPRO TROJAN Trojan-Downloader.Win32.Genome.dxlw Checkin (trojan.rules)
2807634 – ETPRO MALWARE Trojan-Downloader/Spyware User-Agent (adfsgecoiwnf) (malware.rules)
2807635 – ETPRO TROJAN Trojan/Win32.Qhost Checkin (trojan.rules)
2807636 – ETPRO TROJAN Trojan-Banker.Win32.Agent.ree Checkin (trojan.rules)
2807637 – ETPRO TROJAN Win32.Androm.atfw Checkin (trojan.rules)
2807638 – ETPRO TROJAN Win32.Androm.atfw (trojan.rules)
2807639 – ETPRO TROJAN TrojanClicker.Win32.Hatigh.C (trojan.rules)
[///] Modified active rules: [///]
2017817 – ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 (current_events.rules)
2018077 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25 (trojan.rules)
2806546 – ETPRO TROJAN W32/Zbot.AOV!tr Checkin (trojan.rules)
2807024 – ETPRO TROJAN Wauchos.la/Andromeda/Balbatun.9713 Checkin (trojan.rules)
2807580 – ETPRO TROJAN Backdoor.Win32/Hupigon.FI Checkin 2 (trojan.rules)
[---] Removed rules: [---]
2807172 – ETPRO MALWARE Potentially Unwanted Application AirInstaller Install (malware.rules)
2807463 – ETPRO MALWARE Potentially Unwanted Application AirInstaller (malware.rules)
2807598 – ETPRO TROJAN Trojan-Dropper.Win32.Injector.ijtz Checkin (trojan.rules)
2807602 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
February 2014 Microsoft Tuesday Coverage
Bulletin | CVE | Title | Notes | ET Pro Coverage |
MS14-005 | CVE-2014-0266 | MSXML Information Disclosure Vulnerability | Exploit Code Unlikely | 2807640 |
MS14-006 | CVE-2014-0254 | TCP/IP Version 6 (IPv6) Denial of Service Vulnerability | Exploit Code Unlikely | Nature of this bug makes it hard to sig reliably |
MS14-007 | CVE-2014-0263 | Microsoft Graphics Component Memory Corruption Vulnerability | Exploit Code Likely | Nature of this bug makes it hard to sig reliably |
MS14-008 | CVE-2014-0269 | RCE Vulnerability | Exploit Code Likely | Continuing Research |
MS14-009 | CVE-2014-0253 | POST Request DoS Vulnerability | Exploit Code Unlikely | Nature of this bug makes it hard to sig reliably |
MS14-009 | CVE-2014-0257 | Type Traversal Vulnerability | Exploit Code Likely | Continuing Research |
MS14-009 | CVE-2014-0259 | VSAVB7RT ASLR Vulnerability | Security Feature Bypass | Local Only |
MS14-010 | CVE-2014-0267 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | Continuing Research |
MS14-010 | CVE-2014-0268 | Internet Explorer Elevation of Privilege Vulnerability | Exploit Code Unlikely | Continuing Research |
MS14-010 | CVE-2014-0270 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807641 |
MS14-010 | CVE-2014-0271 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807642 |
MS14-010 | CVE-2014-0272 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | Continuing Research |
MS14-010 | CVE-2014-0273 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807643 |
MS14-010 | CVE-2014-0274 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807644 |
MS14-010 | CVE-2014-0275 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807645 |
MS14-010 | CVE-2014-0276 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807647-2807649 (some disabled by default) |
MS14-010 | CVE-2014-0277 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807650-2807651 |
MS14-010 | CVE-2014-0278 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | Continuing Research |
MS14-010 | CVE-2014-0279 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807652 |
MS14-010 | CVE-2014-0280 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | Continuing Research |
MS14-010 | CVE-2014-0281 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807653 |
MS14-010 | CVE-2014-0283 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807654 |
MS14-010 | CVE-2014-0284 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807655 |
MS14-010 | CVE-2014-0285 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807656 |
MS14-010 | CVE-2014-0286 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807657 |
MS14-010 | CVE-2014-0287 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807658 |
MS14-010 | CVE-2014-0288 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807659 |
MS14-010 | CVE-2014-0289 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807660 |
MS14-010 | CVE-2014-0290 | Internet Explorer Memory Corruption Vulnerability | Exploit Code Likely | 2807661-2807662 |
MS14-010 | CVE-2014-0293 | Internet Explorer Cross-domain Information Disclosure Vulnerability | Exploit Code Unlikely | Continuing Research |
MS14-011 | CVE-2014-0271 | VBScript Memory Corruption Vulnerability | Exploit Code Likely | 2807642 |
Daily Ruleset Update Summary 02/11/2014
[***] Summary: [***]
1 new Open rule, 24 new Pro (1/23). Patch Tuesday and Infostealer.
More details here:
http://www.emergingthreats.net/2014/02/11/febuary-2013-microsoft-tuesday-coverage-2/
[+++] Added rules: [+++]
Open:
2018108 – ET TROJAN Infostealer.Jackpos Checkin (trojan.rules)
Pro:
2807640 – ETPRO WEB_CLIENT Microsoft XML Core Services 3.0 same-origin policy bypass (CVE-2014-0266) (web_client.rules)
2807641 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0270) (web_client.rules)
2807642 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0271) (web_client.rules)
2807643 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0273) (web_client.rules)
2807644 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0274) (web_client.rules)
2807645 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0275) (web_client.rules)
2807647 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 1 (web_client.rules)
2807648 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 2 (web_client.rules)
2807649 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 3 (web_client.rules)
2807650 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0277) 1 (web_client.rules)
2807651 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0277) 2 (web_client.rules)
2807652 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0279) (web_client.rules)
2807653 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0281) (web_client.rules)
2807654 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0283) (web_client.rules)
2807655 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0284) (web_client.rules)
2807656 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0285) (web_client.rules)
2807657 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0286) (web_client.rules)
2807658 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0287) (web_client.rules)
2807659 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0288) (web_client.rules)
2807660 – ETPRO WEB_CLIENT Possible Microsoft Internet Explorer Use After free (CVE-2014-0289) (web_client.rules)
2807661 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free 1 (CVE-2014-0290) (web_client.rules)
2807662 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free 2 (CVE-2014-0290) (web_client.rules)
[///] Modified active rules: [///]
2807273 – ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
2807626 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
Daily Ruleset Update Summary 02/12/2014
[***] Summary: [***]
20 new Open, 27 new Pro (20/7). Virut, Apache Tomcat, BlackPOS.
Thanks: Travis Green, Eoin Miller, Jake Warren, Ryan Moon, vlintelligence, @EKwatcher
[+++] Added rules: [+++]
Open:
2018109 – ET TROJAN Trojan-Dropper.Win32.Dapato.cblv Checkin (trojan.rules)
2018110 – ET TROJAN Win32.Blackbeard Downloader (trojan.rules)
2018111 – ET TROJAN Win32.Sality.bh Checkin (trojan.rules)
2018112 – ET TROJAN Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0) (trojan.rules)
2018113 – ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt (web_server.rules)
2018114 – ET TROJAN DNS Query for Known Chewbacca CnC Server (trojan.rules)
2018115 – ET TROJAN FTP File Upload – BlackPOS Naming Scheme (trojan.rules)
2018116 – ET TROJAN MS Remote Desktop edc User Login Request (trojan.rules)
2018117 – ET TROJAN Possible Cryptolocker Sinkhole banner (trojan.rules)
2018118 – ET WEB_SERVER Recon-ng User-Agent (web_server.rules)
2018119 – ET TROJAN Banking Trojan HTTP Cookie (trojan.rules)
2018120 – ET TROJAN Blackbeard Check-in (trojan.rules)
2018121 – ET TROJAN Onkods.A Downloader Checkin (trojan.rules)
2018122 – ET TROJAN Linkup Ransomware check-in (trojan.rules)
2018123 – ET TROJAN Win32/Almanahe.B Checkin (trojan.rules)
2018124 – ET TROJAN MS Remote Desktop micros User Login Request (trojan.rules)
2018125 – ET CURRENT_EVENTS SUSPICIOUS .PIF File Inside of Zip (current_events.rules)
2018126 – ET CURRENT_EVENTS SUSPICIOUS .CPL File Inside of Zip (current_events.rules)
2018127 – ET CURRENT_EVENTS Goon EK Java JNLP URI Struct Feb 12 2014 (current_events.rules)
2018128 – ET TROJAN Infostealer.Jackpos Checkin 2 (trojan.rules)
Pro:
2807663 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.aqkg Checkin (trojan.rules)
2807664 – ETPRO TROJAN Trojan.Win32.Badur.gqit Checkin (trojan.rules)
2807665 – ETPRO TROJAN Win32/Purplemood.A Checkin via SMTP (trojan.rules)
2807666 – ETPRO TROJAN Virus.Win32.Virut.ce Checkin 5 (trojan.rules)
2807667 – ETPRO TROJAN Virus.Win32.Virut.ce Checkin 6 (trojan.rules)
2807668 – ETPRO TROJAN W32/KeyLogger.OFP!tr.spy Response (trojan.rules)
2807669 – ETPRO TROJAN Infostealer.Jackpos Checkin 2 (trojan.rules)
[///] Modified active rules: [///]
2018041 – ET CURRENT_EVENTS Current Asprox Spam Campaign (current_events.rules)
2018086 – ET CURRENT_EVENTS Possible malicious zipped-executable (current_events.rules)
[---] Removed rules: [---]
2014844 – ET TROJAN Probable Golfhole exploit kit landing page #2 (trojan.rules)
2014845 – ET TROJAN Probable Golfhole exploit kit binary download #2 (trojan.rules)
2804783 – ETPRO TROJAN Win32.Sality.bh Checkin (trojan.rules)
2806103 – ETPRO TROJAN Trojan-Dropper.Win32.Dapato.cblv Checkin (trojan.rules)
2807174 – ETPRO TROJAN Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0) (trojan.rules)
2807524 – ETPRO TROJAN Win32.Blackbeard Downloader (trojan.rules)
Daily Ruleset Update Summary 02/13/2014
[***] Summary: [***]
8 new Open rules, 12 new Pro (8/4). Linksys Vuln, Asprox, Alman Dropper.
Thanks: Antonio Marques, @kafeine, @StopMalvertisin.
[+++] Added rules: [+++]
Open:
2018129 – ET TROJAN W32/Trojan-Gypikon Sending Data (trojan.rules)
2018130 – ET TROJAN W32/Trojan-Gypikon Server Check-in Response (trojan.rules)
2018131 – ET WORM TheMoon.linksys.router 1 (worm.rules)
2018132 – ET WORM TheMoon.linksys.router 2 (worm.rules)
2018133 – ET TROJAN Win32/Tapazom.A (trojan.rules)
2018134 – ET TROJAN Win32/Tapazom.A 2 (trojan.rules)
2018135 – ET CURRENT_EVENTS Current Asprox Spam Campaign 2 (current_events.rules)
2018136 – ET CURRENT_EVENTS Linksys Router Returning Device Settings To External Source (current_events.rules)
Pro:
2807670 – ETPRO TROJAN Trojan.Win32.Badur.gizu Checkin (trojan.rules)
2807671 – ETPRO TROJAN Trojan-Proxy.Win32.Mediana.i Checkin (trojan.rules)
2807672 – ETPRO TROJAN Alman Dropper Checkin 2 (trojan.rules)
2807673 – ETPRO TROJAN Trojan-Downloader.Win32.Boltolog.pfv Checkin (trojan.rules)
[///] Modified active rules: [///]
2009203 – ET TROJAN Alman Dropper Checkin (trojan.rules)
2013360 – ET CURRENT_EVENTS WordPress possible Malicious DNS-Requests – photobucket.com.* (current_events.rules)
2014846 – ET CURRENT_EVENTS WordPress timthumb look-alike domain list RFI (current_events.rules)
2018041 – ET CURRENT_EVENTS Current Asprox Spam Campaign (current_events.rules)
2807550 – ETPRO TROJAN DDoS.Win32/Nitol.B Checkin 3 (trojan.rules)
2807659 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0288) (web_client.rules)
[---] Removed rules: [---]
2803592 – ETPRO TROJAN Win32/Almanahe.A.dll Checkin (trojan.rules)
Daily Ruleset Update Summary 02/14/2014
[***] Summary: [***]
11 new Open rules, 20 new Pro (11/9). Various Android, IE 10 CVE-2014-0322.
Thanks: Travis Green, @rmkml, Kevin Ross
[+++] Added rules: [+++]
Open:
2018137 – ET TROJAN Android/FakeKakao checkin (trojan.rules)
2018138 – ET TROJAN Android/FakeKakao checkin 1 (trojan.rules)
2018139 – ET TROJAN Android/FakeKakao checkin 2 (trojan.rules)
2018140 – ET TROJAN Android/FakeKakao checkin 3 (trojan.rules)
2018141 – ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz (trojan.rules)
2018142 – ET TROJAN MSIL.Zapchast Checkin (trojan.rules)
2018143 – ET TROJAN GameThief.Win32.WOW!O Checkin (trojan.rules)
2018144 – ET SMTP EXE – ZIP file with .pif filename inside (smtp.rules)
2018145 – ET CURRENT_EVENTS Generic HeapSpray Construct (current_events.rules)
2018146 – ET CURRENT_EVENTS Generic HeapSpray Construct (current_events.rules)
2018147 – ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322 (web_client.rules)
Pro:
2807674 – ETPRO POLICY Primecoin (policy.rules)
2807675 – ETPRO MOBILE_MALWARE Android/MobileTX.A (mobile_malware.rules)
2807676 – ETPRO TROJAN Win32.MSIL/Injector (trojan.rules)
2807677 – ETPRO TROJAN Win32/Miuref.A Checkin (trojan.rules)
2807678 – ETPRO TROJAN Win32/Zacom.A Checkin (trojan.rules)
2807679 – ETPRO TROJAN Win32/Kryptik.BUQO Checkin (trojan.rules)
2807680 – ETPRO TROJAN Trojan.Win32.Agentb.aoig Checkin (trojan.rules)
2807681 – ETPRO TROJAN Worm.Win32.AutoRun.bjxd Checkin (trojan.rules)
2807682 – ETPRO MALWARE Rogue.Win32/Onescan Checkin 2 (malware.rules)
[///] Modified active rules: [///]
2013186 – ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin (current_events.rules)
2018098 – ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (trojan.rules)
2018104 – ET CURRENT_EVENTS EXE Accessing Kaspersky System Driver (Possible Mask) (current_events.rules)
2807327 – ETPRO TROJAN Dexter Variant (trojan.rules)
[---] Disabled and modified rules: [---]
2013869 – ET P2P Torrent Client User-Agent (Solid Core/0.82) (p2p.rules)
[---] Removed rules: [---]
2802212 – ETPRO TROJAN Win32.Renos Checkin 2 (trojan.rules)
2802903 – ETPRO TROJAN Renos Checkin 3 (trojan.rules)
2805335 – ETPRO CURRENT_EVENTS Win32/Renos Checkin 3 (current_events.rules)
2807669 – ETPRO TROJAN Infostealer.Jackpos Checkin 2 (trojan.rules)
Daily Ruleset Update Summary 02/17/2014
[***] Summary: [***]
5 new Open rules, 13 new Pro (5/8). InstallMonetizer, PcClient.bal.
Thanks Kevin Ross for your help.
[+++] Added rules: [+++]
Open:
2018148 – ET MALWARE W32/InstallMonetizer.Adware Beacon 1 (malware.rules)
2018149 – ET MALWARE W32/InstallMonetizer.Adware Beacon 2 (malware.rules)
2018150 – ET TROJAN W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon (trojan.rules)
2018151 – ET TROJAN W32/Azbreg.Backdoor CnC Beacon (trojan.rules)
2018152 – ET WEB_CLIENT EMET Detection Via XMLDOM (web_client.rules)
Pro:
2807683 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2 (trojan.rules)
2807684 – ETPRO TROJAN Trojan.Agent.AIXD Checkin (trojan.rules)
2807685 – ETPRO TROJAN Win32/Meredrop CnC (OUTBOUND) (trojan.rules)
2807686 – ETPRO TROJAN Backdoor.Win32/Lostorin.B Checkin (trojan.rules)
2807687 – ETPRO TROJAN Trojan-Dropper.Win32.Dycler.rra Checkin (trojan.rules)
2807688 – ETPRO TROJAN Win32/Stitur.A Checkin (trojan.rules)
2807689 – ETPRO TROJAN Win32/Injector.Autoit.ADN Checkin (trojan.rules)
2807690 – ETPRO TROJAN W32/VBCheMan.A!tr Checkin (trojan.rules)
[///] Modified active rules: [///]
2013186 – ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin (current_events.rules)
2018131 – ET WORM TheMoon.linksys.router 1 (worm.rules)
2807546 – ETPRO TROJAN DDoS.Win32/Nitol.gen!A Checkin 2 (trojan.rules)
2807626 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
[---] Disabled and modified rules: [---]
2015526 – ET WEB_SERVER Fake Googlebot UA 1 Inbound (web_server.rules)
[---] Removed rules: [---]
2018148 – ET WEB_CLIENT EMET Detection Via XMLDOM (web_client.rules)