[Emerging-Sigs] Daily Ruleset Update Summary 09/092014

rmkml rmkml at yahoo.fr
Wed Sep 10 16:06:02 EDT 2014


Thx Community and @EmergingThreats team,

Could you share a URL with this sig please?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; 
content:"GET"; http_method; content:"/maxpower-static/"; http_uri; fast_pattern:only; content:"templates/"; offset:17; depth:10; http_uri; 
content:!"Referer|3a|"; http_header; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:trojan-activity; 
sid:2019143; rev:2;)

because I am curious about offset/depth.

Regards
@Rmkml


On Tue, 9 Sep 2014, Francis Trudeau wrote:

> [***] Summary: [***]
>
> 4 new Open signatures, 27 new Pro (4+23).  MS Patch Tuesday, Various
> Android, Win32.Yakes.
>
> Thanks:  Kevin Ross
>
> Check out our Microsoft Patch Tuesday coverage details here:
>
> http://emergingthreats.net/september-2014-microsoft-patch-tuesday-coverage/
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2019142 - ET TROJAN Win32/Frosparf.B Downloading Hosts File (trojan.rules)
>  2019143 - ET MALWARE PUP Win32.SoftPulse Retrieving data (malware.rules)
>  2019144 - ET MALWARE MAC/Conduit Component Download (malware.rules)
>  2019145 - ET MALWARE W32/Stan Malvertising.Dropper CnC Beacon (malware.rules)
>
> Pro:
>
>  2808755 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-2799 (web_client.rules)
>  2808756 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4065 (web_client.rules)
>  2808757 - ETPRO WEB_CLIENT Possible Internet Explorer Remote Code
> Execution CVE-2014-4080 (web_client.rules)
>  2808758 - ETPRO WEB_CLIENT Possible Internet Explorer Remote Code
> Execution CVE-2014-4081 (web_client.rules)
>  2808759 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4084 (web_client.rules)
>  2808760 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4087 (web_client.rules)
>  2808761 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4088 (web_client.rules)
>  2808762 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4089 (web_client.rules)
>  2808763 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4092 (web_client.rules)
>  2808764 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4094 (web_client.rules)
>  2808765 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
> CVE-2014-4095 (web_client.rules)
>  2808766 - ETPRO TROJAN Win32.Black.cvdvox Checkin (trojan.rules)
>  2808767 - ETPRO TROJAN Win32.Yakes.fpbx C2 Beacon (INBOUND) (trojan.rules)
>  2808768 - ETPRO TROJAN Win32.Yakes.fpbx Checkin (trojan.rules)
>  2808769 - ETPRO TROJAN Backdoor.Win32.Androm Requesting payload 2
> (trojan.rules)
>  2808770 - ETPRO TROJAN Backdoor.Win32.Androm Requesting payload (trojan.rules)
>  2808771 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 6
> (mobile_malware.rules)
>  2808772 - ETPRO TROJAN Win32.Yakes.fudl Checkin (trojan.rules)
>  2808773 - ETPRO MOBILE_MALWARE Android/Koler.B Checkin (mobile_malware.rules)
>  2808774 - ETPRO TROJAN Win32.Sasfis Checkin (trojan.rules)
>  2808775 - ETPRO TROJAN Trojan.MulDrop3.53344 Checkin (trojan.rules)
>  2808776 - ETPRO TROJAN Win32/ProxyChanger.EO Checkin 2 (trojan.rules)
>  2808777 - ETPRO MOBILE_MALWARE Android.Svpeng.D Checkin (mobile_malware.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2001219 - ET SCAN Potential SSH Scan (scan.rules)
>  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
>  2014727 - ET POLICY Outdated Mac Flash Version (policy.rules)
>  2017817 - ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013
> (current_events.rules)
>  2018998 - ET CURRENT_EVENTS Archie EK Landing Aug 24 2014
> (current_events.rules)
>  2806076 - ETPRO TROJAN Win32/Carberp.A Checkin 3 (trojan.rules)
>  2808050 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.jgb Checkin (trojan.rules)
>  2808480 - ETPRO TROJAN Trojan.Win32.Banload.BTVS SQL Checkin (trojan.rules)
>  2808658 - ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 1
> Specific (current_events.rules)
>  2808717 - ETPRO EXPLOIT Netcore Router Backdoor Usage (exploit.rules)
>
>
> [---]  Disabled and modified rules:  [---]
>
>  2014618 - ET TROJAN W32/Sogu Remote Access Trojan Social Media
> Embedded CnC Channel (trojan.rules)
>
>
> [---]         Removed rules:         [---]
>
>  2403338 - ET CINS Active Threat Intelligence Poor Reputation IP
> group 39 (ciarmy.rules)
>  2403339 - ET CINS Active Threat Intelligence Poor Reputation IP
> group 40 (ciarmy.rules)
>  2808415 - ETPRO MALWARE PUP Win32.SoftPulse Retrieving data (malware.rules)
>  2808602 - ETPRO MOBILE_MALWARE Android/Crosate.N Checkin
> (mobile_malware.rules)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
>
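To see what the offset:17; depth:10 pair does in the sid:2019143 rule quoted at the top of this message, here is an added Python model (not Emerging Threats' code and not a real rule engine) that applies the rule's content options to a few constructed requests; the URIs, hostnames and headers below are made up for the example.

```python
# Constructed sample requests: (method, uri, headers). Host values are placeholders.
SAMPLE_REQUESTS = [
    ("GET", "/maxpower-static/templates/a.dat", {"Host": "host.invalid"}),
    ("GET", "/maxpower-static/templates/a.dat",
     {"Host": "host.invalid", "Referer": "http://host.invalid/"}),
    ("GET", "/cdn/maxpower-static/templates/a.dat", {"Host": "host.invalid"}),
    ("GET", "/maxpower-static/other/a.dat", {"Host": "host.invalid"}),
    ("POST", "/maxpower-static/templates/a.dat", {"Host": "host.invalid"}),
]


def content_match(buf, pattern, offset=0, depth=None):
    """Unanchored content search limited by offset/depth.

    offset: byte index in the buffer where the search starts.
    depth:  how many bytes from that offset are searched (None = to the end).
    Both are absolute positions in the buffer being inspected (here the
    normalized URI), not relative to the previous content match.
    """
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return pattern in window


def sid_2019143_matches(method, uri, headers):
    """Apply the rule's content options to one request (flow check omitted)."""
    uri_buf = uri.encode()
    header_buf = b"".join(f"{k}: {v}\r\n".encode() for k, v in headers.items())
    return (
        content_match(method.encode(), b"GET")             # content:"GET"; http_method;
        and content_match(uri_buf, b"/maxpower-static/")   # anywhere in the URI (fast_pattern)
        # "templates/" is 10 bytes, so offset:17; depth:10 leaves exactly one
        # position: bytes 17..26 of the URI must read "templates/", i.e. it must
        # directly follow a leading "/maxpower-static/" (itself 17 bytes long).
        and content_match(uri_buf, b"templates/", offset=17, depth=10)
        and not content_match(header_buf, b"Referer:")     # content:!"Referer|3a|"; http_header;
    )


def evaluate_samples():
    """Return one verdict per constructed request, in SAMPLE_REQUESTS order."""
    return [sid_2019143_matches(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, uri, _hdrs), hit in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{'ALERT   ' if hit else 'no match'} {method} {uri}")
```

Only the first sample fires: a Referer header, a URI prefix before "/maxpower-static/", a different directory at byte 17, or a non-GET method each defeats one of the rule's conditions.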

