
Daily Ruleset Update Summary 05/14/2014


[***] Summary: [***]

10 new Open signatures, 16 new Pro (10+6). Various Android, FlashPack, Alina.

Thanks: vlintelligence, Kevin Ross and Nathan Fowler.

[+++] Added rules: [+++]

Open:

2018138 – ET MOBILE_MALWARE Android/FakeKakao checkin 1 (mobile_malware.rules)
2018139 – ET MOBILE_MALWARE Android/FakeKakao checkin 2 (mobile_malware.rules)
2018140 – ET MOBILE_MALWARE Android/FakeKakao checkin 3 (mobile_malware.rules)
2018469 – ET CURRENT_EVENTS DRIVEBY FlashPack 2013-2551 May 13 2014 (current_events.rules)
2018470 – ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2013.php (current_events.rules)
2018471 – ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2014.php (current_events.rules)
2018472 – ET CURRENT_EVENTS DRIVEBY FlashPack Plugin-Detect May 13 2014 (current_events.rules)
2018473 – ET TROJAN W32/Alina.POS-Trojan CnC Beacon (trojan.rules)
2018474 – ET TROJAN W32/HelloBridge.Backdoor Register CnC Beacon (trojan.rules)
2018475 – ET TROJAN W32/HelloBridge.Backdoor Login CnC Beacon (trojan.rules)

Pro:

2808042 – ETPRO TROJAN MSIL/PSW.Agent.NUM Checkin (trojan.rules)
2808043 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ao / Cardbuyer Checkin (mobile_malware.rules)
2808044 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ao / Cardbuyer Checkin 2 (mobile_malware.rules)
2808045 – ETPRO MOBILE_MALWARE Android/AdDisplay.BatteryDoctor.A Checkin (mobile_malware.rules)
2808046 – ETPRO MOBILE_MALWARE Android/AdDisplay.BatteryDoctor.A Checkin 2 (mobile_malware.rules)
2808047 – ETPRO TROJAN Trojan.Win32.Agent.afaxi Checkin (trojan.rules)

[///] Modified active rules: [///]

2011588 – ET TROJAN Zeus Bot Request to CnC (trojan.rules)
2017813 – ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (current_events.rules)
2017895 – ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013 (current_events.rules)
2018440 – ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (current_events.rules)

[---] Removed rules: [---]

2018138 – ET TROJAN Android/FakeKakao checkin 1 (trojan.rules)
2018139 – ET TROJAN Android/FakeKakao checkin 2 (trojan.rules)
2018140 – ET TROJAN Android/FakeKakao checkin 3 (trojan.rules)


Daily Ruleset Update Summary 05/15/2014


[***] Summary: [***]

5 new Open rules, 8 new Pro (5+3). Win32.Tesch.A, Reconyc.bicp, Wysotot.A.

[+++] Added rules: [+++]

Open:

2018195 – ET MALWARE BetterInstaller (malware.rules)
2018476 – ET TROJAN Downloader.Win32.Tesch.A Client CnC Checkin (trojan.rules)
2018477 – ET TROJAN Downloader.Win32.Tesch.A Server CnC Checkin Reply (trojan.rules)
2018478 – ET TROJAN Downloader.Win32.Tesch.A Client File Download Command (trojan.rules)
2018479 – ET TROJAN Downloader.Win32.Tesch.A Server CnC Sending Executable (trojan.rules)

Pro:

2807412 – ETPRO MALWARE Win32/Wysotot.A Checkin (malware.rules)
2808048 – ETPRO MALWARE Adware.Downware.3180 Installer Request (malware.rules)
2808049 – ETPRO TROJAN Trojan.Win32.Reconyc.bicp Checkin (trojan.rules)

[///] Modified active rules: [///]

2803851 – ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via option element (web_client.rules)
2806847 – ETPRO TROJAN WIN32/KOVTER.B Checkin (trojan.rules)

[---] Removed rules: [---]

2008036 – ET MALWARE 360safe.com related Fake Security Product Update (malware.rules)
2018195 – ET TROJAN Win32.Sefnit (trojan.rules)
2807412 – ETPRO TROJAN Win32/Wysotot.A Checkin (trojan.rules)

Daily Ruleset Update Summary 05/16/2014

[***] Summary: [***]

2 new Open. 6 new Pro (2/4). Upatre, Webprefix, etc. Thanks @EKWatcher.

[+++] Added rules: [+++]

Open:

2018480 – ET CURRENT_EVENTS Possible Upatre SSL Compromised site dfsdirect.ca (current_events.rules)
2018481 – ET TROJAN Trojan.Win32.Webprefix checkin (trojan.rules)

Pro:

2808050 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.jgb Checkin (trojan.rules)
2808051 – ETPRO MALWARE Besttoolbars checkin (malware.rules)
2808052 – ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin (mobile_malware.rules)
2808053 – ETPRO MOBILE_MALWARE Android/SmsSend.ET Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2015969 – ET TROJAN WORM_VOBFUS Requesting exe (trojan.rules)
2018435 – ET TROJAN W32/Hicrazyk.A Downloader Install CnC Beacon (trojan.rules)

Daily Ruleset Update Summary 05/19/2014


[***] Summary: [***]

7 new Open signatures, 11 new Pro (7+4). ELF IRCBot, PCRat/Gh0st, RapidStealer.A.

Thanks: @MalwareMustDie

[+++] Added rules: [+++]

Open:

2018482 – ET TROJAN Possible Zendran ELF IRCBot Joining Channel (trojan.rules)
2018483 – ET TROJAN Possible Zendran ELF IRCBot Joining Channel 2 (trojan.rules)
2018484 – ET TROJAN Possible Zendran ELF IRCBot Server Banner (trojan.rules)
2018485 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32 (trojan.rules)
2018486 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33 (trojan.rules)
2018487 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34 (trojan.rules)
2018488 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35 (trojan.rules)

Pro:

2808054 – ETPRO TROJAN MSIL/RapidStealer.A FTP Activity 1 (set) (trojan.rules)
2808055 – ETPRO TROJAN MSIL/RapidStealer.A FTP Activity 1 (trojan.rules)
2808056 – ETPRO TROJAN MSIL/RapidStealer.A FTP Activity 2 (set) (trojan.rules)
2808057 – ETPRO TROJAN MSIL/RapidStealer.A FTP Activity 2 (trojan.rules)

[///] Modified active rules: [///]

2018117 – ET TROJAN Possible Sinkhole banner (trojan.rules)
2018407 – ET CURRENT_EVENTS Fiesta URI Struct (current_events.rules)

[---] Removed rules: [---]

2016112 – ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (1) (current_events.rules)
2016143 – ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (2) (current_events.rules)
2807885 – ETPRO TROJAN Backdoor.Win32/Fynloski.A CnC command (OUTBOUND) 2 (trojan.rules)
2807953 – ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)

Daily Ruleset Update Summary 05/19/2014 – Part 2


[***] Summary: [***]

7 new Pro signatures. Various AndroidOS, Cueisfry, DownWare.

[+++] Added rules: [+++]

2808058 – ETPRO MALWARE Win32/DownWare.L Checkin (malware.rules)
2808059 – ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.de Checkin 3 (mobile_malware.rules)
2808060 – ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.de Checkin 4 (mobile_malware.rules)
2808061 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.ks Checkin (mobile_malware.rules)
2808062 – ETPRO TROJAN Win32/Cueisfry.A Checkin (trojan.rules)
2808063 – ETPRO TROJAN Win32/Spy.Banker.AAVM Checkin (trojan.rules)
2808064 – ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.du Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2008512 – ET TROJAN Suspicious User-Agent (C slash) (trojan.rules)
2806847 – ETPRO TROJAN WIN32/KOVTER.B Checkin (trojan.rules)

Daily Ruleset Update Summary 05/20/2014


[***] Summary: [***]

5 Open signatures, 8 Pro (5+3). MiniDuke, Upatre, Sweet Orange, Various AndroidOS.

[+++] Added rules: [+++]

Open:

2018489 – ET SCAN NMAP OS Detection Probe (scan.rules)
2018490 – ET CURRENT_EVENTS .gadget Email Attachment – Possible Upatre (current_events.rules)
2018491 – ET TROJAN MiniDuke Checkin (trojan.rules)
2018492 – ET TROJAN Upatre SSL Cert May 20 2014 (trojan.rules)
2018493 – ET CURRENT_EVENTS Sweet Orange WxH redirection (current_events.rules)

Pro:

2808065 – ETPRO TROJAN Downloader.Win32/Small.gen!Z exe Download (trojan.rules)
2808066 – ETPRO MOBILE_MALWARE Android/SMSreg.GQ Checkin (mobile_malware.rules)
2808067 – ETPRO MOBILE_MALWARE Trojan.AndroidOS.Koler.a Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2807071 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.PS Checkin (mobile_malware.rules)

[///] Modified inactive rules: [///]

2000545 – ET SCAN NMAP -f -sV (scan.rules)
2001191 – ET EXPLOIT libPNG – Width exceeds limit (exploit.rules)

Daily Ruleset Update Summary 05/21/2014


[***] Summary: [***]

5 new Open signatures, 8 new Pro (5+3). OneLouder, Upatre, CVE-2014-3120, Zeus.

Thanks: Jake Warren, Nathan Fowler, @EKwatcher.

[+++] Added rules: [+++]

Open:

2018463 – ET TROJAN possible OneLouder header structure (trojan.rules)
2018464 – ET TROJAN OneLouder EXE download possibly installing Zeus P2P (trojan.rules)
2018494 – ET CURRENT_EVENTS Possible Upatre SSL Compromised site bloggershop.co.vu (current_events.rules)
2018495 – ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt (web_server.rules)
2018496 – ET TROJAN Win32/Necurs Checkin (trojan.rules)

Pro:

2808068 – ETPRO TROJAN Win32/Nadeomi.A Checkin (trojan.rules)
2808069 – ETPRO MALWARE Adware.iBryte.Z Checkin (malware.rules)
2808070 – ETPRO TROJAN Downloader (P2P Zeus dropper UA) (trojan.rules)

[+++] Enabled and modified rules: [+++]

2018489 – ET SCAN NMAP OS Detection Probe (scan.rules)

[///] Modified active rules: [///]

2018394 – ET TROJAN Common Upatre Header Structure (trojan.rules)
2018454 – ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct (current_events.rules)

[///] Modified inactive rules: [///]

2001407 – ET POLICY hidden zip extension .pif (policy.rules)
2001408 – ET POLICY hidden zip extension .scr (policy.rules)

[---] Removed rules: [---]

2001424 – ET POLICY Gmail Inbox Access (policy.rules)
2001425 – ET POLICY Gmail File Send (policy.rules)
2001426 – ET POLICY Gmail Message Send (policy.rules)

Daily Ruleset Update Summary 05/22/2014


[***] Summary: [***]

6 new Pro signatures. Various AndroidOS, Angler EK.

[+++] Added rules: [+++]

2808071 – ETPRO MALWARE Win32/AnyProtect.B Checkin 2 (malware.rules)
2808072 – ETPRO MALWARE Win32/SquareNet.A Checkin (malware.rules)
2808073 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.bo Checkin 4 (mobile_malware.rules)
2808074 – ETPRO MALWARE AdWare.Win32.MMag.d Checkin (malware.rules)
2808075 – ETPRO MOBILE_MALWARE Android.Adware.KyView.A Checkin (mobile_malware.rules)
2808076 – ETPRO CURRENT_EVENTS DRIVEBY Angler EK Landing May 22 2014 (current_events.rules)

[///] Modified active rules: [///]

2018496 – ET TROJAN Win32/Necurs Checkin (trojan.rules)
2808021 – ETPRO MALWARE Win32/AnyProtect.B Checkin (malware.rules)

[---] Removed rules: [---]

2001523 – ET MALWARE Statblaster Receiving New configuration (allfiles) (malware.rules)
2014369 – ET CURRENT_EVENTS Blackhole Landing with prototype catch (current_events.rules)


Daily Ruleset Update Summary 05/23/2014


[***] Summary: [***]

3 new Open rules, 5 new Pro (3+2). Angler EK, Styx, Urausy.

Thanks: Jake Warren, Ryan Moon, @kafeine.

[+++] Added rules: [+++]

Open:

2018497 – ET CURRENT_EVENTS Angler EK SilverLight Payload Request – May 2014 (current_events.rules)
2018498 – ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit 2 (current_events.rules)
2018499 – ET TROJAN Win32/Urausy.C response (trojan.rules)

Pro:

2808077 – ETPRO TROJAN Trojan-Dropper.Win32.Dorifel.akod Checkin (trojan.rules)
2808078 – ETPRO TROJAN Win32/Webprefix.B Checkin (trojan.rules)

[///] Modified active rules: [///]

2001990 – ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt (exploit.rules)
2007616 – ET USER_AGENTS klm123.com Spyware User Agent (user_agents.rules)
2017903 – ET TROJAN Win32/Urausy.C Checkin 4 (trojan.rules)

[---] Removed rules: [---]

2807349 – ETPRO TROJAN W32.Rontokbro variant (trojan.rules)

Daily Ruleset Update Summary 05/27/2014


[***] Summary: [***]

4 new Open rules, 8 new Pro (4+4). Gongda EK, Acrobat Reader Vulnerabilities.

Thanks: @MalwareSigs

[+++] Added rules: [+++]

Open:

2018500 – ET CURRENT_EVENTS Metasploit Various Java Exploit Common Class name (current_events.rules)
2018501 – ET CURRENT_EVENTS Gongda EK Secondary Landing (current_events.rules)
2018502 – ET CURRENT_EVENTS Gongda EK Landing 1 (current_events.rules)
2018503 – ET CURRENT_EVENTS Gongda EK Landing 2 (current_events.rules)

Pro:

2808079 – ETPRO EXPLOIT Advantech WebAccess SQL Injection (exploit.rules)
2808080 – ETPRO EXPLOIT Symantec Workspace Streaming Arbitrary File Upload (exploit.rules)
2808081 – ETPRO WEB_CLIENT Acrobat Reader Possible CVE-2014-0527 Use After Free (web_client.rules)
2808082 – ETPRO WEB_CLIENT Acrobat Reader Possible CVE-2014-0527 Use After Free (web_client.rules)

[///] Modified active rules: [///]

2017584 – ET TROJAN CryptoLocker Ransomware check-in (trojan.rules)

Daily Ruleset Update Summary 05/28/2014


[***] Summary: [***]

3 new Open signatures, 13 new Pro (3+10). Zeus.BitcoinMiner, Various AndroidOS, Necurs, OneLouder.

Thanks: Nathan Fowler, Kevin Ross, and Ryan Moon.

[+++] Added rules: [+++]

Open:

2018504 – ET TROJAN W32/Zeus.BitcoinMiner Variant CnC Beacon (trojan.rules)
2018505 – ET CURRENT_EVENTS food.com compromise hostile JavaScript gate (current_events.rules)
2018506 – ET TROJAN Upatre Compromised Site hot-buys (trojan.rules)

Pro:

2808083 – ETPRO SNMP R7-2014-01 Brocade load balancer credential stealing attempt (snmp.rules)
2808084 – ETPRO SNMP R7-2014-02 Ubee cable modem credential stealing attempt 1 (snmp.rules)
2808085 – ETPRO SNMP R7-2014-02 Ubee cable modem credential stealing attempt 2 (snmp.rules)
2808086 – ETPRO SNMP R7-2014-03 Netopia/Motorola cable modem credential stealing attempt (snmp.rules)
2808087 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Cynos.b Checkin (mobile_malware.rules)
2808088 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Cynos.b Checkin 2 (mobile_malware.rules)
2808089 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Cynos.b Checkin 3 (mobile_malware.rules)
2808090 – ETPRO TROJAN Win32/Necurs Checkin 4 (trojan.rules)
2808091 – ETPRO MALWARE Win32/AdWare.SmartApps Checkin (malware.rules)
2808092 – ETPRO TROJAN Win32/Tandfuy.B Checkin (trojan.rules)

[+++] Enabled and modified rules: [+++]

2018463 – ET TROJAN possible OneLouder header structure (trojan.rules)
2018464 – ET TROJAN OneLouder EXE download possibly installing Zeus P2P (trojan.rules)

[///] Modified active rules: [///]

2018496 – ET TROJAN Win32/Necurs Checkin (trojan.rules)

Daily Ruleset Update Summary 05/29/2014


[***] Summary: [***]

1 new Open rule, 5 new Pro (1+4). Win32.Genome, Win32.SquareNet, Win32.KRBanker.

[+++] Added rules: [+++]

Open:

2018507 – ET TROJAN Trojan-Dropper.Win32.Agent.ksja (trojan.rules)

Pro:

2808093 – ETPRO TROJAN Trojan-Downloader.Win32.Genome.gxkt Checkin (trojan.rules)
2808094 – ETPRO MALWARE Win32/SquareNet.A Checkin 2 (malware.rules)
2808095 – ETPRO TROJAN Trojan/W32.KRBanker.60928.C Checkin (trojan.rules)
2808096 – ETPRO MALWARE Win32/Bundlore.D Checkin (malware.rules)

[///] Modified active rules: [///]

2002019 – ET MALWARE jmnad1.com Spyware Install (1) (malware.rules)
2003337 – ET MALWARE Suspicious User Agent (Autoupdate) (malware.rules)
2014337 – ET CURRENT_EVENTS RogueAV WordPress Injection Campaign Compromised Page Served to Local Client (current_events.rules)
2017588 – ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon (mobile_malware.rules)
2018424 – ET TROJAN W32/MadnessPro.DDOSBot CnC Beacon (trojan.rules)
2018505 – ET CURRENT_EVENTS food.com compromise hostile JavaScript gate (current_events.rules)
2806842 – ETPRO TROJAN Win32/Agent.UZD/Socks5systemz Checkin (trojan.rules)

[---] Removed rules: [---]

2003637 – ET TROJAN Inject.BV Trojan User Agent Detected (faserx) (trojan.rules)
2007286 – ET TROJAN Feral Checkin via HTTP (trojan.rules)
2008532 – ET TROJAN Bifrose Connect to Controller (variant 2) (trojan.rules)
2008664 – ET TROJAN Generic Dropper HTTP Bot grabbing config (trojan.rules)
2009814 – ET TROJAN Downloader (Win32.Doneltart) Checkin – HTTP GET (trojan.rules)
2013191 – ET CURRENT_EVENTS Client Visiting cssminibar.js Injected Website Malware Related (current_events.rules)
2013424 – ET TROJAN W32/UFR POST to CnC (trojan.rules)
2015833 – ET TROJAN Citadel API Access Video Controller (Outbound) (trojan.rules)
2805832 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.FA / Trojan-SMS.AndroidOS.Opfake.a Checkin (mobile_malware.rules)
2806126 – ETPRO CURRENT_EVENTS Request to malicious land.php mobile drive-by landing (current_events.rules)
2806140 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 4 (mobile_malware.rules)
2807746 – ETPRO TROJAN Trojan-Spy.Win32.Zbot.rptb Checkin (trojan.rules)

Daily Ruleset Update Summary 05/30/2014

[***] Summary: [***]

4 new Open rules, 12 new Pro (4+8). Angler, Sality, etc. Thanks to tdzmont, @EKwatcher.

[+++] Added rules: [+++]

Open:
2018508 – ET TROJAN Sality gtalk connectivity check (trojan.rules)
2018509 – ET CURRENT_EVENTS Angler EK encrypted binary (5) (current_events.rules)
2018510 – ET CURRENT_EVENTS Angler EK encrypted binary (6) (current_events.rules)
2018511 – ET CURRENT_EVENTS Angler EK encrypted binary (7) (current_events.rules)

Pro:

2808097 – ETPRO MALWARE Win32/Bundlore.D Checkin 2 (malware.rules)
2808098 – ETPRO TROJAN Trojan-Downloader.Win32.Small.ago Checkin (trojan.rules)
2808099 – ETPRO TROJAN qq.com C2 – SET (trojan.rules)
2808100 – ETPRO TROJAN qq.com C2 response (trojan.rules)
2808101 – ETPRO MOBILE_MALWARE Android/UUPAY.B Checkin (mobile_malware.rules)
2808102 – ETPRO MOBILE_MALWARE Android/Uten.A Checkin (mobile_malware.rules)
2808103 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Vsas.a Checkin (mobile_malware.rules)
2808104 – ETPRO TROJAN Win32/HiddenStart.B Checkin (trojan.rules)

[///] Modified active rules: [///]

2018403 – ET TROJAN GENERIC Zbot Based Loader (trojan.rules)
2018497 – ET CURRENT_EVENTS Angler EK SilverLight Payload Request – May 2014 (current_events.rules)

[---] Removed rules: [---]

2018424 – ET TROJAN W32/MadnessPro.DDOSBot CnC Beacon (trojan.rules)
2018437 – ET TROJAN Trojan-Spy.Win32.Zbot.hmcm Checkin (trojan.rules)

Daily Ruleset Update Summary 06/02/2014


[***] Summary: [***]

3 new Open signatures, 18 new Pro (3+15). Jukbot.B, Zusy variant, Reconyc, DownloadGuide.A.

[+++] Added rules: [+++]

Open:

2018512 – ET MALWARE Adware.MultiInstaller (malware.rules)
2018513 – ET MALWARE PUP Win32/DownloadGuide.A (malware.rules)
2018514 – ET CURRENT_EVENTS Possible Malicious Injected Redirect June 02 2014 (current_events.rules)

Pro:

2808105 – ETPRO TROJAN Win32/Jukbot.B Checkin 2 (trojan.rules)
2808106 – ETPRO TROJAN Win32/Jukbot.B Checkin 3 (trojan.rules)
2808107 – ETPRO TROJAN Win32/Jukbot.B Checkin 4 (trojan.rules)
2808108 – ETPRO TROJAN Win32/Jukbot.B Checkin 5 (trojan.rules)
2808109 – ETPRO TROJAN Win32/Jukbot.B Checkin 6 (trojan.rules)
2808110 – ETPRO TROJAN Win32/Jukbot.B Checkin 7 (trojan.rules)
2808111 – ETPRO TROJAN Win32/Jukbot.B Checkin 8 (trojan.rules)
2808112 – ETPRO TROJAN Win32/Jukbot.B Checkin 9 (trojan.rules)
2808113 – ETPRO TROJAN Win32/Jukbot.B Checkin 10 (trojan.rules)
2808114 – ETPRO TROJAN Win32/Jukbot.B Checkin 11 (trojan.rules)
2808115 – ETPRO TROJAN Win32/Jukbot.B Checkin 12 (trojan.rules)
2808116 – ETPRO TROJAN Win32/Jukbot.B Checkin 13 (trojan.rules)
2808117 – ETPRO TROJAN Win32.Reconyc.bqcf Checkin (trojan.rules)
2808118 – ETPRO TROJAN Variant.Zusy.84374 Checkin (trojan.rules)
2808120 – ETPRO TROJAN Trojan-PSW.Win32.Tepfer.tlha Checkin (trojan.rules)

[///] Modified active rules: [///]

2018507 – ET TROJAN Trojan-Dropper.Win32.Agent.ksja (trojan.rules)
2806155 – ETPRO TROJAN Worm.Win32.Vobfus Checkin 3 (trojan.rules)
2807163 – ETPRO MALWARE Adware/AccesMembre Checkin (malware.rules)
2807553 – ETPRO TROJAN Win32/Jukbot.B Checkin 14 (trojan.rules)
2807570 – ETPRO TROJAN Win32/Jukbot.B Checkin (trojan.rules)
2807970 – ETPRO TROJAN Win32/Neurevt.A Checkin 3 (trojan.rules)

[///] Modified inactive rules: [///]

2007962 – ET TROJAN Vipdataend C&C Traffic Checkin (trojan.rules)

[---] Removed rules: [---]

2803232 – ETPRO TROJAN Variant.Downloader.119 Checkin (trojan.rules)
2803361 – ETPRO TROJAN W32.Swisyn.86016.V Checkin (trojan.rules)
2808065 – ETPRO TROJAN Downloader.Win32/Small.gen!Z exe Download (trojan.rules)
2808092 – ETPRO TROJAN Win32/Tandfuy.B Checkin (trojan.rules)

Daily Ruleset Update Summary 06/03/2014


[***] Summary: [***]

3 new Open signatures, 8 new Pro (3+5). Various Android, iBryte, FBI sinkhole.

Thanks: @kafeine and @jaimeblascob

[+++] Added rules: [+++]

Open:

2018515 – ET TROJAN SSL Cert Observed with Unkown Trojan (statswas) (trojan.rules)
2018516 – ET TROJAN Win32/Spy.Banker.AAQD Checkin (trojan.rules)
2018517 – ET DNS Reply Sinkhole FBI Zeus P2P 1 – 142.0.36.234

Pro:

2808121 – ETPRO TROJAN Trojan.DownLoader9.62529 Checkin (trojan.rules)
2808122 – ETPRO MALWARE Win32.AdWare.iBryte Install (malware.rules)
2808123 – ETPRO MOBILE_MALWARE Android/SmsSend.AL Checkin (mobile_malware.rules)
2808124 – ETPRO MOBILE_MALWARE Android.Adware.Wapsx.J Checkin (mobile_malware.rules)
2808125 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.gy Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2017813 – ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (current_events.rules)
2807245 – ETPRO TROJAN Variant.Zusy.71154 Checkin (trojan.rules)

[---] Disabled and modified rules: [---]

2018330 – ET CURRENT_EVENTS DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit (current_events.rules)

[---] Removed rules: [---]

2807983 – ETPRO TROJAN Win32/Spy.Banker.AAQD Checkin (trojan.rules)


Daily Ruleset Update Summary 06/04/2014


[***] Summary: [***]

12 new Open rules, 19 new Pro (12+7). Soraya, Various Android.

Thanks: Jake Warren and @jaimeblascob.

[+++] Added rules: [+++]

Open:

2018518 – ET TROJAN Trojan.Win32.VBKrypt.cugq Checkin (trojan.rules)
2018519 – ET TROJAN Soraya C2 User-Agent (trojan.rules)
2018520 – ET MOBILE_MALWARE AndroidOS/Lotoor.Q (mobile_malware.rules)
2018522 – ET TROJAN Soraya C2 User-Agent (default) (trojan.rules)
2018523 – ET TROJAN Soraya C2 User-Agent (rhyno321) (trojan.rules)
2018524 – ET TROJAN Soraya C2 User-Agent (SBTCM) (trojan.rules)
2018525 – ET TROJAN Soraya C2 User-Agent (slayer) (trojan.rules)
2018526 – ET TROJAN Soraya C2 User-Agent (Vulture) (trojan.rules)
2018527 – ET TROJAN Soraya C2 User-Agent (VHIbot/1.0) (trojan.rules)
2018528 – ET TROJAN Soraya C2 User-Agent (xehanort321) (trojan.rules)
2018529 – ET TROJAN Soraya C2 User-Agent (x09) (trojan.rules)
2018530 – ET TROJAN Win32.Trojan.Agent.U3D7V0 Checkin (trojan.rules)

Pro:

2808127 – ETPRO MOBILE_MALWARE Android/AndroBack.A Checkin (mobile_malware.rules)
2808128 – ETPRO MOBILE_MALWARE Android/AndroBack.A Checkin 2 (mobile_malware.rules)
2808129 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.gl Checkin (mobile_malware.rules)
2808130 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.gl Checkin 2 (mobile_malware.rules)
2808131 – ETPRO MOBILE_MALWARE Android.Trojan.FakeBank.K Checkin (mobile_malware.rules)
2808132 – ETPRO CURRENT_EVENTS DRIVEBY Malicious Plugin Detect URI struct (current_events.rules)
2808133 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.fv Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2003480 – ET POLICY Radmin Remote Control Session Setup Response (policy.rules)
2003482 – ET POLICY Radmin Remote Control Session Authentication Response (policy.rules)
2008567 – ET TROJAN Win32.Crypt.nc Checkin (trojan.rules)
2806155 – ETPRO TROJAN Worm.Win32.Vobfus Checkin 3 (trojan.rules)
2806881 – ETPRO TROJAN TrojanProxy.Win32/Hioles.B CnC (trojan.rules)

[---] Removed rules: [---]

2017348 – ET TROJAN Trojan.Win32.VBKrypt.cugq Checkin (trojan.rules)
2802092 – ETPRO TROJAN Trojan.Win32.VBKrypt.cugq Checkin (trojan.rules)
2807910 – ETPRO TROJAN Win32/Injector.BANJ Checkin (trojan.rules)

Daily Ruleset Update Summary 06/05/2014


[***] Summary: [***]

5 new Open, 9 new Pro (5+4). Various Android, CottonCastle EK, Win32.Ammyy.z.

Thanks: @rmkml and @kafeine.

[+++] Added rules: [+++]

Open:

2018532 – ET P2P zzima_loader (p2p.rules)
2018533 – ET MOBILE_MALWARE Android.Adware.Wapsx.A (mobile_malware.rules)
2018534 – ET CURRENT_EVENTS CottonCastle EK URI Struct (current_events.rules)
2018535 – ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014 (current_events.rules)
2018536 – ET CURRENT_EVENTS CottonCastle EK Landing EK Struct (current_events.rules)

Pro:

2806289 – ETPRO POLICY RemoteAdmin Win32.Ammyy.z Checkin (policy.rules)
2808134 – ETPRO MOBILE_MALWARE Android.Trojan.Dplug.A Checkin (mobile_malware.rules)
2808135 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Checkin (mobile_malware.rules)
2808136 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Response (mobile_malware.rules)

[///] Modified active rules: [///]

2017467 – ET CURRENT_EVENTS CottonCastle EK Java Jar (current_events.rules)
2017945 – ET TROJAN Adware.PUQD Checkin (trojan.rules)
2018530 – ET TROJAN Win32.Trojan.Agent.U3D7V0 Checkin (trojan.rules)
2805446 – ETPRO TROJAN Win32/Recslurp.A Checkin (trojan.rules)
2808122 – ETPRO MALWARE Win32.AdWare.iBryte Install (malware.rules)

[---] Removed rules: [---]

2806289 – ETPRO TROJAN RemoteAdmin Win32.Ammyy.z Checkin (trojan.rules)

Daily Ruleset Update Summary 06/06/2014


[***] Summary: [***]

7 new Open signatures, 9 new Pro (7+2). GnuTLS vuln, Upatre, PirritSuggestor, Neverquest.

Thanks: tdzmont, Kevin Ross, Alexandre Dulaunoy

[+++] Added rules: [+++]

Open:

2018537 – ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466 (web_client.rules)
2018538 – ET CURRENT_EVENTS tor2www .onion Proxy SSL cert (current_events.rules)
2018539 – ET CURRENT_EVENTS TorExplorer Certificate – Potentially Linked To W32/Cryptowall.Ransomware (current_events.rules)
2018540 – ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash0515.php (current_events.rules)
2018541 – ET CURRENT_EVENTS PlugX/Destory HTTP traffic (current_events.rules)
2018542 – ET CURRENT_EVENTS Possible Upatre SSL Cert (current_events.rules)
2018543 – ET CURRENT_EVENTS Neverquest/Wawtrak Posting Data (current_events.rules)

Pro:

2808137 – ETPRO MALWARE Spyware PirritSuggestor.A (malware.rules)
2808138 – ETPRO MOBILE_MALWARE Android/Battpatch.A Checkin (mobile_malware.rules)

[///] Modified active rules: [///]

2017813 – ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (current_events.rules)
2806053 – ETPRO MALWARE ADWARE/InstallCore.Gen Checkin (malware.rules)

Daily Ruleset Update Summary 06/09/2014


[***] Summary: [***]

9 new Open. 13 new Pro (9/4). CottonCastle, Etumbot.B, etc. Special thanks to Jason Jones and Arbor Networks for allowing us to put the EtumBot signatures into the Open ruleset. See their excellent write-up here: http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/

[+++] Added rules: [+++]

Open:
2018544 – ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014 2 (current_events.rules)
2018545 – ET CURRENT_EVENTS CottonCastle EK Jar Download Method 2 (current_events.rules)
2018546 – ET TROJAN EtumBot Registration Request (trojan.rules)
2018547 – ET TROJAN EtumBot Ping (trojan.rules)
2018548 – ET TROJAN EtumBot Command Status Message (trojan.rules)
2018549 – ET TROJAN EtumBot PUT File Response (trojan.rules)
2018550 – ET TROJAN EtumBot GET File Initial Response (trojan.rules)
2018551 – ET TROJAN EtumBot GET File Data Upload (trojan.rules)
2018552 – ET TROJAN Backdoor.Win32/Etumbot.B Requesting RC4 Key (trojan.rules)

Pro:
2808139 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Tramp.a Checkin (mobile_malware.rules)
2808140 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Tramp.a Checkin 2 (mobile_malware.rules)
2808141 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.u Checkin 3 (mobile_malware.rules)
2808142 – ETPRO TROJAN W32/Simda.BC Checkin (trojan.rules)

[///] Modified active rules: [///]

2018508 – ET TROJAN Win32/Enosch.A gtalk connectivity check (trojan.rules)
2807145 – ETPRO TROJAN Backdoor.Win32.Simda.abpn Checkin (trojan.rules)
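The daily summaries above all share one fixed layout: a section header such as [+++] Added rules: [+++], [///] Modified active rules: [///] or [---] Removed rules: [---], optional Open: / Pro: sub-headings, and one rule per line as "SID – message (file.rules)". Several posts also show a pattern worth catching automatically: a SID that is listed under Removed rules and again under Added rules in the same update (2018138-2018140 on 05/14, 2018195 and 2807412 on 05/15, 2806289 on 06/05) is a rename or a category/file move, not a deletion, so a local disable or modify list keyed on that SID keeps applying to a rule whose category has changed. The parser below is an added example written for this page; it is not code from Emerging Threats or from the posts. The excerpt it parses is constructed from lines in the posts above (it is not one real post), and the local disabled-SID list is a hypothetical assumption.

```python
"""Parse Emerging Threats daily ruleset update summaries into structured records.

Added example for this page; not code from Emerging Threats / Proofpoint or
from the posts it accompanies. It reads the section headers, the 'Open:' /
'Pro:' sub-headings and one rule per line as '<sid> – <msg> (<file>)'.
"""
import re
from collections import defaultdict

# Section headers carry the same marker in [ ] on both sides of the name.
SECTION_RE = re.compile(r"^\[(\+\+\+|///|---)\]\s*(.+?):\s*\[(\+\+\+|///|---)\]$")
# Rule lines: seven-digit SID, en dash (or hyphen), message, optional "(x.rules)".
RULE_RE = re.compile(r"^\s*(\d{7})\s+[–-]\s+(.*?)(?:\s+\(([\w.]+\.rules)\))?\s*$")
# Message prefix: ruleset name and category, e.g. "ETPRO MOBILE_MALWARE ...".
MSG_RE = re.compile(r"^(ET|ETPRO)\s+([A-Z_]+)\s+(.*)$")


def parse_summary(text):
    """Return {section name: [(sid, msg, rules file or None), ...]} in post order."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(2)
            continue
        rule = RULE_RE.match(line)
        if rule and current:
            sections[current].append((int(rule.group(1)), rule.group(2), rule.group(3)))
    return dict(sections)


def rule_set_and_category(msg):
    """Split 'ETPRO TROJAN Foo Checkin' into ('ETPRO', 'TROJAN')."""
    m = MSG_RE.match(msg)
    return (m.group(1), m.group(2)) if m else (None, None)


def category_moves(sections):
    """SIDs removed and re-added in the same update: {sid: (old, new)}.

    That is a rename or a move between categories/files, not a deletion; a local
    disable list keyed on the SID still applies, but to a re-categorised rule.
    """
    added = {sid: (msg, f) for sid, msg, f in sections.get("Added rules", [])}
    removed = {sid: (msg, f) for sid, msg, f in sections.get("Removed rules", [])}
    return {sid: (removed[sid], added[sid]) for sid in added.keys() & removed.keys()}


def stale_local_references(sections, local_sids):
    """SIDs from a local tuning list that this update deleted outright."""
    removed = {sid for sid, _, _ in sections.get("Removed rules", [])}
    readded = {sid for sid, _, _ in sections.get("Added rules", [])}
    return sorted((removed - readded) & set(local_sids))


# Constructed excerpt assembled from lines in the posts (not one real post).
SAMPLE = """\
[***] Summary: [***]

10 new Open signatures, 16 new Pro (10+6). Various Android, FlashPack, Alina.

[+++] Added rules: [+++]

Open:

2018138 – ET MOBILE_MALWARE Android/FakeKakao checkin 1 (mobile_malware.rules)
2018473 – ET TROJAN W32/Alina.POS-Trojan CnC Beacon (trojan.rules)

Pro:

2808042 – ETPRO TROJAN MSIL/PSW.Agent.NUM Checkin (trojan.rules)

[///] Modified active rules: [///]

2011588 – ET TROJAN Zeus Bot Request to CnC (trojan.rules)

[---] Removed rules: [---]

2018138 – ET TROJAN Android/FakeKakao checkin 1 (trojan.rules)
2008036 – ET MALWARE 360safe.com related Fake Security Product Update (malware.rules)
"""

# Hypothetical local disable list (SIDs a site has tuned out); an assumption.
LOCAL_DISABLED_SIDS = [2008036, 2018138, 2011588]

if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for name, rules in parsed.items():
        print(f"{name}: {len(rules)} rule(s)")
    for sid, (old, new) in category_moves(parsed).items():
        print(f"moved {sid}: {rule_set_and_category(old[0])} -> {rule_set_and_category(new[0])}")
    print("stale local SIDs:", stale_local_references(parsed, LOCAL_DISABLED_SIDS))
```

Feed it the text of each day's post and diff the result against your local disable/modify lists: a SID returned by stale_local_references can be dropped from local tuning, while a SID returned by category_moves needs its local entry re-checked against the new category and file.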

June 2014 Microsoft Patch Tuesday Coverage

Bulletin   CVE            Title                                               Notes                ET Pro Coverage
MS14-035   CVE-2014-0282  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808142
MS14-035   CVE-2014-1762  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808143
MS14-035   CVE-2014-1766  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808144
MS14-035   CVE-2014-1785  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808145, 2808146
MS14-035   CVE-2014-1789  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808147
MS14-035   CVE-2014-1791  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808148
MS14-035   CVE-2014-1795  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808149
MS14-035   CVE-2014-1797  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808150
MS14-035   CVE-2014-1800  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808151
MS14-035   CVE-2014-1802  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808152
MS14-035   CVE-2014-1804  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808153, 2808154
MS14-035   CVE-2014-1805  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808156
MS14-035   CVE-2014-1823  Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808155 (disabled by default: FPs)