[Emerging-Sigs] Daily Ruleset Update Summary 10/21/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 21 14:47:43 EDT 2011


2 new open rules, one was moved from the pro side. 9 new pro subscriber rules. 

We've made a lot of changes to the IRC rules. Some performance changes and deduplication. Please report any issues!

[+++]          Added rules:          [+++]

 2013789 - ET TROJAN Win32.PEx.C.91139756616 Checkin (trojan.rules)
 2013790 - ET CURRENT_EVENTS Cnzz.cn Related Dropper Checkin (current_events.rules)

The Pro rules:

This first set is an interesting one that uses Google and Yahoo translate services to get their cnc commands indirectly.
 2803897 - ETPRO TROJAN Possible Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Yahoo Translate/Babelfish (trojan.rules)
 2803898 - ETPRO TROJAN Possible Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Yahoo Translate/Babelfish 2 (trojan.rules)
 2803899 - ETPRO TROJAN Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Google Translate (trojan.rules)
 2803900 - ETPRO TROJAN Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Googleusercontent Translate (trojan.rules)
 2803901 - ETPRO TROJAN Sasfis/Atraps.AVWU/AMTU.Proxy Checkin (trojan.rules)

 2803902 - ETPRO TROJAN Win32.Virut.ce Checkin (trojan.rules)
 2803903 - ETPRO TROJAN Win32/DelfInject.W Checkin (trojan.rules)
 2803904 - ETPRO TROJAN Stolen Navsis Corp SSL Cert in Use (trojan.rules)
 2803905 - ETPRO TROJAN Win32/Sefnit.Z Checkin (trojan.rules)


[///]     Modified active rules:     [///]


 2002023 - ET CHAT IRC USER command (chat.rules)
 2002024 - ET CHAT IRC NICK command (chat.rules)
 2002025 - ET CHAT IRC JOIN command (chat.rules)
 2002026 - ET CHAT IRC PRIVMSG command (chat.rules)
 2002027 - ET CHAT IRC PING command (chat.rules)
 2002028 - ET CHAT IRC PONG response (chat.rules)
 2002029 - ET TROJAN IRC Channel topic scan/exploit command (trojan.rules)
 2002030 - ET TROJAN IRC Potential bot scan/exploit command (trojan.rules)
 2002032 - ET TROJAN IRC Potential DDoS command 1 (trojan.rules)
 2002363 - ET TROJAN IRC potential reptile commands (trojan.rules)
 2002384 - ET TROJAN IRC potential bot commands (trojan.rules)
 2002386 - ET TROJAN IRC channel topic misc bot commands (trojan.rules)
 2003132 - ET TROJAN BOT - potential DDoS command (2) (trojan.rules)
 2003302 - ET TROJAN psyBNC IRC Server Connection (trojan.rules)
 2003603 - ET TROJAN W32.Virut.A joining an IRC Channel (trojan.rules)
 2006911 - ET TROJAN perlb0t/w0rmb0t Response 2 (trojan.rules)
 2008123 - ET TROJAN Likely Bot Username in IRC (XP-..) (trojan.rules)
 2008124 - ET TROJAN Likely Bot Nick in IRC (USA +..) (trojan.rules)
 2009171 - ET CURRENT_EVENTS Psyb0t Bot Nick (current_events.rules)
 2011118 - ET USER_AGENTS Suspicious User Agent Maxthon (user_agents.rules)
 2011162 - ET TROJAN IRC Potential bot update/download via ftp command (trojan.rules)
 2013138 - ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity (mobile_malware.rules)
 2013247 - ET TROJAN Ruskill/Palevo KCIK IRC Command (trojan.rules)
 2101639 - GPL CHAT IRC DCC file transfer request (chat.rules)
 2101640 - GPL CHAT IRC DCC chat request (chat.rules)
 2101729 - GPL CHAT IRC Channel join (chat.rules)
 2402000 - ET DROP Dshield Block Listed Source (dshield.rules)
 2803311 - ETPRO TROJAN Likely Bot Nick in Off Port IRC (trojan.rules)


[///]    Modified inactive rules:    [///]

 2001620 - ET ATTACK_RESPONSE Likely Botnet Activity (attack_response.rules)
 2002031 - ET TROJAN IRC Potential bot update/download via http command (trojan.rules)
 2002033 - ET TROJAN IRC Potential bot command response (trojan.rules)


[---]  Disabled and modified rules:  [---]

 2002385 - ET TROJAN IRC channel topic reptile commands (trojan.rules)


[---]         Disabled rules:        [---]

 2001984 - ET POLICY SSH session in progress on Unusual Port (policy.rules)


[---]         Removed rules:         [---]

 2000345 - ET ATTACK_RESPONSE IRC - Nick change on non-std port (attack_response.rules)
 2000346 - ET ATTACK_RESPONSE IRC - Name response on non-std port (attack_response.rules)
 2000347 - ET ATTACK_RESPONSE IRC - Private message on non-std port (attack_response.rules)
 2000348 - ET ATTACK_RESPONSE IRC - Channel JOIN on non-std port (attack_response.rules)
 2000349 - ET ATTACK_RESPONSE IRC - DCC file transfer request on non-std port (attack_response.rules)
 2000350 - ET ATTACK_RESPONSE IRC - DCC chat request on non-std port (attack_response.rules)
 2000351 - ET ATTACK_RESPONSE IRC - channel join on non-std port (attack_response.rules)
 2000352 - ET ATTACK_RESPONSE IRC - dns request on non-std port (attack_response.rules)
 2006910 - ET TROJAN perlb0t/w0rmb0t Response (Case 1) (trojan.rules)
 2006912 - ET TROJAN perlb0t/w0rmb0t Response (Case 3) (trojan.rules)
 2007621 - ET TROJAN Kaiten IRCbotnet login (trojan.rules)
 2007622 - ET TROJAN Kaiten IRCbotnet Response (trojan.rules)
 2007623 - ET TROJAN Kaiten IRCbotnet Commands (trojan.rules)
 2007624 - ET TROJAN Pitbull IRCbotnet Response (trojan.rules)
 2007625 - ET TROJAN Pitbull IRCbotnet Commands (trojan.rules)
 2007672 - ET TROJAN B0tN3t IRCbotnet (trojan.rules)
 2009172 - ET CURRENT_EVENTS Psyb0t joining an IRC Channel (current_events.rules)
 2010824 - ET TROJAN Torpig Ping-Pong Keepalives Outbound (trojan.rules)
 2010825 - ET TROJAN Torpig Ping-Pong Keepalives Inbound (trojan.rules)
 2013782 - ET TROJAN W32.Duqu User-Agent (trojan.rules)
 2101790 - GPL CHAT IRC dns response (chat.rules)
 2800367 - ETPRO CHAT mIRC PRIVMSG Message Processing Buffer Overflow (chat.rules)
 2801284 - ETPRO TROJAN Backdoor.Win32.Gaertob.F Initial connection to IRC (trojan.rules)
 2801285 - ETPRO TROJAN Backdoor.Win32.Gaertob.F Joining IRC server (trojan.rules)
 2801393 - ETPRO CURRENT_EVENTS Cnzz.cn Related Dropper Checkin (current_events.rules)
 2801623 - ETPRO TROJAN Backdoor.Win32.Dorkbot.A Join IRC channel (trojan.rules)
 2801624 - ETPRO TROJAN Backdoor.Win32.Dorkbot.A IRC Login (trojan.rules)
 2801864 - ETPRO TROJAN Backdoor.Win32.Ircbot.dlrl Checkin (trojan.rules)
 2802909 - ETPRO TROJAN Backdoor.Win32.Dorkbot.B IRC Login (trojan.rules)
 2802910 - ETPRO TROJAN Backdoor.Win32.Dorkbot.B Join IRC channel (trojan.rules)
 2802981 - ETPRO TROJAN Backdoor.Win32.IRCBot.iseee Checkin (trojan.rules)
 2803083 - ETPRO TROJAN Backdoor.Win32.Zombie.sm Joining IRC (trojan.rules)
 2803518 - ETPRO TROJAN Backdoor.Win32.WootBot.A IRC LOGIN (trojan.rules)
 2803519 - ETPRO TROJAN Backdoor.Win32.WootBot.A Joining IRC Channel (trojan.rules)

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------