
Daily Ruleset Update Summary 04/18/2014


[***] Summary: [***]

1 new Open rule today. Win32.Kazy.

[+++] Added rules: [+++]

2018401 – ET TROJAN Win32.Kazy Checkin (trojan.rules)
[///] Modified active rules: [///]

2003603 – ET TROJAN W32.Virut.A joining an IRC Channel (trojan.rules)
2017937 – ET TROJAN Fake/Short Google Search Appliance UA Win32/Ranbyus and Others (trojan.rules)
2804765 – ETPRO TROJAN Dirt Jumper/Russkill v5 Checkin (trojan.rules)
[---] Removed rules: [---]

2000041 – ET POLICY Yahoo Mail Inbox View (policy.rules)
2000042 – ET POLICY Yahoo Mail Message View (policy.rules)
2000043 – ET POLICY Yahoo Mail Message Compose Open (policy.rules)
2016857 – ET TROJAN W32/Pushdo CnC Server Fake JPEG Response (trojan.rules)
2017947 – ET CURRENT_EVENTS Possible Styx Kein Landing URI Struct (current_events.rules)

Daily Ruleset Update Summary 04/21/2014


[***] Summary: [***]

5 new Open, 8 new Pro (5/3). GreenDou, EL8, Upatre.

Thanks, Nathan Fowler, tdzmont, @EKwatcher

[+++] Added rules: [+++]

Open:

2018402 – ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (current_events.rules)
2018403 – ET TROJAN GENERIC Zbot Based Loader (trojan.rules)
2018404 – ET TROJAN GreenDou Downloader User-Agent (hello crazyk) (trojan.rules)
2018405 – ET CURRENT_EVENTS DRIVEBY EL8 EK Landing (current_events.rules)
2018406 – ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup (policy.rules)

Pro:

2807970 – ETPRO TROJAN Win32/Neurevt.A Checkin (trojan.rules)
2807971 – ETPRO CURRENT_EVENTS Possible Upatre SSL Compromised site bellabeachwear (current_events.rules)
2807972 – ETPRO TROJAN Win32/FlyStudio Activity (trojan.rules)
[///] Modified active rules: [///]

2009078 – ET TROJAN Backdoor Lanfiltrator Checkin (trojan.rules)
2009299 – ET TROJAN General Trojan Downloader (trojan.rules)
2009444 – ET TROJAN Virut Family GET (trojan.rules)
2011236 – ET TROJAN Trojan-Downloader Win32.Genome.avan (trojan.rules)
2012100 – ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow (web_client.rules)
2014163 – ET TROJAN Bifrose/Cycbot Checkin 2 (trojan.rules)
2015045 – ET INFO Potential Common Malicious JavaScript Loop (info.rules)
2015808 – ET TROJAN Taidoor Checkin (trojan.rules)
2016498 – ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload (current_events.rules)
2016764 – ET CURRENT_EVENTS SofosFO PDF Payload Download (current_events.rules)
2017261 – ET TROJAN TrojanDownloader.Win32/Dofoil.U Trojan Checkin (trojan.rules)
2800514 – ETPRO WEB_CLIENT IBM Informix Client SDK NFX File Processing Stack Buffer Overflow (web_client.rules)
2800515 – ETPRO WEB_CLIENT IBM Informix Client SDK NFX File Processing Stack Buffer Overflow (web_client.rules)
2804434 – ETPRO TROJAN Likely Bot Nick in IRC ([country|so_version|computername]) (trojan.rules)
2806086 – ETPRO TROJAN QLowZones-6 Checkin (trojan.rules)
2806100 – ETPRO TROJAN Win32/Vkhost.F .dll download (trojan.rules)
2806272 – ETPRO TROJAN Win32/Sality.AM Checkin 2 (trojan.rules)
2806921 – ETPRO TROJAN Win32/Carberp.G Checkin (trojan.rules)
2807358 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.bk Checkin (mobile_malware.rules)
2807425 – ETPRO TROJAN Win32.LockScreen Ransomware checkin (trojan.rules)
2807429 – ETPRO TROJAN Trojan.Win32.Verti.A (trojan.rules)
2807614 – ETPRO TROJAN Backdoor.Win32/Delf.DU IRC Checkin (trojan.rules)
2807656 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0285) (web_client.rules)
2807657 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0286) (web_client.rules)
2807876 – ETPRO TROJAN Backdoor.Win32/Tofsee.F Checkin (trojan.rules)
[---] Removed rules: [---]

2803388 – ETPRO TROJAN Win32/Dynamer!dtc Checkin (trojan.rules)
2804495 – ETPRO TROJAN Virus.Win32/Sality.T Checkin (trojan.rules)

Daily Ruleset Update Summary 04/22/2014


[***] Summary: [***]

5 new open signatures, 11 new Pro (5+6). Fiesta, Destrukor, Swisyn.dcit.

Thanks: Nathan Fowler.

[+++] Added rules: [+++]

Open:

2018407 – ET CURRENT_EVENTS Fiesta URI Struct (current_events.rules)
2018408 – ET CURRENT_EVENTS Fiesta PDF Exploit Download (current_events.rules)
2018409 – ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (current_events.rules)
2018410 – ET CURRENT_EVENTS Fiesta Flash Exploit Download (current_events.rules)
2018411 – ET CURRENT_EVENTS Fiesta Flash Exploit Download (current_events.rules)

Pro:

2807973 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.eemn Checkin (trojan.rules)
2807974 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2807975 – ETPRO TROJAN Trojan.DownLoader9.54232 Checkin (trojan.rules)
2807976 – ETPRO TROJAN Trojan.Win32.Swisyn.dcit Checkin (trojan.rules)
2807977 – ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin 2 (trojan.rules)
2807978 – ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin via SMTP (trojan.rules)
[///] Modified active rules: [///]

2013094 – ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex (current_events.rules)
2018382 – ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server) (current_events.rules)
2018383 – ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client) (current_events.rules)
2800000 – ETPRO WEB_SERVER Microsoft IIS ISAPI Heap Overflow (web_server.rules)
2804426 – ETPRO WEB_CLIENT Microsoft Windows midiOutPlayNextPolyEvent Heap Overflow 1 (web_client.rules)
2804427 – ETPRO WEB_CLIENT Microsoft Windows midiOutPlayNextPolyEvent Heap Overflow 2 (web_client.rules)
2804428 – ETPRO WEB_CLIENT Microsoft Windows midiOutPlayNextPolyEvent Heap Overflow 3 (web_client.rules)
2806920 – ETPRO TROJAN Trojan.Rontokbro Checkin (trojan.rules)
2807970 – ETPRO TROJAN Win32/Neurevt.A Checkin 3 (trojan.rules)
[---] Removed rules: [---]

2802049 – ETPRO TROJAN Backdoor.Win32.Sbtob.A Checkin (trojan.rules)

Daily Ruleset Update Summary 04/23/2014


[***] Summary: [***]

6 new Open signatures, 9 new Pro (6+3). Zeus, Agentb.apga, Tepfer.InfoStealer.

Thanks: Kevin Ross, tdzmont, @EKwatcher.

[+++] Added rules: [+++]

Open:

2018412 – ET TROJAN Trojan-Spy.Win32.Zbot.qgxi Checkin (trojan.rules)
2018413 – ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P) (current_events.rules)
2018414 – ET CURRENT_EVENTS possible OneLouder downloader installing Zeus P2P (current_events.rules)
2018415 – ET TROJAN W32/Tepfer.InfoStealer CnC Beacon (trojan.rules)
2018416 – ET TROJAN ftpchk3.php upload attempted (trojan.rules)
2018417 – ET TROJAN ftpchk3.php possible upload success (trojan.rules)

Pro:

2807979 – ETPRO TROJAN Trojan.Win32.Agentb.apga Checkin (trojan.rules)
2807980 – ETPRO TROJAN Trojan.Win32.Agentb.apga Checkin 2 (trojan.rules)
2807981 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Feejar.D Checkin (mobile_malware.rules)
[///] Modified active rules: [///]

2013346 – ET TROJAN PSW.Win32.Ruftar.lon File Stealer FTP File Upload (trojan.rules)
2013720 – ET TROJAN Win32/Wapomi.AD Variant Checkin (trojan.rules)
2018382 – ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server) (current_events.rules)
2018383 – ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client) (current_events.rules)
2807876 – ETPRO TROJAN Backdoor.Win32/Tofsee.F Checkin (trojan.rules)
[---] Removed rules: [---]

2003542 – ET MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting (malware.rules)
2013344 – ET TROJAN Unknown Trojan Checkin to CnC Server (trojan.rules)
2017658 – ET TROJAN Unknown Trojan Secondary Download (trojan.rules)
2017659 – ET TROJAN Unknown Trojan Download (trojan.rules)
2807160 – ETPRO TROJAN Trojan-Spy.Win32.Zbot.qgxi Checkin (trojan.rules)

Daily Ruleset Update Summary 04/24/2014


[***] Summary: [***]

4 new Open signatures, 7 new Pro (4+3). Zbot.InfoStealer, Spy.Banker, Hacker87.

[+++] Added rules: [+++]

Open:

2018418 – ET CURRENT_EVENTS Possible W32/Zbot.InfoStealer SSL Cert Parallels.com (current_events.rules)
2018419 – ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA (trojan.rules)
2018420 – ET TROJAN hacker87 checkin (trojan.rules)
2018421 – ET TROJAN Zbot downloader Installing Zeus (trojan.rules)

Pro:

2807982 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.gj Checkin (mobile_malware.rules)
2807983 – ETPRO TROJAN Win32/Spy.Banker.AAQD Checkin (trojan.rules)
2807984 – ETPRO TROJAN Trojan.Win32.Iframer.a Checkin (trojan.rules)
[///] Modified active rules: [///]

2010344 – ET TROJAN Chorns/Poison Ivy related Backdoor Initial Connection (trojan.rules)
2010345 – ET TROJAN Chorns/Poison Ivy related Backdoor Keep Alive (trojan.rules)

Daily Ruleset Update Summary 04/28/2014


[***] Summary: [***]

1 new Pro rule for MS IE 0-day RCE (CVE-2014-1776).

[+++] Added rules: [+++]

2807985 – ETPRO WEB_CLIENT Possible Internet Explorer RCE CVE-2014-1776 (web_client.rules)
[---] Removed rules: [---]

2803914 – ETPRO TROJAN Win32/Cycbot.G Checkin (trojan.rules)

Daily Ruleset Update Summary 04/28/2014 (Part 2)


[***] Summary: [***]

7 new open rules, 11 new Pro (7+4). Netwire RAT, Spy.Agent.OIA, Cutwail.

Thanks: Alexandre Dulaunoy and @EKWatcher

[+++] Added rules: [+++]

Open:

2018422 – ET TROJAN Uprate Binary Download April 28 2014 (trojan.rules)
2018423 – ET TROJAN W32/Eclipse.DDOSBot CnC Beacon Response (trojan.rules)
2018424 – ET TROJAN W32/MadnessPro.DDOSBot CnC Beacon (trojan.rules)
2018425 – ET TROJAN Vawtrak/NeverQuest – Post Data Form 01 (trojan.rules)
2018426 – ET TROJAN Netwire RAT Check-in (trojan.rules)
2018427 – ET TROJAN Netwire RAT Check-in (trojan.rules)
2018428 – ET CURRENT_EVENTS SUSPICIOUS Crystalize Filter in Uncompressed Flash (current_events.rules)

Pro:

2807986 – ETPRO TROJAN Win32.Inject.mrep Checkin (trojan.rules)
2807987 – ETPRO TROJAN Win32/Spy.Agent.OIA Checkin (trojan.rules)
2807988 – ETPRO TROJAN Win32/Spy.Agent.OIA Checkin 2 (trojan.rules)
2807989 – ETPRO TROJAN Trojan.Win32.Delf.dmhd Checkin (trojan.rules)
[///] Modified active rules: [///]

2014270 – ET TROJAN Backdoor.Win32.RShot Ping Outbound (trojan.rules)
2014271 – ET TROJAN Win32/Cutwail.BE Checkin 1 (trojan.rules)
2014272 – ET TROJAN Win32/Cutwail.BE Checkin 2 (trojan.rules)
2014726 – ET POLICY Outdated Windows Flash Version IE (policy.rules)
2014727 – ET POLICY Outdated Mac Flash Version (policy.rules)
2017558 – ET TROJAN Mevade Checkin (trojan.rules)
2017598 – ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
2018394 – ET TROJAN Common Upatre Header Structure (trojan.rules)
2018412 – ET TROJAN Trojan-Spy.Win32.Zbot.qgxi Checkin (trojan.rules)
2806114 – ETPRO WEB_CLIENT CVE-2013-0092 GetMarkUpPtr Use After free 3 (web_client.rules)
[///] Modified inactive rules: [///]

2018418 – ET CURRENT_EVENTS Possible W32/Zbot.InfoStealer SSL Cert Parallels.com (current_events.rules)
[---] Disabled and modified rules: [---]

2800751 – ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Opcode 117 Buffer Overflow (exploit.rules)
2800752 – ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Opcode 117 Buffer Overflow (exploit.rules)
2800753 – ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Opcode 117 Buffer Overflow (exploit.rules)
2800754 – ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Opcode 117 Buffer Overflow (exploit.rules)
[---] Removed rules: [---]

2001040 – ET MALWARE My Search Bar Install (malware.rules)
2006384 – ET TROJAN Generic Password Stealer Checkin URL Detected (trojan.rules)
2102710 – GPL SQL dbms_offline_og.begin_load buffer overflow attempt (sql.rules)
2102716 – GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt (sql.rules)
2102787 – GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt (sql.rules)
2102794 – GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt (sql.rules)
2102803 – GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt (sql.rules)

Daily Ruleset Update Summary 04/29/2014


[***] Summary: [***]

6 new Open rules, 16 new Pro (6+10). Hicrazyk.A, Win32.VBNA.b, CVE-2014-0515.

[+++] Added rules: [+++]

Open:

2018430 – ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com) (web_client.rules)
2018431 – ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.msn.com) (web_client.rules)
2018432 – ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.bing.com) (web_client.rules)
2018433 – ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.yahoo.com) (web_client.rules)
2018434 – ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption (web_client.rules)
2018435 – ET TROJAN W32/Hicrazyk.A Downloader Install CnC Beacon (trojan.rules)

Pro:

2807990 – ETPRO MALWARE Win32.AirAdInstaller (malware.rules)
2807991 – ETPRO TROJAN Worm.Win32.VBNA.b Checkin 2 (trojan.rules)
2807992 – ETPRO TROJAN Trojan-Downloader.Win32.INService User-Agent (trojan.rules)
2807993 – ETPRO TROJAN Trojan-Downloader.Win32.Small.gri Checkin (trojan.rules)
2807994 – ETPRO TROJAN Trojan-Downloader.Win32.Zlob.aep Checkin (trojan.rules)
2807995 – ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.BS Checkin (mobile_malware.rules)
2807996 – ETPRO TROJAN Worm.Win32.VBNA.b Checkin 3 (trojan.rules)
2807997 – ETPRO TROJAN Worm.Win32.VBNA.b Checkin 5 (trojan.rules)
2807998 – ETPRO EXPLOIT Possible CVE-2014-0515 Flash Buffer Overflow (exploit.rules)
2807999 – ETPRO TROJAN Worm.Win32.VBNA.b Checkin 4 (trojan.rules)
[///] Modified active rules: [///]

2018418 – ET CURRENT_EVENTS Possible W32/Zbot.InfoStealer SSL Cert Parallels.com (current_events.rules)
2018419 – ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA (trojan.rules)
2018422 – ET TROJAN Upatre Binary Download April 28 2014 (trojan.rules)
2806651 – ETPRO MOBILE_MALWARE Android/Spy.Agent.I Checkin (mobile_malware.rules)
2807616 – ETPRO TROJAN Win32/Spy.Agent.OIB Checkin (trojan.rules)

ESG (ENTERPRISE STRATEGY GROUP, INC.) VALIDATES EFFICACY AND PERFORMANCE OF EMERGING THREATS’ ETPRO™ RULESET


LONDON, UK (Infosecurity Europe Booth #K77) – APRIL 30, 2014 – Emerging Threats, a world-leading provider of commercial and open source threat intelligence, today announced that ESG (Enterprise Strategy Group, Inc.) has validated the ETPro™ Ruleset as a cost-effective anti-malware product that provides actionable threat detection that reduces the risk of malware as it increases the operational efficiency of an organization’s security team. Also observed in the report are IQRisk™ Rep List and IQRisk Query, which provide comprehensive threat intelligence based on over a decade of malicious threat data.

ESG’s findings concluded that the ETPro Ruleset was highly effective and delivered 4.7x the malware coverage of the open source ETOpen Ruleset over a 7-day test period. ESG tested the ETPro Ruleset on a Suricata v1.4 IDS engine and validated it with no packet loss at a 9.6 Gbps scan rate. The report concluded that the breadth and depth of the Emerging Threats malware collection, analysis, and countermeasure processes can be used to increase the effectiveness of an IDS/IPS. The ETPro Ruleset is licensed globally to major OEM security appliance vendors as well as end-users, and is deployed in many G2000 organizations.

In addition, ESG also analyzed data from IQRisk Rep List and IQRisk Query. IQRisk Rep List is an actionable IP reputation list based on hundreds of thousands of malicious IP addresses and domains. IQRisk Query is a Web-based threat intelligence portal (also available as an API for integration into a SIEM) that provides easy access to the largest and most comprehensive threat intelligence database, with up to 4 years of historical and contextual threat data searchable by IP address, domain, MD5 hash and ETPro Ruleset SIDs. The report concluded that the automation and visualization provided by IQRisk Rep List and IQRisk Query can deliver actionable threat intelligence that helps security professionals make quick and informed decisions about their up-to-the-minute risk profile.

“Our testing concluded that Emerging Threats IQRisk Suite provides high levels of actionable threat intelligence that can increase malware detection effectiveness,” said Tony Palmer, Senior Lab Analyst ESG. “The ETPro Ruleset leverages the breadth and depth of the Emerging Threats collection, analysis and countermeasure processes to deliver cost-efficient, highly effective protection for IDS/IPS. We were impressed with Emerging Threats’ professionalism and the in-depth knowledge they have gained gathering data on malicious threats for over a decade to provide a more complete threat intelligence solution to their customers.”

The Emerging Threats product portfolio is highly scalable and designed to meet the exacting needs of customers. The company’s IQRisk Suite combines the ETPro Ruleset, IQRisk Rep List and IQRisk Query to provide a comprehensive actionable threat intelligence solution.

“We were excited to see the results of this independent testing on our threat intelligence products and solutions,” said Matt Jonkman, CTO Emerging Threats. “ESG provided expert third-party validation for our customers, prospects and for us internally so we can continue to concentrate on our core competency and provide the best actionable threat intelligence in the industry.”

The complete ESG Lab Validation report can be viewed on the Emerging Threats Resource Webpage and on the ESG Insights and Publications Webpage.

About Emerging Threats

Emerging Threats is a world-leading provider of commercial and open source threat intelligence. Founded in 2003 as a cyber security research community, Emerging Threats has become the de facto standard in network-based malware threat detection. The company’s ETOpen Ruleset, ETPro™ Ruleset, and IQRisk™ Suite of threat intelligence are platform agnostic for easy integration with Suricata, SNORT®, and other network intrusion protection and detection systems. With ETPro Ruleset, organizations can achieve the highest standards of malicious threat detection with world-class support and research for extended vulnerability coverage. ETPro Ruleset is ideal for enterprises, government agencies, financial institutions, SMBs, higher education, and service providers. For more information, please visit http://www.emergingthreats.net.

About ESG

Enterprise Strategy Group (ESG) is an integrated IT research, analysis, and strategy firm that is world-renowned for providing actionable insight and intelligence to the global IT community. Recognized for its unique blend of capabilities—including market research, hands-on technical product validation, and expert consulting methodologies such as the ESG Strategy Lifecycle—ESG is relied upon by IT professionals, technology vendors, investors, and the media to clarify the complex. For more information visit: www.esg-global.com.

© 2014 Emerging Threats Pro, LLC. All rights reserved. All other names and marks are property of their respective owners. ETPro™, IQRisk™, and the ET design are trademarks of Emerging Threats Pro, LLC.

SNORT® is a registered trademark of Sourcefire, Inc.

Daily Ruleset Update Summary 04/30/2014


[***] Summary: [***]

1 new Open rule and 7 new Pro (1+6). AndroidOS.Uten, Waledac.AJ.

Thanks: Kevin Ross and Jake Warren

[+++] Added rules: [+++]

2018436 – ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2 (web_client.rules)
2808000 – ETPRO CURRENT_EVENTS Common Group Indicators Used in Various Targeted 0-day Attacks (current_events.rules)
2808001 – ETPRO MALWARE Win32.Waledac.AJ binary download 1 (malware.rules)
2808002 – ETPRO MALWARE Win32.Waledac.AJ binary download 2 (malware.rules)
2808003 – ETPRO MOBILE_MALWARE Trojan.AndroidOS.Uten.b Checkin (mobile_malware.rules)
2808004 – ETPRO MALWARE Win32.AdWare.Midia (malware.rules)
2808005 – ETPRO TROJAN Win32.Neshta.A checkin 2 (trojan.rules)

Daily Ruleset Update Summary 05/01/2014


[***] Summary: [***]

2 new Open signatures, 7 new Pro (2+5). Various AndroidOS, vpnoverdns.

[+++] Added rules: [+++]

Open:

2018437 – ET TROJAN Trojan-Spy.Win32.Zbot.hmcm Checkin (trojan.rules)
2018438 – ET DNS DNS Query for vpnoverdns – indicates DNS tunnelling (dns.rules)

Pro:

2808006 – ETPRO MOBILE_MALWARE Android/MobileSpy.C!mfb Checkin (mobile_malware.rules)
2808007 – ETPRO MOBILE_MALWARE Android/DroidRooter.B Checkin (mobile_malware.rules)
2808008 – ETPRO MOBILE_MALWARE Trojan.AndroidOS.Ackposts.a Checkin (mobile_malware.rules)
2808009 – ETPRO MOBILE_MALWARE Monitor.AndroidOS.SmBox.a Checkin (mobile_malware.rules)
2808010 – ETPRO MALWARE Win32.Boaxxe.BL windowsupdate connectivity check (malware.rules)
[///] Modified active rules: [///]

2017598 – ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
2018403 – ET TROJAN GENERIC Zbot Based Loader (trojan.rules)

[---] Removed rules: [---]

2805950 – ETPRO TROJAN Trojan-Spy.Win32.Zbot.hmcm Checkin (trojan.rules)
2808001 – ETPRO MALWARE Win32.Waledac.AJ binary download 1 (malware.rules)
2808002 – ETPRO MALWARE Win32.Waledac.AJ binary download 2 (malware.rules)

Daily Ruleset Update Summary 05/02/2014


[***] Summary: [***]

4 new Open signatures, 9 new Pro (4+5). Goon/Infinity EK, Various Android, Apache Struts RCE.

[+++] Added rules: [+++]

Open:

2018439 – ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various Targeted 0-day Attacks (current_events.rules)
2018440 – ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (current_events.rules)
2018441 – ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (current_events.rules)
2018442 – ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (current_events.rules)

Pro:

2808011 – ETPRO EXPLOIT Apache Struts ClassLoader Remote Code Execution (exploit.rules)
2808012 – ETPRO TROJAN unknown google.com connectivity check (trojan.rules)
2808013 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.o Checkin 3 (mobile_malware.rules)
2808014 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.o Checkin 4 (mobile_malware.rules)
2808015 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.o Checkin 5 (mobile_malware.rules)
[---] Removed rules: [---]

2808000 – ETPRO CURRENT_EVENTS Common Group Indicators Used in Various Targeted 0-day Attacks (current_events.rules)

Daily Ruleset Update Summary 05/05/2014


[***] Summary: [***]

7 new Open signatures, 12 new Pro (7+5). Selfint, various lockers, Nuclear EK.

Thanks: Nathan Fowler and Kevin Ross.

[+++] Added rules: [+++]

Open:

2018443 – ET TROJAN W32/Karagany.Downloader CnC Beacon (trojan.rules)
2018447 – ET WEB_CLIENT Base64 Encoded Java Value (web_client.rules)
2018448 – ET TROJAN selfint Checkin (trojan.rules)
2018449 – ET TROJAN Potential Selfint C2 traffic (from server) (trojan.rules)
2018450 – ET TROJAN Potential Selfint C2 traffic (from client) (trojan.rules)
2018451 – ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014 (current_events.rules)
2018452 – ET TROJAN CryptoWall Check-in (trojan.rules)

Pro:

2808016 – ETPRO TROJAN Win32/FakeInit.A Checkin (trojan.rules)
2808017 – ETPRO TROJAN Win32/Injector.BBHJ Checkin (trojan.rules)
2808018 – ETPRO TROJAN Win32.LockScreen.BHI checkin (trojan.rules)
2808019 – ETPRO TROJAN Win32.Ransomlock Checkin (trojan.rules)
2808020 – ETPRO TROJAN Agent-AEMM Checkin Response (trojan.rules)
[///] Modified active rules: [///]

2018437 – ET TROJAN Trojan-Spy.Win32.Zbot.hmcm Checkin (trojan.rules)
2807970 – ETPRO TROJAN Win32/Neurevt.A Checkin 3 (trojan.rules)

Daily Ruleset Update Summary 05/06/2014


[***] Summary: [***]

6 new Pro rules. LoadTubes.A, Reconyc, Open Flash Charts.

[+++] Added rules: [+++]

2808021 – ETPRO MALWARE Win32/AnyProtect.B Checkin (malware.rules)
2808022 – ETPRO WEB_SERVER PHP Open Flash Charts File Upload Attempt (web_server.rules)
2808023 – ETPRO WEB_SERVER PHP Possible Open Flash Direct Access to File Upload Directory (web_server.rules)
2808024 – ETPRO MALWARE Win32/LoadTubes.A Checkin (malware.rules)
2808025 – ETPRO MALWARE Win32/LoadTubes.A Checkin 2 (malware.rules)
2808026 – ETPRO TROJAN Trojan.Win32.Reconyc variant Checkin (trojan.rules)
[///] Modified active rules: [///]

2016527 – ET TROJAN W32/Asprox php.dll.crp POST CnC Beacon (trojan.rules)
2016528 – ET TROJAN W32/Asprox CnC Beacon (trojan.rules)
2018414 – ET CURRENT_EVENTS possible OneLouder downloader installing Zeus P2P (current_events.rules)
[---] Removed rules: [---]

2016019 – ET TROJAN Win32.boCheMan-A/Dexter (trojan.rules)

Daily Ruleset Update Summary 05/07/2014


[***] Summary: [***]

2 Open signatures, 7 Pro (2+5). Upatre, Zbot, Ransomware.

Thanks: @malwaresigs

[+++] Added rules: [+++]

Open:

2018453 – ET CURRENT_EVENTS Upatre Downloader 2p (Zeus) May 07 2014 (current_events.rules)
2018454 – ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct (current_events.rules)

Pro:

2808027 – ETPRO TROJAN Win32/Zbot.C Checkin (trojan.rules)
2808028 – ETPRO TROJAN Troj/Zbot-IEL Checkin (trojan.rules)
2808029 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.cgth Checkin (trojan.rules)
2808030 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2808031 – ETPRO TROJAN Trojan-PSW.Win32.QQShou.ch User-Agent (trojan.rules)
[///] Modified active rules: [///]

2015846 – ET CURRENT_EVENTS NeoSploit Jar with three-letter class names (current_events.rules)
2018441 – ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (current_events.rules)
2807343 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Cova.b Checkin 2 (mobile_malware.rules)

Daily Ruleset Update Summary 05/08/2014


[***] Summary: [***]

2 new Open signatures, 4 new Pro (2+2). Anubis Sinkhole, Zbot, Win32.Banker.

Thanks, Kevin Ross and @MalwareMustDie

[+++] Added rules: [+++]

Open:

2018455 – ET TROJAN DNS Reply Sinkhole – Anubis – 195.22.26.192/26 (trojan.rules)
2018456 – ET TROJAN Unknown *nix Trojan C2 Activity (trojan.rules)

Pro:

2808032 – ETPRO TROJAN Win32/Zbot.BX Checkin (trojan.rules)
2808033 – ETPRO TROJAN Win32.Banker.KMJ Checkin (trojan.rules)
[///] Modified active rules: [///]

2807972 – ETPRO TROJAN Win32/FlyStudio Activity (trojan.rules)

Daily Ruleset Update Summary 05/09/2014


[***] Summary: [***]

7 new Open signatures, 8 new Pro (7+1). Upatre, VBKrypt, Marag.f.

Thanks: Kevin Ross and @MalwareMustDie

[+++] Added rules: [+++]

Open:

2017348 – ET TROJAN Trojan.Win32.VBKrypt.cugq Checkin (trojan.rules)
2018457 – ET TROJAN Possible Upatre Downloader SSL certificate (fake loc) (trojan.rules)
2018458 – ET MALWARE DomainIQ Check-in (malware.rules)
2018459 – ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound) (web_server.rules)
2018460 – ET CURRENT_EVENTS Possible Upatre SSL Compromised site iclasshd.net (current_events.rules)
2018461 – ET CURRENT_EVENTS Possible Upatre SSL Compromised site sabzevarsez.com (current_events.rules)
2018462 – ET TROJAN W32/Fsysna.Downloader CnC Beacon (trojan.rules)

Pro:

2808034 – ETPRO TROJAN Worm.Win32.Marag.f Checkin (trojan.rules)
[///] Modified active rules: [///]

2013201 – ET TROJAN Win32/Rodecap CnC Checkin (trojan.rules)
2013723 – ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin (trojan.rules)
2014356 – ET TROJAN W32/ProxyChanger.InfoStealer Checkin (trojan.rules)
2018005 – ET TROJAN Possible Upatre Downloader SSL certificate (fake org) (trojan.rules)
2018413 – ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P) (current_events.rules)
2018448 – ET TROJAN Selfnit Checkin (trojan.rules)

[---] Removed rules: [---]

2014964 – ET CURRENT_EVENTS Hacked Website Response ‘/*km0ae9gr6m*/’ Jun 25 2012 (current_events.rules)
2014965 – ET CURRENT_EVENTS Hacked Website Response ‘/*qhk6sa6g1c*/’ Jun 25 2012 (current_events.rules)
2017348 – ET USER_AGENTS Trojan.Win32.VBKrypt.cugq Checkin (user_agents.rules)
2803321 – ETPRO TROJAN Win32/Rodecap.A Checkin (trojan.rules)

Daily Ruleset Update Summary 05/12/2014


[***] Summary: [***]

2 new Open signatures, 5 new Pro (2+3). OneLouder, Various Android.

Thanks: @EKWatcher

[+++] Added rules: [+++]

Open:

2018463 – ET CURRENT_EVENTS possible OneLouder header structure (current_events.rules)
2018464 – ET CURRENT_EVENTS OneLouder EXE download possibly installing Zeus P2P (current_events.rules)

Pro:

2808035 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.fe Checkin (mobile_malware.rules)
2808036 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.QO Checkin (mobile_malware.rules)
2808037 – ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.cw Checkin 2 (mobile_malware.rules)
[///] Modified active rules: [///]

2018330 – ET CURRENT_EVENTS DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit (current_events.rules)
2018367 – ET MALWARE W32/iBryte.Adware Affiliate Campaign Executable Download (malware.rules)
2018407 – ET CURRENT_EVENTS Fiesta URI Struct (current_events.rules)
[---] Removed rules: [---]

2000016 – ET DOS SSL Bomb DoS Attempt (dos.rules)
2803188 – ETPRO TROJAN Cnaddare.A/Fednu.c/Adware Checkin to Server flowbit set (trojan.rules)
2803189 – ETPRO TROJAN Cnaddare.A/Fednu.c/Adware Response from CnC Server (trojan.rules)

May 2014 Microsoft Tuesday Coverage


Bulletin   CVE         Title                                                                             Notes                ET Pro Coverage
--------   ---------   -------------------------------------------------------------------------------   -------------------  ---------------
MS14-022   2014-1754   Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution  Exploit Code Likely  2808039
MS14-029   2014-0310   Internet Explorer Memory Corruption Vulnerability                                 Exploit Code Likely  2808038
MS14-029   2014-1815   Internet Explorer Memory Corruption Vulnerability                                 Exploit Code Likely  2808040-2808041

Daily Ruleset Update Summary 05/13/2014


[***] Summary: [***]

4 new Open rules, 8 new Pro (4+4). Patch Tuesday, PandoraRat.

Thanks: Jaime Blasco.

[+++] Added rules: [+++]

Open:

2018465 – ET TROJAN Possible Backdoor.Adwind Download 2 (trojan.rules)
2018466 – ET TROJAN Possible Backdoor.Unrecom Download (trojan.rules)
2018467 – ET TROJAN PandoraRat/Refroso.bsp Activity (trojan.rules)
2018468 – ET TROJAN PandoraRat/Refroso.bsp Directory Listing Sent To Server (trojan.rules)

Pro:

2808038 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0310) (web_client.rules)
2808039 – ETPRO WEB_SERVER Microsoft SharePoint ThemeOverride reflected XSS attempt (2014-1754) (web_server.rules)
2808040 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)
2808041 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)

[///] Modified active rules: [///]

2014726 – ET POLICY Outdated Windows Flash Version IE (policy.rules)
2017812 – ET CURRENT_EVENTS Safe/CritX/FlashPack URI with Windows Plugin-Detect Data (current_events.rules)
2018419 – ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA (trojan.rules)
