Daily Ruleset Update Summary 08/27/2014

[***] Summary: [***]

54 new Open signatures, 77 new Pro (54+23). Lots of Upatre SSL, NullHole EK, Various Android.

Thanks: Nathan Fowler and @kafeine

[+++] Added rules: [+++]

2019025 – ET CURRENT_EVENTS Possible Upatre SSL Cert freeb4u.com (current_events.rules)
2019026 – ET CURRENT_EVENTS Possible Upatre SSL Cert developmentinn.com (current_events.rules)
2019027 – ET CURRENT_EVENTS Possible Upatre SSL Cert directory92.com (current_events.rules)
2019028 – ET CURRENT_EVENTS Possible Upatre SSL Cert epr-co.ch (current_events.rules)
2019029 – ET CURRENT_EVENTS Possible Upatre SSL Cert pouyasazan.org (current_events.rules)
2019030 – ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net (current_events.rules)
2019031 – ET CURRENT_EVENTS Possible Upatre SSL Cert tecktalk.com (current_events.rules)
2019032 – ET CURRENT_EVENTS Possible Upatre SSL Cert cyclivate.com (current_events.rules)
2019033 – ET CURRENT_EVENTS Possible Upatre SSL Cert mentoringgroup.com (current_events.rules)
2019034 – ET CURRENT_EVENTS Possible Upatre SSL Cert dineshuthayakumar.in (current_events.rules)
2019035 – ET CURRENT_EVENTS Possible Upatre SSL Cert ssshosting.net (current_events.rules)
2019036 – ET CURRENT_EVENTS Possible Upatre SSL Cert erotikturk.com (current_events.rules)
2019037 – ET CURRENT_EVENTS Possible Upatre SSL Cert mtnoutfitters.com (current_events.rules)
2019038 – ET CURRENT_EVENTS Possible Upatre SSL Cert jojik-international.com (current_events.rules)
2019039 – ET CURRENT_EVENTS Possible Upatre SSL Cert abarsolutions.com (current_events.rules)
2019040 – ET CURRENT_EVENTS Possible Upatre SSL Cert eastwoodvalley.com (current_events.rules)
2019041 – ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net (current_events.rules)
2019042 – ET CURRENT_EVENTS Possible Upatre SSL Cert pejlain.se (current_events.rules)
2019043 – ET CURRENT_EVENTS Possible Upatre SSL Cert dominionthe.com (current_events.rules)
2019044 – ET CURRENT_EVENTS Possible Upatre SSL Cert delanecanada.ca (current_events.rules)
2019045 – ET CURRENT_EVENTS Possible Upatre SSL Cert hebergement-solutions.com (current_events.rules)
2019046 – ET CURRENT_EVENTS Possible Upatre SSL Cert sportofteniq.com (current_events.rules)
2019047 – ET CURRENT_EVENTS Possible Upatre SSL Cert adoraacc.com (current_events.rules)
2019048 – ET CURRENT_EVENTS Possible Upatre SSL Cert tristacey.com (current_events.rules)
2019049 – ET CURRENT_EVENTS Possible Upatre SSL Cert nbc-mail.com (current_events.rules)
2019050 – ET CURRENT_EVENTS Possible Upatre SSL Cert tridayacipta.com (current_events.rules)
2019051 – ET CURRENT_EVENTS Possible Upatre SSL Cert trainthetrainerinternational.com (current_events.rules)
2019052 – ET CURRENT_EVENTS Possible Upatre SSL Cert lingayasuniversity.edu.in (current_events.rules)
2019053 – ET CURRENT_EVENTS Possible Upatre SSL Cert uleideargan.com (current_events.rules)
2019054 – ET CURRENT_EVENTS Possible Upatre SSL Cert picklingtank.com (current_events.rules)
2019055 – ET CURRENT_EVENTS Possible Upatre SSL Cert vcomdesign.com (current_events.rules)
2019056 – ET CURRENT_EVENTS Possible Upatre SSL Cert technosysuk.com (current_events.rules)
2019057 – ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net (current_events.rules)
2019058 – ET CURRENT_EVENTS Possible Upatre SSL Cert itiltrainingcertworkshop.com (current_events.rules)
2019059 – ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com (current_events.rules)
2019060 – ET CURRENT_EVENTS Possible Upatre SSL Cert efind.co.il (current_events.rules)
2019061 – ET CURRENT_EVENTS Possible Upatre SSL Cert bloodsoft.com (current_events.rules)
2019062 – ET CURRENT_EVENTS Possible Upatre SSL Cert walletmix.com (current_events.rules)
2019063 – ET CURRENT_EVENTS Possible Upatre SSL Cert turnaliinsaat.com (current_events.rules)
2019064 – ET CURRENT_EVENTS Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net (current_events.rules)
2019065 – ET CURRENT_EVENTS Possible Upatre SSL Cert plastics-technology.com (current_events.rules)
2019066 – ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net (current_events.rules)
2019067 – ET CURRENT_EVENTS Possible Upatre SSL Cert deserve.org.uk (current_events.rules)
2019068 – ET CURRENT_EVENTS Possible Upatre SSL Cert worldbuy.biz (current_events.rules)
2019069 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019070 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019071 – ET CURRENT_EVENTS NullHole EK Landing Aug 27 2014 (current_events.rules)
2019072 – ET CURRENT_EVENTS RIG EK Landing URI Struct (current_events.rules)
2019073 – ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014 (current_events.rules)
2019074 – ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
2019075 – ET CURRENT_EVENTS Possible Upatre SSL Cert paydaypedro.co.uk (current_events.rules)
2019076 – ET CURRENT_EVENTS Possible Upatre SSL Cert chatso.com (current_events.rules)
2019077 – ET CURRENT_EVENTS Possible Upatre SSL Cert ventureonsite.com (current_events.rules)
2019078 – ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (current_events.rules)

Pro:

2808649 – ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 3 (trojan.rules)
2808661 – ETPRO MALWARE Adware.Win32.Midia.A Checkin (malware.rules)
2808662 – ETPRO TROJAN Win32.Boaxxe Variant Callback (trojan.rules)
2808663 – ETPRO MOBILE_MALWARE Android/Adware.MobWin.A Checkin (mobile_malware.rules)
2808664 – ETPRO MALWARE Win32/ExpressDownloader Callback (malware.rules)
2808665 – ETPRO MALWARE KopHack Checkin (malware.rules)
2808666 – ETPRO MALWARE Adware.Winner Uploading Host Info (malware.rules)
2808667 – ETPRO TROJAN Win32/ProxyChanger.RD Checkin (trojan.rules)
2808668 – ETPRO TROJAN TROJAN.WIN32.DIZTAKUN.ATK Checkin FTP (trojan.rules)
2808669 – ETPRO TROJAN TROJANSPY.MSIL/GOLROTED.A Checkin FTP (trojan.rules)
2808670 – ETPRO TROJAN POSCARDSTEALER.Q Checkin (trojan.rules)
2808671 – ETPRO TROJAN MONITOR.MSIL.KEYLOGGER Checkin (trojan.rules)
2808672 – ETPRO TROJAN Win32/Spy.Agent.OKH Checkin (trojan.rules)
2808673 – ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin (mobile_malware.rules)
2808674 – ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin 2 (mobile_malware.rules)
2808675 – ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin 3 (mobile_malware.rules)
2808676 – ETPRO MALWARE Win32/GameHack.CSO Checkin (malware.rules)
2808677 – ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin (mobile_malware.rules)
2808678 – ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin 2 (mobile_malware.rules)
2808679 – ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.BK Checkin (mobile_malware.rules)
2808680 – ETPRO MOBILE_MALWARE Adware.Youmi.A Checkin (mobile_malware.rules)
2808681 – ETPRO MALWARE Win32/InstallRex.Adware Checkin (malware.rules)
2808682 – ETPRO MOBILE_MALWARE AndroidOS/UUPay.B Checkin 2 (mobile_malware.rules)
[+++] Enabled and modified rules: [+++]

2010463 – ET WEB_SERVER RFI Scanner Success (Fx29ID) (web_server.rules)
[///] Modified active rules: [///]

2001616 – ET ATTACK_RESPONSE Zone-H.org defacement notification (attack_response.rules)
2009029 – ET WEB_SERVER SQL Injection Attempt (Agent NV32ts) (web_server.rules)
2009038 – ET SCAN SQLNinja MSSQL Version Scan (scan.rules)
2009039 – ET SCAN SQLNinja MSSQL XPCmdShell Scan (scan.rules)
2009158 – ET SCAN WebShag Web Application Scan Detected (scan.rules)
2009359 – ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE) (scan.rules)
2009480 – ET SCAN Grendel Web Scan – Default User Agent Detected (scan.rules)
2009799 – ET WEB_SERVER PHP Attack Tool Morfeus F Scanner – M (web_server.rules)
2009827 – ET SCAN Pavuk User Agent Detected – Website Mirroring Tool for Off-line Analysis (scan.rules)
2009833 – ET SCAN WITOOL SQL Injection Scan (scan.rules)
2009882 – ET SCAN Default Mysqloit User Agent Detected – Mysql Injection Takover Tool (scan.rules)
2009883 – ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected (scan.rules)
2010004 – ET WEB_SERVER SQL sp_start_job attempt (web_server.rules)
2010037 – ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt (web_server.rules)
2010215 – ET SCAN SQL Injection Attempt (Agent uil2pn) (scan.rules)
2010267 – ET TROJAN Sinowal/Torpig Checkin (trojan.rules)
2010268 – ET TROJAN W32.SillyFDC Checkin (trojan.rules)
2806067 – ETPRO MALWARE Casino.E Install (malware.rules)
[///] Modified inactive rules: [///]

2010231 – ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1 (current_events.rules)
2010281 – ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt (web_server.rules)
2010343 – ET SCAN pangolin SQL injection tool (scan.rules)
[---] Removed rules: [---]

2009036 – ET TROJAN Armitage Loader Check-in (trojan.rules)
2009797 – ET TROJAN Bifrose Response from victim (trojan.rules)
2010289 – ET TROJAN Clod/Sereki Communication with C&C (trojan.rules)
2010290 – ET TROJAN Clod/Sereki Checkin with C&C (noalert) (trojan.rules)
2010291 – ET TROJAN Clod/Sereki Checkin Response (trojan.rules)
2101377 – GPL FTP wu-ftp bad file completion attempt (ftp.rules)
2101378 – GPL FTP wu-ftp bad file completion attempt with brace (ftp.rules)

The post Daily Ruleset Update Summary 08/27/2014 appeared first on Emerging Threats.


Daily Ruleset Update Summary 08/28/2014

[***] Summary: [***]

5 new Open signatures, 18 new Pro (5+13). ABUSE.CH SSL Blacklist, PCRat/Gh0st, Various Android.

Thanks: @rmkml and @abuse_ch

[+++] Added rules: [+++]

Open:

2019079 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019080 – ET TROJAN Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
2019081 – ET TROJAN Windows set Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
2019082 – ET TROJAN Windows route Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
2019083 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41 (trojan.rules)

Pro:

2808683 – ETPRO TROJAN Win32/VB.VX Checkin (trojan.rules)
2808684 – ETPRO MOBILE_MALWARE Trojan.AndroidOS.Talp.a Checkin (mobile_malware.rules)
2808685 – ETPRO TROJAN Carbon FormGrabber/Retgate.A Checkin (trojan.rules)
2808686 – ETPRO TROJAN WIN32.AGENT.ADRNK Checkin FTP (trojan.rules)
2808687 – ETPRO TROJAN Trojan.Win32.Jorik.IRCbot USER command (trojan.rules)
2808688 – ETPRO TROJAN Win32/Dynamer Checkin (trojan.rules)
2808689 – ETPRO TROJAN Win32/Kaaneut.A Callback (trojan.rules)
2808690 – ETPRO MOBILE_MALWARE DroidKungFu Checkin 4 (mobile_malware.rules)
2808691 – ETPRO POLICY Showmypc.com remote access (SSH Futty) (policy.rules)
2808692 – ETPRO TROJAN Win32.Hyteod Checkin (trojan.rules)
2808693 – ETPRO TROJAN Win32.Rogue Checkin (trojan.rules)
2808694 – ETPRO TROJAN Win32.Hyteod Checkin Response (trojan.rules)
2808695 – ETPRO MOBILE_MALWARE Backdoor.AndroidOS.SpamSold.a Checkin (mobile_malware.rules)
[+++] Enabled rules: [+++]

2010909 – ET TROJAN Arucer Command Execution (trojan.rules)
2010910 – ET TROJAN Arucer DIR Listing (trojan.rules)
2010911 – ET TROJAN Arucer WRITE FILE command (trojan.rules)
2010912 – ET TROJAN Arucer READ FILE Command (trojan.rules)
2010914 – ET TROJAN Arucer FIND FILE Command (trojan.rules)
2010915 – ET TROJAN Arucer YES Command (trojan.rules)
2010916 – ET TROJAN Arucer ADD RUN ONCE Command (trojan.rules)
2010917 – ET TROJAN Arucer DEL FILE Command (trojan.rules)
[+++] Enabled and modified rules: [+++]

2012045 – ET EXPLOIT VMware Tools Update OS Command Injection Attempt (exploit.rules)
2014153 – ET CURRENT_EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA (current_events.rules)
[///] Modified active rules: [///]

2008052 – ET MALWARE User-Agent (Internet Explorer) (malware.rules)
2010621 – ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) (web_server.rules)
2010667 – ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit (web_server.rules)
2010698 – ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt (web_server.rules)
2010720 – ET WEB_SERVER PHP Scan Precursor (web_server.rules)
2010872 – ET TROJAN Pragma hack Detected Outbound – Likely Infected Source (trojan.rules)
2010954 – ET SCAN crimscanner User-Agent detected (scan.rules)
2010956 – ET SCAN Skipfish Web Application Scan Detected (2) (scan.rules)
2011028 – ET SCAN HZZP Scan in Progress calc in Headers (scan.rules)
2011088 – ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected (scan.rules)
2011124 – ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) (malware.rules)
2011174 – ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s) (web_server.rules)
2011175 – ET WEB_SERVER Casper Bot Search RFI Scan (web_server.rules)
2011243 – ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork) (web_server.rules)
2011285 – ET WEB_SERVER Bot Search RFI Scan (Casper-Like, Jcomers Bot scan) (web_server.rules)
2011389 – ET SCAN w3af Scan Remote File Include Retrieval (scan.rules)
2011390 – ET SCAN Nikto Scan Remote File Include Retrieval (scan.rules)
2011720 – ET SCAN Possible WafWoof Web Application Firewall Detection Scan (scan.rules)
2011767 – ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected (trojan.rules)
2011821 – ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound (current_events.rules)
2011822 – ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound (current_events.rules)
2011823 – ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound 2 (current_events.rules)
2011824 – ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound 2 (current_events.rules)
2011887 – ET SCAN Medusa User-Agent (scan.rules)
2011915 – ET SCAN DotDotPwn User-Agent (scan.rules)
2011966 – ET CURRENT_EVENTS Trojan downloader (AS8514) (current_events.rules)
2011968 – ET CURRENT_EVENTS Trojan Banker (AS33182) (current_events.rules)
2011980 – ET CURRENT_EVENTS Suspicious executable download possible Ircbrute Trojan (current_events.rules)
2011981 – ET CURRENT_EVENTS Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab (current_events.rules)
2011982 – ET CURRENT_EVENTS Suspicious executable download possible Trojan Ransom.AM (current_events.rules)
2011983 – ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Trojan (current_events.rules)
2011984 – ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem (current_events.rules)
2011985 – ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus avdistr (current_events.rules)
2011986 – ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus RunAV (current_events.rules)
2011990 – ET CURRENT_EVENTS Suspicious executable download possible Rogue AV (installer.xxxx.exe) (current_events.rules)
2011995 – ET CURRENT_EVENTS invoice.scr download most likely a TROJAN (current_events.rules)
2011999 – ET TROJAN Trojan.Spy.YEK MAC and IP POST (trojan.rules)
2012101 – ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt (exploit.rules)
2012116 – ET WEB_SERVER DD-WRT Information Disclosure Attempt (web_server.rules)
2012117 – ET WEB_SERVER Successful DD-WRT Information Disclosure (web_server.rules)
2012150 – ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI (web_server.rules)
2012286 – ET WEB_SERVER Automated Site Scanning for backupdata (web_server.rules)
2012287 – ET WEB_SERVER Automated Site Scanning for backup_data (web_server.rules)
2012586 – ET TROJAN Suspicious User-Agent Im Luo (trojan.rules)
2013170 – ET CURRENT_EVENTS HTTP Request to a *.cu.cc domain (current_events.rules)
2804240 – ETPRO TROJAN TrojanDownloader.Win32/Delf.NK (trojan.rules)
2804288 – ETPRO TROJAN Win32/OnLineGames.NM Install (trojan.rules)
2804301 – ETPRO TROJAN Win32/TrojanDownloader.Banload.QOM Checkin (trojan.rules)
2804317 – ETPRO TROJAN TrojanDownloader.Win32/Banload.ACI Checkin (trojan.rules)
2804400 – ETPRO TROJAN Win32/DelpBanc.A Checkin (trojan.rules)
2804414 – ETPRO TROJAN TrojanDropper.Win32/Agent.KA Checkin (trojan.rules)
2804423 – ETPRO TROJAN TrojanDownloader.Win32/Banload.ACK receiving config (trojan.rules)
2804457 – ETPRO TROJAN TrojanSpy.Win32/Bancos.gen!A sending info via smtp (trojan.rules)
2804460 – ETPRO TROJAN Infostealer.Onlinegame Checkin (trojan.rules)
2804565 – ETPRO TROJAN TrojanDropper.Win32/Buzus.B Checkin (trojan.rules)
2804642 – ETPRO TROJAN Trojan.Win32.Buzus.jytd Checkin (trojan.rules)
2804678 – ETPRO MALWARE Spyware.Known_Bad_Sites Install (malware.rules)
2804752 – ETPRO TROJAN Trojan-Banker.Win32.Banker2.bwv Checkin (trojan.rules)
2804881 – ETPRO TROJAN Trojan.Agent-275138 Checkin (trojan.rules)
2804885 – ETPRO TROJAN Win32/TrojanDownloader.Banload.QYJ Checkin (trojan.rules)
2808624 – ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 1 (trojan.rules)
[///] Modified inactive rules: [///]

2010721 – ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound (user_agents.rules)
2010722 – ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound (user_agents.rules)
[---] Disabled and modified rules: [---]

2011759 – ET WEB_SERVER TIEHTTP User-Agent (web_server.rules)
[---] Disabled rules: [---]

2010913 – ET TROJAN Arucer NOP Command (trojan.rules)
[---] Removed rules: [---]

2000900 – ET P2P JoltID Agent Probing or Announcing UDP (p2p.rules)
2000901 – ET P2P JoltID Agent Communicating TCP (p2p.rules)
2001015 – ET P2P JoltID Agent Keep-Alive (p2p.rules)
2001654 – ET P2P JoltID Agent Requesting File (p2p.rules)
2010706 – ET USER_AGENTS Internet Explorer 6 in use – Significant Security Risk (user_agents.rules)
2010797 – ET POLICY Twitter Status Update (policy.rules)
2010815 – ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud (policy.rules)
2011233 – ET TROJAN Troxen GetSpeed Request (trojan.rules)
2011416 – ET TROJAN General Trojan FakeAV Downloader (trojan.rules)
2011897 – ET CURRENT_EVENTS vb exploits / trojan vietshow (current_events.rules)
2011899 – ET CURRENT_EVENTS Trojan perflogger ~duydati/inst_PCvw.exe (current_events.rules)
2011901 – ET CURRENT_EVENTS Hacked server to exploits ~rio1/admin/login.php (current_events.rules)
2011902 – ET CURRENT_EVENTS Phishing ~mbscom/moneybookers/app/login/login.html (current_events.rules)
2011903 – ET CURRENT_EVENTS iframe Phoenix Exploit & ZBot vt073pd/photo.exe (current_events.rules)
2011904 – ET CURRENT_EVENTS fast flux rogue antivirus download.php?id=2004 (current_events.rules)
2011905 – ET CURRENT_EVENTS exploit kit x/index.php?s=dexc (current_events.rules)
2011907 – ET CURRENT_EVENTS exploit kit x/l.php?s=dexc (current_events.rules)
2011908 – ET CURRENT_EVENTS exploit kit x/exe.php?x=mdac (current_events.rules)
2011909 – ET CURRENT_EVENTS trojan renos Flash.HD.exe (current_events.rules)
2011916 – ET CURRENT_EVENTS SEO/Malvertising Executable Landing exe2.php (current_events.rules)
2011919 – ET CURRENT_EVENTS FAKEAV Gemini – packupdate*.exe download (current_events.rules)
2011951 – ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By SMB/JavaWebStart (current_events.rules)
2011952 – ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By PDF (current_events.rules)
2011953 – ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious jjar.jar (current_events.rules)
2011954 – ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadjjar.php (current_events.rules)
2011955 – ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious lib.pdf (current_events.rules)
2011956 – ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadpeers.php (current_events.rules)
2011958 – ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript desttable (current_events.rules)
2011959 – ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript srctable (current_events.rules)
2011993 – ET CURRENT_EVENTS ProFTPD Backdoor outbound Request Sent (current_events.rules)
2012156 – ET WEB_CLIENT Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt (web_client.rules)
2012275 – ET CURRENT_EVENTS Post Express Inbound SPAM (possible Spyeye) (current_events.rules)
2012301 – ET TROJAN Potential Trojan dropper Wlock.A (AS1680) (trojan.rules)
2012332 – ET CURRENT_EVENTS Possible Fast Flux Trojan Rogue Antivirus (current_events.rules)
2012410 – ET MOBILE_MALWARE DroidDream Android Trojan info upload (mobile_malware.rules)
2012447 – ET TROJAN Possible Fast Flux Rogue Antivirus (trojan.rules)
2012450 – ET MOBILE_MALWARE Android Trojan HongTouTou Command and Control Communication (mobile_malware.rules)
2012538 – ET CURRENT_EVENTS Possible Zbot Trojan (current_events.rules)
2012539 – ET CURRENT_EVENTS Possible Rogue Antivirus (current_events.rules)
2012540 – ET CURRENT_EVENTS Possible Win32 Backdoor Poison (current_events.rules)
2012685 – ET CURRENT_EVENTS Win32/CazinoSilver Download VegasVIP_setup.exe (current_events.rules)
2012688 – ET CURRENT_EVENTS Potential Blackhole Exploit Pack landing (current_events.rules)
2012802 – ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup (malware.rules)
2013406 – ET POLICY SSL MiTM Vulnerable or EOL iOS 3.x device (policy.rules)
2013407 – ET POLICY SSL MiTM Vulnerable or EOL iOS 4.x device (policy.rules)
2013753 – ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2 (trojan.rules)
2013754 – ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2 (trojan.rules)
2014041 – ET WORM AirOS .css Worm Outbound Propagation Sweep (worm.rules)
2014042 – ET WORM AirOS admin.cgi/css Exploit Attempt (worm.rules)
2019041 – ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net (current_events.rules)
2019066 – ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net (current_events.rules)
2800490 – ETPRO WEB_CLIENT Mozilla Network Security Services Regexp Heap Overflow (web_client.rules)
2808625 – ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 2 (trojan.rules)

The post Daily Ruleset Update Summary 08/28/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 08/29/2014

[***] Summary: [***]

15 new Open signatures, 30 new Pro (15+15). ScanBox, iBryte, BIG-IP rsync vuln, Archie EK.

Thanks: @jaimeblascob and @kafeine

[+++] Added rules: [+++]

2019084 – ET TROJAN Syrian Malware Checkin (trojan.rules)
2019085 – ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection (exploit.rules)
2019086 – ET CURRENT_EVENTS Unknown Trojan Dropped by Angler Aug 29 2014 (current_events.rules)
2019087 – ET TROJAN F5 BIG-IP rsync cmi access attempt (trojan.rules)
2019088 – ET TROJAN F5 BIG-IP rsync cmi authorized_keys access attempt (trojan.rules)
2019089 – ET TROJAN F5 BIG-IP rsync cmi authorized_keys successful exfiltration (trojan.rules)
2019090 – ET TROJAN F5 BIG-IP rsync cmi authorized_keys successful upload (trojan.rules)
2019091 – ET EXPLOIT Metasploit Random Base CharCode JS Encoded String (exploit.rules)
2019093 – ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (current_events.rules)
2019094 – ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Intial (POST) (current_events.rules)
2019095 – ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData (current_events.rules)
2019096 – ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive (current_events.rules)
2019097 – ET CURRENT_EVENTS Archie EK SilverLight URI Struct (current_events.rules)
2019098 – ET CURRENT_EVENTS Archie EK Sending Plugin-Detect Data (current_events.rules)
2019099 – ET CURRENT_EVENTS Possible Archie/Metasploit SilverLight Exploit (current_events.rules)

Pro:

2808696 – ETPRO MALWARE W32/iBryte.Adware Installer Download (malware.rules)
2808697 – ETPRO MOBILE_MALWARE Android/AndroRAT.B Checkin (mobile_malware.rules)
2808698 – ETPRO TROJAN Win32/Paskod.B Downloading Files (trojan.rules)
2808699 – ETPRO TROJAN Win32/KFTC.Downloader Checkin (trojan.rules)
2808700 – ETPRO TROJAN Win32/KFTC.Downloader Checkin 2 (trojan.rules)
2808701 – ETPRO TROJAN Win32.Farfli.gq Requesting data (trojan.rules)
2808702 – ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IW Checkin (mobile_malware.rules)
2808703 – ETPRO MOBILE_MALWARE Android/DDLight.A Checkin (mobile_malware.rules)
2808704 – ETPRO MALWARE PUP Win32/Adware.MediaFinder Checkin 2 (malware.rules)
2808705 – ETPRO MOBILE_MALWARE Android/SmsSpy.AH Checkin (mobile_malware.rules)
2808706 – ETPRO TROJAN Win32/CoinMiner.SO .exe download 2 (trojan.rules)
2808707 – ETPRO TROJAN Trojan.Keylog!1.9946 Checkin (trojan.rules)
2808708 – ETPRO TROJAN Win32.Farfli Requesting data 2 (trojan.rules)
2808709 – ETPRO TROJAN suspicious X-Mailer (Blat v2) (trojan.rules)
2808710 – ETPRO TROJAN Win32/BrowserPassview sending passwords via SMTP (trojan.rules)
[///] Modified active rules: [///]

2018362 – ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
2018873 – ET TROJAN Tor based locker Ransom Page (trojan.rules)
2019034 – ET CURRENT_EVENTS Possible Upatre SSL Cert dineshuthayakumar.in (current_events.rules)
2801865 – ETPRO TROJAN Backdoor Darkshell Reporting to CnC (trojan.rules)
2805820 – ETPRO MOBILE_MALWARE Android/FkToken.A Checkin (mobile_malware.rules)
2806210 – ETPRO MOBILE_MALWARE AndroidOS/Gappusin.A Checkin (mobile_malware.rules)
2808138 – ETPRO MOBILE_MALWARE Android/Battpatch.A Checkin (mobile_malware.rules)
2808677 – ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin (mobile_malware.rules)
2808678 – ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin 2 (mobile_malware.rules)
[---] Removed rules: [---]

2014153 – ET CURRENT_EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA (current_events.rules)
2018976 – ET MALWARE Hoic.zip retrieval (malware.rules)
2018977 – ET MALWARE HOIC with booster outbound (malware.rules)
2018978 – ET WEB_SERVER HOIC with booster inbound (web_server.rules)
The post Daily Ruleset Update Summary 08/29/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/02/2014

[***] Summary: [***]

4 new Open signatures, 16 new Pro (4+12). FlashPack, OneLouder, Various Android, Sality.AM.

Thanks: @EKWatcher

[+++] Added rules: [+++]

Open:

2019100 – ET CURRENT_EVENTS FlashPack EK Redirect Sept 01 2014 (current_events.rules)
2019101 – ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND (policy.rules)
2019102 – ET DOS Possible SSDP Amplification Scan in Progress (dos.rules)
2019103 – ET CURRENT_EVENTS OneLouder EXE download possibly installing Zeus P2P (current_events.rules)

Pro:

2808711 – ETPRO TROJAN W32/VBCheMan.A Checkin 2 (trojan.rules)
2808712 – ETPRO TROJAN Trojan.Win32.Spy uploading screenshots (trojan.rules)
2808713 – ETPRO MALWARE Win32.Adware.Malplayer.Auto Checkin (malware.rules)
2808714 – ETPRO MALWARE PUP Win32/4Shared.X Checkin (malware.rules)
2808715 – ETPRO TROJAN Win32/Sality.AM GET Request (trojan.rules)
2808716 – ETPRO TROJAN Win32.Downloader.aCm checkin (trojan.rules)
2808717 – ETPRO EXPLOIT Netcore Router Backdoor Usage (exploit.rules)
2808718 – ETPRO TROJAN Backdoor.Win32/Turla.A Checkin (trojan.rules)
2808719 – ETPRO TROJAN Win32.Virut.ua Dropping Files (trojan.rules)
2808720 – ETPRO MOBILE_MALWARE Android/Univert.B Checkin (mobile_malware.rules)
2808721 – ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 2 (mobile_malware.rules)
2808722 – ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 3 (mobile_malware.rules)
[///] Modified active rules: [///]

2017936 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 (trojan.rules)
2018141 – ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz (trojan.rules)
2018143 – ET TROJAN Backdoor.Win32.Popwin Checkin (trojan.rules)
2018315 – ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount (web_client.rules)
2018983 – ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P) (current_events.rules)
2019005 – ET CURRENT_EVENTS FlashPack EK Redirect Aug 25 2014 (current_events.rules)
2807636 – ETPRO TROJAN Trojan-Banker.Win32.Agent.ree Checkin (trojan.rules)
2808340 – ETPRO MALWARE PUP Win32/4Shared.U Checkin (malware.rules)
2808658 – ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 1 Specific (current_events.rules)
2808659 – ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 2 Specific (current_events.rules)
2808697 – ETPRO MOBILE_MALWARE Android/AndroRAT.B Checkin (mobile_malware.rules)
[///] Modified inactive rules: [///]

2011367 – ET SCAN Malformed Packet SYN FIN (scan.rules)
2011368 – ET SCAN Malformed Packet SYN RST (scan.rules)
[---] Disabled rules: [---]

2801295 – ETPRO WEB_SERVER Known Fraudulent UA inbound Likely Trojan (web_server.rules)
[---] Removed rules: [---]

2001445 – ET MALWARE PeopleOnPage Install (malware.rules)
2007634 – ET TROJAN Storm Worm Encrypted Traffic Outbound – Likely Search by md5 (trojan.rules)
2007635 – ET TROJAN Storm Worm Encrypted Traffic Inbound – Likely Connect Ack (trojan.rules)
2007636 – ET TROJAN Storm Worm Encrypted Traffic Inbound – Likely Search by md5 (trojan.rules)
2007637 – ET TROJAN Storm Worm Encrypted Traffic Outbound – Likely Connect Ack (trojan.rules)
2010262 – ET TROJAN WindowsEnterpriseSuite FakeAV Dynamic User-Agent (trojan.rules)
2405070 – ET CNC Shadowserver Reported CnC Server Port 38294 Group 1 (botcc.portgrouped.rules)
2405071 – ET CNC Shadowserver Reported CnC Server Port 54321 Group 1 (botcc.portgrouped.rules)
2405072 – ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (botcc.portgrouped.rules)
2800361 – ETPRO MALWARE aSpy v2.12 (malware.rules)
2800387 – ETPRO MALWARE SynRat 2.1 Pro (init connection) (malware.rules)
2800388 – ETPRO MALWARE SynRat 2.1 Pro (malware.rules)
2800681 – ETPRO DOS Veritas Backup Exec Agent Error Status Null Dereference Pre-Auth (dos.rules)
2800784 – ETPRO EXPLOIT UltraVNC VNCLog Buffer Overflow (exploit.rules)
2800813 – ETPRO MALWARE Trojan.Win32.Slagent Connection Test (malware.rules)
2808665 – ETPRO MALWARE KopHack Checkin (malware.rules)

The post Daily Ruleset Update Summary 09/02/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/03/2014

[***] Summary: [***]

6 new Open signatures, 19 new Pro (13+6). Abuse.ch SSL blacklist, Dyre, Upatre, Various Android.

Thanks: @abuse_ch

[+++] Added rules: [+++]

Open:

2019104 – ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 3 2014 (current_events.rules)
2019105 – ET CURRENT_EVENTS Possible Upatre SSL Cert bluehost.com Aug 27 2014 (current_events.rules)
2019106 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019107 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019108 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019109 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)

Pro:

2808723 – ETPRO MALWARE Win32/DomaIQ Checkin 2 (malware.rules)
2808724 – ETPRO MOBILE_MALWARE Android/Crosate.D Checkin (mobile_malware.rules)
2808725 – ETPRO MOBILE_MALWARE Android/Crosate.D Checkin 2 (mobile_malware.rules)
2808726 – ETPRO TROJAN Win32.Dunik Checkin (trojan.rules)
2808727 – ETPRO MALWARE Win32.Dapato Checkin (malware.rules)
2808728 – ETPRO MALWARE Win32/Adware.AllSum Checkin (malware.rules)
2808729 – ETPRO WEB_SPECIFIC_APPS ABE fingerprinting request (web_specific_apps.rules)
2808730 – ETPRO TROJAN Win32/Spy.Banker.AAXV Retrieving Key (trojan.rules)
2808731 – ETPRO TROJAN Win32.QQPass.abvu Retrieving key from Pinterest (trojan.rules)
2808732 – ETPRO TROJAN Win32/Comame Checkin (trojan.rules)
2808733 – ETPRO TROJAN Win32/Wobotork.A Checkin (trojan.rules)
2808734 – ETPRO MALWARE PUA.DNWRandomHack Checkin (malware.rules)
2808735 – ETPRO TROJAN Backdoor.Backtor DNS lookup Sep 03, 2014 (trojan.rules)
[///] Modified active rules: [///]

2018451 – ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014 (current_events.rules)
2018459 – ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound) (web_server.rules)
2018595 – ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014 (current_events.rules)
2807474 – ETPRO TROJAN Miniduke Checkin 2 (trojan.rules)
2807926 – ETPRO TROJAN Trojan-Ransom.Win32.PornoAsset Checkin (trojan.rules)
2808034 – ETPRO TROJAN Worm.Win32.Marag.f Checkin (trojan.rules)
[---] Removed rules: [---]

2403368 – ET CINS Active Threat Intelligence Poor Reputation IP group 69 (ciarmy.rules)
2403369 – ET CINS Active Threat Intelligence Poor Reputation IP group 70 (ciarmy.rules)
2403370 – ET CINS Active Threat Intelligence Poor Reputation IP group 71 (ciarmy.rules)
2403371 – ET CINS Active Threat Intelligence Poor Reputation IP group 72 (ciarmy.rules)
2803586 – ETPRO TROJAN Variant.Buzy.1519 Download Freezone Search (trojan.rules)

The post Daily Ruleset Update Summary 09/03/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/04/2014

[***] Summary: [***]

12 new Open signatures, 16 new Pro (12+4). Various Linux, Abuse.ch SSL blacklist, HighTide, Threebyte, Waterspout.

Thanks: Kevin Ross, Jake Warren, @abuse_ch, @EKWatcher and @kafeine.

[+++] Added rules: [+++]

Open:

2019110 – ET WEB_SERVER Likely Malicious Request for /proc/self/fd/ (web_server.rules)
2019111 – ET WEB_CLIENT Malicious iframe guessing router password 1 (web_client.rules)
2019112 – ET WEB_CLIENT Malicious iframe guessing router password 2 (web_client.rules)
2019113 – ET TROJAN HighTide trojan Checkin (trojan.rules)
2019114 – ET TROJAN W32/Threebyte.APT Checkin (trojan.rules)
2019115 – ET TROJAN W32/Waterspout.APT Backdoor CnC Beacon (trojan.rules)
2019117 – ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF (current_events.rules)
2019118 – ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF (current_events.rules)
2019119 – ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF (current_events.rules)
2019120 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019121 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2) (trojan.rules)
2019122 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)

Pro:

2808736 – ETPRO TROJAN Backdoor.Comdinter Checkin (trojan.rules)
2808737 – ETPRO TROJAN Backdoor.Tsunami Download (trojan.rules)
2808739 – ETPRO TROJAN Backdoor.Linux.Ganiw.a C2 (trojan.rules)
2808740 – ETPRO TROJAN ELF/Flooder-CA Checkin (trojan.rules)
[///] Modified active rules: [///]

2009481 – ET SCAN Grendel-Scan Web Application Security Scan Detected (scan.rules)
2013730 – ET SCADA PcVue Activex Control Insecure method (AddPage) (scada.rules)
2013731 – ET SCADA PcVue Activex Control Insecure method (DeletePage) (scada.rules)
2017666 – ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (current_events.rules)
2019078 – ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (current_events.rules)
2805895 – ETPRO SCADA Possible Siemens SIMATIC RF Manager ActiveX Control Buffer Overflow 2 (scada.rules)
2808252 – ETPRO TROJAN W32.Injector.13824.C config update pull (trojan.rules)
2808608 – ETPRO MOBILE_MALWARE Android.Riskware.SMSPay.AO Checkin 3 (mobile_malware.rules)
2808658 – ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 1 Specific (current_events.rules)
[///] Modified inactive rules: [///]

2000418 – ET POLICY Executable and linking format (ELF) file download (policy.rules)
The post Daily Ruleset Update Summary 09/04/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/05/2014

[***] Summary: [***]

8 new Open signatures, 12 new Pro (8+4). Various Android, Tor based locker.

Thanks: Kevin Ross.

[+++] Added rules: [+++]

Open:

2017895 – ET TROJAN Kuluoz/Asprox Activity (trojan.rules)
2019123 – ET TROJAN Tor based locker .onion DNS Proxy lookup September 5, 2014 (trojan.rules)
2019124 – ET TROJAN Tor based locker .onion Proxy domain in SNI September 5, 2014 (trojan.rules)
2019125 – ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon (mobile_malware.rules)
2019126 – ET POLICY External IP Lookup (policy.rules)
2019127 – ET TROJAN W32/Bapy.Downloader PE Download Request (trojan.rules)
2019128 – ET TROJAN W32/Bravix.Dropper CnC Beacon (trojan.rules)
2019129 – ET TROJAN Backdoor.Win32/Dervec.gen Connectivity Check to Google (trojan.rules)

Pro:

2808741 – ETPRO MALWARE Win32/Tugspay.A Checkin (malware.rules)
2808742 – ETPRO TROJAN Win32.Darpa Checkin (trojan.rules)
2808743 – ETPRO MALWARE PUP MSIL/BrowseFox.G Checkin (malware.rules)
2808744 – ETPRO MALWARE Win32/Sysfade.A Clickfraud Activity (malware.rules)
[///] Modified active rules: [///]

2010140 – ET P2P Vuze BT UDP Connection (p2p.rules)

[---] Removed rules: [---]

2017895 – ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013 (current_events.rules)
2805044 – ETPRO TROJAN Backdoor.Win32/Dervec.gen Connectivity Check to Google (trojan.rules)
2807771 – ETPRO TROJAN Win32/Kuluoz.D Checkin (trojan.rules)
The post Daily Ruleset Update Summary 09/05/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/08/2014

[***] Summary: [***]

11 new Open signatures, 21 new Pro (11+10). Abuse.ch SSL blacklist, Battdil.B, Flashpack EK, Zbot.

Thanks: Patrick Olsen, @abuse_ch

[+++] Added rules: [+++]

Open:

2009809 – ET MALWARE Generic/Unknown Downloader Config to client (malware.rules)
2019130 – ET CURRENT_EVENTS Unknown EK Landing (current_events.rules)
2019131 – ET CURRENT_EVENTS Unknown EK Landing (current_events.rules)
2019134 – ET CURRENT_EVENTS Flashpack Redirect Method 2 (current_events.rules)
2019135 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019136 – ET TROJAN APT OSX.XSLCmd CnC Beacon (trojan.rules)
2019137 – ET WEB_SPECIFIC_APPS Possible WP CuckooTap Arbitrary File Download (web_specific_apps.rules)
2019138 – ET TROJAN Win32/Poweliks GET Request (trojan.rules)
2019139 – ET WEB_SPECIFIC_APPS WordPress Huge IT Image Gallery 1.0.0 SQL Injection (web_specific_apps.rules)
2019140 – ET POLICY External IP Lookup maxmind.com (policy.rules)
2019141 – ET TROJAN Zbot POST Request to C2 (trojan.rules)

Pro:

2808745 – ETPRO TROJAN Win32/Battdil.B SSL Cert 1 (trojan.rules)
2808746 – ETPRO TROJAN Win32/Battdil.B SSL Cert 2 (trojan.rules)
2808747 – ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 4 (mobile_malware.rules)
2808748 – ETPRO TROJAN Win32/Picazen.A Dropping Files (trojan.rules)
2808749 – ETPRO TROJAN Win32/Battdil.B SSL Cert 3 (trojan.rules)
2808750 – ETPRO CURRENT_EVENTS Flashpack EK Thread 3 Sep 05 2014 (current_events.rules)
2808751 – ETPRO TROJAN Win32.Yakes.fvbs Checkin (trojan.rules)
2808752 – ETPRO MOBILE_MALWARE Trojan.AndroidOS.MTK.e Checkin (mobile_malware.rules)
2808753 – ETPRO TROJAN Win32.Biruleibi Checkin (trojan.rules)
2808754 – ETPRO MOBILE_MALWARE Trojan.AndroidOS.Krosec.a Checkin (mobile_malware.rules)
[///] Modified active rules: [///]

2002910 – ET SCAN Potential VNC Scan 5800-5820 (scan.rules)
2002911 – ET SCAN Potential VNC Scan 5900-5920 (scan.rules)
2018368 – ET MALWARE W32/PullUpdate.Adware CnC Beacon (malware.rules)
2018958 – ET TROJAN Worm.Win32.Vobfus Checkin 3 (trojan.rules)
2019074 – ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
2019078 – ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (current_events.rules)
2808043 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ao / Cardbuyer Checkin (mobile_malware.rules)
[///] Modified inactive rules: [///]

2003022 – ET CHAT Skype Bootstrap Node (udp) (chat.rules)
2009414 – ET DOS Large amount of TCP ZeroWindow – Possible Nkiller2 DDos attack (dos.rules)
[---] Removed rules: [---]

2001312 – ET MALWARE Rdxrp.com Traffic (Generic) (malware.rules)
2009809 – ET TROJAN Generic/Unknown Downloader Config to client (trojan.rules)
2803566 – ETPRO MALWARE zugobingtoolbar Install (malware.rules)
The post Daily Ruleset Update Summary 09/08/2014 appeared first on Emerging Threats.


September 2014 Microsoft Patch Tuesday Coverage

Bulletin   CVE         Title                                               Notes                ET Pro Coverage
MS14-052   2014-4065   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808756
MS14-052   2014-2799   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808755
MS14-052   2014-4080   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808757
MS14-052   2014-4081   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808758
MS14-052   2014-4084   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808759
MS14-052   2014-4087   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808760
MS14-052   2014-4088   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808761
MS14-052   2014-4089   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808762
MS14-052   2014-4092   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808763
MS14-052   2014-4094   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808764
MS14-052   2014-4095   Internet Explorer Memory Corruption Vulnerability   Exploit Code Likely  2808765

The post September 2014 Microsoft Patch Tuesday Coverage appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/09/2014

[***] Summary: [***]

4 new Open signatures, 27 new Pro (4+23). MS Patch Tuesday, Various Android, Win32.Yakes.

Thanks: Kevin Ross

Check out our Microsoft Patch Tuesday coverage details here:

http://emergingthreats.net/september-2014-microsoft-patch-tuesday-coverage/

[+++] Added rules: [+++]

Open:

2019142 – ET TROJAN Win32/Frosparf.B Downloading Hosts File (trojan.rules)
2019143 – ET MALWARE PUP Win32.SoftPulse Retrieving data (malware.rules)
2019144 – ET MALWARE MAC/Conduit Component Download (malware.rules)
2019145 – ET MALWARE W32/Stan Malvertising.Dropper CnC Beacon (malware.rules)

Pro:

2808755 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-2799 (web_client.rules)
2808756 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4065 (web_client.rules)
2808757 – ETPRO WEB_CLIENT Possible Internet Explorer Remote Code Execution CVE-2014-4080 (web_client.rules)
2808758 – ETPRO WEB_CLIENT Possible Internet Explorer Remote Code Execution CVE-2014-4081 (web_client.rules)
2808759 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4084 (web_client.rules)
2808760 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4087 (web_client.rules)
2808761 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4088 (web_client.rules)
2808762 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4089 (web_client.rules)
2808763 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4092 (web_client.rules)
2808764 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4094 (web_client.rules)
2808765 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4095 (web_client.rules)
2808766 – ETPRO TROJAN Win32.Black.cvdvox Checkin (trojan.rules)
2808767 – ETPRO TROJAN Win32.Yakes.fpbx C2 Beacon (INBOUND) (trojan.rules)
2808768 – ETPRO TROJAN Win32.Yakes.fpbx Checkin (trojan.rules)
2808769 – ETPRO TROJAN Backdoor.Win32.Androm Requesting payload 2 (trojan.rules)
2808770 – ETPRO TROJAN Backdoor.Win32.Androm Requesting payload (trojan.rules)
2808771 – ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 6 (mobile_malware.rules)
2808772 – ETPRO TROJAN Win32.Yakes.fudl Checkin (trojan.rules)
2808773 – ETPRO MOBILE_MALWARE Android/Koler.B Checkin (mobile_malware.rules)
2808774 – ETPRO TROJAN Win32.Sasfis Checkin (trojan.rules)
2808775 – ETPRO TROJAN Trojan.MulDrop3.53344 Checkin (trojan.rules)
2808776 – ETPRO TROJAN Win32/ProxyChanger.EO Checkin 2 (trojan.rules)
2808777 – ETPRO MOBILE_MALWARE Android.Svpeng.D Checkin (mobile_malware.rules)
[///] Modified active rules: [///]

2001219 – ET SCAN Potential SSH Scan (scan.rules)
2014726 – ET POLICY Outdated Windows Flash Version IE (policy.rules)
2014727 – ET POLICY Outdated Mac Flash Version (policy.rules)
2017817 – ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 (current_events.rules)
2018998 – ET CURRENT_EVENTS Archie EK Landing Aug 24 2014 (current_events.rules)
2806076 – ETPRO TROJAN Win32/Carberp.A Checkin 3 (trojan.rules)
2808050 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.jgb Checkin (trojan.rules)
2808480 – ETPRO TROJAN Trojan.Win32.Banload.BTVS SQL Checkin (trojan.rules)
2808658 – ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 1 Specific (current_events.rules)
2808717 – ETPRO EXPLOIT Netcore Router Backdoor Usage (exploit.rules)
[---] Disabled and modified rules: [---]

2014618 – ET TROJAN W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel (trojan.rules)
[---] Removed rules: [---]

2403338 – ET CINS Active Threat Intelligence Poor Reputation IP group 39 (ciarmy.rules)
2403339 – ET CINS Active Threat Intelligence Poor Reputation IP group 40 (ciarmy.rules)
2808415 – ETPRO MALWARE PUP Win32.SoftPulse Retrieving data (malware.rules)
2808602 – ETPRO MOBILE_MALWARE Android/Crosate.N Checkin (mobile_malware.rules)

The post Daily Ruleset Update Summary 09/09/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/10/2014

[***] Summary: [***]

11 new Open signatures, 24 new Pro (11+13). Abuse.ch SSL Blacklist, Sweet Orange EK, Crilock.D, Various Android.

Thanks: Kevin Ross, Jake Warren, @abuse_ch, @EKwatcher.

[+++] Added rules: [+++]

Open:

2019146 – ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2 (current_events.rules)
2019147 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019148 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019149 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019150 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019151 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019152 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019153 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019154 – ET CURRENT_EVENTS Sweet Orange EK Java Exploit (current_events.rules)
2019155 – ET TROJAN Possible Zeus GameOver Connectivity Check 2 (trojan.rules)
2019156 – ET MALWARE W32/Kyle Malvertising.Dropper CnC Beacon (malware.rules)
2019157 – ET WEB_SPECIFIC_APPS Webmin Directory Traversal (web_specific_apps.rules)

Pro:

2808778 – ETPRO TROJAN Win32/Malagent!gmb connectivity check (trojan.rules)
2808779 – ETPRO TROJAN Win32.Wemosis.ia Checkin (trojan.rules)
2808780 – ETPRO WEB_SPECIFIC_APPS WordPress config.php in HTTP response (web_specific_apps.rules)
2808781 – ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.AL Checkin (mobile_malware.rules)
2808782 – ETPRO TROJAN Win32/Crilock.D SSL connection (trojan.rules)
2808783 – ETPRO TROJAN Win32/Crilock.D SSL Cert (trojan.rules)
2808784 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Hippo.Q Checkin (mobile_malware.rules)
2808785 – ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.dc Checkin (mobile_malware.rules)
2808786 – ETPRO TROJAN Win32/Pitou.A Checkin (trojan.rules)
2808787 – ETPRO TROJAN SpyEye Checkin version unknown (trojan.rules)
2808788 – ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.fb Checkin (mobile_malware.rules)
2808789 – ETPRO MALWARE AdWare.Win32.EoRezo SSL Cert (malware.rules)
2808790 – ETPRO MOBILE_MALWARE Android/Netisend.A Checkin 2 (mobile_malware.rules)
[///] Modified active rules: [///]

2016450 – ET TROJAN Backdoor.Win32/Likseput.A Checkin (trojan.rules)
2019085 – ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection (exploit.rules)
2803980 – ETPRO TROJAN Backdoor.Win32.Salamdom!IK Checkin 2 (trojan.rules)
2804876 – ETPRO TROJAN Win32/Coswid.A Checkin (trojan.rules)
2807145 – ETPRO TROJAN Backdoor.Win32.Simda.abpn Checkin (trojan.rules)
[---] Disabled and modified rules: [---]

2017005 – ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length (current_events.rules)
2807027 – ETPRO TROJAN Win32/Meredrop Checkin (trojan.rules)
[---] Removed rules: [---]

2008597 – ET SCAN Cisco Torch SNMP Scan (scan.rules)
2014748 – ET CURRENT_EVENTS RedKit Repeated Exploit Request Pattern (current_events.rules)
2015851 – ET CURRENT_EVENTS Georgian Targeted Attack – Client Request (current_events.rules)
2015852 – ET CURRENT_EVENTS Georgian Targeted Attack – Server Response (current_events.rules)
2016405 – ET CURRENT_EVENTS CoolEK – PDF Exploit – Feb 12 2013 (current_events.rules)
2018703 – ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)

The post Daily Ruleset Update Summary 09/10/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/11/2014

[***] Status: [***]

9 new Open signatures, 23 new Pro (9+14). DecebalPOS, JackPOS, Various Android.

Thanks: Kevin Ross.

[+++] Added rules: [+++]

Open:

2019158 – ET TROJAN Possible Malicious Invoice EXE (trojan.rules)
2019159 – ET TROJAN TSPY_POCARDL.U Possible FTP Login (trojan.rules)
2019160 – ET TROJAN DecebalPOS Checkin (trojan.rules)
2019161 – ET TROJAN DecebalPOS User-Agent (trojan.rules)
2019162 – ET TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
2019163 – ET TROJAN JackPOS Checkin (trojan.rules)
2019164 – ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA) (trojan.rules)
2019165 – ET TROJAN Possible Banload Downloading Executable (trojan.rules)
2019166 – ET TROJAN Stobox Connectivity Check (trojan.rules)

Pro:

2808791 – ETPRO TROJAN Win32/Xymne Checkin (trojan.rules)
2808792 – ETPRO TROJAN Win32/FlyAgent variant MYSQL C2 (trojan.rules)
2808793 – ETPRO TROJAN Win32.Androm.cxb Requesting PE (trojan.rules)
2808794 – ETPRO TROJAN Win32.Weelsof.qko Possible Connectivity Check wikipedia.org (trojan.rules)
2808796 – ETPRO TROJAN W32/Magania.IDPJ C2 (trojan.rules)
2808797 – ETPRO TROJAN Trojan-PSW.Reedum FTP password (trojan.rules)
2808798 – ETPRO MOBILE_MALWARE AdWare.AndroidOS.Vidma.a Checkin (mobile_malware.rules)
2808799 – ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.LJ Checkin (mobile_malware.rules)
2808800 – ETPRO TROJAN Win32.Llac.bbeh downloading files (trojan.rules)
2808801 – ETPRO TROJAN Win32.Reconyc Checkin (trojan.rules)
2808802 – ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Zedat.a Checkin (mobile_malware.rules)
2808803 – ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.DB Checkin (mobile_malware.rules)
2808804 – ETPRO TROJAN Win32/Cendelf.gen!A connectivity check (trojan.rules)
[///] Modified active rules: [///]

2001998 – ET MALWARE UCMore Spyware Downloading Ads (malware.rules)
2002763 – ET TROJAN Dumador Reporting User Activity (trojan.rules)
2003058 – ET MALWARE 180solutions (Zango) Spyware Installer Download (malware.rules)
2018912 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2806306 – ETPRO TROJAN Trojan-PSW.Reedum FTP long Port (LPRT) (trojan.rules)
2808760 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4087 (web_client.rules)
2808761 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4088 (web_client.rules)
2808764 – ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4094 (web_client.rules)
The post Daily Ruleset Update Summary 09/11/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/12/2014

[***] Summary: [***]

4 new Open signatures, 9 new Pro (4+5). Tinba, Nuclear EK, Critroni, Cendelf.

Thanks: @kafeine and @malware_traffic

[+++] Added rules: [+++]

2019167 – ET CURRENT_EVENTS Nuclear EK Silverlight URI Struct (current_events.rules)
2019168 – ET TROJAN Tinba Checkin (trojan.rules)
2019169 – ET TROJAN Tinba Server Response (trojan.rules)
2019171 – ET TROJAN DoS.Linux/Elknot.E Checkin (trojan.rules)

Pro:

2808805 – ETPRO TROJAN Win32/Cendelf.gen!A checkin (trojan.rules)
2808806 – ETPRO MOBILE_MALWARE Android/FakeDefender.A Checkin (mobile_malware.rules)
2808807 – ETPRO TROJAN Win32/PSWTool.WebBrowserPassView.B checkin (trojan.rules)
2808808 – ETPRO TROJAN Win32/ChkBot.A Checkin (trojan.rules)
2808809 – ETPRO TROJAN Win32/Critroni Tor DNS Proxy lookup (trojan.rules)
[///] Modified active rules: [///]

2011797 – ET CURRENT_EVENTS Driveby Bredolab – client exploited by acrobat (current_events.rules)
2011906 – ET CURRENT_EVENTS exploit kit x/load/svchost.exe (current_events.rules)
2017667 – ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (current_events.rules)
2808804 – ETPRO TROJAN Win32/Cendelf.gen!A www.163.com connectivity check (trojan.rules)
[---] Disabled and modified rules: [---]

2018594 – ET CURRENT_EVENTS Possible Upatre SSL Cert webhostingpad.com (current_events.rules)
The post Daily Ruleset Update Summary 09/12/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/15/2014

[***] Summary: [***]

6 new Open signatures, 10 new Pro (6+4). Linux.DDoS, SpyEyes.arbc, iOS/AppBuyer.

Thanks: @kafeine
[+++] Added rules: [+++]

Open:

2019172 – ET TROJAN Linux.DDoS Checkin (trojan.rules)
2019173 – ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 15 2014 (current_events.rules)
2019174 – ET MOBILE_MALWARE iOS/AppBuyer Checkin 1 (mobile_malware.rules)
2019175 – ET MOBILE_MALWARE iOS/AppBuyer Checkin 2 (mobile_malware.rules)
2019176 – ET CURRENT_EVENTS Possible Astrum EK URI Struct (current_events.rules)
2019177 – ET TROJAN Linux/AES.DDoS Sending Real/Fake CPU&BW Info (trojan.rules)

Pro:

2808810 – ETPRO TROJAN Win32/LightMoon variant C2 (trojan.rules)
2808811 – ETPRO TROJAN Win32.SpyEyes.arbc Checkin 1 (trojan.rules)
2808812 – ETPRO TROJAN Win32.SpyEyes.arbc Checkin 2 (trojan.rules)
2808814 – ETPRO TROJAN Backdoor.Nitol Checkin Response (trojan.rules)
[///] Modified active rules: [///]

2002997 – ET WEB_SERVER PHP Remote File Inclusion (monster list http) (web_server.rules)
2013328 – ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com (current_events.rules)
2014560 – ET CURRENT_EVENTS Modified Metasploit Jar (current_events.rules)
2014797 – ET CURRENT_EVENTS ZeuS Ransomware win_unlock (current_events.rules)
2014929 – ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip (current_events.rules)
2019130 – ET CURRENT_EVENTS Astrum EK Landing (current_events.rules)
2019131 – ET CURRENT_EVENTS Astrum EK Landing (current_events.rules)
2019168 – ET TROJAN Tinba Checkin (trojan.rules)
2807580 – ETPRO TROJAN Backdoor.Win32/Hupigon.FI Checkin 2 (trojan.rules)
2808397 – ETPRO TROJAN Gozi/Ursnif/Papras Connectivity Check (trojan.rules)
[///] Modified inactive rules: [///]

2008042 – ET TROJAN Hupigon CnC Data Post (variant abb) (trojan.rules)
[---] Disabled and modified rules: [---]

2016801 – ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013 (current_events.rules)
2803129 – ETPRO TROJAN Palevo CnC Response (trojan.rules)
[---] Removed rules: [---]

2008041 – ET TROJAN Hupigon CnC init (variant abb) (trojan.rules)
2808588 – ETPRO TROJAN Linux.DDoS Checkin (trojan.rules)
The post Daily Ruleset Update Summary 09/15/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/16/2014

[***] Summary: [***]

9 new Open signatures, 19 new Pro (9+10). Fiesta EK, Hupigon, Various Android, Dyre SSL certs.

Thanks: tdzmont, Kevin Ross and @MalwareSigs

[+++] Added rules: [+++]

Open:

2019178 – ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014 (current_events.rules)
2019179 – ET TROJAN MSIL/Spy.RapidStealer.B Checkin (trojan.rules)
2019180 – ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M4 (current_events.rules)
2019181 – ET CURRENT_EVENTS Possible Android CVE-2014_6041 (current_events.rules)
2019182 – ET WEB_SERVER HTTP POST Generic eval of base64_decode (web_server.rules)
2019183 – ET CURRENT_EVENTS Fiesta EK Gate (current_events.rules)
2019184 – ET CURRENT_EVENTS Fiesta EK Silverlight Based Redirect (current_events.rules)
2019185 – ET CURRENT_EVENTS Nuclear EK Gate Sep 16 2014 (current_events.rules)
2019186 – ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014 (current_events.rules)

Pro:

2808815 – ETPRO TROJAN Trojan.Rontokbro C2 (trojan.rules)
2808816 – ETPRO TROJAN Win32/Cendelf.gen!A Dropping Files (trojan.rules)
2808817 – ETPRO TROJAN Win32.Chifrax Variant C2 (trojan.rules)
2808818 – ETPRO MALWARE Riskware/EliteKeylogger checkin (malware.rules)
2808819 – ETPRO TROJAN Win32.Hupigon.cbtep Checkin (trojan.rules)
2808820 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.aq Checkin (mobile_malware.rules)
2808821 – ETPRO TROJAN Win32.IRCBot Variant C2 (trojan.rules)
2808822 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin 4 (mobile_malware.rules)
2808823 – ETPRO TROJAN Gozi/Ursnif/Papras SSL Cert (trojan.rules)
2808824 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Stealer.a Checkin 3 (mobile_malware.rules)
[///] Modified active rules: [///]

2017667 – ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (current_events.rules)
2018979 – ET TROJAN Miras C2 Activity (trojan.rules)
2019143 – ET MALWARE PUP Win32.SoftPulse Retrieving data (malware.rules)
2805882 – ETPRO MOBILE_MALWARE Android/JSmsHider.B Checkin (mobile_malware.rules)
2806877 – ETPRO MOBILE_MALWARE Android/TheftSpy.C Checkin (mobile_malware.rules)
2808670 – ETPRO TROJAN POSCARDSTEALER.Q Checkin (trojan.rules)
2808791 – ETPRO TROJAN Win32/Xymne Checkin (trojan.rules)
[---] Disabled and modified rules: [---]

2018171 – ET CURRENT_EVENTS Angler Landing Page Feb 24 2014 (current_events.rules)
[---] Removed rules: [---]

2805319 – ETPRO NETBIOS Microsoft Remote Administration Protocol Windows XP NetServerEnum API Heap Buffer Overflow (netbios.rules)

The post Daily Ruleset Update Summary 09/16/2014 appeared first on Emerging Threats.


Daily Ruleset Update Summary 09/17/2014

[***] Summary: [***]

3 new Open signatures, 18 new Pro (3+15). Nuclear EK CVE-2013-2551, Various Android, HttpFileServer RCE, ALCASAR RCE.

[+++] Added rules: [+++]

Open:

2019187 – ET TROJAN Kuluoz/Asprox CnC Response (trojan.rules)
2019188 – ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 Sept 17 2014 (current_events.rules)
2019189 – ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014 (current_events.rules)

Pro:

2808825 – ETPRO MOBILE_MALWARE Android/Agent.CI!tr Checkin (mobile_malware.rules)
2808826 – ETPRO TROJAN Win32/Regitry Checkin (trojan.rules)
2808827 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.bz Checkin (mobile_malware.rules)
2808828 – ETPRO WEB_SPECIFIC_APPS HttpFileServer 2.3.x Remote Command Execution (web_specific_apps.rules)
2808829 – ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.DO Checkin (mobile_malware.rules)
2808830 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ap Checkin (mobile_malware.rules)
2808831 – ETPRO WEB_SPECIFIC_APPS ALCASAR up to 2.8.1 RCE Vulnerabily being exploited (web_specific_apps.rules)
2808832 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.eg Checkin (mobile_malware.rules)
2808833 – ETPRO POLICY Proxy.pac Download (policy.rules)
2808834 – ETPRO MALWARE Hoax.Win32.ArchSMS.YU Checkin (malware.rules)
2808836 – ETPRO TROJAN suspicious User-Agent (payloadworking) (trojan.rules)
2808837 – ETPRO TROJAN Troj/BadCab CnC (trojan.rules)
2808838 – ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.o Checkin (mobile_malware.rules)
2808839 – ETPRO POLICY WebSocket Session Initiation Request (policy.rules)
2808840 – ETPRO POLICY WebSocket Session Initiation Response (policy.rules)
[///] Modified active rules: [///]

2014435 – ET TROJAN Infostealer.Banprox Proxy.pac Download (trojan.rules)
2017895 – ET TROJAN Kuluoz/Asprox Activity (trojan.rules)
2807621 – ETPRO TROJAN Zegost.Gen CnC (OUTBOUND) (trojan.rules)
2808776 – ETPRO TROJAN Win32/ProxyChanger.EO Checkin 2 (trojan.rules)
The post Daily Ruleset Update Summary 09/17/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/18/2014

[***] Summary: [***]

7 new Open signatures, 14 new Pro (7+7). RIG EK, Nuclear EK, Various Android, Win.Bifrose.agn, Win32.Banload.

Thanks: @malwaresigs and @abuse_ch

[+++] Added rules: [+++]

Open:

2019190 – ET TROJAN Infostealer.Banprox Proxy.pac Download 2 (trojan.rules)
2019191 – ET TROJAN Infostealer.Banprox Proxy.pac Download 3 (trojan.rules)
2019192 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
2019193 – ET CURRENT_EVENTS RIG EK Landing Page Sept 17 2014 (current_events.rules)
2019194 – ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014 (current_events.rules)
2019195 – ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014 (current_events.rules)
2019196 – ET CURRENT_EVENTS Androm SSL Cert Sept 18 2014 (current_events.rules)

Pro:

2808841 – ETPRO MOBILE_MALWARE Android/JSmsHider.A Checkin 2 (mobile_malware.rules)
2808842 – ETPRO MOBILE_MALWARE Android/Agent.FP Checkin (mobile_malware.rules)
2808843 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Checkin 2 (mobile_malware.rules)
2808844 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Response 2 (mobile_malware.rules)
2808845 – ETPRO TROJAN Backdoor.Win32.Bifrose.agn Checkin (trojan.rules)
2808846 – ETPRO TROJAN Win32.Banload Variant Checkin (trojan.rules)
2808847 – ETPRO MALWARE Win32.Chifrax.Wuhc Checkin (malware.rules)
[///] Modified active rules: [///]

2000357 – ET P2P BitTorrent Traffic (p2p.rules)
2010144 – ET P2P Vuze BT UDP Connection (5) (p2p.rules)
2014435 – ET TROJAN Infostealer.Banprox Proxy.pac Download (trojan.rules)
2805446 – ETPRO TROJAN Win32/Recslurp.A Checkin (trojan.rules)
[---] Disabled rules: [---]

2808839 – ETPRO POLICY WebSocket Session Initiation Request (policy.rules)
2808840 – ETPRO POLICY WebSocket Session Initiation Response (policy.rules)
[---] Removed rules: [---]

2011918 – ET TROJAN FAKEAV Gemini – JavaScript Redirection To FakeAV Binary (trojan.rules)

The post Daily Ruleset Update Summary 09/18/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/19/2014

[***] Summary: [***]

5 new Open signatures, 18 new Pro (5+13). NewPosThings, Sefnit.R, TROJANCLICKER.MSIL UFONet DDoS activity.

Thanks: Jake Warren.

[+++] Added rules: [+++]

Open:

2019197 – ET TROJAN NewPosThings Checkin (trojan.rules)
2019198 – ET TROJAN NewPosThings Data Exfiltration (trojan.rules)
2019199 – ET TROJAN NewPosThings POST with Fake UA and Accept Header (trojan.rules)
2019200 – ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 19 2014 (current_events.rules)
2019201 – ET TROJAN Backdoor.Win32/PcClient.AA Checkin (trojan.rules)

Pro:

2808848 – ETPRO TROJAN Win32/Sefnit.R Checkin (trojan.rules)
2808849 – ETPRO TROJAN Win32.CFPass.dcb Checkin (trojan.rules)
2808850 – ETPRO TROJAN Troj/Buzus-CZ checkin (trojan.rules)
2808851 – ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 1 (trojan.rules)
2808852 – ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 2 (trojan.rules)
2808853 – ETPRO TROJAN W32/Banker.GAJ!tr Checkin via SMTP (trojan.rules)
2808854 – ETPRO TROJAN TROJANCLICKER.MSIL/EZBRO.A Checkin (trojan.rules)
2808855 – ETPRO TROJAN TROJANCLICKER.MSIL/EZBRO.A Keep-Alive (trojan.rules)
2808856 – ETPRO WEB_SPECIFIC_APPS Possible UFONet DDoS Participation (web_specific_apps.rules)
2808857 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin 5 (mobile_malware.rules)
2808858 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Response (mobile_malware.rules)
2808859 – ETPRO TROJAN W32/Scribble-B CnC via IRC (trojan.rules)
2808860 – ETPRO TROJAN Win32/Ramnit.A Checkin (trojan.rules)

[///] Modified active rules: [///]

2017505 – ET TROJAN Gh0st Trojan CnC 2 (trojan.rules)
2806414 – ETPRO TROJAN FakeAV-BT Checkin (trojan.rules)
2808721 – ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 2 (mobile_malware.rules)

The post Daily Ruleset Update Summary 09/19/2014 appeared first on Emerging Threats.
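The changelog format these posts use is regular enough to parse, which is useful when you want to audit what a daily update actually changed (and whether the counts in the Summary block match the rules listed) before pushing it to sensors. The following is an added example, not code from Emerging Threats or from the post: a small Python parser for the summary format, fed the 09/19/2014 post above as its sample input, that extracts each rule's SID, ruleset (ET vs ETPRO), category and rules file, and cross-checks the listed rules against the claimed counts. The Pro figure includes the Open rules, which is what the "(5+13)" form in the posts expresses. All function, class and variable names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not code from the Emerging Threats post or the ET ruleset:
# a parser for the plain-text changelog format of the daily update summaries.
SECTION_RE = re.compile(r"^\[(?:\+\+\+|///|---|\*\*\*)\]\s*(.+?):\s*\[(?:\+\+\+|///|---|\*\*\*)\]$")
# "<sid> – ET|ETPRO <CATEGORY> <message> (<file>.rules)"; the posts use an en dash
RULE_RE = re.compile(r"^(\d+)\s+[–—-]\s+(ET(?:PRO)?)\s+(\S+)\s+(.*?)\s+\(([\w.]+\.rules)\)$")
SUMMARY_RE = re.compile(r"(\d+)\s+new\s+Open\s+(?:signatures|rules),\s*(\d+)\s+new\s+Pro")

@dataclass
class Rule:
    sid: int
    ruleset: str    # "ET" (Open) or "ETPRO" (Pro-only)
    category: str   # TROJAN, CURRENT_EVENTS, MOBILE_MALWARE, ...
    msg: str
    file: str
    section: str    # "Added rules", "Modified active rules", "Disabled rules", "Removed rules"

def parse_update(text: str) -> Tuple[Optional[Tuple[int, int]], List[Rule]]:
    """Return (claimed (open, pro) counts from the Summary block, parsed rule lines)."""
    claimed, rules, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
            continue
        if section == "Summary":
            if claimed is None and (m := SUMMARY_RE.search(line)):
                claimed = (int(m.group(1)), int(m.group(2)))
            continue                      # "Thanks: ..." and similar lines are skipped
        if section and (m := RULE_RE.match(line)):
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5), section))
    return claimed, rules

def added_counts(rules: List[Rule]) -> Tuple[int, int]:
    """(Open, Pro) for the Added section; Pro subscribers get the Open rules too, hence Pro = open + pro-only."""
    added = [r for r in rules if r.section == "Added rules"]
    open_n = sum(1 for r in added if r.ruleset == "ET")
    return open_n, len(added)

def summary_matches(text: str) -> bool:
    """True when the rules actually listed agree with the counts the post claims."""
    claimed, rules = parse_update(text)
    return claimed is not None and added_counts(rules) == claimed

def by_category(rules: List[Rule], section: str = "Added rules") -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in rules:
        if r.section == section:
            counts[r.category] = counts.get(r.category, 0) + 1
    return counts

# Constructed sample: the text of the 09/19/2014 post above.
SAMPLE = """\
[***] Summary: [***]

5 new Open signatures, 18 new Pro (5+13). NewPosThings, Sefnit.R, TROJANCLICKER.MSIL, UFONet DDoS activity.
Thanks: Jake Warren.

[+++] Added rules: [+++]
Open:
2019197 – ET TROJAN NewPosThings Checkin (trojan.rules)
2019198 – ET TROJAN NewPosThings Data Exfiltration (trojan.rules)
2019199 – ET TROJAN NewPosThings POST with Fake UA and Accept Header (trojan.rules)
2019200 – ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 19 2014 (current_events.rules)
2019201 – ET TROJAN Backdoor.Win32/PcClient.AA Checkin (trojan.rules)

Pro:
2808848 – ETPRO TROJAN Win32/Sefnit.R Checkin (trojan.rules)
2808849 – ETPRO TROJAN Win32.CFPass.dcb Checkin (trojan.rules)
2808850 – ETPRO TROJAN Troj/Buzus-CZ checkin (trojan.rules)
2808851 – ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 1 (trojan.rules)
2808852 – ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 2 (trojan.rules)
2808853 – ETPRO TROJAN W32/Banker.GAJ!tr Checkin via SMTP (trojan.rules)
2808854 – ETPRO TROJAN TROJANCLICKER.MSIL/EZBRO.A Checkin (trojan.rules)
2808855 – ETPRO TROJAN TROJANCLICKER.MSIL/EZBRO.A Keep-Alive (trojan.rules)
2808856 – ETPRO WEB_SPECIFIC_APPS Possible UFONet DDoS Participation (web_specific_apps.rules)
2808857 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin 5 (mobile_malware.rules)
2808858 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Response (mobile_malware.rules)
2808859 – ETPRO TROJAN W32/Scribble-B CnC via IRC (trojan.rules)
2808860 – ETPRO TROJAN Win32/Ramnit.A Checkin (trojan.rules)
[///] Modified active rules: [///]

2017505 – ET TROJAN Gh0st Trojan CnC 2 (trojan.rules)
2806414 – ETPRO TROJAN FakeAV-BT Checkin (trojan.rules)
2808721 – ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 2 (mobile_malware.rules)
"""

if __name__ == "__main__":
    claimed, rules = parse_update(SAMPLE)
    print("claimed", claimed, "listed", added_counts(rules), "ok", summary_matches(SAMPLE))
    print(by_category(rules))
```

The same parser applied to the Modified and Removed sections gives you the SIDs to re-test in your own tuning (a modified rule can change its false-positive profile; a removed Open SID re-added under a new number, as with the PcClient.bal rules in the 09/22 post, is worth mapping so suppressions and thresholds keyed on the old SID are carried over).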

Daily Ruleset Update Summary 09/22/2014


[***] Summary: [***]

12 new Open signatures, 20 new Pro (12+8). Linux/BillGates, Various Android, Nuclear EK.

Thanks: @MalwareMustDie and @abuse_ch

[+++] Added rules: [+++]

Open:

2019202 – ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2 (trojan.rules)
2019203 – ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (trojan.rules)
2019204 – ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
2019205 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019206 – ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
2019207 – ET TROJAN Linux/BillGates Checkin (trojan.rules)
2019208 – ET TROJAN Linux/BillGates Checkin Response (trojan.rules)
2019209 – ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF Struct (no alert) (current_events.rules)
2019210 – ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF (current_events.rules)
2019211 – ET TROJAN Win32/Badur.igh Checkin 2 (trojan.rules)
2019212 – ET TROJAN Bossabot DDoS tool RFI attempt (trojan.rules)
2019213 – ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 22 2014 (current_events.rules)

Pro:

2808861 – ETPRO TROJAN Likely Win32/Spy.Zbot.AAQ .onion Proxy DNS lookup (trojan.rules)
2808862 – ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 4 (mobile_malware.rules)
2808863 – ETPRO TROJAN TROJAN Win32/Seey.A Checkin (trojan.rules)
2808864 – ETPRO MOBILE_MALWARE Android/InfoStealer.BL Checkin via SMTP (mobile_malware.rules)
2808865 – ETPRO TROJAN TROJAN Win32/Seey.A User-Agent (trojan.rules)
2808866 – ETPRO TROJAN TROJAN Win32/Seey.A Checkin 2 (trojan.rules)
2808867 – ETPRO WEB_CLIENT Possible Adobe Reader CVE-2014-0567 (web_client.rules)
2808868 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 10 (mobile_malware.rules)

[///] Modified active rules: [///]

2019134 – ET CURRENT_EVENTS Flashpack Redirect Method 2 (current_events.rules)
2019172 – ET TROJAN Linux.DDoS Checkin (trojan.rules)
2019177 – ET TROJAN Linux/AES.DDoS Sending Real/Fake CPU&BW Info (trojan.rules)
2019185 – ET CURRENT_EVENTS Nuclear EK Gate Sep 16 2014 (current_events.rules)
2807357 – ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.SD Checkin (mobile_malware.rules)
2808659 – ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 2 Specific (current_events.rules)
2808843 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Checkin 2 (mobile_malware.rules)
2808844 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Response 2 (mobile_malware.rules)

[---] Removed rules: [---]

2403321 – ET CINS Active Threat Intelligence Poor Reputation IP group 22 (ciarmy.rules)
2405062 – ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (botcc.portgrouped.rules)
2803491 – ETPRO TROJAN Suspicious HTTP STOP Return – Trojan.Win32.FakeAV.cfty or Related Controller (trojan.rules)
2807626 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
2807683 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2 (trojan.rules)
2807710 – ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (trojan.rules)

The post Daily Ruleset Update Summary 09/22/2014 appeared first on Emerging Threats.

Daily Ruleset Update Summary 09/23/2014


[***] Summary: [***]

12 new Open rules, 22 new Pro (12+10). NjRAT, Angler EK, Various Android, Cryptolocker C2.

Thanks: Patrick Olsen, Kevin Ross, @kafeine and @abuse_ch

[+++] Added rules: [+++]

Open:

2019214 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) (trojan.rules)
2019215 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Microphone) (trojan.rules)
2019216 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Message) (trojan.rules)
2019217 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Shell) (trojan.rules)
2019218 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Services Listing) (trojan.rules)
2019219 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Registry Listing) (trojan.rules)
2019220 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Process Listing) (trojan.rules)
2019221 – ET TROJAN njrat ver 0.7d Malware CnC Callback (File Manager Actions) (trojan.rules)
2019222 – ET TROJAN njrat ver 0.7d Malware CnC Callback (Keylogging) (trojan.rules)
2019223 – ET TROJAN njrat ver 0.7d Malware CnC Callback (trojan.rules)
2019224 – ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (current_events.rules)
2019225 – ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (trojan.rules)

Pro:

2808869 – ETPRO MALWARE Riskware.Chindo Checkin 2 (malware.rules)
2808870 – ETPRO MOBILE_MALWARE Android/MMarketPay.C Checkin (mobile_malware.rules)
2808871 – ETPRO MOBILE_MALWARE Android/MMarketPay.C Checkin 2 (mobile_malware.rules)
2808872 – ETPRO TROJAN Trojan.StoleCert.SPK CnC (trojan.rules)
2808873 – ETPRO TROJAN Win32.Themida Variant CnC (trojan.rules)
2808874 – ETPRO TROJAN Trojan.Win32.Kilva Checkin (trojan.rules)
2808875 – ETPRO TROJAN FakeAV.Malwaredoctor Checkin (trojan.rules)
2808876 – ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.u Checkin 4 (mobile_malware.rules)
2808877 – ETPRO TROJAN Win32/Yeltminky.A Checkin (trojan.rules)
2808878 – ETPRO TROJAN Cryptographic Locker C2 (trojan.rules)

[///] Modified active rules: [///]

2006546 – ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! (scan.rules)
2017430 – ET TROJAN Bladabindi/njrat CnC Command (Keylogger) (trojan.rules)
2017817 – ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 (current_events.rules)
2019074 – ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
2019078 – ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (current_events.rules)
2019146 – ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2 (current_events.rules)
2807427 – ETPRO TROJAN Cryp_Banker14 Checkin (trojan.rules)
2807767 – ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.c Checkin (mobile_malware.rules)
2807768 – ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.c Checkin 2 (mobile_malware.rules)
2808846 – ETPRO TROJAN Win32.Banload Variant Checkin (trojan.rules)
2808859 – ETPRO TROJAN W32/Scribble-B CnC via IRC (trojan.rules)

[---] Removed rules: [---]

2006435 – ET SCAN LibSSH Based SSH Connection – Often used as a BruteForce Tool (scan.rules)
2018689 – ET SCAN LibSSH2 Based SSH Connection – Often used as a BruteForce Tool (scan.rules)
2807913 – ETPRO CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (current_events.rules)

The post Daily Ruleset Update Summary 09/23/2014 appeared first on Emerging Threats.
