[Emerging-Sigs] Weekly Ruleset Update Summary 12/14/2012

Matt Jonkman jonkman at emergingthreats.net
Fri Dec 14 09:14:18 HAST 2012


32 new Open rules, 64 new Pro Subscriber rules. That's 96 new rules this
week and a good number of tweaks.

As always, great thanks to everyone putting rules up in the community, but
especially the Kit sigs. Best coverage anywhere!

Matt


[+++]          Added rules:          [+++]

 2015998 - ET CURRENT_EVENTS CritXPack Landing Pattern (current_events.rules)
 2015999 - ET TROJAN W32/Quarian HTTP Proxy Header (trojan.rules)
 2016000 - ET TROJAN Win32/Necurs (trojan.rules)
 2016001 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (current_events.rules)
 2016002 - ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt (web_specific_apps.rules)
 2016003 - ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt (web_specific_apps.rules)
 2016004 - ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt (web_specific_apps.rules)
 2016005 - ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability (web_specific_apps.rules)
 2016006 - ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability (web_specific_apps.rules)
 2016007 - ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability (web_specific_apps.rules)
 2016008 - ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2016009 - ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2016010 - ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2016011 - ET TROJAN SmokeBot grab data plaintext (trojan.rules)
 2016012 - ET CURRENT_EVENTS CritXPack PDF Request (2) (current_events.rules)
 2016013 - ET CURRENT_EVENTS CritXPack Jar Request (2) (current_events.rules)
 2016014 - ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon (trojan.rules)
 2016015 - ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection (web_specific_apps.rules)
 2016016 - ET CURRENT_EVENTS DNS Amplification Attack Inbound (current_events.rules)
 2016017 - ET CURRENT_EVENTS DNS Amplification Attack Outbound (current_events.rules)
 2016018 - ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit (current_events.rules)
 2016019 - ET TROJAN PWS-Zbot.gen.als Checkin (trojan.rules)
 2016020 - ET CURRENT_EVENTS FakeScan - Landing Page - Title - Microsoft Antivirus 2013 (current_events.rules)
 2016021 - ET CURRENT_EVENTS FakeScan - Payload Download Received (current_events.rules)
 2016022 - ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME (current_events.rules)
 2016023 - ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats (current_events.rules)
 2016024 - ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading (current_events.rules)
 2016025 - ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - /head/head1.html (current_events.rules)
 2016026 - ET CURRENT_EVENTS NuclearPack - Landing Page Received - <applet and 32HexChar.jar (current_events.rules)
 2016027 - ET CURRENT_EVENTS g01pack - Landing Page Received - <applet and 32AlphaNum.jar (current_events.rules)
 2016028 - ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded (exploit.rules)
 2016029 - ET CURRENT_EVENTS Kelihos.K Executable Download DGA (current_events.rules)


ET Pro Subscriber Rules:

 2805773 - ETPRO TROJAN Worm.Win32/Netsky.F@mm spreading via SMTP (trojan.rules)
 2805774 - ETPRO TROJAN Backdoor.Ceckno.A Checkin (1) (trojan.rules)
 2805775 - ETPRO TROJAN Backdoor.Ceckno.A Checkin (2) (trojan.rules)
 2805776 - ETPRO POLICY PowerPack software bundle Downloader.Win32.SwiftCleaner.bd (policy.rules)
 2805777 - ETPRO TROJAN Trojan-Proxy.Win32.Agent.di / TROJ_MSGINA.B Checkin (trojan.rules)
 2805778 - ETPRO TROJAN Win32/AgentBypass.gen!A Checkin (trojan.rules)
 2805779 - ETPRO MOBILE_MALWARE Android/OpFake.A!tr.dial Checkin (mobile_malware.rules)
 2805780 - ETPRO MALWARE AdWare.Win32.KSG.vl Checkin (malware.rules)
 2805781 - ETPRO MOBILE_MALWARE AndroidOS/Kmin.A Checkin (mobile_malware.rules)
 2805782 - ETPRO WEB_CLIENT Microsoft Internet Explorer style object Use After Free (web_client.rules)
 2805783 - ETPRO WEB_CLIENT Win32k TrueType Font Parsing Vulnerability SearchRange (web_client.rules)
 2805784 - ETPRO WEB_CLIENT Win32k TrueType Font Parsing Vulnerability EntrySelector (web_client.rules)
 2805785 - ETPRO WEB_CLIENT Win32k TrueType Font Parsing Vulnerability RangeShift (web_client.rules)
 2805786 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount (web_client.rules)
 2805787 - ETPRO WEB_CLIENT Microsoft WORD .DOC File download CLSID_DirectPlay8Peer (web_client.rules)
 2805788 - ETPRO WEB_CLIENT Microsoft WORD .DOC File download CLSID_DirectPlay8LobbyClient (web_client.rules)
 2805789 - ETPRO WEB_CLIENT Microsoft WORD .DOC File download CLSID_DirectPlay8LobbiedApplication (web_client.rules)
 2805790 - ETPRO WEB_CLIENT Microsoft WORD .DOC File download CLSID_DP8SP_MODEM (web_client.rules)
 2805791 - ETPRO WEB_CLIENT Microsoft WORD .DOC File download CLSID_DP8SP_SERIAL (web_client.rules)
 2805792 - ETPRO WEB_CLIENT Microsoft WORD .DOC File download CLSID_DirectPlay8Client (web_client.rules)
 2805793 - ETPRO WEB_CLIENT Microsoft WORD .DOC File download CLSID_DirectPlay8Address (web_client.rules)
 2805794 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download CLSID_DirectPlay8Peer (web_client.rules)
 2805795 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download CLSID_DirectPlay8LobbyClient (web_client.rules)
 2805796 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download CLSID_DirectPlay8LobbiedApplication (web_client.rules)
 2805797 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download CLSID_DP8SP_MODEM (web_client.rules)
 2805798 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download CLSID_DP8SP_SERIAL (web_client.rules)
 2805799 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download CLSID_DirectPlay8Client (web_client.rules)
 2805800 - ETPRO WEB_CLIENT Microsoft Rich Text File .RTF File download CLSID_DirectPlay8Address (web_client.rules)
 2805801 - ETPRO TROJAN Win32.TrojDownloader.AutoIt.qu Checkin (trojan.rules)
 2805802 - ETPRO POLICY GEOIP info online service (freegeoip.net) (policy.rules)
 2805803 - ETPRO TROJAN Taidoor Checkin 2 (trojan.rules)
 2805804 - ET TROJAN DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org) (trojan.rules)
 2805805 - ETPRO TROJAN Win32.Downloader-RGC Downloading executable (trojan.rules)
 2805807 - ETPRO TROJAN Win32/Comisproc Checkin (trojan.rules)
 2805808 - ETPRO TROJAN Trojan.Win32.Jorik.Agent.cqn Checkin (trojan.rules)
 2805809 - ETPRO TROJAN PWS-Zbot.gen.asb Checkin (trojan.rules)
 2805810 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 1 (mobile_malware.rules)
 2805811 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 2 (mobile_malware.rules)
 2805812 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 3 (mobile_malware.rules)
 2805813 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 4 (mobile_malware.rules)
 2805814 - ETPRO POLICY Internal Host Retrieving External IP via whatismyip.everdot.org - Possible Infection (policy.rules)
 2805815 - ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection (policy.rules)
 2805816 - ETPRO POLICY Internal Host Retrieving External IP via showmyipaddress.com - Possible Infection (policy.rules)
 2805817 - ETPRO MALWARE Adware.Solimba requesting install (malware.rules)
 2805818 - ETPRO MALWARE Adware/W32.KrAdword Checkin (malware.rules)
 2805819 - ETPRO TROJAN W32/Daws.AKWI!tr Checkin (trojan.rules)
 2805820 - ETPRO MOBILE_MALWARE Android/FkToken.A Checkin (mobile_malware.rules)
 2805821 - ETPRO MOBILE_MALWARE Android/Ksapp.A Checkin (mobile_malware.rules)
 2805822 - ETPRO TROJAN Android/Gmaster.A Checkin (trojan.rules)
 2805823 - ETPRO TROJAN Win32/Injector.Autoit.CI Checkin (trojan.rules)
 2805824 - ETPRO TROJAN Mal/FakeSg-B Checkin (trojan.rules)
 2805825 - ETPRO TROJAN Backdoor.Win32.Rbot.kkw Checkin (trojan.rules)
 2805826 - ETPRO MOBILE_MALWARE Android/Adware.AdsWo.A Checkin (mobile_malware.rules)
 2805827 - ETPRO MOBILE_MALWARE Android.Mobigapp / Android/FakeUpdates.A Checkin (mobile_malware.rules)
 2805828 - ETPRO MOBILE_MALWARE Andr/Frogonal-A / Backdoor.AndroidOS.GinMaster.a Checkin (mobile_malware.rules)
 2805829 - ETPRO MOBILE_MALWARE AndroidOS/Anserver.A Checkin (mobile_malware.rules)
 2805830 - ETPRO MOBILE_MALWARE AndroidOS/Spitmo.A Checkin (mobile_malware.rules)
 2805831 - ETPRO MOBILE_MALWARE Android.Rabbhome / Backdoor.AndroidOS.Fjcon.a Checkin (mobile_malware.rules)
 2805832 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.FA / Trojan-SMS.AndroidOS.Opfake.a Checkin (mobile_malware.rules)
 2805833 - ETPRO TROJAN W32/KeyLogger.ACQH!tr Checkin (trojan.rules)
 2805834 - ETPRO TROJAN Win32/Votwup.W / Backdoor.Win32.DarkHole.ly Checkin (trojan.rules)
 2805835 - ETPRO WEB_CLIENT Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow (web_client.rules)
 2805836 - ETPRO TROJAN ponmocup Checkin 1 (trojan.rules)
 2805837 - ETPRO TROJAN ponmocup Checkin 2 (trojan.rules)


[///]     Modified active rules:     [///]

 2011800 - ET POLICY Abnormal User-Agent No space after colon - Likely Hostile (policy.rules)
 2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
 2014727 - ET POLICY Outdated Mac Flash Version (policy.rules)
 2015575 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class (current_events.rules)
 2015815 - ET CURRENT_EVENTS CoolEK Font File Download (32-bit Host) Dec 11 2012 (current_events.rules)
 2015816 - ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host) Dec 11 2012 (current_events.rules)
 2015922 - ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit (current_events.rules)
 2015978 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012 (current_events.rules)


 2803963 - ETPRO TROJAN Worm.Win32.Socks.s Checkin (trojan.rules)

-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------