[Emerging-Sigs] Daily Ruleset Update Summary 09/11/2014

Darien Huss dhuss at emergingthreats.net
Thu Sep 11 18:02:50 EDT 2014


Those are there on purpose :)
On Sep 11, 2014 5:56 PM, "rmkml" <rmkml at yahoo.fr> wrote:

> Thx again Community and @EmergingThreats team,
>
> Does sig 2019166 really use "...&&..." in the URI?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET TROJAN Stobox Connectivity Check"; flow:established,to_server;
> content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri;
> fast_pattern:28,20; content:"Host|3a 20|update.microsoft.com|0d 0a|";
> http_header; depth:28; content:!"Accept-Language|3a|";
> content:!"Referer|3a|"; http_header; content:!"Cookie|3a|";
> content:"|0d 0a 0d 0a|"; threshold: type both, count 5, seconds 300,
> track by_src; reference:md5,aba20c8289b37b10d42979730674a2ca;
> classtype:trojan-activity; sid:2019166; rev:3;)
>
> Regards
> @Rmkml
>
>
> On Thu, 11 Sep 2014, Francis Trudeau wrote:
>
>>  [***] Status: [***]
>>
>> 9 new Open signatures, 23 new Pro (9+14).  DecebalPOS, JackPOS, Various
>> Android.
>>
>> Thanks:  Kevin Ross.
>>
>>
>> [+++]          Added rules:          [+++]
>>
>> Open:
>>
>>  2019158 - ET TROJAN Possible Malicious Invoice EXE (trojan.rules)
>>  2019159 - ET TROJAN TSPY_POCARDL.U Possible FTP Login (trojan.rules)
>>  2019160 - ET TROJAN DecebalPOS Checkin (trojan.rules)
>>  2019161 - ET TROJAN DecebalPOS User-Agent (trojan.rules)
>>  2019162 - ET TROJAN Win.Trojan.Chewbacca connectivity check
>> (trojan.rules)
>>  2019163 - ET TROJAN JackPOS Checkin (trojan.rules)
>>  2019164 - ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA)
>> (trojan.rules)
>>  2019165 - ET TROJAN Possible Banload Downloading Executable
>> (trojan.rules)
>>  2019166 - ET TROJAN Stobox Connectivity Check (trojan.rules)
>>
>> Pro:
>>
>>  2808791 - ETPRO TROJAN Win32/Xymne Checkin (trojan.rules)
>>  2808792 - ETPRO TROJAN Win32/FlyAgent variant MYSQL C2 (trojan.rules)
>>  2808793 - ETPRO TROJAN Win32.Androm.cxb Requesting PE (trojan.rules)
>>  2808794 - ETPRO TROJAN Win32.Weelsof.qko Possible Connectivity Check
>> wikipedia.org (trojan.rules)
>>  2808796 - ETPRO TROJAN W32/Magania.IDPJ C2 (trojan.rules)
>>  2808797 - ETPRO TROJAN Trojan-PSW.Reedum FTP password (trojan.rules)
>>  2808798 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Vidma.a Checkin
>> (mobile_malware.rules)
>>  2808799 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.LJ Checkin
>> (mobile_malware.rules)
>>  2808800 - ETPRO TROJAN Win32.Llac.bbeh downloading files (trojan.rules)
>>  2808801 - ETPRO TROJAN Win32.Reconyc Checkin (trojan.rules)
>>  2808802 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Zedat.a Checkin
>> (mobile_malware.rules)
>>  2808803 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.DB Checkin
>> (mobile_malware.rules)
>>  2808804 - ETPRO TROJAN Win32/Cendelf.gen!A connectivity check
>> (trojan.rules)
>>
>>
>> [///]     Modified active rules:     [///]
>>
>>  2001998 - ET MALWARE UCMore Spyware Downloading Ads (malware.rules)
>>  2002763 - ET TROJAN Dumador Reporting User Activity (trojan.rules)
>>  2003058 - ET MALWARE 180solutions (Zango) Spyware Installer Download
>> (malware.rules)
>>  2018912 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
>> detected (KINS C2) (trojan.rules)
>>  2806306 - ETPRO TROJAN Trojan-PSW.Reedum FTP long Port (LPRT)
>> (trojan.rules)
>>  2808760 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
>> CVE-2014-4087 (web_client.rules)
>>  2808761 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
>> CVE-2014-4088 (web_client.rules)
>>  2808764 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
>> CVE-2014-4094 (web_client.rules)
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>
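To make the point of the exchange concrete, here is an added example (not part of the list post or the Emerging Threats ruleset) that re-implements the content logic of sid 2019166 in Python and runs it over two constructed requests: one carrying the malware's literal "&&" and one with an ordinary single "&". It also shows that fast_pattern:28,20 selects the 20-byte slice that contains the "&&", and models the rule's "threshold: type both" as a per-source counter. Negated contents are checked against the whole request rather than per Snort buffer; that is a simplification of this example.

```python
from collections import defaultdict

# Literal content matches taken from ET sid 2019166 as quoted in the thread.
URI_CONTENT = "/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="
FAST_PATTERN = URI_CONTENT[28:28 + 20]      # fast_pattern:28,20 -> 20 bytes, includes the "&&"
HOST_HEADER = "Host: update.microsoft.com\r\n"  # exactly 28 bytes, so depth:28 means "first header"
NEGATED = ("Accept-Language:", "Referer:", "Cookie:")

def split_request(raw: bytes):
    """Approximate Snort's http_uri and http_header buffers for one request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    fields = request_line.split(b" ")
    uri = fields[1].decode("latin-1") if len(fields) > 1 else ""
    return uri, headers.decode("latin-1") + "\r\n"

def matches_2019166(raw: bytes) -> bool:
    """Content logic of the rule (simplified: negated contents are tested on the whole request)."""
    uri, headers = split_request(raw)
    if URI_CONTENT not in uri:                   # content:"/windowsupdate/...&&thankspage="; http_uri
        return False
    if HOST_HEADER not in headers[:28]:          # content:"Host|3a 20|update.microsoft.com|0d 0a|"; depth:28
        return False
    text = raw.decode("latin-1")
    if any(h in text for h in NEGATED):          # content:!"Accept-Language|3a|", !"Referer|3a|", !"Cookie|3a|"
        return False
    return "\r\n\r\n" in text                    # content:"|0d 0a 0d 0a|" (end of headers present)

class ThresholdBoth:
    """threshold: type both, count 5, seconds 300, track by_src"""
    def __init__(self, count: int = 5, seconds: int = 300):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: (None, 0))   # src -> (window_start, hits)
    def alert(self, src: str, now: float) -> bool:
        start, hits = self.state[src]
        if start is None or now - start >= self.seconds:
            start, hits = now, 0                  # open a new 300 s window
        hits += 1
        self.state[src] = (start, hits)
        return hits == self.count                 # fire once per window, on the 5th match

# Constructed sample requests (not captured traffic).
SAMPLE_BEACON = (b"GET /windowsupdate/v6/thanks.aspx?ln=en&&thankspage=1 HTTP/1.1\r\n"
                 b"Host: update.microsoft.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n")
SAMPLE_BROWSER = (b"GET /windowsupdate/v6/thanks.aspx?ln=en&thankspage=1 HTTP/1.1\r\n"
                  b"Host: update.microsoft.com\r\nAccept-Language: en-US\r\n\r\n")
```

A URI with a single "&" never reaches the fast-pattern match, which is why the doubled "&&" in the rule is deliberate rather than a typo.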