[Emerging-Sigs] Daily Ruleset Update Summary 09/11/2014

rmkml rmkml at yahoo.fr
Thu Sep 11 18:11:44 EDT 2014


Thx Darien,

Another question: does TROJAN TSPY_POCARDL.U really use "USER user" (two times "user"), please?

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:1;)

Regards
@Rmkml



On Thu, 11 Sep 2014, Darien Huss wrote:

> 
> Those are there on purpose :)
> 
> On Sep 11, 2014 5:56 PM, "rmkml" <rmkml at yahoo.fr> wrote:
>       Thx again Community and @EmergingThreats team,
>
>       Does sig 2019166 really use "...&&..." in the URI, please?
>
>       alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stobox Connectivity Check"; flow:established,to_server; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri; fast_pattern:28,20; content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28; content:!"Accept-Language|3a|"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"|0d 0a 0d 0a|"; threshold: type both, count 5, seconds 300, track by_src; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:3;)
>
>       Regards
>       @Rmkml
> 
>
>       On Thu, 11 Sep 2014, Francis Trudeau wrote:
>
>             [***] Status: [***]
>
>             9 new Open signatures, 23 new Pro (9+14).  DecebalPOS, JackPOS, Various Android.
>
>             Thanks:  Kevin Ross.
> 
>
>             [+++]          Added rules:          [+++]
>
>             Open:
>
>              2019158 - ET TROJAN Possible Malicious Invoice EXE (trojan.rules)
>              2019159 - ET TROJAN TSPY_POCARDL.U Possible FTP Login (trojan.rules)
>              2019160 - ET TROJAN DecebalPOS Checkin (trojan.rules)
>              2019161 - ET TROJAN DecebalPOS User-Agent (trojan.rules)
>              2019162 - ET TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
>              2019163 - ET TROJAN JackPOS Checkin (trojan.rules)
>              2019164 - ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA) (trojan.rules)
>              2019165 - ET TROJAN Possible Banload Downloading Executable (trojan.rules)
>              2019166 - ET TROJAN Stobox Connectivity Check (trojan.rules)
>
>             Pro:
>
>              2808791 - ETPRO TROJAN Win32/Xymne Checkin (trojan.rules)
>              2808792 - ETPRO TROJAN Win32/FlyAgent variant MYSQL C2 (trojan.rules)
>              2808793 - ETPRO TROJAN Win32.Androm.cxb Requesting PE (trojan.rules)
>              2808794 - ETPRO TROJAN Win32.Weelsof.qko Possible Connectivity Check wikipedia.org (trojan.rules)
>              2808796 - ETPRO TROJAN W32/Magania.IDPJ C2 (trojan.rules)
>              2808797 - ETPRO TROJAN Trojan-PSW.Reedum FTP password (trojan.rules)
>              2808798 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Vidma.a Checkin (mobile_malware.rules)
>              2808799 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.LJ Checkin (mobile_malware.rules)
>              2808800 - ETPRO TROJAN Win32.Llac.bbeh downloading files (trojan.rules)
>              2808801 - ETPRO TROJAN Win32.Reconyc Checkin (trojan.rules)
>              2808802 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Zedat.a Checkin (mobile_malware.rules)
>              2808803 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.DB Checkin (mobile_malware.rules)
>              2808804 - ETPRO TROJAN Win32/Cendelf.gen!A connectivity check (trojan.rules)
> 
>
>             [///]     Modified active rules:     [///]
>
>              2001998 - ET MALWARE UCMore Spyware Downloading Ads (malware.rules)
>              2002763 - ET TROJAN Dumador Reporting User Activity (trojan.rules)
>              2003058 - ET MALWARE 180solutions (Zango) Spyware Installer Download (malware.rules)
>              2018912 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
>              2806306 - ETPRO TROJAN Trojan-PSW.Reedum FTP long Port (LPRT) (trojan.rules)
>              2808760 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4087 (web_client.rules)
>              2808761 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4088 (web_client.rules)
>              2808764 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4094 (web_client.rules)
>             _______________________________________________
>             Emerging-sigs mailing list
>             Emerging-sigs at lists.emergingthreats.net
>             https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>             Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
> 
>
> 
> 
>


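The two signatures questioned in this thread, sid 2019159 (TSPY_POCARDL.U FTP login) and sid 2019166 (Stobox connectivity check), reduced to a small offline model so their literals can be exercised. This is an added example, not code from the Emerging Threats post, from the ET ruleset or from Snort: it models only the rule options those two signatures use (content, http_uri, http_header, depth, negated content, fast_pattern offset/length and threshold type both), the sample FTP and HTTP requests and the 10.0.0.x addresses in it are constructed, and timestamps are plain seconds.

```python
"""Offline model of the content checks in ET sids 2019159 and 2019166.

Added example: not the ET rules, not Snort. Only the options those two
signatures use are modelled. All sample traffic below is constructed.
"""

POCARDL_FTP_CONTENT = b"USER user drupalzf"
STOBOX_URI_CONTENT = b"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="
STOBOX_HOST_CONTENT = b"Host: update.microsoft.com\r\n"  # |3a 20| and |0d 0a| expanded


def matches_pocardl_ftp_login(payload: bytes) -> bool:
    """sid 2019159: the literal 'USER user drupalzf' anywhere in a client->server
    FTP payload. The rule also needs dst port 21 and flow:established,to_server,
    which a payload-only model cannot check."""
    return POCARDL_FTP_CONTENT in payload


def fast_pattern_slice(content: bytes, offset: int, length: int) -> bytes:
    """fast_pattern:<offset>,<length> picks which bytes of a content feed the
    multi-pattern matcher; sid 2019166 uses fast_pattern:28,20 on the URI content."""
    return content[offset:offset + length]


def split_http_request(raw: bytes):
    """Return (uri, header block, raw payload) for one request. The header block
    approximates Snort's http_header buffer: header lines only, CRLF-terminated,
    request line excluded."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    headers = b"".join(line + b"\r\n" for line in header_lines)
    return uri, headers, raw


def matches_stobox_check(raw: bytes) -> bool:
    """sid 2019166 content options applied in order to one request."""
    uri, headers, payload = split_http_request(raw)
    # content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri;
    # The double ampersand is a literal: a URI with a single '&' does not match.
    if STOBOX_URI_CONTENT not in uri:
        return False
    # content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28;
    # The pattern is exactly 28 bytes, so depth:28 pins it to the start of the
    # header buffer: Host has to be the first header line.
    if headers[:28] != STOBOX_HOST_CONTENT:
        return False
    # content:!"Accept-Language|3a|";  no buffer modifier follows it, so Snort
    # evaluates this negated match against the raw payload.
    if b"Accept-Language:" in payload:
        return False
    # content:!"Referer|3a|"; http_header;  bound to the header buffer.
    if b"Referer:" in headers:
        return False
    # content:!"Cookie|3a|";  again raw payload (no modifier of its own).
    if b"Cookie:" in payload:
        return False
    # content:"|0d 0a 0d 0a|";  end of the header block must be present.
    return b"\r\n\r\n" in payload


class ThresholdBoth:
    """threshold: type both, count N, seconds S, track by_src.
    Fires once, on the Nth matching event from a source within S seconds of the
    first, then stays quiet for the rest of that window."""

    def __init__(self, count: int = 5, seconds: int = 300):
        self.count, self.seconds = count, seconds
        self._state = {}  # src -> (window_start, events_in_window, already_fired)

    def event(self, src: str, ts: float) -> bool:
        start, seen, fired = self._state.get(src, (ts, 0, False))
        if ts - start >= self.seconds:  # window expired: open a new one
            start, seen, fired = ts, 0, False
        seen += 1
        fire = seen >= self.count and not fired
        self._state[src] = (start, seen, fired or fire)
        return fire


def run_stobox_rule(events):
    """events: (src_ip, timestamp, raw_request) tuples. Returns the (src_ip, ts)
    pairs on which sid 2019166 would alert after thresholding."""
    gate = ThresholdBoth(count=5, seconds=300)
    alerts = []
    for src, ts, raw in sorted(events, key=lambda e: e[1]):
        if matches_stobox_check(raw) and gate.event(src, ts):
            alerts.append((src, ts))
    return alerts


# Constructed sample traffic (not captures of the malware).
CHECKIN = (b"GET /windowsupdate/v6/thanks.aspx?ln=en&&thankspage=1 HTTP/1.1\r\n"
           b"Host: update.microsoft.com\r\n"
           b"User-Agent: Mozilla/4.0\r\n\r\n")
BROWSER_LIKE = (b"GET /windowsupdate/v6/thanks.aspx?ln=en&&thankspage=1 HTTP/1.1\r\n"
                b"Host: update.microsoft.com\r\n"
                b"Accept-Language: en-US\r\n\r\n")  # negated content knocks it out
SINGLE_AMP = (b"GET /windowsupdate/v6/thanks.aspx?ln=en&thankspage=1 HTTP/1.1\r\n"
              b"Host: update.microsoft.com\r\n\r\n")  # one '&': URI content misses

if __name__ == "__main__":
    print(matches_pocardl_ftp_login(b"USER user drupalzf\r\n"))
    print(fast_pattern_slice(STOBOX_URI_CONTENT, 28, 20))
    events = [("10.0.0.5", t, CHECKIN) for t in range(0, 70, 10)]
    events += [("10.0.0.5", 60, BROWSER_LIKE), ("10.0.0.9", 5, SINGLE_AMP)]
    print(run_stobox_rule(events))
```

Two things the model makes visible: fast_pattern:28,20 selects the 20 URI bytes starting at offset 28, "x?ln=en&&thankspage=", so the double ampersand is part of what the fast matcher keys on; and the 28-byte Host pattern under depth:28 only hits when Host is the first header in the buffer.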