[Emerging-Sigs] Daily Ruleset Update Summary 12/07/2012

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Dec 7 14:35:21 HAST 2012


[***]          Summary:          [***]

17 new Open rules. 26 new Pro rules (9/17). A few rules disabled for
consolidation of detection logic. 1 moved from Pro to Open.

2015998,2016012-2016013 CritX URL landing and updated detection for PDF/Jar
2015999 Trojan Quarian (This rule will only work if you are running a
proxy)
2016002 - 2016010 Still Secure Weekly WEB_SPECIFIC_APPS rules. Welcome back!
2016011 Smokebot C2

2805773 - 2805781 Daily Pro Trojan/Malware coverage.

[+++]          Added rules:          [+++]

  Open:
  2015998 - ET CURRENT_EVENTS CritXPack Landing Pattern
(current_events.rules)
  2015999 - ET TROJAN W32/Quarian HTTP Proxy Header (trojan.rules)
  2016000 - ET TROJAN Win32/Necurs (trojan.rules)
  2016001 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen
in pamdql and other EKs) (current_events.rules)
  2016002 - ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php
Remote File Inclusion Attempt (web_specific_apps.rules)
  2016003 - ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php
Remote File Inclusion Attempt (web_specific_apps.rules)
  2016004 - ET WEB_SPECIFIC_APPS ViArt Shop Evaluation
previews_functions.php Remote File Inclusion Attempt
(web_specific_apps.rules)
  2016005 - ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File
Inclusion Vulnerability (web_specific_apps.rules)
  2016006 - ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php
Local File Inclusion Vulnerability (web_specific_apps.rules)
  2016007 - ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local
File Inclusion Vulnerability (web_specific_apps.rules)
  2016008 - ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site
Scripting Attempt (web_specific_apps.rules)
  2016009 - ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site
Scripting Attempt (web_specific_apps.rules)
  2016010 - ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site
Scripting Attempt (web_specific_apps.rules)
  2016011 - ET TROJAN SmokeBot grab data plaintext (trojan.rules)
  2016012 - ET CURRENT_EVENTS CritXPack PDF Request (2)
(current_events.rules)
  2016013 - ET CURRENT_EVENTS CritXPack Jar Request (2)
(current_events.rules)
  2016014 - ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon (trojan.rules)


  Pro:
  2805773 - ETPRO TROJAN Worm.Win32/Netsky.F@mm spreading via SMTP
(trojan.rules)
  2805774 - ETPRO TROJAN Backdoor.Ceckno.A Checkin (1) (trojan.rules)
  2805775 - ETPRO TROJAN Backdoor.Ceckno.A Checkin (2) (trojan.rules)
  2805776 - ETPRO POLICY PowerPack software bundle
Downloader.Win32.SwiftCleaner.bd (policy.rules)
  2805777 - ETPRO TROJAN Trojan-Proxy.Win32.Agent.di / TROJ_MSGINA.B
Checkin (trojan.rules)
  2805778 - ETPRO TROJAN Win32/AgentBypass.gen!A Checkin (trojan.rules)
  2805779 - ETPRO MOBILE_MALWARE Android/OpFake.A!tr.dial Checkin
(mobile_malware.rules)
  2805780 - ETPRO MALWARE AdWare.Win32.KSG.vl Checkin (malware.rules)
  2805781 - ETPRO MOBILE_MALWARE AndroidOS/Kmin.A Checkin
(mobile_malware.rules)


 [///]     Modified active rules:     [///]

  2011800 - ET POLICY Abnormal User-Agent No space after colon - Likely
Hostile (policy.rules)
  2015575 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class
(current_events.rules)
  2015922 - ET CURRENT_EVENTS Possible Glazunov Java exploit request
/9-10-/4-5-digit (current_events.rules)


 [---]         Removed rules:         [---]

  2015655 - ET CURRENT_EVENTS 0day JRE 17 exploit Class 1
(current_events.rules)
  2015656 - ET CURRENT_EVENTS 0day JRE 17 exploit Class 2
(current_events.rules)

   [-+-]        Moved from Pro to Open:         [-+-]

  Old:
  2805755 - ETPRO WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command
Injection (web_specific_apps.rules)

  Open:
  2016015 - ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command
Injection (web_specific_apps.rules)
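The check behind 2016001 (a PDF that declares version 1.0 to 1.4 but carries an /XFA entry) reduces to one spec fact: XFA forms entered the PDF specification with version 1.5, so a conforming writer never emits /XFA into an older-versioned file, while exploit-kit generators routinely do. The script below is an added example, not part of this post or of the ET ruleset; it implements that logic on whole files rather than on the wire, and goes slightly beyond the signature by undoing PDF name escapes (/X#46A is /XFA) and by honouring a catalog /Version entry, which the spec allows to raise the header version. The function names and the embedded sample documents are constructed for illustration.

```python
"""Flag PDFs that declare a pre-1.5 version yet reference /XFA.

Added example (not from the original post or the ET ruleset). The only
external fact it relies on is that XFA arrived in PDF 1.5; everything
else (names, sample files) is constructed for this illustration.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int]

# XFA forms were introduced with PDF 1.5 (Acrobat 6). A file claiming an
# older version while referencing /XFA was not written by a conforming tool.
XFA_MIN_VERSION: Version = (1, 5)

HEADER_RE = re.compile(rb"%PDF-(\d)\.(\d)")
# Catalog /Version (PDF 1.4+) may raise, but never lower, the header version.
CATALOG_VERSION_RE = re.compile(rb"/Version\s*/(\d)\.(\d)")
# Name objects may spell any byte as #xx (PDF 1.2+), a cheap obfuscation.
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# /XFA followed by a PDF delimiter or whitespace, so /XFAB does not match.
XFA_RE = re.compile(rb"/XFA(?=[\s()<>\[\]{}/%]|$)")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /X#46A becomes /XFA before matching."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def header_version(data: bytes) -> Optional[Version]:
    """Version from the %PDF-x.y header; readers tolerate junk before it."""
    m = HEADER_RE.search(data[:1024])
    return (int(m.group(1)), int(m.group(2))) if m else None


def effective_version(data: bytes) -> Optional[Version]:
    """Header version, raised by a catalog /Version entry when present."""
    hv = header_version(data)
    if hv is None:
        return None
    m = CATALOG_VERSION_RE.search(data)  # simplification: searched file-wide
    if m:
        cv = (int(m.group(1)), int(m.group(2)))
        return max(hv, cv)
    return hv


def check_pdf(data: bytes) -> Dict[str, object]:
    """Return the declared version, whether /XFA appears, and the verdict."""
    norm = normalize_names(data)
    ver = effective_version(norm)
    xfa = XFA_RE.search(norm) is not None
    return {
        "version": ver,
        "xfa": xfa,
        "spec_violation": ver is not None and xfa and ver < XFA_MIN_VERSION,
    }


# Constructed minimal documents (not real samples), one per case of interest.
SAMPLES: Dict[str, bytes] = {
    "benign_1.7_xfa": (
        b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA [ (template) 2 0 R ] >> >>\n"
        b"endobj\n%%EOF\n"
    ),
    "ek_style_1.4_xfa": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 3 0 R >> >>\nendobj\n%%EOF\n"
    ),
    "obfuscated_1.3_xfa": (
        b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /AcroForm << /X#46A 3 0 R >> >>\nendobj\n%%EOF\n"
    ),
    "legit_1.4_header_catalog_1.6": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Version /1.6 /AcroForm << /XFA 3 0 R >> >>\n"
        b"endobj\n%%EOF\n"
    ),
    "not_a_pdf": b"GIF89a\x01\x00\x01\x00",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:32s} {check_pdf(blob)}")
```

Two caveats carry over to the wire version of this check. A declared version below 1.5 also rules out object streams, so an EK PDF of this shape normally leaves /XFA in cleartext, but a FlateDecode'd content stream is not inspected here. And the catalog /Version handling exists precisely to avoid alerting on a legitimate incremental update that raised the version without rewriting the header.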