[Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 10/5/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 5 10:08:06 EDT 2011


I tried, but we busted it. :)

Pedro is working out a way to fix it, and to do it on multiple platforms... It'll be out today assuming we solve the issue!

Good news is we have about 30 other similar samples in sandnetting, so we have a good base of data to work from. 

Matt


On Oct 5, 2011, at 9:33 AM, Martin Holste wrote:

> I thought you were posting my UDP rule, but I don't see it in here.
> 
> On Wed, Oct 5, 2011 at 12:17 AM, Matthew Jonkman
> <jonkman at emergingthreatspro.com> wrote:
>> 35 new rules total. 13 in the Open ruleset and 20 in Pro.
>> 
>> Enjoy!
>> 
>> We have new SCADA, loads of good stuff today.
>> 
>> [+++]          Added rules:          [+++]
>> 
>>  2013730 - ET SCADA PcVue Activex Control Insecure method (AddPage) (scada.rules)
>>  2013731 - ET SCADA PcVue Activex Control Insecure method (DeletePage) (scada.rules)
>>  2013732 - ET SCADA PcVue Activex Control Insecure method (SaveObject) (scada.rules)
>>  2013733 - ET SCADA PcVue Activex Control Insecure method (LoadObject) (scada.rules)
>>  2013734 - ET SCADA PcVue Activex Control Insecure method (GetExtendedColor) (scada.rules)
>>  2013735 - ET SCADA Sunway ForceControl Activex Control Vulnerability (scada.rules)
>>  2013736 - ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2 (scada.rules)
>>  2013737 - ET TROJAN Suspicious User-Agent (GenericHttp/VER_STR_COMMA) (trojan.rules)
>>  2013738 - ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt (web_specific_apps.rules)
>>  2013740 - ET CURRENT_EVENTS Zeus Variant Post to CnC Server (current_events.rules)
>>  2013741 - ET TROJAN Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin (trojan.rules)
>>  2013742 - ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt (web_client.rules)
>>  2013743 - ET DNS Query for a Suspicious no-ip Dynamic DNS Domain (dns.rules)
>>  2013744 - ET TROJAN HTTP Request to no-ip Dynamic DNS Domain (trojan.rules)
>>  2013745 - ET TROJAN Double HTTP/1.1 Header Likely Hostile Traffic (trojan.rules)
>> 
>> Pro rules:
>> 
>>  2803791 - ETPRO TROJAN Win32/Plingky.A Checkin (trojan.rules)
>>  2803792 - ETPRO TROJAN Trojan.Generic.KDV.367757 Checkin (trojan.rules)
>>  2803793 - ETPRO TROJAN Virus.Win32.CrazyPrier.A Checkin (trojan.rules)
>>  2803794 - ETPRO TROJAN Trojan.Win32.OddJob.A Checkin 3 (trojan.rules)
>>  2803795 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 1 (trojan.rules)
>>  2803796 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 1 (trojan.rules)
>>  2803797 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 2 (trojan.rules)
>>  2803798 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 2 (trojan.rules)
>>  2803799 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP flowbit set 3 (trojan.rules)
>>  2803800 - ETPRO TROJAN Worm.Win32.Ackantta.B via SMTP 3 (trojan.rules)
>>  2803801 - ETPRO ACTIVEX PIPI Player PIPIWebPlayer ActiveX Control Buffer Overflow (activex.rules)
>>  2803802 - ETPRO POLICY PIPIWebPlayer User-Agent (PIPIPlayer) (policy.rules)
>>  2803803 - ETPRO POLICY PIPIWebPlayer User-Agent (jfCacheMgr) (policy.rules)
>>  2803804 - ETPRO POLICY Games Site lava.cn User-Agent (DDVInstall) (policy.rules)
>>  2803805 - ETPRO TROJAN Win32/Hermes.B at mm User-Agent (Hermes) (trojan.rules)
>>  2803806 - ETPRO TROJAN Variant.Buzy.4001 Checkin (trojan.rules)
>>  2803807 - ETPRO TROJAN Win32/Sefnit.O Checkin (trojan.rules)
>>  2803808 - ETPRO TROJAN Worm.Win32/Chiviper.A Checkin (trojan.rules)
>>  2803809 - ETPRO MALWARE Win32/Adware.GabPath.BM User-Agent (Blammi) (malware.rules)
>>  2803810 - ETPRO TROJAN Win32/Unruy.R Checkin (trojan.rules)
>> 
>> 
>> 
>> [///]     Modified active rules:     [///]
>> 
>>  2008049 - ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin (trojan.rules)
>>  2011996 - ET TROJAN Darkness DDoS Bot Checkin (trojan.rules)
>>  2013376 - ET TROJAN W32/Nolja Trojan User-Agent (FileNolja) (trojan.rules)
>> 
>>  2803364 - ETPRO TROJAN Win32/Sefnit.L Checkin (trojan.rules)
>> 
>> 
>> [---]         Removed rules:         [---]
>> 
>> Just renaming:
>>  2801670 - ETPRO TROJAN Backdoor.Win32.Dtd.A Checkin (trojan.rules)
>>  2803162 - ETPRO TROJAN Win32/Sefnit Checkin (trojan.rules)
>> 
>> ----------------------------------------------------
>> Matt Jonkman
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> 
>> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
