[Emerging-Sigs] Daily Ruleset Update Summary 09/11/2014

Darien Huss dhuss at emergingthreats.net
Thu Sep 11 18:48:39 EDT 2014


Yes, that is correct as well.
On Sep 11, 2014 6:14 PM, "rmkml" <rmkml at yahoo.fr> wrote:

> Thx Darien,
>
> Another question: does TROJAN TSPY_POCARDL.U really use "USER user"
> (the word twice), please?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:1;)
>
> Regards
> @Rmkml
>
>
>
> On Thu, 11 Sep 2014, Darien Huss wrote:
>
>
>> Those are there on purpose :)
>>
>> On Sep 11, 2014 5:56 PM, "rmkml" <rmkml at yahoo.fr> wrote:
>>       Thx again Community and @EmergingThreats team,
>>
>>       Does sig 2019166 really use "...&&..." in the URI, please?
>>
>>       alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stobox Connectivity Check"; flow:established,to_server; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri; fast_pattern:28,20; content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28; content:!"Accept-Language|3a|"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"|0d 0a 0d 0a|"; threshold: type both, count 5, seconds 300, track by_src; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:3;)
>>
>>       Regards
>>       @Rmkml
>>
>>
>>       On Thu, 11 Sep 2014, Francis Trudeau wrote:
>>
>>             [***] Status: [***]
>>
>>             9 new Open signatures, 23 new Pro (9+14).  DecebalPOS, JackPOS, various Android.
>>
>>             Thanks:  Kevin Ross.
>>
>>
>>             [+++]          Added rules:          [+++]
>>
>>             Open:
>>
>>              2019158 - ET TROJAN Possible Malicious Invoice EXE (trojan.rules)
>>              2019159 - ET TROJAN TSPY_POCARDL.U Possible FTP Login (trojan.rules)
>>              2019160 - ET TROJAN DecebalPOS Checkin (trojan.rules)
>>              2019161 - ET TROJAN DecebalPOS User-Agent (trojan.rules)
>>              2019162 - ET TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
>>              2019163 - ET TROJAN JackPOS Checkin (trojan.rules)
>>              2019164 - ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA) (trojan.rules)
>>              2019165 - ET TROJAN Possible Banload Downloading Executable (trojan.rules)
>>              2019166 - ET TROJAN Stobox Connectivity Check (trojan.rules)
>>
>>             Pro:
>>
>>              2808791 - ETPRO TROJAN Win32/Xymne Checkin (trojan.rules)
>>              2808792 - ETPRO TROJAN Win32/FlyAgent variant MYSQL C2 (trojan.rules)
>>              2808793 - ETPRO TROJAN Win32.Androm.cxb Requesting PE (trojan.rules)
>>              2808794 - ETPRO TROJAN Win32.Weelsof.qko Possible Connectivity Check wikipedia.org (trojan.rules)
>>              2808796 - ETPRO TROJAN W32/Magania.IDPJ C2 (trojan.rules)
>>              2808797 - ETPRO TROJAN Trojan-PSW.Reedum FTP password (trojan.rules)
>>              2808798 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Vidma.a Checkin (mobile_malware.rules)
>>              2808799 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.LJ Checkin (mobile_malware.rules)
>>              2808800 - ETPRO TROJAN Win32.Llac.bbeh downloading files (trojan.rules)
>>              2808801 - ETPRO TROJAN Win32.Reconyc Checkin (trojan.rules)
>>              2808802 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Zedat.a Checkin (mobile_malware.rules)
>>              2808803 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.DB Checkin (mobile_malware.rules)
>>              2808804 - ETPRO TROJAN Win32/Cendelf.gen!A connectivity check (trojan.rules)
>>
>>
>>             [///]     Modified active rules:     [///]
>>
>>              2001998 - ET MALWARE UCMore Spyware Downloading Ads (malware.rules)
>>              2002763 - ET TROJAN Dumador Reporting User Activity (trojan.rules)
>>              2003058 - ET MALWARE 180solutions (Zango) Spyware Installer Download (malware.rules)
>>              2018912 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
>>              2806306 - ETPRO TROJAN Trojan-PSW.Reedum FTP long Port (LPRT) (trojan.rules)
>>              2808760 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4087 (web_client.rules)
>>              2808761 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4088 (web_client.rules)
>>              2808764 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4094 (web_client.rules)
>>             _______________________________________________
>>             Emerging-sigs mailing list
>>             Emerging-sigs at lists.emergingthreats.net
>>             https://lists.emergingthreats.net/mailman/listinfo/emerging-
>> sigs
>>
>>             Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
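Added example, not part of the thread and not an Emerging Threats tool: a minimal Python re-implementation of the content checks from the two rules quoted above (SIDs 2019159 and 2019166), run against constructed sample payloads. It shows why the two details rmkml asked about are deliberate: "USER user drupalzf" is a literal 18-byte match, so an FTP login with a single "user" does not fire, and the "&&" in the Stobox URI sits inside the fast_pattern:28,20 window (bytes 28..47 of the content), so it is part of the fast-pattern string itself. It also shows what depth:28 on the Host content does: "Host: update.microsoft.com\r\n" is exactly 28 bytes, so the Host line has to be the first header. Assumptions: port/flow checks, the per-source threshold, and Snort/Suricata URI normalisation are left out, the header buffer is taken as the raw bytes after the request line, and all payloads below are constructed, not captured traffic.

```python
"""Content checks from ET SIDs 2019159 and 2019166, re-implemented for
illustration (constructed example; not Emerging Threats code)."""


def content_to_bytes(content: str) -> bytes:
    """Decode Snort/Suricata content syntax: literal text with |hh hh| hex runs."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


# Content strings copied verbatim from the two rules quoted in the thread.
FTP_LOGIN = content_to_bytes("USER user drupalzf")
STOBOX_URI = content_to_bytes("/windowsupdate/v6/thanks.aspx?ln=en&&thankspage=")
STOBOX_HOST = content_to_bytes("Host|3a 20|update.microsoft.com|0d 0a|")
STOBOX_HOST_DEPTH = 28          # depth:28 on the http_header buffer
CRLFCRLF = content_to_bytes("|0d 0a 0d 0a|")
NEG_ACCEPT_LANG = content_to_bytes("Accept-Language|3a|")   # no modifier: raw payload
NEG_REFERER = content_to_bytes("Referer|3a|")               # http_header
NEG_COOKIE = content_to_bytes("Cookie|3a|")                 # no modifier: raw payload


def fast_pattern_slice(content: bytes, offset: int, length: int) -> bytes:
    """fast_pattern:<offset>,<length> hands only this slice of the content to
    the multi-pattern matcher; 2019166 uses fast_pattern:28,20."""
    return content[offset:offset + length]


def sid_2019159_matches(payload: bytes) -> bool:
    """TSPY_POCARDL.U Possible FTP Login: a plain raw-payload content match.
    tcp/21, established and to_server are assumed to be checked upstream."""
    return FTP_LOGIN in payload


def split_http_request(raw: bytes):
    """Return (request_target, header_block, body); stand-in for the http_uri
    and http_header buffers, without the normalisation a real engine does."""
    end = raw.find(CRLFCRLF)
    if end < 0:
        return b"", b"", b""
    head, body = raw[:end + 4], raw[end + 4:]
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) >= 3 else b""
    return target, header_block, body


def sid_2019166_matches(raw: bytes) -> bool:
    """Stobox Connectivity Check, minus flow/port and the threshold
    (type both, count 5, seconds 300, track by_src), which needs per-source state."""
    target, header_block, _ = split_http_request(raw)
    if STOBOX_URI not in target:                       # content; http_uri
        return False
    pos = header_block.find(STOBOX_HOST)               # content; http_header; depth:28
    if pos < 0 or pos + len(STOBOX_HOST) > STOBOX_HOST_DEPTH:
        return False
    if NEG_ACCEPT_LANG in raw or NEG_COOKIE in raw:    # negated, raw payload
        return False
    if NEG_REFERER in header_block:                    # negated, http_header
        return False
    return CRLFCRLF in raw                             # content:"|0d 0a 0d 0a|"


# Constructed sample traffic (not captured data).
FTP_HIT = b"USER user drupalzf\r\n"
FTP_MISS = b"USER drupalzf\r\n"      # only one "user": the rule does not fire

HTTP_HIT = (b"GET /windowsupdate/v6/thanks.aspx?ln=en&&thankspage=1 HTTP/1.1\r\n"
            b"Host: update.microsoft.com\r\n"
            b"User-Agent: Mozilla/4.0\r\n"
            b"\r\n")
HTTP_SINGLE_AMP = HTTP_HIT.replace(b"&&", b"&")
HTTP_HOST_NOT_FIRST = HTTP_HIT.replace(
    b"Host: update.microsoft.com\r\nUser-Agent: Mozilla/4.0\r\n",
    b"User-Agent: Mozilla/4.0\r\nHost: update.microsoft.com\r\n")
HTTP_WITH_LANG = HTTP_HIT.replace(b"\r\n\r\n", b"\r\nAccept-Language: en-US\r\n\r\n")

if __name__ == "__main__":
    print("fast pattern:", fast_pattern_slice(STOBOX_URI, 28, 20))
    print("Host content length:", len(STOBOX_HOST))
    for name, fn, sample in [("ftp hit", sid_2019159_matches, FTP_HIT),
                             ("ftp miss", sid_2019159_matches, FTP_MISS),
                             ("http hit", sid_2019166_matches, HTTP_HIT),
                             ("single &", sid_2019166_matches, HTTP_SINGLE_AMP),
                             ("Host not first", sid_2019166_matches, HTTP_HOST_NOT_FIRST),
                             ("Accept-Language", sid_2019166_matches, HTTP_WITH_LANG)]:
        print(f"{name}: {fn(sample)}")
```

Usage note: the three negative HTTP samples each fail on a different clause (the "&&" URI content, the depth:28 on Host, and the negated Accept-Language), which is the quickest way to see that none of those clauses is accidental. Note that the Accept-Language and Cookie negations carry no http_header modifier in the posted rule, so they are evaluated against the raw payload, while the Referer negation is confined to the header buffer; the example keeps that distinction as written.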

