[Emerging-Sigs] Weekly Ruleset Update 12/28/2012

Matt Jonkman jonkman at emergingthreats.net
Fri Dec 28 07:54:44 HAST 2012


38 total new rules this week so far (more coming yet today). All but one
were open rules. Thanks to Stillsecure and the usual list of contributors!
Bad stuff doesn't take the holidays off!

Happy Holidays to all.



[+++]          Added rules:          [+++]

 2016073 - ET CURRENT_EVENTS SofosFO - possible second stage landing page (current_events.rules)
 2016074 - ET TROJAN User-Agent seen with confirmed C&C check-in (trojan.rules)
 2016075 - ET TROJAN FakeAV Checkin (trojan.rules)
 2016076 - ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2016077 - ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2016078 - ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2016079 - ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2016080 - ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2016081 - ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2016082 - ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt (web_specific_apps.rules)
 2016083 - ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt (web_specific_apps.rules)
 2016084 - ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution (activex.rules)
 2016085 - ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution (activex.rules)
 2016086 - ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt (web_specific_apps.rules)
 2016087 - ET CURRENT_EVENTS TROJAN Unk_Banker - Check In (current_events.rules)
 2016088 - ET TROJAN SmokeLoader - Init 0x (trojan.rules)
 2016089 - ET TROJAN FakeAV checkin (trojan.rules)
 2016090 - ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q= (current_events.rules)
 2016091 - ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64 (current_events.rules)
 2016092 - ET CURRENT_EVENTS pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php (current_events.rules)
 2016093 - ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload (current_events.rules)
 2016094 - ET MOBILE_MALWARE Android/Updtkiller Sending Device Information (mobile_malware.rules)
 2016095 - ET TROJAN W32/Dexter Infostealer CnC POST (trojan.rules)
 2016096 - ET TROJAN W32/Stabuniq CnC POST (trojan.rules)
 2016097 - ET TROJAN Unknown - Loader - Check .exe Updated (trojan.rules)
 2016098 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound (current_events.rules)
 2016099 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound (current_events.rules)
 2016100 - ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory (web_specific_apps.rules)
 2016101 - ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24 (trojan.rules)
 2016102 - ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24 (trojan.rules)
 2016103 - ET TROJAN DNS Reply Sinkhole - Microsoft - 207.46.90.0/24 (trojan.rules)
 2016104 - ET TROJAN DNS Reply Sinkhole - Google - 1.1.1.0/24 (trojan.rules)
 2016105 - ET TROJAN DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32 (trojan.rules)
 2016106 - ET CURRENT_EVENTS Unknown EK Landing Page (current_events.rules)
 2016107 - ET CURRENT_EVENTS Unknown EK Requesting Jar (current_events.rules)
 2016108 - ET CURRENT_EVENTS Unknown EK Requesting PDF (current_events.rules)
 2016109 - ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability (web_specific_apps.rules)

 2805857 - ETPRO TROJAN Virus.Win32.Virut.a Proxy Registration 2 (trojan.rules)


[///]     Modified active rules:     [///]

 2016070 - ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing (current_events.rules)
 2016071 - ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request (current_events.rules)
 2016072 - ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request (current_events.rules)

 2805761 - ETPRO TROJAN Trojan-Ransom.Win32.Foreign.vcs Checkin (trojan.rules)


[---]         Removed rules:         [---]

 2001508 - ET MALWARE Medialoads.com Spyware Reporting (download.cgi) (malware.rules)
 2804588 - ETPRO POLICY HTTP Get on port 53 DNS (policy.rules)
 2805808 - ETPRO TROJAN Trojan.Win32.Jorik.Agent.cqn Checkin (trojan.rules)
 2805850 - ETPRO MALWARE Mail.ru Downloader Checkin 1 (malware.rules)
 2805851 - ETPRO MALWARE Mail.ru Downloader Checkin 2 (malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to drop.rules (2):
        #  VERSION 2361
        #  Generated 2012-12-23 00:05:01 EDT

     -> Added to sid-msg.map (43):
        2001508 || ET DELETED Medialoads.com Spyware Reporting (download.cgi) || url,doc.emergingthreats.net/bin/view/Main/2001508
        2016073 || ET CURRENT_EVENTS SofosFO - possible second stage landing page
        2016074 || ET TROJAN User-Agent seen with confirmed C&C check-in
        2016075 || ET TROJAN FakeAV Checkin || md5,527e115876d0892c9a0ddfc96e852a16
        2016076 || ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html
        2016077 || ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html
        2016078 || ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html
        2016079 || ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/116709/SMF-2.0.2-Local-File-Inclusion.html
        2016080 || ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/115972/WordPress-Cloudsafe365-Local-File-Inclusion.html
        2016081 || ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117067/Zenphoto-1.4.3.2-Cross-Site-Scripting.html
        2016082 || ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt || url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html
        2016083 || ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt || url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html
        2016084 || ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution || url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html
        2016085 || ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution || url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html
        2016086 || ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt || url,seclists.org/bugtraq/2012/Dec/110 || url,securelist.com/en/advisories/51615
        2016087 || ET CURRENT_EVENTS TROJAN Unk_Banker - Check In
        2016088 || ET TROJAN SmokeLoader - Init 0x
        2016089 || ET TROJAN FakeAV checkin || md5,5a864ccfeee9c0c893cfdc35dd8820a6 || md5,dd4d18c07e93c34d082dab57a38f1b86
        2016090 || ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q=
        2016091 || ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64
        2016092 || ET CURRENT_EVENTS pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php
        2016093 || ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload
        2016094 || ET MOBILE_MALWARE Android/Updtkiller Sending Device Information || url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2
        2016095 || ET TROJAN W32/Dexter Infostealer CnC POST || url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html
        2016096 || ET TROJAN W32/Stabuniq CnC POST || url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers || url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html
        2016097 || ET TROJAN Unknown - Loader - Check .exe Updated
        2016098 || ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound
        2016099 || ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound
        2016100 || ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory || url,seclists.org/fulldisclosure/2012/Dec/242
        2016101 || ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24
        2016102 || ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24
        2016103 || ET TROJAN DNS Reply Sinkhole - Microsoft - 207.46.90.0/24
        2016104 || ET TROJAN DNS Reply Sinkhole - Google - 1.1.1.0/24
        2016105 || ET TROJAN DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32
        2016106 || ET CURRENT_EVENTS Unknown EK Landing Page
        2016107 || ET CURRENT_EVENTS Unknown EK Requesting Jar
        2016108 || ET CURRENT_EVENTS Unknown EK Requesting PDF
        2016109 || ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability || url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php || url,www.securityfocus.com/bid/53787/info
        2804588 || ETPRO DELETED HTTP Get on port 53 DNS
        2805808 || ETPRO DELETED Trojan.Win32.Jorik.Agent.cqn Checkin || md5,66295a57451486b01ec5aae7a48dabbc
        2805850 || ETPRO DELETED Mail.ru Downloader Checkin 1 || url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Mail.ru Downloader/detailed-analysis.aspx || md5,1840acbde5c43d113e96b14ea9d03a34
        2805851 || ETPRO DELETED Mail.ru Downloader Checkin 2 || url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Mail.ru Downloader/detailed-analysis.aspx || md5,1840acbde5c43d113e96b14ea9d03a34
        2805857 || ETPRO TROJAN Virus.Win32.Virut.a Proxy Registration 2 || url,anubis.iseclab.org/?action=result&task_id=1ba603051a07c3984e54bf0433fdcd118 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3AWin32%2FVirut.A || md5,7ac9814825f0a97b5fdafda2dae6ab1c || md5,7b2d8bf4ef145d1b31856143447675fc || md5,7a836a70a4e3bfceab3753cbf77d683f

-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------