[Emerging-Sigs] Daily Ruleset Update Summary 2017/12/12

Travis Green tgreen at emergingthreats.net
Tue Dec 12 13:31:49 HST 2017


[***]            Summary:            [***]

1 new Open, 28 new Pro (27 + 1). Carbanak/FIN7, GreenFlash SunDown EK,
Various Phishing, Various Mobile.

December MAPP Coverage:
2828863 -> CVE-2017-11894
2828864 -> CVE-2017-11903
2828865 -> CVE-2017-11907

[+++]          Added rules:          [+++]

Open:

 2025146 - ET DNS Query for Suspicious .gr .com Domain (gr .com in DNS Lookup) (dns.rules)

Pro:

 2828848 - ETPRO TROJAN Carbanak/FIN7 JS.Backdoor Checkin (trojan.rules)
 2828849 - ETPRO TROJAN Carbanak/FIN7 SSL Certificate Detected (trojan.rules)
 2828850 - ETPRO CURRENT_EVENTS Microsoft Tech Support Scam 2017-12-12 (current_events.rules)
 2828851 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2017-12-12 M1 (current_events.rules)
 2828852 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2017-12-12 M2 (current_events.rules)
 2828853 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2017-12-12 M3 (current_events.rules)
 2828854 - ETPRO TROJAN Carbanak/FIN7 SSL Dropper Domain Detected (download .gr .com in TLS SNI) (trojan.rules)
 2828855 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2017-12-12 (current_events.rules)
 2828856 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 254 (mobile_malware.rules)
 2828857 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.js Contact/SMS Exfil via SMTP (mobile_malware.rules)
 2828858 - ETPRO CURRENT_EVENTS Malicious VBScript Inbound (seen dropping Ursnif) (current_events.rules)
 2828859 - ETPRO CURRENT_EVENTS Possible GreenFlash SunDown EK Exploit (current_events.rules)
 2828860 - ETPRO CURRENT_EVENTS GreenFlash SunDown EK Payload Dec 12 2017 (current_events.rules)
 2828861 - ETPRO TROJAN njRAT/Bladabindi Variant CnC Activity (ll) (trojan.rules)
 2828862 - ETPRO TROJAN Observed Malicious SSL Cert (Minergate Module DL) (trojan.rules)
 2828863 - ETPRO WEB_CLIENT MS Edge Scripting Engine Memory Corruption Vuln (CVE-2017-11894) (web_client.rules)
 2828864 - ETPRO WEB_CLIENT MS IE 11 UAF Vulnerability (CVE-2017-11903) (web_client.rules)
 2828865 - ETPRO WEB_CLIENT MS IE 11 OOB Write Vulnerability (CVE-2017-11907) (web_client.rules)
 2828866 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload 2017-12-12 (current_events.rules)
 2828867 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 1) (trojan.rules)
 2828868 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 2) (trojan.rules)
 2828869 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 3) (trojan.rules)
 2828870 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 4) (trojan.rules)
 2828871 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 5) (trojan.rules)
 2828872 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 6) (trojan.rules)
 2828873 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 7) (trojan.rules)
 2828874 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2017-12-12 (current_events.rules)


[///]     Modified active rules:     [///]

 2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
 2022054 - ET INFO Possible MSXMLHTTP Request to Dotted Quad (info.rules)
 2024379 - ET POLICY Outdated Flash Version M2 (policy.rules)
 2815247 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2015-12-08 (current_events.rules)
 2825562 - ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (ll) (trojan.rules)


[---]         Disabled rules:        [---]

 2004313 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT (web_specific_apps.rules)
 2004314 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT (web_specific_apps.rules)
 2004315 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id INSERT (web_specific_apps.rules)
 2004316 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id DELETE (web_specific_apps.rules)
 2004317 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE (web_specific_apps.rules)
 2004318 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id ASCII (web_specific_apps.rules)
 2004379 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT (web_specific_apps.rules)
 2004380 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT (web_specific_apps.rules)
 2004381 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT (web_specific_apps.rules)
 2004382 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE (web_specific_apps.rules)
 2004383 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII (web_specific_apps.rules)
 2004384 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE (web_specific_apps.rules)
 2004469 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT (web_specific_apps.rules)
 2004470 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT (web_specific_apps.rules)
 2004471 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE (web_specific_apps.rules)
 2004472 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII (web_specific_apps.rules)
 2004473 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE (web_specific_apps.rules)
 2004474 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT (web_specific_apps.rules)
 2004475 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT (web_specific_apps.rules)
 2004476 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT (web_specific_apps.rules)
 2004477 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE (web_specific_apps.rules)
 2004478 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII (web_specific_apps.rules)
 2004479 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE (web_specific_apps.rules)
 2004492 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT (web_specific_apps.rules)
 2004754 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT (web_specific_apps.rules)
 2004755 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT (web_specific_apps.rules)
 2004756 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT (web_specific_apps.rules)
 2004757 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE (web_specific_apps.rules)
 2004758 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII (web_specific_apps.rules)
 2004759 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE (web_specific_apps.rules)
 2004881 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT (web_specific_apps.rules)
 2004882 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT (web_specific_apps.rules)
 2004883 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT (web_specific_apps.rules)
 2004884 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE (web_specific_apps.rules)
 2004885 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII (web_specific_apps.rules)
 2004886 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE (web_specific_apps.rules)
 2005533 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE (web_specific_apps.rules)
 2005534 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII (web_specific_apps.rules)
 2005535 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE (web_specific_apps.rules)
 2005536 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT (web_specific_apps.rules)
 2005537 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT (web_specific_apps.rules)
 2005538 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT (web_specific_apps.rules)
 2005539 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE (web_specific_apps.rules)
 2005540 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII (web_specific_apps.rules)
 2005541 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE (web_specific_apps.rules)
 2005567 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT (web_specific_apps.rules)
 2005568 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT (web_specific_apps.rules)
 2005569 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT (web_specific_apps.rules)
 2005571 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII (web_specific_apps.rules)
 2005572 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE (web_specific_apps.rules)
 2006609 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT (web_specific_apps.rules)
 2006610 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT (web_specific_apps.rules)
 2006611 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT (web_specific_apps.rules)
 2006612 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE (web_specific_apps.rules)
 2006613 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII (web_specific_apps.rules)
 2006614 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE (web_specific_apps.rules)
 2006951 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT (web_specific_apps.rules)
 2006952 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT (web_specific_apps.rules)
 2006953 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT (web_specific_apps.rules)
 2006954 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE (web_specific_apps.rules)
 2006955 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII (web_specific_apps.rules)
 2006956 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE (web_specific_apps.rules)
 2006957 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT (web_specific_apps.rules)
 2006958 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT (web_specific_apps.rules)
 2006960 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE (web_specific_apps.rules)
 2006961 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII (web_specific_apps.rules)
 2006962 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE (web_specific_apps.rules)
 2006963 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT (web_specific_apps.rules)
 2006964 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT (web_specific_apps.rules)
 2006965 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT (web_specific_apps.rules)
 2006966 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE (web_specific_apps.rules)
 2006967 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII (web_specific_apps.rules)
 2006968 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE (web_specific_apps.rules)
 2008872 - ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection (web_specific_apps.rules)
 2008934 - ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection (web_specific_apps.rules)
 2009709 - ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo) (web_specific_apps.rules)
 2009710 - ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system) (web_specific_apps.rules)
 2011555 - ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt (web_specific_apps.rules)
 2011875 - ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2011940 - ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt (web_specific_apps.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>