[Emerging-Sigs] Daily Ruleset Update Summary 09/26/2014

Francis Trudeau ftrudeau at emergingthreats.net
Fri Sep 26 18:27:44 EDT 2014


 [***] Summary: [***]

 18 new Open signatures, 29 new Pro.  More CVE-2014-6271, Dyre,
Various Android, Nucom ADSL Cred disclosure, ZyXEL Cred disclosure.

 Thanks:  Livio Ricciulli, Packet Hack, @kafeine, @jaimeblascob, @abuse_ch.


 [+++]          Added rules:          [+++]

 Open:

  2019242 - ET TROJAN Linux/DDoS.M distributed via CVE-2014-6271 Checkin (trojan.rules)
  2019274 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014 (current_events.rules)
  2019275 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014 (current_events.rules)
  2019276 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014 (current_events.rules)
  2019277 - ET CURRENT_EVENTS Possible Upatre SSL Cert santa.my (current_events.rules)
  2019278 - ET CURRENT_EVENTS Possible Upatre SSL Cert glynwedasia.com (current_events.rules)
  2019279 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (trojan.rules)
  2019280 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (trojan.rules)
  2019281 - ET TROJAN BlackEnergy v2 POST Request (trojan.rules)
  2019282 - ET CURRENT_EVENTS BlackEnergy Possbile SSL Cert Sept 26 2014 (current_events.rules)
  2019283 - ET TROJAN BlackEnergy POST Request (trojan.rules)
  2019284 - ET ATTACK_RESPONSE Output of id command from HTTP server (attack_response.rules)
  2019285 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer (web_server.rules)
  2019286 - ET TROJAN Job314 EK Payload Checkin (trojan.rules)
  2019287 - ET CURRENT_EVENTS DRIVEBY Job314 EK Landing (current_events.rules)
  2019288 - ET CURRENT_EVENTS DRIVEBY Possible Job314 EK JAR URI Struct (current_events.rules)
  2019289 - ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy (exploit.rules)
  2019290 - ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy (exploit.rules)

 Pro:

  2808896 - ETPRO EXPLOIT All In One WP Security WordPress Plugin Possible SQL Injection Attempt (exploit.rules)
  2808897 - ETPRO MOBILE_MALWARE AndroidOS.Ifacefone.A Checkin (mobile_malware.rules)
  2808898 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.v Checkin (mobile_malware.rules)
  2808899 - ETPRO TROJAN Win32/Spy.Zbot.ACB SSL Cert (trojan.rules)
  2808900 - ETPRO TROJAN Likely Trojan-Ransom.Win32.Foreign.lefc .onion Proxy DNS lookup (trojan.rules)
  2808901 - ETPRO POLICY Likely icanhazip.com IP lookup over SSL (policy.rules)
  2808902 - ETPRO TROJAN Win32/Rustock.G Checkin (trojan.rules)
  2808903 - ETPRO EXPLOIT Nucom ADSL ADSLR5000UN ISP Credential Disclosure Attempt (exploit.rules)
  2808904 - ETPRO EXPLOIT ZyXEL Prestig P-660HNU-T1v2 Credential Disclosure Attempt (exploit.rules)
  2808905 - ETPRO TROJAN Win32/Xorer.O Checkin (trojan.rules)
  2808906 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Maxit.a Checkin (mobile_malware.rules)


 [+++]  Enabled and modified rules:   [+++]

  2019244 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1 (web_server.rules)
  2019245 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2 (web_server.rules)
  2019246 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3 (web_server.rules)
  2019247 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4 (web_server.rules)
  2019248 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5 (web_server.rules)
  2019249 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6 (web_server.rules)
  2019250 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7 (web_server.rules)
  2019251 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8 (web_server.rules)
  2019252 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9 (web_server.rules)
  2019253 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10 (web_server.rules)
  2019254 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11 (web_server.rules)
  2019255 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12 (web_server.rules)
  2019256 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13 (web_server.rules)
  2019257 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14 (web_server.rules)
  2019258 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15 (web_server.rules)
  2019259 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16 (web_server.rules)
  2019260 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17 (web_server.rules)
  2019261 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18 (web_server.rules)
  2019262 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19 (web_server.rules)
  2019263 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20 (web_server.rules)
  2019264 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21 (web_server.rules)
  2019265 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22 (web_server.rules)
  2019266 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23 (web_server.rules)
  2019267 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24 (web_server.rules)
  2019268 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25 (web_server.rules)
  2019269 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26 (web_server.rules)
  2019270 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27 (web_server.rules)
  2019271 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28 (web_server.rules)
  2019272 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29 (web_server.rules)
  2019273 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30 (web_server.rules)


 [///]     Modified active rules:     [///]

  2019181 - ET CURRENT_EVENTS Possible Android CVE-2014-6041 (current_events.rules)
  2019243 - ET TROJAN Infostealer.Boleteiro checking stolen boleto payment information (trojan.rules)
  2805260 - ETPRO TROJAN Trojan.Win32.Jorik.Yoddos.no Checkin (trojan.rules)

