[Emerging-Sigs] Daily Ruleset Update Summary 09/29/2014

Francis Trudeau ftrudeau at emergingthreats.net
Mon Sep 29 18:51:12 EDT 2014


 [***] Summary: [***]

 27 new Open signatures, 34 new Pro (27+7).  ShellshockCampaign,
Sourtoff, Job314 EK.

 Thanks:  Markus Manzke, rmkml, @EKwatcher, @abuse_ch and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2019291 - ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF (web_server.rules)
  2019292 - ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF (web_server.rules)
  2019293 - ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt (exploit.rules)
  2019294 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Reporting IP (trojan.rules)
  2019295 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message (trojan.rules)
  2019296 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message (trojan.rules)
  2019297 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message (trojan.rules)
  2019298 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message (trojan.rules)
  2019299 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message (trojan.rules)
  2019300 - ET TROJAN Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message (trojan.rules)
  2019301 - ET TROJAN Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message (trojan.rules)
  2019302 - ET TROJAN Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message (trojan.rules)
  2019303 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message (trojan.rules)
  2019304 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message (trojan.rules)
  2019305 - ET TROJAN Dyre SSL Cert 1 (trojan.rules)
  2019306 - ET TROJAN Dyre SSL Cert 2 (trojan.rules)
  2019307 - ET TROJAN Dyre SSL Cert 3 (trojan.rules)
  2019308 - ET WEB_SERVER CURL Command Specifying Output in HTTP Headers (web_server.rules)
  2019309 - ET WEB_SERVER WGET Command Specifying Output in HTTP Headers (web_server.rules)
  2019310 - ET WEB_SERVER WGET Command Specifying Output in HTTP Headers (web_server.rules)
  2019311 - ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014 (current_events.rules)
  2019312 - ET TROJAN Sourtoff Download Simda Request (trojan.rules)
  2019313 - ET TROJAN Sourtoff Receiving Simda Payload (trojan.rules)
  2019314 - ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer (web_server.rules)
  2019315 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014 (current_events.rules)
  2019316 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2019317 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (trojan.rules)

 Pro:

  2808907 - ETPRO MALWARE W32.HfsAutoB Checkin (malware.rules)
  2808908 - ETPRO MALWARE Win32.Adware.Bho.Szux Checkin (malware.rules)
  2808909 - ETPRO TROJAN W32/Virtumonde.OQ HTTP Client Headers (trojan.rules)
  2808910 - ETPRO TROJAN Trojan-Spy.MSIL.KeyLogger.babx Checkin (trojan.rules)
  2808911 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.O Leaking Private Information (mobile_malware.rules)
  2808912 - ETPRO TROJAN Win32/Hyteod Checkin (trojan.rules)
  2808914 - ETPRO TROJAN Win32/Banker-LAR Dropping Files (trojan.rules)


 [///]     Modified active rules:     [///]

  2017135 - ET CURRENT_EVENTS PHISH Remax - function Validate (current_events.rules)
  2018194 - ET MALWARE Adware.iBryte.B Install (malware.rules)
  2019282 - ET CURRENT_EVENTS BlackEnergy Possible SSL Cert Sept 26 2014 (current_events.rules)
  2019285 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer (web_server.rules)
  2019287 - ET CURRENT_EVENTS DRIVEBY Job314 EK Landing (current_events.rules)
  2804505 - ETPRO MALWARE Riskware/Cheathappens Checkin (malware.rules)
  2808881 - ETPRO TROJAN Flooder.LYI Checkin (trojan.rules)


 [---]         Removed rules:         [---]

  2808745 - ETPRO TROJAN Win32/Battdil.B SSL Cert 1 (trojan.rules)
  2808746 - ETPRO TROJAN Win32/Battdil.B SSL Cert 2 (trojan.rules)
  2808749 - ETPRO TROJAN Win32/Battdil.B SSL Cert 3 (trojan.rules)