[Emerging-Sigs] Daily Ruleset Update Summary 10/19/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 19 18:49:56 EDT 2011


We've got a lot of changes today, and 36 new rules: 12 of those are open, 24 are Pro subscriber rules.


[+++]          Added rules:          [+++]

 2010234 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1 (current_events.rules)
 2010235 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2 (current_events.rules)
 2010236 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3 (current_events.rules)
 2010237 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4 (current_events.rules)
 2010238 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5 (current_events.rules)
 2010239 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6 (current_events.rules)
 2013778 - ET SCAN NMAP SQL Spider Scan (scan.rules)
 2013779 - ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX) (scan.rules)
 2013780 - ET TROJAN Suspicious HTTP Request for gift.exe (trojan.rules)
 2013781 - ET TROJAN Win32.Scar.dvov Searchstar.co.kr related Checkin (trojan.rules)

The new Stux-like strain; more on these coming soon. We've done two versions, one specific and one matching just the UA:
 2013782 - ET TROJAN W32.Duqu User-Agent (trojan.rules)
 2013783 - ET TROJAN W32.Duqu UA and Filename Requested (trojan.rules)


The Pro Subscriber rules:

 2803790 - ETPRO MALWARE Win32/Gabpath User-Agent (FPUpdater) (malware.rules)
 2803867 - ETPRO MALWARE Adware/Win32.MediaGet Install (malware.rules)
 2803868 - ETPRO TROJAN Suspicious User-Agent string containing {[ (trojan.rules)
 2803869 - ETPRO TROJAN Rootkit.ZAccess.cj Checkin (trojan.rules)
 2803870 - ETPRO MALWARE Adware/Win32.Gamevance.hfco Install (malware.rules)
 2803871 - ETPRO TROJAN Win32/Chir.B@mm User-Agent (KPeerUpdater) (trojan.rules)
 2803872 - ETPRO MALWARE AdWare.Win32.Gabpath User-Agent (OCInstaller) (malware.rules)
 2803873 - ETPRO MALWARE AdWare.Win32.Gabpath User-Agent (Oncues) (malware.rules)
 2803874 - ETPRO MALWARE Win32/Adware.Gamevance.BE Checkin (malware.rules)
 2803875 - ETPRO TROJAN Win32/Agent.KA Checkin (trojan.rules)
 2803876 - ETPRO TROJAN Win32/Chir.B@mm (trojan.rules)
 2803877 - ETPRO TROJAN Win32/Delfsnif.DU Checkin (trojan.rules)
 2803878 - ETPRO TROJAN Win32/Pameseg.AA Checkin (trojan.rules)
 2803879 - ETPRO TROJAN Trj/CI.A Checkin (trojan.rules)
 2803880 - ETPRO TROJAN Win32/Sality.AT Checkin (trojan.rules)
 2803881 - ETPRO TROJAN Worm.AutoIt/Renocide.gen!C Checkin (trojan.rules)
 2803882 - ETPRO POLICY DynDNS IP Check Response (policy.rules)
 2803883 - ETPRO TROJAN Win32/Emold.C Checkin (trojan.rules)
 2803884 - ETPRO TROJAN Trojan.Win32.Scar.evwl Checkin (trojan.rules)
 2803885 - ETPRO TROJAN Win32/Calelk.C User-Agent (Informer) (trojan.rules)
 2803886 - ETPRO TROJAN Win32/Dogrobot.G Checkin (trojan.rules)
 2803887 - ETPRO TROJAN Win32/Vake.A Checkin (trojan.rules)
 2803888 - ETPRO TROJAN TrojanDownloader.Win32/Adload.CX Checkin (trojan.rules)
 2803889 - ETPRO MALWARE Adware/Win32.MediaGet User-Agent (mediaget) (malware.rules)


[///]     Modified active rules:     [///]

Performance tweaks here, mostly Suricata only:
 2000026 - ET USER_AGENTS Gator Agent Traffic (user_agents.rules)
 2001493 - ET USER_AGENTS ISearchTech.com XXXPornToolbar Activity (IST) (user_agents.rules)
 2002803 - ET EXPLOIT BMP with invalid bfOffBits (exploit.rules)
 2003062 - ET USER_AGENTS 180 Solutions (Zango Installer) User Agent (user_agents.rules)
 2003385 - ET USER_AGENTS sgrunt Dialer User Agent (sgrunt) (user_agents.rules)
 2003449 - ET USER_AGENTS Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4) (user_agents.rules)
 2003631 - ET POLICY Centralops.net Probe (policy.rules)
 2008073 - ET TROJAN Suspicious User-Agent (App4) (trojan.rules)
 2008187 - ET SCAN Paros Proxy Scanner Detected (scan.rules)
 2009092 - ET CURRENT_EVENTS New Malware Information Post (current_events.rules)
 2009486 - ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1) (trojan.rules)
 2009516 - ET TROJAN Generic Win32.Autorun HTTP Post (trojan.rules)
 2010087 - ET SCAN Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner (scan.rules)
 2010088 - ET SCAN Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner (scan.rules)
 2010089 - ET SCAN Suspicious User-Agent Containing Security Scan/ner, Likely Scan (scan.rules)
 2010290 - ET TROJAN Clod/Sereki Checkin with C&C (noalert) (trojan.rules)
 2010889 - ET USER_AGENTS Win32.Tdss User Agent Detected (Mozzila) (user_agents.rules)
 2011478 - ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt (exploit.rules)
 2011704 - ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x) (p2p.rules)
 2011768 - ET WEB_SERVER PHP tags in HTTP POST (web_server.rules)
 2011816 - ET TROJAN Zeus POST Request to CnC (trojan.rules)
 2012136 - ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected (trojan.rules)
 2012278 - ET USER_AGENTS Suspicious User-Agent (Our_Agent) (user_agents.rules)
 2012607 - ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE (user_agents.rules)
 2012619 - ET USER_AGENTS Suspicious User-Agent Mozilla/3.0 (user_agents.rules)
 2803567 - ETPRO TROJAN Suspicious User-Agent (LuaSocket) (trojan.rules)
 2803836 - ETPRO TROJAN Win32.Cycbot-MM Checkin (trojan.rules)

Changed to use the Suricata ssh protocol keyword:
 2001984 - ET POLICY SSH session in progress on Unusual Port (policy.rules)
 2006435 - ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool (scan.rules)
 2006546 - ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! (scan.rules)



[///]    Modified inactive rules:    [///]

Added the Suricata ssh protocol keyword:
 2001978 - ET POLICY SSH session in progress on Expected Port (policy.rules)

Performance and http_* tweaks:
 2003749 - ET USER_AGENTS QQHelper related Spyware User-Agent (H) (user_agents.rules)
 2010906 - ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis) (user_agents.rules)
 2012251 - ET MOBILE_MALWARE Google Android Device HTTP Request (mobile_malware.rules)
100000168 - GPL WEB_SERVER Hydra Web Scanner Detected (web_server.rules)


[---]  Disabled and modified rules:  [---]

 2010262 - ET TROJAN WindowsEnterpriseSuite FakeAV Dynamic User-Agent (trojan.rules)
 2011576 - ET TROJAN nte Binary Download Attempt (multiple malware variants served) (trojan.rules)

Added the Suricata ssh protocol keyword:
 2013167 - ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server (exploit.rules)


[---]         Disabled rules:        [---]

Less relevant to most organizations, enable if useful:
 2012689 - ET POLICY LoJack asset recovery/tracking - not malicious (policy.rules)


[---]         Removed rules:         [---]

Deduplications:
 2003432 - ET TROJAN Nukebot related infection - Unique HTTP get request (trojan.rules)
 2003433 - ET TROJAN Nukebot Checkin (trojan.rules)
 2008174 - ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (trojan.rules)
 2008328 - ET TROJAN Banload iLLBrain Trojan Activity (trojan.rules)
 2008600 - ET TROJAN Suspicious User-Agent Detected (Windows+NT) (trojan.rules)
 2008848 - ET TROJAN Worm.Win32.Koobface.C User-Agent (trojan.rules)
 2009837 - ET SCAN OWASP Joomla Vulnerability Scanner Detected (scan.rules)

Obsoleted:
 2011275 - ET POLICY Akamai Redswoosh CLIOnlineManager Connection Detected (policy.rules)
 2800560 - ETPRO POP3 Microsoft Windows Mail and Outlook Express Stat (pop3.rules)
 2800561 - ETPRO POP3 Microsoft Windows Mail and Outlook Express Integer Overflow (pop3.rules)
 2800562 - ETPRO POP3 Microsoft Windows Mail and Outlook Express Integer Overflow 2 (pop3.rules)
 2801923 - ETPRO TROJAN Trojan-Downloader.Win32.Pingbed.B Checkin (trojan.rules)
 2802918 - ETPRO TROJAN Backdoor.Win32.Downbot.A Checkin (trojan.rules)
 2803125 - ETPRO TROJAN Win32.Dofoil.J Checkin 2 (trojan.rules)
 2803173 - ETPRO TROJAN Cycbot Checkin (trojan.rules)
 2803395 - ETPRO DNS Microsoft DNS Server NAPTR Record Sign Extension Memory Corruption 1 (dns.rules)
 2803396 - ETPRO DNS Microsoft DNS Server NAPTR Record Sign Extension Memory Corruption 2 (dns.rules)
 2803397 - ETPRO DNS Microsoft DNS Server NAPTR Record Sign Extension Memory Corruption 3 (dns.rules)
 2803398 - ETPRO DNS Microsoft DNS Server NAPTR Record Sign Extension Memory Corruption 4 (dns.rules)
 2803399 - ETPRO DNS Microsoft DNS Server NAPTR Record Sign Extension Memory Corruption 5 (dns.rules)
 2803400 - ETPRO DNS Microsoft DNS Server NAPTR Record Sign Extension Memory Corruption 6 (dns.rules)
 2803767 - ETPRO TROJAN Backdoor.Cycbot.B Checkin (trojan.rules)
 2803790 - ETPRO TROJAN Win32/Gabpath User-Agent (FPUpdater) (trojan.rules)


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------


