[Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 09/29/2014

Darien Huss dhuss at emergingthreats.net
Tue Sep 30 08:05:02 EDT 2014


Also, thanks Kevin Ross for sids 2019294-2019304!

On Mon, Sep 29, 2014 at 6:51 PM, Francis Trudeau <
ftrudeau at emergingthreats.net> wrote:

>  [***] Summary: [***]
>
>  27 new Open signatures, 34 new Pro (27+7).  ShellshockCampaign,
> Sourtoff, Job314 EK.
>
>  Thanks:  Markus Manzke, rmkml, @EKwatcher, @abuse_ch and @kafeine.
>
>  [+++]          Added rules:          [+++]
>
>  Open:
>
>   2019291 - ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line
> Continuation Evasion LF (web_server.rules)
>   2019292 - ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line
> Continuation Evasion CRLF (web_server.rules)
>   2019293 - ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt
> (exploit.rules)
>   2019294 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Reporting IP
> (trojan.rules)
>   2019295 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC
> Server Message (trojan.rules)
>   2019296 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Ping CnC Server
> Message (trojan.rules)
>   2019297 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Scanner CnC
> Server Message (trojan.rules)
>   2019298 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Execute Shell
> Command CnC Server Message (trojan.rules)
>   2019299 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Random Byte
> Flood CnC Server Message (trojan.rules)
>   2019300 - ET TROJAN Linux/ShellshockCampaign.DDOSBot UDP Flood CnC
> Server Message (trojan.rules)
>   2019301 - ET TROJAN Linux/ShellshockCampaign.DDOSBot TCP Flood CnC
> Server Message (trojan.rules)
>   2019302 - ET TROJAN Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood
> CnC Server Message (trojan.rules)
>   2019303 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Kill Attack CnC
> Server Message (trojan.rules)
>   2019304 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Terminate
> Process CnC Server Message (trojan.rules)
>   2019305 - ET TROJAN Dyre SSL Cert 1 (trojan.rules)
>   2019306 - ET TROJAN Dyre SSL Cert 2 (trojan.rules)
>   2019307 - ET TROJAN Dyre SSL Cert 3 (trojan.rules)
>   2019308 - ET WEB_SERVER CURL Command Specifying Output in HTTP
> Headers (web_server.rules)
>   2019309 - ET WEB_SERVER WGET Command Specifying Output in HTTP
> Headers (web_server.rules)
>   2019310 - ET WEB_SERVER WGET Command Specifying Output in HTTP
> Headers (web_server.rules)
>   2019311 - ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014
> (current_events.rules)
>   2019312 - ET TROJAN Sourtoff Download Simda Request (trojan.rules)
>   2019313 - ET TROJAN Sourtoff Receiving Simda Payload (trojan.rules)
>   2019314 - ET WEB_SERVER Possible bash shell piped to dev udp Inbound
> to WebServer (web_server.rules)
>   2019315 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014
> (current_events.rules)
>   2019316 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
> certificate detected (KINS CnC) (trojan.rules)
>   2019317 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
> detected (UPATRE CnC) (trojan.rules)
>
>  Pro:
>
>   2808907 - ETPRO MALWARE W32.HfsAutoB Checkin (malware.rules)
>   2808908 - ETPRO MALWARE Win32.Adware.Bho.Szux Checkin (malware.rules)
>   2808909 - ETPRO TROJAN W32/Virtumonde.OQ HTTP Client Headers
> (trojan.rules)
>   2808910 - ETPRO TROJAN Trojan-Spy.MSIL.KeyLogger.babx Checkin
> (trojan.rules)
>   2808911 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.O Leaking
> Private Information (mobile_malware.rules)
>   2808912 - ETPRO TROJAN Win32/Hyteod Checkin (trojan.rules)
>   2808914 - ETPRO TROJAN Win32/Banker-LAR Dropping Files (trojan.rules)
>
>
>  [///]     Modified active rules:     [///]
>
>   2017135 - ET CURRENT_EVENTS PHISH Remax - function Validate
> (current_events.rules)
>   2018194 - ET MALWARE Adware.iBryte.B Install (malware.rules)
>   2019282 - ET CURRENT_EVENTS BlackEnergy Possible SSL Cert Sept 26
> 2014 (current_events.rules)
>   2019285 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound
> to WebServer (web_server.rules)
>   2019287 - ET CURRENT_EVENTS DRIVEBY Job314 EK Landing
> (current_events.rules)
>   2804505 - ETPRO MALWARE Riskware/Cheathappens Checkin (malware.rules)
>   2808881 - ETPRO TROJAN Flooder.LYI Checkin (trojan.rules)
>
>
>  [---]         Removed rules:         [---]
>
>   2808745 - ETPRO TROJAN Win32/Battdil.B SSL Cert 1 (trojan.rules)
>   2808746 - ETPRO TROJAN Win32/Battdil.B SSL Cert 2 (trojan.rules)
>   2808749 - ETPRO TROJAN Win32/Battdil.B SSL Cert 3 (trojan.rules)
> _______________________________________________
> Etpro-sigs mailing list
> Etpro-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/etpro-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140930/3aa3b005/attachment.html>


More information about the Emerging-sigs mailing list