[Emerging-Sigs] Daily Ruleset Update Summary 09/11/2014

rmkml rmkml at yahoo.fr
Thu Sep 11 17:53:34 EDT 2014


Thx again Community and @EmergingThreats team,

Does sig 2019166 really use "...&&..." in the URI, please?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stobox Connectivity Check"; \
    flow:established,to_server; \
    content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri; fast_pattern:28,20; \
    content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28; \
    content:!"Accept-Language|3a|"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; \
    content:"|0d 0a 0d 0a|"; \
    threshold: type both, count 5, seconds 300, track by_src; \
    reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:3;)

Regards
@Rmkml


On Thu, 11 Sep 2014, Francis Trudeau wrote:

> [***] Status: [***]
>
> 9 new Open signatures, 23 new Pro (9+14).  DecebalPOS, JackPOS, Various Android.
>
> Thanks:  Kevin Ross.
>
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2019158 - ET TROJAN Possible Malicious Invoice EXE (trojan.rules)
>  2019159 - ET TROJAN TSPY_POCARDL.U Possible FTP Login (trojan.rules)
>  2019160 - ET TROJAN DecebalPOS Checkin (trojan.rules)
>  2019161 - ET TROJAN DecebalPOS User-Agent (trojan.rules)
>  2019162 - ET TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
>  2019163 - ET TROJAN JackPOS Checkin (trojan.rules)
>  2019164 - ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA) (trojan.rules)
>  2019165 - ET TROJAN Possible Banload Downloading Executable (trojan.rules)
>  2019166 - ET TROJAN Stobox Connectivity Check (trojan.rules)
>
> Pro:
>
>  2808791 - ETPRO TROJAN Win32/Xymne Checkin (trojan.rules)
>  2808792 - ETPRO TROJAN Win32/FlyAgent variant MYSQL C2 (trojan.rules)
>  2808793 - ETPRO TROJAN Win32.Androm.cxb Requesting PE (trojan.rules)
>  2808794 - ETPRO TROJAN Win32.Weelsof.qko Possible Connectivity Check wikipedia.org (trojan.rules)
>  2808796 - ETPRO TROJAN W32/Magania.IDPJ C2 (trojan.rules)
>  2808797 - ETPRO TROJAN Trojan-PSW.Reedum FTP password (trojan.rules)
>  2808798 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Vidma.a Checkin (mobile_malware.rules)
>  2808799 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.LJ Checkin (mobile_malware.rules)
>  2808800 - ETPRO TROJAN Win32.Llac.bbeh downloading files (trojan.rules)
>  2808801 - ETPRO TROJAN Win32.Reconyc Checkin (trojan.rules)
>  2808802 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Zedat.a Checkin (mobile_malware.rules)
>  2808803 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.DB Checkin (mobile_malware.rules)
>  2808804 - ETPRO TROJAN Win32/Cendelf.gen!A connectivity check (trojan.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2001998 - ET MALWARE UCMore Spyware Downloading Ads (malware.rules)
>  2002763 - ET TROJAN Dumador Reporting User Activity (trojan.rules)
>  2003058 - ET MALWARE 180solutions (Zango) Spyware Installer Download (malware.rules)
>  2018912 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
>  2806306 - ETPRO TROJAN Trojan-PSW.Reedum FTP long Port (LPRT) (trojan.rules)
>  2808760 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4087 (web_client.rules)
>  2808761 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4088 (web_client.rules)
>  2808764 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4094 (web_client.rules)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
>
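The question raised above about sid 2019166 is whether the literal "&&" in the http_uri content is what the engine will actually require. The following is an added example, not code from Emerging Threats or from either poster: it re-implements only the content semantics the rule uses (http_uri, http_header with depth, negated content, the fast_pattern offset and length) and runs them over constructed HTTP requests, so a reader can see which variants of the check-in match before loading the rule into a sensor. The `threshold` and `flow` keywords are not modelled, and the sample requests are made up for the demonstration.

```python
"""Offline sanity check of the content matches in ET sid 2019166.

Added example for this thread, not code from Emerging Threats or the list post.
It re-implements only the Snort/Suricata content semantics the rule uses
(http_uri, http_header with depth, negated content, fast_pattern offset/length)
so the "&&" question can be answered against constructed requests. The
threshold keyword and flow tracking are deliberately not modelled.
"""

# Match strings copied from the rule as posted.
URI_CONTENT = "/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="
FAST_PATTERN_OFFSET, FAST_PATTERN_LEN = 28, 20      # fast_pattern:28,20
HOST_CONTENT = b"Host: update.microsoft.com\r\n"     # "Host|3a 20|update.microsoft.com|0d 0a|"
HOST_DEPTH = 28                                      # depth:28 on the http_header buffer
NEGATED_HEADERS = (b"Accept-Language:", b"Referer:", b"Cookie:")


def fast_pattern() -> str:
    """Substring the engine uses for prefiltering: 20 bytes starting at offset 28."""
    return URI_CONTENT[FAST_PATTERN_OFFSET:FAST_PATTERN_OFFSET + FAST_PATTERN_LEN]


def split_request(raw: bytes):
    """Return (uri, header_block) from a raw HTTP/1.x request.

    header_block approximates the http_header buffer: every header line after
    the request line, each terminated by CRLF, without the request line and
    without the blank line that ends the headers.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers CRLFCRLF")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    uri = parts[1].decode("ascii", "replace")
    return uri, (headers + b"\r\n") if headers else b""


def matches(raw: bytes) -> bool:
    """Apply the positive and negative content matches of sid 2019166 to one request."""
    try:
        uri, header_block = split_request(raw)
    except ValueError:
        return False
    # content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri;
    if URI_CONTENT not in uri:
        return False
    # content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28;
    # depth counts from the start of the buffer, so with a 28-byte pattern the
    # Host header has to be the very first header line to match.
    if HOST_CONTENT not in header_block[:HOST_DEPTH]:
        return False
    # content:!"Accept-Language|3a|"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|";
    # Simplification: in the rule only the Referer negation carries http_header;
    # the other two run against the whole payload. For a bodiless request the
    # header block is the only place those names realistically appear.
    if any(name in header_block for name in NEGATED_HEADERS):
        return False
    # content:"|0d 0a 0d 0a|" is satisfied by construction once split_request succeeded.
    return True


# Constructed sample traffic (not captured data).
HIT = (b"GET /windowsupdate/v6/thanks.aspx?ln=en&&thankspage=1 HTTP/1.1\r\n"
       b"Host: update.microsoft.com\r\n"
       b"User-Agent: Mozilla/4.0\r\n\r\n")
SINGLE_AMP = HIT.replace(b"&&", b"&")            # a single "&" does not satisfy the http_uri content
WITH_COOKIE = HIT.replace(b"\r\n\r\n", b"\r\nCookie: a=b\r\n\r\n")
HOST_NOT_FIRST = HIT.replace(b"Host: update.microsoft.com\r\nUser-Agent: Mozilla/4.0\r\n",
                             b"User-Agent: Mozilla/4.0\r\nHost: update.microsoft.com\r\n")

if __name__ == "__main__":
    print("fast_pattern:", fast_pattern())
    for name, req in (("hit", HIT), ("single &", SINGLE_AMP),
                      ("cookie", WITH_COOKIE), ("host second", HOST_NOT_FIRST)):
        print(f"{name:12s} -> {matches(req)}")
```

Running the block shows that only the request carrying the literal "&&" matches, that the same check-in with a single "&" is missed, and that `depth:28` quietly pins the Host header to the first position in the header block; whether either of those is intended is exactly what the question to the list is asking the rule author to confirm.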

