[Emerging-Sigs] Emerging-sigs Digest, Vol 121, Issue 5

Jason Williams jwilliams at emergingthreats.net
Wed Dec 6 05:14:09 HST 2017


Looking into this, thanks!

Jason

On Wed, Dec 6, 2017 at 5:31 AM, Maxim <Maxim.Parpaley at netwatcher.com> wrote:

> Hello,
>
> Looks like we are dealing with FP for:
> TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity Check
>
> During a simple request to support.microsoft.com the rule triggers.
>
> PCAP details:
>
> GET /kb/949104 HTTP/1.1
> Host: support.microsoft.com
> Connection: Keep-Alive
>
> HTTP/1.1 301 Moved Permanently
> Server: AkamaiGHost
> Content-Length: 0
> Location: https://support.microsoft.com/kb/949104
> Expires: Wed, 06 Dec 2017 10:20:59 GMT
> Cache-Control: max-age=0, no-cache, no-store
> Pragma: no-cache
> Date: Wed, 06 Dec 2017 10:20:59 GMT
> Connection: keep-alive
> Set-Cookie: sXXXXXX; path=/; domain=.microsoft.com
>
>
>
> Thank you,
> Best Regards
> Maxim
>
> -----Original Message-----
> From: Emerging-sigs [mailto:emerging-sigs-bounces@lists.emergingthreats.net] On Behalf Of emerging-sigs-request at lists.emergingthreats.net
> Sent: Wednesday, December 6, 2017 9:57 AM
> To: emerging-sigs at lists.emergingthreats.net
> Subject: Emerging-sigs Digest, Vol 121, Issue 5
>
> Send Emerging-sigs mailing list submissions to
>         emerging-sigs at lists.emergingthreats.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> or, via email, send a message with subject or body 'help' to
>         emerging-sigs-request at lists.emergingthreats.net
>
> You can reach the person managing the list at
>         emerging-sigs-owner at lists.emergingthreats.net
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of Emerging-sigs digest..."
>
>
> Today's Topics:
>
>    1. Announcing Suricata-Update (Jason Ish)
>    2. Daily Ruleset Update Summary 2017/12/05 (Travis Green)
>    3. Rules to detect OnePlus sending data to open.oneplus.net
>       (Arnold Chan)
>    4. Suricata 3.2.5 released (Victor Julien)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 5 Dec 2017 14:00:54 -0600
> From: Jason Ish <ish at unx.ca>
> To: emerging-sigs at lists.emergingthreats.net
> Subject: [Emerging-Sigs] Announcing Suricata-Update
> Message-ID: <e63250ec-583f-fa45-b8ab-33aff850813f at unx.ca>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> We are excited to announce the first alpha release of our new tool for
> updating Suricata rules. This is a new rule update tool specifically built
> for Suricata with a goal of being useful out of the box, even with no
> configuration.
>
> This release also introduces the Suricata Intel Index, which is currently
> a list of available rule sources which Suricata-Update is aware of. The
> idea here is to make it easier for users to find available rule sets, as
> well as allowing rule writers to make their rules more discoverable.
>
> Features include:
>
>   * Default to Emerging Threats Open ruleset if no configuration
>     provided.
>   * Automatic discovery of Suricata version for use in ruleset URLs.
>   * Flowbit resolution
>   * Enable, disable, drop and modify filters that should be familiar to
>     users of Pulled Pork and Oinkmaster.
>   * Easy enabling of additional rule sets from the index.
>
> We invite all interested users to checkout the Quick Start documentation,
> and leave us feedback on the Suricata-Update issue tracker.
>
> If you are a rule writer and would like to get listed in the index, please
> leave a ticket in the issue tracker.
>
> Quick Start Documentation
>    http://suricata-update.readthedocs.io/en/1.0.0a1/quickstart.html
>
> Github Project Page
>    https://github.com/OISF/suricata-update
>
> Issue Tracker
>    https://redmine.openinfosecfoundation.org/projects/suricata-update
>
> --
> Jason Ish
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 5 Dec 2017 15:37:57 -0700
> From: Travis Green <tgreen at emergingthreats.net>
> To: "emerging-sigs at emergingthreats.net"
>         <emerging-sigs at emergingthreats.net>,  Emerging-updates redirect
>         <emerging-updates at emergingthreats.net>,  ETPro-sigs List
>         <etpro-sigs at emergingthreatspro.com>
> Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2017/12/05
> Message-ID: <CAKgkF6nsiN77cAnLDO4YebM-3ZNUEmLEYF8ojiO+M_D8KEyQng@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> [***]            Summary:            [***]
>
> 4 new Open, 18 new Pro (4 + 14). SluttyPutty UA, Smoke Loader Update,
> Reaver C2, Various Phishing, Various Mobile.
>
> Thanks: @AttackDetection
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2025118 - ET TROJAN Observed SluttyPutty Maldoc User-Agent (trojan.rules)
>  2025119 - ET TROJAN Sharik/Smoke CnC Beacon 7 (trojan.rules)
>  2025120 - ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity
> check (trojan.rules)
>  2025121 - ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS
> Lookup) (trojan.rules)
>
> Pro:
>
>  2828789 - ETPRO TROJAN Reaver C2 Checkin Command (trojan.rules)
>  2828790 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.gen CnC
> Beacon (mobile_malware.rules)
>  2828791 - ETPRO MOBILE_MALWARE Android/Guerrilla.AM Checkin
> (mobile_malware.rules)
>  2828792 - ETPRO MOBILE_MALWARE Android/SMForw.RA SMS Exfil via SMTP
> (mobile_malware.rules)
>  2828793 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Reporting
> Infection via SMTP (mobile_malware.rules)
>  2828794 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.kj Contact
> Exfil via SMTP (mobile_malware.rules)
>  2828795 - ETPRO TROJAN Observed Malicious SSL Cert (Likely Pentester CnC)
> (trojan.rules)
>  2828796 - ETPRO TROJAN Molerats/GazaHacker Checkin M2 (trojan.rules)
>  2828797 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-05 1) (trojan.rules)
>  2828798 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-05 2) (trojan.rules)
>  2828799 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-05 3) (trojan.rules)
>  2828800 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-05 4) (trojan.rules)
>  2828801 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-05 5) (trojan.rules)
>  2828802 - ETPRO CURRENT_EVENTS Successful Chase Phish 2017-12-05
> (current_events.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2017060 - ET EXPLOIT SolusVM 1.13.03 SQL injection (exploit.rules)
>
>
> [---]         Removed rules:         [---]
>
>  2814971 - ETPRO TROJAN Liudoor Handshake Init (trojan.rules)
>  2814972 - ETPRO TROJAN Liudoor Handshake Successful (trojan.rules)
>  2814973 - ETPRO TROJAN Liudoor Sending Shell (trojan.rules)
>  2814974 - ETPRO TROJAN Liudoor Handshake Failed (trojan.rules)
>  2821585 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Congur.al Checkin
> (mobile_malware.rules)
>
>
> --
> PGP: 0xBED7B297
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20171205/ef9a3bda/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 6 Dec 2017 12:40:16 +1100
> From: Arnold Chan <arnold at midnightslayer.com>
> To: Emerging-sigs at lists.emergingthreats.net
> Subject: [Emerging-Sigs] Rules to detect OnePlus sending data to
>         open.oneplus.net
> Message-ID: <CAMOON1K3ha_G66c=c+nEMpJawgrz-jLDam+d2L3Xmd5COfr0Bg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> Is it possible to create rules that would be useful to detect OnePlus phones
> that possibly trigger the data-leakage DNS (OnePlus sending data to
> open.oneplus.net)?
>
> https://thehackernews.com/2017/10/oneplus-oxygenos-analytics-data.html
> https://thehackernews.com/2017/11/oneplus-root-exploit.html
>
>
> I recall there's something similar: the Xiaomi phone data leakage DNS policy
> rule.
>
> alert udp any any -> any 53 (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|api|07|account|06|xiaomi|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)
>
>
>
> Kind Regards,
>
> Arnold
>
> IMPORTANT: This email and any attachments may be confidential and
> privileged. If you have received this email in error, please contact the
> sender and delete all copies immediately. Any unauthorised use,
> dissemination, forwarding, printing, or copying of this email is strictly
> prohibited. This communication may contain confidential or copyright
> information.
>
> [image: Tree] Think before you print.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20171206/477395dd/attachment-0001.html>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 6 Dec 2017 08:56:52 +0100
> From: Victor Julien <victor at inliniac.net>
> To: "emerging-sigs at emergingthreats.net"
>         <Emerging-sigs at emergingthreats.net>
> Subject: [Emerging-Sigs] Suricata 3.2.5 released
> Message-ID: <1dd8611c-e566-58f9-600e-962bf8ed8b41 at inliniac.net>
> Content-Type: text/plain; charset=utf-8
>
> We're pleased to announce *Suricata 3.2.5*. This release fixes a number
> of issues.
>
> Get the release here:
> https://www.openinfosecfoundation.org/download/suricata-3.2.5.tar.gz
>
> This will be the last 3.2 release, as 3.2 will go 'end of life' later
> this month.
>
>
> *Changes*
>
> Bug #2328: detect: mixing byte_extract and isdataat leads to FP & FN
> (3.2.x)
> Bug #2329: various config parsing issues
> Bug #2330: rules: depth < content rules not rejected (3.2.x)
> Bug #2331: Suricata segfaults on ICMP and flowint check (3.2.x)
>
>
> *Special thanks*
>
> Wolfgang Hotwagner
> Harley H
> Edward Fjellskål
>
>
> *End of life announcement*
>
> The 3.2 branch will be end-of-life on December 18. After this it will
> receive no more updates of any kind, so please plan for your upgrade to
> Suricata 4.0+ before that date.
>
> https://suricata-ids.org/about/eol-policy/
>
>
> *About Suricata*
>
> Suricata is a high performance Network Threat Detection, IDS, IPS and
> Network Security Monitoring engine. Open Source and owned by a community
> run non-profit foundation, the Open Information Security Foundation
> (OISF). Suricata is developed by the OISF, its supporting vendors and
> the community.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
> ------------------------------
>
> End of Emerging-sigs Digest, Vol 121, Issue 5
> *********************************************
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20171206/d76f9c2b/attachment-0001.html>
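Maxim's report above gives the full request that fired sid 2025120 (GET /kb/949104 to support.microsoft.com, carrying only Host and Connection headers). The digest does not reproduce the rule text, so the block below is an added triage example written for this page, not Emerging Threats code and not the signature itself: it parses a raw HTTP request and evaluates two assumed predicates, one keyed on host plus URI alone and one that additionally requires the request to have no User-Agent. The captured request is taken from the report; the browser request is constructed here for contrast.

```python
"""Triage helper for the support.microsoft.com false positive reported above.

Added example, not Emerging Threats code: the text of sid 2025120 is not on
this page, so the two predicates below are assumptions about what a
"connectivity check" signature keys on, not the rule itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    method: str
    uri: str
    version: str
    headers: List[Tuple[str, str]]  # (lower-cased name, value), in wire order


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.x request (CRLF or LF line endings)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line]
    method, uri, version = lines[0].split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return Request(method, uri, version, headers)


def header(req: Request, name: str) -> str:
    """First value of a header, or '' when the request does not carry it."""
    for key, value in req.headers:
        if key == name:
            return value
    return ""


def host_uri_match(req: Request) -> bool:
    """Predicate A (assumed): fire on the GET to the check URL alone."""
    return (req.method == "GET"
            and req.uri == "/kb/949104"
            and header(req, "host").lower() == "support.microsoft.com")


def bare_request_match(req: Request) -> bool:
    """Predicate B (assumed): as A, but only for requests with no User-Agent,
    a trait of many hand-rolled connectivity checks (a heuristic, not a fact
    about this loader)."""
    return host_uri_match(req) and header(req, "user-agent") == ""


def triage(raw: str) -> Dict[str, bool]:
    """Report which predicates fire on one raw request."""
    req = parse_request(raw)
    return {"host_uri": host_uri_match(req), "bare_request": bare_request_match(req)}


# The request exactly as captured in the report above.
CAPTURED = (
    "GET /kb/949104 HTTP/1.1\r\n"
    "Host: support.microsoft.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed sample (not from the page): the same URL opened in a browser.
BROWSER = (
    "GET /kb/949104 HTTP/1.1\r\n"
    "Host: support.microsoft.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("browser", BROWSER)):
        print(label, triage(raw))
```

Both predicates fire on the captured request: it carries only Host and Connection, which is exactly the shape a bare connectivity check has, so tightening the signature on the absence of a User-Agent would not have suppressed this report, even though it does separate the constructed browser request. Whatever distinguishes the loader's check from this client has to come from outside those three header lines (flow context, other requests on the same connection, the client process itself), which is why a report like this is most useful with the pcap attached, as Maxim did.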
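The Xiaomi rule Arnold quotes matches a DNS query in two steps: ten fixed header bytes at offset 2 (flags 0x0100, QDCOUNT 1, all other counts 0) and then the wire-encoded QNAME with its per-label length bytes. As an added example in Python (mine, not Emerging Threats' or Arnold's code), the block below builds such a query, emulates the rule's two content checks on the UDP payload, and renders a rule of the same shape for the open.oneplus.net name he asks about. The sid 9000001, the msg text and the created_at date in the generated rule are placeholders, and the output is a candidate rule, not a published ET signature.

```python
"""DNS query builder and matcher for the Xiaomi DNS policy rule quoted above,
extended to the open.oneplus.net name asked about in the same thread.

Added example, not Emerging Threats code. The OnePlus rule it renders is a
constructed candidate (placeholder sid 9000001), not a published ET rule.
"""
import struct

# content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
# Header bytes 2..11: flags 0x0100 (RD set), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0.
HEADER_PATTERN = bytes.fromhex("01000001000000000000")


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: one length byte per label, then a terminating zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def suricata_content(name: str) -> str:
    """The same QNAME in Suricata content syntax, e.g. |04|open|07|oneplus|03|net|00|."""
    labels = name.rstrip(".").split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def build_query(name: str, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Minimal A-record query; edns=True appends an OPT RR, which sets ARCOUNT to 1."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    pkt = header + question
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, UDP size 4096, ext-rcode/flags 0, RDLEN 0
        pkt += b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0)
    return pkt


def matches_rule(payload: bytes, name: str) -> bool:
    """Emulate the rule's two content matches on a UDP/53 payload."""
    if payload[2:12] != HEADER_PATTERN:          # depth:10; offset:2
        return False
    needle = encode_qname(name).lower()           # nocase (length bytes are unaffected)
    return needle in payload[12:].lower()         # distance:0 after the first match


def make_rule(name: str, msg: str, sid: int, ref: str, date: str) -> str:
    """Render a rule in the shape of sid:2018918 for another name (candidate only)."""
    return (
        'alert udp any any -> any 53 (msg:"%s"; '
        'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
        'content:"%s"; fast_pattern; nocase; distance:0; '
        'reference:url,%s; classtype:policy-violation; sid:%d; rev:1; '
        'metadata:created_at %s, updated_at %s;)'
    ) % (msg, suricata_content(name), ref, sid, date, date)


if __name__ == "__main__":
    # Placeholder sid, msg and date: a candidate rule, not a published one.
    print(make_rule("open.oneplus.net",
                    "ET POLICY possible OnePlus phone data leakage DNS",
                    9000001,
                    "thehackernews.com/2017/10/oneplus-oxygenos-analytics-data.html",
                    "2017_12_06"))
    q = build_query("open.oneplus.net")
    print(q.hex(), matches_rule(q, "open.oneplus.net"))
```

Two caveats the matcher makes visible: a resolver that adds an EDNS0 OPT record sets ARCOUNT to 1, so the header pattern no longer matches and the rule silently misses that query; and because the QNAME is searched anywhere after byte 12, any name ending in the encoded labels (for example a sub-label of open.oneplus.net) also matches. On Suricata 2.0 and later the dns_query sticky buffer matches on the decoded name and avoids the first problem, which is the usual way to write this kind of rule today.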

