
Daily Ruleset Update Summary 03/17/2014


[***] Summary: [***]

6 new Open rules, 21 new Pro (6/15). Various Android, BKDR_SLOTH.A, PCRat/Gh0st.

Thanks: @kafeine @EKwatcher

[+++] Added rules: [+++]

Open:

2018284 – ET TROJAN Self-Signed Cert Observed in Various Zbot Strains (trojan.rules)
2018285 – ET TROJAN BKDR_SLOTH.A Checkin (trojan.rules)
2018286 – ET CURRENT_EVENTS EMET.DLL in jjencode (current_events.rules)
2018287 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31 (trojan.rules)
2018288 – ET CURRENT_EVENTS Joomla 3.2.1 SQL injection attempt (current_events.rules)
2018289 – ET CURRENT_EVENTS Joomla 3.2.1 SQL injection attempt 2 (current_events.rules)

Pro:

2807835 – ETPRO TROJAN Win32/Small.HK Checkin (trojan.rules)
2807836 – ETPRO TROJAN Backdoor.Win32.Pahador Checkin via Gadu-Gadu (trojan.rules)
2807837 – ETPRO TROJAN Trojan-Spy.Win32.Polyatroj.pej Checkin via Gadu-Gadu (trojan.rules)
2807838 – ETPRO TROJAN Win32/Prosti.L Checkin via Gadu-Gadu (trojan.rules)
2807839 – ETPRO TROJAN Backdoor.Win32.Delf.arb Checkin via Gadu-Gadu (trojan.rules)
2807840 – ETPRO TROJAN Unknown Backdoor Checkin via Gadu-Gadu (trojan.rules)
2807841 – ETPRO TROJAN Trojan-Spy.Win32.KeyLogger.tr via Gadu-Gadu (trojan.rules)
2807842 – ETPRO TROJAN Win32/Jevafus.A Checkin (trojan.rules)
2807843 – ETPRO TROJAN Win32/Shoco.C Checkin (trojan.rules)
2807844 – ETPRO TROJAN Win32/Netins.A Checkin (trojan.rules)
2807846 – ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin (mobile_malware.rules)
2807847 – ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin 2 (mobile_malware.rules)
2807848 – ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin 3 (mobile_malware.rules)
2807849 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.AAE Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2008299 – ET CHAT GaduGadu Chat Server Login OK Packet (chat.rules)
2016251 – ET TROJAN Win32/Emold.C Checkin (trojan.rules)
2017992 – ET TROJAN Win32/OutBrowse.G Variant Checkin (trojan.rules)
2804323 – ETPRO TROJAN Win32/Ransom.EJ checkin (trojan.rules)
2805110 – ETPRO TROJAN Trojan-Downloader.Banload Chekin (trojan.rules)
2805645 – ETPRO TROJAN TROJ_GEN.F47V1005 CnC traffic (trojan.rules)
2806475 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Obad.a Checkin (mobile_malware.rules)
2807045 – ETPRO TROJAN Trojan.Win32.Agent.aapnf Report via SMTP (trojan.rules)
2807486 – ETPRO TROJAN Worm.Win32/Mamianune.gen spreading via SMTP (trojan.rules)
2807506 – ETPRO TROJAN Win32.Foreign.jowy 1 (trojan.rules)


Daily Ruleset Update Summary 03/18/2014


[***] Summary: [***]

20 new Open rules, 25 new Pro (20/5). Winspy, Zeus, Torlocker, Operation Windigo.

Thanks: @MalwareMustDie and Kevin Ross

Emerging Threats would also like to thank ESET for their excellent write-up on Operation Windigo and allowing us to publish associated rules in our ruleset.

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

[+++] Added rules: [+++]

Open:

2018264 – ET TROJAN Linux/Kimodin SSH backdoor activity (trojan.rules)
2018265 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018266 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018267 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018268 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018269 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018270 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018271 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018272 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018273 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018274 – ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018275 – ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (trojan.rules)
2018276 – ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound) (trojan.rules)
2018290 – ET WEB_SERVER WEBSHELL CFM Shell Access (web_server.rules)
2018291 – ET TROJAN MultiThreat/Winspy.RAT Keep-Alive (flowbit set) (trojan.rules)
2018292 – ET TROJAN MultiThreat/Winspy.RAT Keep-Alive Server Response (trojan.rules)
2018293 – ET TROJAN MultiThreat/Winspy.RAT SMTP Data Exfiltration (trojan.rules)
2018294 – ET TROJAN MultiThreat/Winspy.RAT FTP File Download Command (trojan.rules)
2018295 – ET TROJAN Mal/Ransom-CE Connectivity Check (trojan.rules)
2018296 – ET TROJAN Zeus GameOver Checkin (trojan.rules)

Pro:

2807850 – ETPRO TROJAN Trojan/MSIL.bfsx Checkin (trojan.rules)
2807851 – ETPRO MOBILE_MALWARE Android/Nopoc.A Checkin (mobile_malware.rules)
2807852 – ETPRO MALWARE AdWare.Win32.ScreenSaver.ablp Checkin (malware.rules)
2807853 – ETPRO TROJAN TorLocker Downloading Tor (trojan.rules)
2807854 – ETPRO CURRENT_EVENTS SUSPICIOUS Non-SSL Tor Executable Download as (Observed in TorLocker) (current_events.rules)

[///] Modified active rules: [///]

2001306 – ET MALWARE Gator/Clarian Agent (malware.rules)
2013361 – ET CURRENT_EVENTS HTran/SensLiceld.A response to infected host (current_events.rules)
2016794 – ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command (current_events.rules)
2017417 – ET TROJAN Bladabindi/njrat CnC Keep-Alive (INBOUND) (trojan.rules)
2018019 – ET TROJAN Win32.WinSpy.pob Sending Data over SMTP (trojan.rules)
2018020 – ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2 (trojan.rules)
2807179 – ETPRO TROJAN Trojan.DownLoader10.36780 User-Agent (odin) (trojan.rules)

[///] Modified inactive rules: [///]

2009582 – ET SCAN NMAP -sS window 1024 (scan.rules)
2009583 – ET SCAN NMAP -sS window 3072 (scan.rules)
2009584 – ET SCAN NMAP -sS window 4096 (scan.rules)

[---] Disabled and modified rules: [---]

2807462 – ETPRO TROJAN Net-Worm.Win32.Koobface.ght Ping (trojan.rules)

Daily Ruleset Update Summary 03/20/2014


[***] Summary: [***]

4 new Open rules, 22 new Pro rules. Nbdd.bsj, Onescan, Strictor, GoonEK, DelfInject.

Thanks: Kevin Ross, @kafeine and @EKwatcher

[+++] Added rules: [+++]

Open:

2018297 – ET CURRENT_EVENTS GoonEK encrypted binary (3) (current_events.rules)
2018298 – ET CURRENT_EVENTS GoonEK Landing Mar 20 2014 (current_events.rules)
2018299 – ET WEB_CLIENT Generic HeapSpray Construct (web_client.rules)
2018300 – ET TROJAN Win32/Stoberox.B (trojan.rules)

Pro:

2807855 – ETPRO TROJAN Variant.Strictor.40297 Checkin (trojan.rules)
2807856 – ETPRO TROJAN Posible Win32/Zbot.AHJ CnC Traffic (trojan.rules)
2807857 – ETPRO MALWARE AdWare.Win32.Yotoon.hs Checkin (malware.rules)
2807858 – ETPRO MALWARE Rogue.Win32/Onescan Checkin 2 (malware.rules)
2807859 – ETPRO TROJAN Variant.Symmi Checkin 3 (trojan.rules)
2807860 – ETPRO TROJAN TrojanDownloader.HTML/Adodb.gen!A Download (trojan.rules)
2807861 – ETPRO TROJAN Backdoor.Win32.Nbdd.bsj Checkin (trojan.rules)
2807862 – ETPRO TROJAN Backdoor.Win32.Nbdd.bsj Checkin 2 (trojan.rules)
2807863 – ETPRO TROJAN Backdoor.Win32.Nbdd.bsj Checkin 3 (trojan.rules)
2807864 – ETPRO MALWARE Win32.Reconyc.wp Checkin (malware.rules)
2807865 – ETPRO TROJAN W32/Agent.EW.gen Checkin 2 (trojan.rules)
2807866 – ETPRO TROJAN Trojan.Win32.Scar.hfot Checkin (trojan.rules)
2807867 – ETPRO TROJAN Win32.WinSpy Checkin (trojan.rules)
2807868 – ETPRO TROJAN Win32.Inject.gynk Checkin (trojan.rules)
2807869 – ETPRO TROJAN Win32/Necurs Checkin 3 (trojan.rules)
2807870 – ETPRO TROJAN W32/DelfInject.R Checkin (trojan.rules)
2807871 – ETPRO TROJAN W32/DelfInject.R Checkin 2 (trojan.rules)
2807872 – ETPRO TROJAN W32/DelfInject.R Checkin 3 (trojan.rules)

[///] Modified active rules: [///]

2017998 – ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (current_events.rules)
2018184 – ET CURRENT_EVENTS Zeus.Downloader Campaign Second Stage Executable Request (current_events.rules)
2001472 – ET MALWARE Xpire.info Spyware Install Reporting (malware.rules)
2802017 – ETPRO TROJAN Winspy/Fiskos/Fynloski/Gpigeon/Rewdulon/Greybird Backdoor Keepalive (trojan.rules)

[---] Removed rules: [---]

2003519 – ET EXPLOIT MS ANI exploit (exploit.rules)
2403338 – ET CINS Active Threat Intelligence Poor Reputation IP group 39 (ciarmy.rules)
2804319 – ETPRO TROJAN Backdoor.Win32.Rewdulon.A/Win32.Graybird Keepalive (trojan.rules)
2804547 – ETPRO TROJAN Win32/Zdesnado.AD Checkin (trojan.rules)

Daily Ruleset Update Summary 03/21/2014


[***] Summary: [***]

5 new Open rules and 8 new Pro (5/3). Itunes Phish, Amtar.KNB, CrossRider.A.

Thanks: Kevin Ross and Eoin Miller.

[+++] Added rules: [+++]

Open:

2018301 – ET MALWARE Win32/Toolbar.CrossRider.A Checkin (malware.rules)
2018302 – ET CURRENT_EVENTS PHISH Generic – Landing Page – HTTrack comment and form (current_events.rules)
2018303 – ET CURRENT_EVENTS PHISH iTunes – Landing Page – Title over non SSL (current_events.rules)
2018304 – ET CURRENT_EVENTS PHISH iTunes – Creds Phished (current_events.rules)
2018305 – ET CURRENT_EVENTS PHISH iTunes – PII Phished (current_events.rules)

Pro:

2807873 – ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin (trojan.rules)
2807874 – ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin 2 (trojan.rules)
2807875 – ETPRO MOBILE_MALWARE Monitor.AndroidOS.PhoneSpy.b Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2001259 – ET CHAT Yahoo IM file transfer request (chat.rules)
2006406 – ET TROJAN Proxy.Win32.Agent.mx (2) (trojan.rules)
2013293 – ET TROJAN Win32/Glupteba CnC Checkin (trojan.rules)
2807592 – ETPRO MALWARE Trojan.Script.BAT.Agent.db!159552 (malware.rules)

[---] Removed rules: [---]

2805523 – ETPRO MALWARE Win32/Toolbar.CrossRider.A Checkin (malware.rules)
2807764 – ETPRO TROJAN Trojan-Downloader.Win32.Adload.dyjd Checkin (trojan.rules)

Daily Ruleset Update Summary 03/24/2014


[***] Summary: [***]

10 new Open rules, 16 new Pro (10/6). CVE-2014-1761 (MS Word 0-day), Fake Flappy Bird, Waledac.

[+++] Added rules: [+++]

Open:

2018306 – ET MOBILE_MALWARE SMSSend Fake flappy bird APK (mobile_malware.rules)
2018307 – ET MALWARE AdWare.Win32.Yotoon.hs Checkin (malware.rules)
2018308 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 2 (current_events.rules)
2018309 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 3 (current_events.rules)
2018310 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 4 (current_events.rules)
2018311 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 5 (current_events.rules)
2018312 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 6 (current_events.rules)
2018313 – ET WEB_CLIENT Possible CVE-2014-1761 HTTP (web_client.rules)
2018314 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 1 (current_events.rules)

Pro:

2807876 – ETPRO TROJAN Backdoor.Win32/Tofsee.F Checkin (trojan.rules)
2807877 – ETPRO TROJAN TrojanDownloader.Win32/Banup.A Checkin (trojan.rules)
2807878 – ETPRO TROJAN Trojan-Dropper.Win32.Dapato.dfmz Checkin (trojan.rules)
2807879 – ETPRO MALWARE Adware.Kraddare Checkin (malware.rules)
2807880 – ETPRO TROJAN Trojan-Downloader.Win32.Vivia.r Checkin (trojan.rules)
2807881 – ETPRO TROJAN TrojanDownloader Win32/Waledac.C .exe download 2 (trojan.rules)

[///] Modified active rules: [///]

2002034 – ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) (attack_response.rules)
2014728 – ET TROJAN Smoke Loader Checkin r=gate (trojan.rules)
2015904 – ET TROJAN Win32/Kuluoz.B CnC 3 (trojan.rules)
2016460 – ET TROJAN WEBC2-CSON Checkin – APT1 Related (trojan.rules)
2016578 – ET TROJAN Dorkbot Loader Payload Request (trojan.rules)
2016903 – ET USER_AGENTS Suspicious User-Agent (DownloadMR) (user_agents.rules)
2016905 – ET MALWARE AdWare.MSIL.Solimba.b GET (malware.rules)
2016906 – ET MALWARE AdWare.MSIL.Solimba.b POST (malware.rules)
2016915 – ET MALWARE Suspicious User Agent Smart-RTP (malware.rules)
2017465 – ET TROJAN W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC (trojan.rules)
2017627 – ET TROJAN W32/Kegotip CnC Beacon (trojan.rules)
2802952 – ETPRO TROJAN Herpbot.B Checkin (trojan.rules)
2804254 – ETPRO TROJAN Xtrat/Bifrose/VBKrypt CnC Channel Keepalive (trojan.rules)
2804543 – ETPRO TROJAN Backdoor.Win32.Hupigon Checkin (trojan.rules)
2805419 – ETPRO MALWARE Uptodown.com Checkin (malware.rules)
2805646 – ETPRO TROJAN Backdoor.Win32.Bezigate Checkin (trojan.rules)
2806120 – ETPRO TROJAN Unknown Trojan Selfupdate (exe.zip) (trojan.rules)
2806847 – ETPRO TROJAN WIN32/KOVTER.B Checkin (trojan.rules)
2807275 – ETPRO USER_AGENTS Suspicious User Agent UniversalUserAgent(winHTTP) (user_agents.rules)
2807276 – ETPRO MALWARE Adware/GetFaster Checkin (malware.rules)
2807581 – ETPRO TROJAN Backdoor.Win32/PcClient.AA Checkin (trojan.rules)
2807710 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (trojan.rules)
2807793 – ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin (trojan.rules)

[---] Disabled and modified rules: [---]

2807157 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3845 2 (web_client.rules)

[---] Removed rules: [---]

2012626 – ET TROJAN Unknown Dropper Checkin with NSISDL/1.2 User-Agent (trojan.rules)
2807857 – ETPRO MALWARE AdWare.Win32.Yotoon.hs Checkin (malware.rules)

Daily Ruleset Update Summary 03/25/2014


[***] Summary: [***]

5 new Open rules, 6 new Pro (5/1). Zeus GameOver, NMAP SIP, Tinbanker.

Thanks: Kevin Ross.

[+++] Added rules: [+++]

Open:

2018315 – ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount (web_client.rules)
2018316 – ET CURRENT_EVENTS Zeus GameOver Possible DGA NXDOMAIN Responses (current_events.rules)
2018317 – ET SCAN NMAP SIP Version Detect OPTIONS Scan (scan.rules)
2018318 – ET SCAN NMAP SIP Version Detection Script Activity (scan.rules)
2018319 – ET CURRENT_EVENTS Upatre SSL Compromised site trudeausociety (current_events.rules)

Pro:

2807882 – ETPRO TROJAN TrojanSpy.Win32/Tinbanker.A Checkin (trojan.rules)

[///] Modified active rules: [///]

2018184 – ET CURRENT_EVENTS Zeus.Downloader Campaign Second Stage Executable Request (current_events.rules)
2018314 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 1 (current_events.rules)
2804849 – ETPRO TROJAN Win32/Spy.Bancos.OMJ Checkin (trojan.rules)
2805953 – ETPRO TROJAN Win32/AgentBypass.B CnC – Download exe command (trojan.rules)
2806436 – ETPRO TROJAN TROJ_SASFIS.DA Checkin (trojan.rules)
2806943 – ETPRO TROJAN Win32/Nefyn.A POST (trojan.rules)
2807129 – ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan Fetching DDoS target (trojan.rules)
2807130 – ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan Receiving DDoS (trojan.rules)
2807515 – ETPRO TROJAN Minirem (trojan.rules)
2807864 – ETPRO MALWARE Win32/Nefyn.A GET .exe (malware.rules)
2807865 – ETPRO TROJAN W32/Agent.EW.gen Checkin 2 (trojan.rules)

[---] Removed rules: [---]

2805786 – ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount (web_client.rules)

Daily Ruleset Update Summary 03/26/2014


[***] Summary: [***]

9 new Open rules, 21 new Pro (8/12). Fynloski.A, Zegost, TROJ_PANDDOS, Spy.Zitmo.B.

Thanks: Jake Warren, Kevin Ross, tdzmont

[+++] Added rules: [+++]

Open:

2018320 – ET TROJAN Win32/Sisproc (trojan.rules)
2018321 – ET TROJAN Win32/Zegost UA (trojan.rules)
2018322 – ET CURRENT_EVENTS Captcha Malware C2 SSL Certificate (current_events.rules)
2018323 – ET MALWARE W32/Linkular.Adware Sucessful Install Beacon (2) (malware.rules)
2018324 – ET MALWARE SoundCloud Downloader Install Beacon (malware.rules)
2018325 – ET TROJAN Bozok.RAT checkin (trojan.rules)
2018326 – ET WEB_SPECIFIC_APPS JCE Joomla Extension (web_specific_apps.rules)
2018327 – ET SCAN JCE Joomla Extension User-Agent (BOT) (scan.rules)
2018328 – ET TROJAN Win32/Kryptik.AZER C2 SSL Stolen Cert (trojan.rules)

Pro:

2807883 – ETPRO TROJAN Backdoor.Win32/Fynloski.A CnC command (INBOUND) 1 (trojan.rules)
2807884 – ETPRO TROJAN Backdoor.Win32/Fynloski.A CnC command (INBOUND) 2 (trojan.rules)
2807885 – ETPRO TROJAN Backdoor.Win32/Fynloski.A CnC command (OUTBOUND) 2 (trojan.rules)
2807886 – ETPRO TROJAN TROJ_PANDDOS.DZ Checkin (Intel) (trojan.rules)
2807887 – ETPRO TROJAN TROJ_PANDDOS.DZ Checkin (AMD) (trojan.rules)
2807888 – ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan Fetching DDoS target MALFORMED (trojan.rules)
2807889 – ETPRO TROJAN Win32/Small.CE Checkin (trojan.rules)
2807890 – ETPRO MOBILE_MALWARE Android/Spy.Zitmo.B Checkin 3 (mobile_malware.rules)
2807891 – ETPRO TROJAN TrojanProxy.Wintu.B Checkin (trojan.rules)
2807892 – ETPRO TROJAN Trojan.Win32.IRCbot.ye Checkin (trojan.rules)
2807893 – ETPRO TROJAN Trojan-Dropper.Win32.Danseed.b Checkin (trojan.rules)

[///] Modified active rules: [///]

2014341 – ET POLICY Installshield One Click Install User-Agent Toys File (policy.rules)
2017662 – ET TROJAN Known Sinkhole Response Header (trojan.rules)
2018308 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 2 (current_events.rules)
2018309 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 3 (current_events.rules)
2018314 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 1 (current_events.rules)
2018316 – ET CURRENT_EVENTS Zeus GameOver Possible DGA NXDOMAIN Responses (current_events.rules)
2805735 – ETPRO TROJAN Backdoor Boomie.A Checkin Command 2 (trojan.rules)
2806785 – ETPRO TROJAN Agent.AANC 1 (trojan.rules)
2806786 – ETPRO TROJAN Agent.AANC 2 (trojan.rules)
2807003 – ETPRO TROJAN Loadmoney.A Checkin 5 (trojan.rules)
2807365 – ETPRO TROJAN Zeroaccess Variant 3 (trojan.rules)
2807547 – ETPRO TROJAN Downloader.Win32.Genome.fvmi Checkin (trojan.rules)

[---] Removed rules: [---]

2801343 – ETPRO TROJAN Backdoor.Win32.Paras.B Checkin (trojan.rules)
2803591 – ETPRO TROJAN Win32/Morix.B (trojan.rules)
2806043 – ETPRO TROJAN HackTool.Sniffer.WpePro Checkin (trojan.rules)

Daily Ruleset Update Summary 03/27/2014


[***] Summary: [***]

2 new Open rules, 9 new Pro (2/7). CritX/SafePack/FlashPack, Phrewhid.A, Wintu.

[+++] Added rules: [+++]

Open:

2018329 – ET CURRENT_EVENTS Payload Filename Used in Various 2014-0322 Attacks (current_events.rules)
2018330 – ET CURRENT_EVENTS DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit (current_events.rules)

Pro:

2807894 – ETPRO TROJAN Trojan.DownLoader9.48256 Checkin (trojan.rules)
2807895 – ETPRO TROJAN Trojan.DownLoader9.48256 Checkin 2 (trojan.rules)
2807896 – ETPRO TROJAN Win32/Phrewhid.A Checkin (trojan.rules)
2807897 – ETPRO TROJAN Win32/Phrewhid.A Checkin 2 (trojan.rules)
2807898 – ETPRO TROJAN Trojan-Dropper.Win32.Dapato CnC keep-alive 2 (trojan.rules)
2807899 – ETPRO TROJAN Win32/Spy.KeyLogger.NTB Checkin (trojan.rules)
2807900 – ETPRO TROJAN TrojanProxy.Wintu.B Checkin (trojan.rules)

[///] Modified active rules: [///]

2017813 – ET CURRENT_EVENTS Safe/CritX/FlashPack SilverLight Payload (current_events.rules)
2805006 – ETPRO TROJAN TrojanDownloader.Win32/Banload.ZL Checkin 2 (trojan.rules)
2805075 – ETPRO TROJAN W32/VBKrypt.LYKL!tr Checkin (trojan.rules)
2805284 – ETPRO MALWARE Win32/Pelfpoi.M Checkin (malware.rules)
2805740 – ETPRO TROJAN BanBra Checkin (trojan.rules)
2805840 – ETPRO MOBILE_MALWARE Andr/FakeIns-B / Trojan-SMS.AndroidOS.Agent.a Checkin (mobile_malware.rules)
2806495 – ETPRO TROJAN Trojan-Downloader.Win32.VB.gzui Checkin (trojan.rules)
2806575 – ETPRO MALWARE Adware/MediaGet Checkin (malware.rules)
2807097 – ETPRO TROJAN Unknown CnC keep-alive (trojan.rules)
2807689 – ETPRO TROJAN Win32/Injector.Autoit.ADN Checkin (trojan.rules)
2807690 – ETPRO TROJAN W32/VBCheMan.A!tr Checkin (trojan.rules)
2807695 – ETPRO TROJAN Win32/Tocoomu.A Checkin (trojan.rules)
2807737 – ETPRO TROJAN W32/Farfli.AQK!tr Checkin (trojan.rules)
2807873 – ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin (trojan.rules)
2807874 – ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin 2 (trojan.rules)
2807891 – ETPRO TROJAN Win32/Spy.KeyLogger.NTB Checkin 2 (trojan.rules)
2807892 – ETPRO TROJAN Trojan.Win32.IRCbot.ye Checkin (trojan.rules)

Daily Ruleset Update Summary 03/28/2014


[***] Summary: [***]

3 new Open rules, 6 new Pro (3/3). SpeedingUpMyPC, PerfectKeylogger.

Thanks: Kevin Ross, Nathan Fowler, and Darren Spruell.

[+++] Added rules: [+++]

Open:

2018331 – ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon (trojan.rules)
2018332 – ET TROJAN W32/SpeedingUpMyPC.Rootkit CnC Beacon (trojan.rules)
2018333 – ET MALWARE W32/Amonetize.Downloader Executable Download Request (malware.rules)

Pro:

2807901 – ETPRO TROJAN RemoteAdmin.Win32.RAdmin Request (trojan.rules)
2807902 – ETPRO TROJAN Win32/PerfectKeylogger Possible Download (trojan.rules)
2807903 – ETPRO TROJAN Win32/Cekar.B CnC activity (trojan.rules)

[///] Modified active rules: [///]

2018053 – ET CURRENT_EVENTS Malicious Redirect 8×8 script tag (current_events.rules)
2018171 – ET CURRENT_EVENTS Angler Landing Page Feb 24 2014 (current_events.rules)
2018314 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 1 (current_events.rules)
2805991 – ETPRO TROJAN Win32.Dapato.bsyi Checkin (trojan.rules)
2807453 – ETPRO MALWARE AdWare.iBryte (malware.rules)
2807884 – ETPRO TROJAN Backdoor.Win32/Fynloski.A CnC command (INBOUND) 2 (trojan.rules)
2807900 – ETPRO TROJAN TrojanProxy.Wintu.B Checkin (trojan.rules)

Daily Ruleset Update Summary 03/31/2014


[***] Summary: [***]

5 new Open rules, 11 new Pro (5/6). Goon/Infinity EK, Various IRC, TrojanDownloader.Agent.

Thanks: Kevin Ross.

[+++] Added rules: [+++]

Open:

2018334 – ET CURRENT_EVENTS PHISH Generic – Landing Page – saved from https comment and form (current_events.rules)
2018336 – ET TROJAN Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6) (trojan.rules)
2018337 – ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Mar 31 2014 (current_events.rules)
2018338 – ET MALWARE W32/DownloadAdmin.Adware CnC Beacon (malware.rules)
2018339 – ET MALWARE W32/DownloadAdmin.Adware Executable Download Request (malware.rules)

Pro:

2807904 – ETPRO TROJAN Backdoor.Win32/Sdbot IRC User (trojan.rules)
2807905 – ETPRO TROJAN Trojan.Win32.Ircbot IRC LOGIN (trojan.rules)
2807906 – ETPRO TROJAN Backdoor.Win32.IRCBot.aerz Checkin (trojan.rules)
2807907 – ETPRO TROJAN Win32.Kespy.b IRC LOGIN (trojan.rules)
2807908 – ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin (trojan.rules)
2807909 – ETPRO TROJAN Win32/TrojanDownloader.Agent.AJX Checkin (trojan.rules)

[///] Modified active rules: [///]

2014778 – ET TROJAN Bebloh connectivity check (trojan.rules)
2016768 – ET TROJAN Backdoor.Win32.Dorkbot.AR Join IRC channel (trojan.rules)
2804962 – ETPRO TROJAN Win32/Viking.GN ICMP Echo Request (trojan.rules)
2805419 – ETPRO MALWARE Uptodown.com Checkin (malware.rules)
2805803 – ETPRO TROJAN Taidoor Checkin 2 (trojan.rules)
2806507 – ETPRO TROJAN Win32/Injector.Autoit.P variant response (trojan.rules)
2806920 – ETPRO TROJAN Trojan.Rontokbro Checkin (trojan.rules)
2807385 – ETPRO TROJAN Win32.Hupigon Variant Payload Delivery (trojan.rules)

[---] Removed rules: [---]

2804544 – ETPRO TROJAN W32/Autorun.worm.aa Checkin (trojan.rules)
2806050 – ETPRO TROJAN W32/Zbot.ANM!tr Checkin (trojan.rules)

Daily Ruleset Update Summary 04/01/2014


[***] Summary: [***]

8 new Open rules, 12 new Pro (8/4). Angler EK, Goon/Infinity EK, Hikvision DVR scan, Deep Panda.

Thanks: Kevin Ross, Jake Warren, Jamie Blasco.

[+++] Added rules: [+++]

Open:

2018340 – ET TROJAN Win32.Sality-GR Checkin (trojan.rules)
2018341 – ET TROJAN Kazy Checkin (trojan.rules)
2018342 – ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Mar 31 2014 (current_events.rules)
2018343 – ET CURRENT_EVENTS Hikvision DVR attempted Synology Recon Scan (current_events.rules)
2018344 – ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin (current_events.rules)
2018345 – ET TROJAN W32/SpeedingUpMyPC.Rootkit Sucessful Install GET Type CnC Beacon (trojan.rules)
2018346 – ET CURRENT_EVENTS DRIVEBY Angler EK Landing Apr 01 2014 (current_events.rules)
2018348 – ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct (current_events.rules)

Pro:

2807910 – ETPRO TROJAN Win32/Injector.BANJ Checkin (trojan.rules)
2807911 – ETPRO TROJAN W32/OnlineGames.HG.gen Checkin (trojan.rules)
2807912 – ETPRO TROJAN Win32/TrojanDownloader.Agent.ALG Checkin (trojan.rules)
2807913 – ETPRO CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (current_events.rules)

[///] Modified active rules: [///]

2008974 – ET MALWARE User-Agent (Mozilla/4.0 (compatible)) (malware.rules)
2016541 – ET CURRENT_EVENTS SofosFO/GrandSoft landing applet plus class Mar 03 2013 (current_events.rules)
2018337 – ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Mar 31 2014 (current_events.rules)
2804541 – ETPRO MALWARE TSPY_ONLING.SMIF Dropper Pull (malware.rules)
2807196 – ETPRO TROJAN Worm.Win32/Netsky.F@mm spreading via SMTP 6 (trojan.rules)

[///] Modified inactive rules: [///]

2002061 – ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound) (exploit.rules)
2002826 – ET POLICY fetch User Agent (policy.rules)

[---] Disabled rules: [---]

2002064 – ET NETBIOS ms05-011 exploit (netbios.rules)

Daily Ruleset Update Summary 04/03/2014


[***] Summary: [***]

8 new Open rules, 20 new Pro (8/12). Upatre, RBrute, Graftor, Kraddare.

Thanks: Marcus Cymerman, Nathan Fowler, @MalwareMustDie

[+++] Added rules: [+++]

Open:

2018350 – ET CURRENT_EVENTS Upatre SSL Compromised site potpourriflowers (current_events.rules)
2018351 – ET CURRENT_EVENTS Upatre SSL Compromised site kionic (current_events.rules)
2018352 – ET CURRENT_EVENTS Possible FakeAV binary download (setup) (current_events.rules)
2018353 – ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing) (current_events.rules)
2018354 – ET CURRENT_EVENTS Win32.RBrute Scan (incoming) (current_events.rules)
2018355 – ET CURRENT_EVENTS Win32.RBrute http server request (current_events.rules)
2018356 – ET CURRENT_EVENTS Win32.RBrute http response (current_events.rules)
2018357 – ET CURRENT_EVENTS EvilTDS Redirection (current_events.rules)

Pro:

2806884 – ETPRO TROJAN Worm.AutoIt/Renocide.gen!A Checkin Response (trojan.rules)
2807914 – ETPRO TROJAN Trojan.Win32.Cossta.gns Checkin (trojan.rules)
2807915 – ETPRO TROJAN Trojan-Downloader.Win32.Banload.cqhl Checkin (trojan.rules)
2807916 – ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BL Checkin 2 (mobile_malware.rules)
2807917 – ETPRO TROJAN Variant.Graftor.136459 Checkin (trojan.rules)
2807918 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.avsx Checkin Response (trojan.rules)
2807919 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.avsx Checkin Response 2 (trojan.rules)
2807920 – ETPRO POLICY Win32/InstallIQ.A Checkin (policy.rules)
2807921 – ETPRO MOBILE_MALWARE Android.Monitor.MobileSpy.I Checkin (mobile_malware.rules)
2807922 – ETPRO MALWARE Win32/Adware.Kraddare.HH Checkin (malware.rules)
2807923 – ETPRO TROJAN Win32/Qhost.PGM Checkin (trojan.rules)
2807924 – ETPRO CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Apr 02 2014 (current_events.rules)

[///] Modified active rules: [///]

2001040 – ET MALWARE My Search Bar Install (malware.rules)
2014353 – ET MALWARE W32/MediaGet.Adware Installer Download (malware.rules)
2015723 – ET TROJAN ZeroAccess Checkin (trojan.rules)
2015821 – ET INFO Suspicious Windows NT version 8 User-Agent (info.rules)
2016862 – ET TROJAN Hangover Campaign Keylogger 2 checkin (trojan.rules)
2017992 – ET TROJAN Win32/OutBrowse.G Variant Checkin (trojan.rules)
2018295 – ET TROJAN Mal/Ransom-CE Connectivity Check (trojan.rules)
2018310 – ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 4 (current_events.rules)
2804737 – ETPRO TROJAN Trojan.Win32.Pincav.cemf Checkin (trojan.rules)
2804789 – ETPRO TROJAN Trojan-PSW.Win32.WebMoner.si Checkin (trojan.rules)
2806235 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.avsx Checkin (trojan.rules)
2806883 – ETPRO TROJAN Worm.AutoIt/Renocide.gen!A Checkin (trojan.rules)
2806995 – ETPRO TROJAN Trojan.Win32.Swisyn.behb Checkin (trojan.rules)

[---] Removed rules: [---]

2016358 – ET TROJAN W32/ZeroAccess Counter.img Checkin (trojan.rules)

Daily Ruleset Update Summary 04/04/2014


[***] Summary: [***]

9 new Open rules, 12 new Pro (9/3).

Thanks: @EKWatcher and @jaimeblascob

[+++] Added rules: [+++]

Open:

2018358 – ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 (info.rules)
2018359 – ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (info.rules)
2018360 – ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct (current_events.rules)
2018361 – ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct (current_events.rules)
2018362 – ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
2018363 – ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF (current_events.rules)
2018364 – ET CURRENT_EVENTS SUPSICOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans) (current_events.rules)
2018365 – ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain (info.rules)
2018366 – ET INFO DYNAMIC_DNS Query to a *.mrbasic.com Domain (info.rules)

Pro:

2807925 – ETPRO POLICY RemoteAdmin.Win32.WinVNC.gc (OUTBOUND) (policy.rules)
2807926 – ETPRO TROJAN Trojan-Ransom.Win32.PornoAsset Checkin (trojan.rules)
2807927 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.cm Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2001058 – ET EXPLOIT libpng tRNS overflow attempt (exploit.rules)
2002780 – ET TROJAN Goldun Reporting User Activity 2 (trojan.rules)
2017636 – ET CURRENT_EVENTS Nuclear EK PDF URI Struct (current_events.rules)
2017742 – ET TROJAN Solarbot Check-in (trojan.rules)

Daily Ruleset Update Summary 04/07/2014


[***] Summary: [***]

5 new Open signatures, 10 new Pro (5/5). Goon/Infinity, Various Adware, Various WebShells.

Thanks: Ben Koenig and Kevin Ross.

[+++] Added rules: [+++]

Open:

2018367 – ET MALWARE W32/iBryte.Adware Affiliate Campaign Executable Download (malware.rules)
2018368 – ET MALWARE W32/PullUpdate.Adware CnC Beacon (malware.rules)
2018369 – ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener (web_server.rules)
2018370 – ET WEB_SERVER ATTACKER WebShell – Zehir4.asp (web_server.rules)
2018371 – ET WEB_SERVER ATTACKER WebShell – Zehir4.asp – content (web_server.rules)

Pro:

2807928 – ETPRO MALWARE Adware.Win32/Clickspring.B Checkin (malware.rules)
2807929 – ETPRO TROJAN Backdoor.Win32.Wallop.bz Request (trojan.rules)
2807930 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2807931 – ETPRO MOBILE_MALWARE Android/Badao.A Checkin 2 (mobile_malware.rules)
2807932 – ETPRO CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Apr 07 2014 (current_events.rules)

[///] Modified active rules: [///]

2002932 – ET MALWARE CWS Related Installer (malware.rules)
2003273 – ET MALWARE SOCKSv4 Port 5190 Inbound Request (Linux Source) (malware.rules)
2017183 – ET WEB_SERVER WebShell ASPXShell – Title (web_server.rules)
2018304 – ET CURRENT_EVENTS PHISH iTunes – Creds Phished (current_events.rules)
2018364 – ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans) (current_events.rules)
2802017 – ETPRO TROJAN Winspy/Fiskos/Fynloski/Gpigeon/Rewdulon/Greybird Backdoor Keepalive (trojan.rules)
2802986 – ETPRO TROJAN Win32/Banload.YE Checkin (trojan.rules)
2806188 – ETPRO TROJAN Backdoor.Win32/Netbus reporting via smtp (trojan.rules)
2806244 – ETPRO TROJAN W32/IRCBot-based!Maximus (trojan.rules)
2806305 – ETPRO TROJAN Trojan-PSW.Reedum FTP login (trojan.rules)
2806408 – ETPRO TROJAN Win32/Banload.AHA Sending SPAM (trojan.rules)
2806579 – ETPRO TROJAN DarkComet-RAT init connection 3 (trojan.rules)
2806581 – ETPRO TROJAN DarkComet-RAT init connection 4 (trojan.rules)
2806583 – ETPRO TROJAN DarkComet-RAT init connection 5 (trojan.rules)
2806585 – ETPRO TROJAN DarkComet-RAT init connection 6 (trojan.rules)
2806587 – ETPRO TROJAN DarkComet-RAT init connection 7 (trojan.rules)
2806589 – ETPRO TROJAN DarkComet-RAT init connection 8 (trojan.rules)
2806600 – ETPRO TROJAN Trojan-Banker.Win32.Banker.akf Checkin (trojan.rules)
2806709 – ETPRO MALWARE Server-Web.Win32.NetBox.c Checkin (malware.rules)
2806739 – ETPRO TROJAN Win32/Fabucks.A Checkin (trojan.rules)
2806883 – ETPRO TROJAN Worm.AutoIt/Renocide.gen!A Checkin (trojan.rules)
2807017 – ETPRO TROJAN Backdoor.Win32.GF.13x.A Checkin (trojan.rules)
2807037 – ETPRO TROJAN Trojan.Win32.Swisyn.auua Checkin (trojan.rules)
2807045 – ETPRO TROJAN Trojan.Win32.Agent.aapnf Report via SMTP (trojan.rules)
2807047 – ETPRO TROJAN Backdoor.Win32.GF.13x.A Response (trojan.rules)
2807113 – ETPRO TROJAN Trojan-Banker.Win32.Banz.kpx Checkin via SMTP (trojan.rules)
2807181 – ETPRO TROJAN Win32/IRCbot.gen!AC Reporting via IRC (trojan.rules)
2807279 – ETPRO TROJAN Worm.Mydoom spreading via SMTP 24 (trojan.rules)
2807371 – ETPRO MALWARE AdWare.MSIL.Sancmed.p Checkin (malware.rules)
2807424 – ETPRO TROJAN Trojan-Dropper.Win32.Dorifel.hlu Checkin (trojan.rules)
2807440 – ETPRO TROJAN Win32/Ranbyus Check-in (trojan.rules)
2807605 – ETPRO TROJAN Win32/Agent.UWF Checkin (trojan.rules)
2807668 – ETPRO TROJAN W32/KeyLogger.OFP!tr.spy Response (trojan.rules)
2807671 – ETPRO TROJAN Trojan-Proxy.Win32.Mediana.i Checkin (trojan.rules)
2807870 – ETPRO TROJAN W32/DelfInject.R Checkin (trojan.rules)
2807871 – ETPRO TROJAN W32/DelfInject.R Checkin 2 (trojan.rules)
2807872 – ETPRO TROJAN W32/DelfInject.R Checkin 3 (trojan.rules)
[---] Removed rules: [---]

2802985 – ETPRO TROJAN Win32/Banload.YE Checkin Flowbit SET (trojan.rules)
2804016 – ETPRO CURRENT_EVENTS Trojan.Win32.Jorik.Banker.kx Downloading Host file – SET (current_events.rules)
2804017 – ETPRO CURRENT_EVENTS Trojan.Win32.Jorik.Banker.kx Downloading Host file to map Brazilian banks sites to fraudulent IPs (current_events.rules)
2806252 – ETPRO TROJAN Unknown Keylogger Uploading logs (trojan.rules)
2806884 – ETPRO TROJAN Worm.AutoIt/Renocide.gen!A Checkin Response (trojan.rules)
2807111 – ETPRO TROJAN Win32/Agent.CC Checkin (trojan.rules)
2807139 – ETPRO TROJAN Trojan-PWS.OnlineGames ICMP Echo Request 1 (trojan.rules)
2807140 – ETPRO TROJAN Trojan-PWS.OnlineGames ICMP Echo Request 2 (trojan.rules)
2807437 – ETPRO TROJAN Trojan-Dropper.Win32.Dapato.dgla Checkin (trojan.rules)

Daily Ruleset Update Summary 04/09/2014


[***] Summary: [***]

4 new Open rules, 9 new Pro (4/5). More Heartbleed, Various Android, Win32.Genome.

[+++] Added rules: [+++]

Open:

2018375 – ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set (current_events.rules)
2018376 – ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set (current_events.rules)
2018377 – ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server) (current_events.rules)
2018378 – ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client) (current_events.rules)
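The four rules above work as a pair: the first two set a flowbit when a heartbeat request is seen on a flow, and the second two fire when the reply on that same flow is a heartbeat response far larger than a legitimate echo. The following Python is an added illustration of that two-stage logic and is not an Emerging Threats rule or any code from the ruleset. The 256-byte "large response" threshold, the helper names, and the sample byte strings are assumptions constructed for the example; only the TLS record layout and the RFC 6520 heartbeat format (type, 16-bit payload_length, payload, at least 16 bytes of padding) are taken from the protocol.

```python
import struct

TLS_HEARTBEAT = 0x18              # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2    # HeartbeatMessageType values
MIN_PADDING = 16                  # RFC 6520 requires at least 16 bytes of padding
MAX_SANE_RESPONSE = 256           # assumed threshold for a "large" response body


def tls_record(ctype, body, version=0x0302):
    """Build one TLS record: type(1) version(2) length(2) body."""
    return struct.pack('!BHH', ctype, version, len(body)) + body


def iter_records(data):
    """Yield (content_type, version, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack_from('!BHH', data, off)
        yield ctype, version, data[off + 5: off + 5 + length]
        off += 5 + length


def heartbeat_claimed_len(body):
    """payload_length field of a heartbeat message, or None if the body is too short."""
    if len(body) < 3:
        return None
    return struct.unpack_from('!H', body, 1)[0]


def inspect_flow(client_to_server, server_to_client):
    """Two-stage check: note a heartbeat request (the 'flowbit'), then flag
    an oversized heartbeat response on the same flow. Returns a list of findings."""
    findings = []
    hb_requested = False
    for ctype, _version, body in iter_records(client_to_server):
        if ctype != TLS_HEARTBEAT or not body or body[0] != HB_REQUEST:
            continue
        hb_requested = True
        claimed = heartbeat_claimed_len(body)
        # A well-formed request holds type(1) + length(2) + payload + >=16 padding;
        # a Heartbleed probe claims far more payload than the record actually carries.
        if claimed is None or 3 + claimed + MIN_PADDING > len(body):
            findings.append(('malformed_heartbeat_request', claimed, len(body)))
    for ctype, _version, body in iter_records(server_to_client):
        if ctype != TLS_HEARTBEAT or not body or body[0] != HB_RESPONSE:
            continue
        # Only alert when this flow saw a request first, as the flowbit would require.
        if hb_requested and len(body) > MAX_SANE_RESPONSE:
            findings.append(('large_heartbeat_response', len(body)))
    return findings


# Constructed sample traffic for the example (not captured data).
_benign_payload = b'\xab\xcd\xef\x01'
BENIGN_C2S = tls_record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack('!H', 4)
                        + _benign_payload + bytes(MIN_PADDING))
BENIGN_S2C = tls_record(TLS_HEARTBEAT, bytes([HB_RESPONSE]) + struct.pack('!H', 4)
                        + _benign_payload + bytes(MIN_PADDING))
# The probe claims a 4096-byte payload but sends none; a vulnerable server
# echoes 4096 bytes of its own memory back in the response.
ATTACK_C2S = tls_record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack('!H', 4096))
ATTACK_S2C = tls_record(TLS_HEARTBEAT, bytes([HB_RESPONSE]) + struct.pack('!H', 4096)
                        + bytes(4096) + bytes(MIN_PADDING))

if __name__ == '__main__':
    print('benign:', inspect_flow(BENIGN_C2S, BENIGN_S2C))
    print('probe :', inspect_flow(ATTACK_C2S, ATTACK_S2C))
```

The benign exchange produces no findings; the probe yields a malformed-request finding (claimed 4096 bytes in a 3-byte body) and, once the server answers, a large-response finding. A real IDS rule does the same arithmetic with the rule language's byte tests on the length fields instead of Python, and the threshold it uses is the ruleset's choice, not the one assumed here.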

Pro:

2807937 – ETPRO TROJAN Trojan-Downloader.Win32.Genome.fxjh Checkin (trojan.rules)
2807938 – ETPRO MOBILE_MALWARE Android/SmsSpy.X Checkin (mobile_malware.rules)
2807939 – ETPRO MOBILE_MALWARE Android/SmsSpy.X Checkin 2 (mobile_malware.rules)
2807940 – ETPRO TROJAN Backdoor.Win32.Agent.bg Checkin (trojan.rules)
2807941 – ETPRO TROJAN Trojan.Win32.Blocker.ctrojn Checkin (trojan.rules)
[///] Modified active rules: [///]

2003171 – ET SCAN IBM NSA User Agent (scan.rules)
2014726 – ET POLICY Outdated Windows Flash Version IE (policy.rules)
2014727 – ET POLICY Outdated Mac Flash Version (policy.rules)
2018281 – ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert) (trojan.rules)
2018282 – ET TROJAN Possible Netwire RAT Client HeartBeat S1 (no alert) (trojan.rules)
2805345 – ETPRO TROJAN Troj/Mdrop-DXT checkin 1 (trojan.rules)
2805378 – ETPRO MALWARE Porn-Dialer.Win32.PluginAccess.gen Checkin (malware.rules)
2805448 – ETPRO TROJAN Win32.Viking.bb Checkin (trojan.rules)
[---] Removed rules: [---]

2403329 – ET CINS Active Threat Intelligence Poor Reputation IP group 30 (ciarmy.rules)
2403330 – ET CINS Active Threat Intelligence Poor Reputation IP group 31 (ciarmy.rules)
2405091 – ET CNC Shadowserver Reported CnC Server Port 53381 Group 1 (botcc.portgrouped.rules)
2405092 – ET CNC Shadowserver Reported CnC Server Port 54321 Group 1 (botcc.portgrouped.rules)
2405093 – ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (botcc.portgrouped.rules)
2805346 – ETPRO TROJAN Troj/Mdrop-DXT checkin 2 (trojan.rules)

Daily Ruleset Update Summary 04/10/2014


[***] Summary: [***]

3 new Open, 9 new Pro (3/6).

Thanks: Chris Wakelin.

[+++] Added rules: [+++]

Open:

2018379 – ET TROJAN Backdoor.Win32.Mecklow.A Checkin (trojan.rules)
2018380 – ET TROJAN Backdoor.Win32.Mecklow.A Checkin 2 (trojan.rules)
2018381 – ET TROJAN Suspicious User-Agent (hi) (trojan.rules)

Pro:

2807942 – ETPRO TROJAN Win32/Tearspear.A Checkin (trojan.rules)
2807943 – ETPRO TROJAN Trojan-PSW.Win32.QQDragon.bq Checkin (trojan.rules)
2807944 – ETPRO TROJAN Win32.StartPage.aqin Checkin (trojan.rules)
2807945 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Moavt.c Checkin (mobile_malware.rules)
2807946 – ETPRO TROJAN Backdoor.Win32.Rukap Checkin 2 (trojan.rules)
2807947 – ETPRO TROJAN Win32/Chksyn.gen!A Checkin (trojan.rules)
[///] Modified active rules: [///]

2014002 – ET TROJAN Fake Variation of Mozilla 4.0 – Likely Trojan (trojan.rules)
2018375 – ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set (current_events.rules)
2018376 – ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set (current_events.rules)
2804051 – ETPRO TROJAN Win32/Kryptik.UOM User-Agent (USERAGENT) (trojan.rules)
2804583 – ETPRO MALWARE Generic AdClicker.p Install – SET (malware.rules)
2804584 – ETPRO MALWARE Generic AdClicker.p Install (malware.rules)
2804632 – ETPRO TROJAN Proxy.Win32.Agent.bvy Checkin (trojan.rules)
2804901 – ETPRO TROJAN Trojan-Clicker.Win32.VB.alu Checkin (trojan.rules)
2804982 – ETPRO TROJAN Win32/ServStart.A checkin 2 (trojan.rules)
2805009 – ETPRO TROJAN Gen.Win32.SMTP-Mailer.!GW@aG6DWHbc sending info via SMTP (trojan.rules)
2805220 – ETPRO MALWARE Win-Adware/KorAd.138208 Checkin (malware.rules)
2805719 – ETPRO TROJAN Trojan-Proxy.Win32.Small.ai Checkin (trojan.rules)
2806783 – ETPRO TROJAN Win32.Xtrat.A (CnC & Exe Source) (trojan.rules)
[---] Removed rules: [---]

2013218 – ET TROJAN Backdoor.Specfix Checkin (trojan.rules)
2802084 – ETPRO TROJAN Backdoor.Win32.Mecklow.A Checkin (trojan.rules)
2804753 – ETPRO TROJAN Win32/Wadolin.A Checkin (trojan.rules)
2804805 – ETPRO TROJAN Trojan-Downloader.Win32.Homa.exm Checkin (trojan.rules)
2804874 – ETPRO TROJAN W32/Delfloader.B.gen!Eldorado Checkin (trojan.rules)
2805080 – ETPRO TROJAN Backdoor.Win32.Mecklow.A Checkin 2 (port 443) (trojan.rules)
2805081 – ETPRO TROJAN Backdoor.Win32.Mecklow.A Checkin 2 (trojan.rules)
2805082 – ETPRO TROJAN Backdoor.Win32.Mecklow.A Checkin 3 (port 443) (trojan.rules)

Daily Ruleset Update Summary 04/14/2014


[***] Summary: [***]

6 new Open rules, 9 new Pro (6/3). Zeus, AndroidOS.FakeInst, HeartBleed.

Thanks: Paul Schmehl, Kevin Ross, @kafeine, @EKWatcher.

[+++] Added rules: [+++]

Open:

2018384 – ET CURRENT_EVENTS Zeus.Downloader Campaign Unknown Initial CnC Beacon 10/4/2014 (current_events.rules)
2018385 – ET CURRENT_EVENTS Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014 (current_events.rules)
2018386 – ET TROJAN Trojan.Win32.Yakes.ehof Checkin (trojan.rules)
2018387 – ET CURRENT_EVENTS Angler EK Landing Apr 14 2014 (current_events.rules)
2018388 – ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port) (current_events.rules)
2018389 – ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port) (current_events.rules)

Pro:

2804753 – ETPRO TROJAN Win32/Wadolin.A Checkin (trojan.rules)
2807948 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ft Checkin (mobile_malware.rules)
2807949 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ft Checkin 2 (mobile_malware.rules)
[///] Modified active rules: [///]

2003335 – ET USER_AGENTS 2search.org User Agent (2search) (user_agents.rules)
2003346 – ET MALWARE Errorsafe.com Fake antispyware User-Agent (ErrorSafe) (malware.rules)
2003626 – ET MALWARE Double User-Agent (User-Agent User-Agent) (malware.rules)
2009971 – ET P2P eMule KAD Network Hello Request (2) (p2p.rules)
2010162 – ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt (web_server.rules)
2011503 – ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt (exploit.rules)
2011800 – ET POLICY Abnormal User-Agent No space after colon – Likely Hostile (policy.rules)
2013195 – ET MALWARE Win32.EZula Adware Reporting Successful Install (malware.rules)
2013199 – ET TROJAN Trojan/Hacktool.Sniffer Successful Install Message (trojan.rules)
2013423 – ET TROJAN User-Agent in Referer Field – Likely Malware (trojan.rules)
2014103 – ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool (web_server.rules)
2014302 – ET TROJAN Suspicious HTTP Referer C Drive Path (trojan.rules)
2014758 – ET TROJAN Trojan.BAT.Qhost – SET (trojan.rules)
2014759 – ET TROJAN Trojan.BAT.Qhost Response from Controller (trojan.rules)
2017031 – ET CURRENT_EVENTS Unknown_InIFRAME – In Referer (current_events.rules)
2017561 – ET MALWARE W32/Wajam.Adware Successful Install (malware.rules)
2017788 – ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement (mobile_malware.rules)
2017880 – ET MALWARE W32/Linkular.Adware Successful Install Beacon (malware.rules)
2017935 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET (trojan.rules)
2017936 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 (trojan.rules)
2018059 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 1 (trojan.rules)
2018060 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 2 (trojan.rules)
2018061 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 3 (trojan.rules)
2018062 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 4 (trojan.rules)
2018063 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 5 (trojan.rules)
2018064 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 6 (trojan.rules)
2018065 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 7 (trojan.rules)
2018066 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 8 (trojan.rules)
2018067 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 9 (trojan.rules)
2018068 – ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 10 (trojan.rules)
2018129 – ET TROJAN W32/Trojan-Gypikon Sending Data (trojan.rules)
2018130 – ET TROJAN W32/Trojan-Gypikon Server Check-in Response (trojan.rules)
2018162 – ET CURRENT_EVENTS Malicious Redirect Evernote Spam Campaign Feb 19 2014 (current_events.rules)
2018283 – ET TROJAN Possible Netwire RAT Client HeartBeat C2 (trojan.rules)
2018323 – ET MALWARE W32/Linkular.Adware Successful Install Beacon (2) (malware.rules)
2018345 – ET TROJAN W32/SpeedingUpMyPC.Rootkit Successful Install GET Type CnC Beacon (trojan.rules)
2804241 – ETPRO TROJAN Unknown Trojan Checkin id= mac= (trojan.rules)
2804446 – ETPRO TROJAN Win32/Votead Checkin (trojan.rules)
2806313 – ETPRO TROJAN Win32/Injector.AEDM Checkin (trojan.rules)
2806880 – ETPRO TROJAN Suspicious HTTP Referer artifact.exe at drive C (trojan.rules)
[///] Modified inactive rules: [///]

2010500 – ET MALWARE Executable purporting to be .txt file with no Referer – Likely Malware (malware.rules)
2010501 – ET MALWARE Executable purporting to be .cfg file with no Referer – Likely Malware (malware.rules)
[---] Removed rules: [---]

2018020 – ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2 (trojan.rules)
2018251 – ET TROJAN Havex Rat Check-in URI Struct (trojan.rules)
2405089 – ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (botcc.portgrouped.rules)
2806408 – ETPRO TROJAN Win32/Banload.AHA Sending SPAM (trojan.rules)

Daily Ruleset Update Summary 04/15/2014


[***] Summary: [***]

2 new Open signatures, 4 new Pro (2/2). Zegost, ProRat.

[+++] Added rules: [+++]

Open:

2018390 – ET TROJAN Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND) (trojan.rules)
2018392 – ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system 2 (attack_response.rules)

Pro:

2807950 – ETPRO TROJAN Backdoor.Win32.ProRat Checkin (trojan.rules)
2807951 – ETPRO TROJAN Win32.Wapomi.AA CnC (OUTBOUND) (trojan.rules)
[///] Modified active rules: [///]

2011582 – ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
2014297 – ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
2017412 – ET TROJAN Gh0st_Apple Checkin (trojan.rules)
2805345 – ETPRO TROJAN Troj/Mdrop-DXT checkin 1 (trojan.rules)
2805970 – ETPRO TROJAN Backdoor.Win32.MoSucker.23 reporting via ICQ WWW script (trojan.rules)
[---] Removed rules: [---]

2014629 – ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus js.js (current_events.rules)
2015709 – ET CURRENT_EVENTS Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html (current_events.rules)
2804470 – ETPRO TROJAN PWS-Spyeye.eo Checkin (trojan.rules)

Daily Ruleset Update Summary 04/16/2014


[***] Summary: [***]

6 new Open signatures, 16 new Pro (6/10). CryptoDefense, Nuclear EK, InstallBrain, Hupigon.

Thanks: Nathan Fowler, tdzmont, @EKWatcher

[+++] Added rules: [+++]

Open:

2008282 – ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
2018393 – ET TROJAN plasmabot Checkin (trojan.rules)
2018394 – ET TROJAN Common Upatre Header Structure (trojan.rules)
2018395 – ET TROJAN Possible Kelihos.F EXE Download Common Structure 2 (trojan.rules)
2018396 – ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (current_events.rules)
2018397 – ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)

Pro:

2807952 – ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
2807953 – ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
2807954 – ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
2807955 – ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
2807956 – ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
2807957 – ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin (trojan.rules)
2807958 – ETPRO MALWARE InstallBrain Checkin (malware.rules)
2807959 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin (mobile_malware.rules)
2807960 – ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
2807961 – ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014 (current_events.rules)
[///] Modified active rules: [///]

2017598 – ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
2017714 – ET TROJAN PlugX Checkin (trojan.rules)
2018362 – ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
2018372 – ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
2018373 – ET CURRENT_EVENTS Malformed HeartBeat Response (current_events.rules)
2018374 – ET CURRENT_EVENTS Malformed HeartBeat Request method 2 (current_events.rules)
2807273 – ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
2807950 – ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)
[---] Removed rules: [---]

2003548 – ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (malware.rules)
2008282 – ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)

Daily Ruleset Update Summary 04/17/2014


[***] Summary: [***]

2 new Open signatures, 10 new Pro (2/8). BitCrypt, Various AndroidOS, Destrukor.

[+++] Added rules: [+++]

Open:

2018399 – ET TROJAN BitCrypt site accessed via .onion SSL Proxy (trojan.rules)
2018400 – ET TROJAN BitCrypt Ransomware Domain (trojan.rules)

Pro:

2807962 – ETPRO TROJAN Trojan-PSW.Win32.Tepfer.tlha Checkin (trojan.rules)
2807963 – ETPRO TROJAN Win32.Induc.O Checkin (trojan.rules)
2807964 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.ig Checkin (mobile_malware.rules)
2807965 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.ABQ Checkin (mobile_malware.rules)
2807966 – ETPRO TROJAN W32.Tinba/Zusy Checkin 2 (trojan.rules)
2807967 – ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin (trojan.rules)
2807968 – ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin (mobile_malware.rules)
2807969 – ETPRO TROJAN Betabot.3 checkin (trojan.rules)
[///] Modified active rules: [///]

2015576 – ET CURRENT_EVENTS DNS Query to tor2web Domain (.onion proxy) (current_events.rules)
2016806 – ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (current_events.rules)
2016810 – ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2) (current_events.rules)
2018386 – ET TROJAN cryptodefense Checkin (trojan.rules)
2018397 – ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)
2807273 – ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
