[Emerging-Sigs] Special Ruleset Update Summary 2017/05/12

Travis Green tgreen at emergingthreats.net
Fri May 12 15:14:20 EDT 2017


All, we have performed a ruleset update to bring you coverage for WannaCry
Ransomware and associated infection activity. The regular update schedule
will not be affected.

[***]            Summary:            [***]

2 new Open, 5 new Pro (2 + 3). WannaCry DNS Lookup, Bitcoin QR Code
Generated via Btcfrog.com, Bank Phishing.


[+++]          Added rules:          [+++]

Open:

 2024291 - ET TROJAN Possible WannaCry DNS Lookup (trojan.rules)
 2024292 - ET INFO Bitcoin QR Code Generated via Btcfrog.com (info.rules)

Pro:

 2826370 - ETPRO TROJAN Win32/TrojanDownloader.VB.RBO CnC Beacon
(trojan.rules)
 2826371 - ETPRO CURRENT_EVENTS Successful National Australia Bank Phish
May 12 2017 (current_events.rules)
 2826372 - ETPRO CURRENT_EVENTS Successful Suntrust Bank Phish May 12 2017
(current_events.rules)


[///]     Modified active rules:     [///]

 2001569 - ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or
Infection (scan.rules)
 2001579 - ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or
Infection (scan.rules)
 2001580 - ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or
Infection (scan.rules)
 2001581 - ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or
Infection (scan.rules)
 2001582 - ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or
Infection (scan.rules)
 2001583 - ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or
Infection (scan.rules)
 2001972 - ET SCAN Behavioral Unusually fast Terminal Server Traffic
Potential Scan or Infection (Inbound) (scan.rules)
 2003380 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader
(ver18/ver19 etc) (trojan.rules)
 2008017 - ET TROJAN Philis.J ICMP Sweep (Payload Hello World)
(trojan.rules)
 2008150 - ET MALWARE Avsystemcare.com Fake AV User-Agent (LocusSoftware
NetInstaller) (malware.rules)
 2008738 - ET TROJAN Suspicious Accept-Language HTTP Header zh-cn likely
Kernelbot/Conficker Trojan Related (trojan.rules)
 2009714 - ET WEB_SERVER Script tag in URI Possible Cross Site Scripting
Attempt (web_server.rules)
 2010087 - ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely
SQL Injection Scanner (scan.rules)
 2010088 - ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web
Scanner (scan.rules)
 2010089 - ET SCAN Suspicious User-Agent Containing Security Scan/ner
Likely Scan (scan.rules)
 2010284 - ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind
SQL Injection Attempt (web_server.rules)
 2010285 - ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL
Injection Attempt (web_server.rules)
 2010494 - ET SCAN Multiple MySQL Login Failures Possible Brute Force
Attempt (scan.rules)
 2010625 - ET TROJAN FakeAV Landing Page (aid sid) (trojan.rules)
 2010641 - ET SCAN ICMP @hello request Likely Precursor to Scan (scan.rules)
 2010681 - ET SCAN ICMP Delphi Likely Precursor to Scan (scan.rules)
 2010719 - ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access
cookie and HTTP POST (web_specific_apps.rules)
 2011243 - ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like
planetwork) (web_server.rules)
 2011285 - ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)
(web_server.rules)
 2011457 - ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share
Possible DLL Preloading Exploit Attempt (web_client.rules)
 2011499 - ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly
Related to Remote Code Execution Attempt (web_client.rules)
 2011505 - ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code
Execution Attempt (web_client.rules)
 2013479 - ET SCAN Behavioral Unusually fast Terminal Server Traffic
Potential Scan or Infection (Outbound) (scan.rules)
 2017528 - ET WEB_SERVER UA WordPress probable DDOS-Attack
(web_server.rules)
 2018247 - ET TROJAN Snake rootkit usermode-centric client request
(trojan.rules)
 2018248 - ET TROJAN Snake rootkit usermode-centric encrypted command from
server (trojan.rules)
 2018872 - ET TROJAN Tor based locker .onion Proxy domain in SNI July 31
2014 (trojan.rules)
 2018874 - ET TROJAN Tor based locker .onion Proxy DNS lookup July 31 2014
(trojan.rules)
 2018877 - ET TROJAN Tor based locker knowledgewiki.info in SNI July 31
2014 (trojan.rules)
 2018892 - ET TROJAN Zbot .onion Proxy domain in SNI Aug 04 2014
(trojan.rules)
 2018893 - ET TROJAN Zbot .onion Proxy DNS lookup July 31 2014
(trojan.rules)
 2019606 - ET TROJAN Poweliks Abnormal HTTP Headers high likelihood of
Poweliks infection (trojan.rules)
 2021630 - ET TROJAN MS Terminal Server Single Character Login possible
Morto inbound (trojan.rules)
 2808735 - ETPRO TROJAN Backdoor.Backtor DNS lookup Sep 03 2014
(trojan.rules)
 2809169 - ETPRO TROJAN PE downloaded with malicious APT OPH certificate
(CallTogether Inc.) (trojan.rules)
 2815959 - ETPRO TROJAN APT Related DNS Lookup (PlugX Gh0st Bergard)
(trojan.rules)
 2816780 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS
Lookup (trojan.rules)
 2816781 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS
Lookup (trojan.rules)
 2816782 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS
Lookup (trojan.rules)
 2816783 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS
Lookup (trojan.rules)
 2816784 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS
Lookup (trojan.rules)
 2816785 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS
Lookup (trojan.rules)
 2821738 - ETPRO TROJAN Babylon RAT C2 Server Response (trojan.rules)
 2822485 - ETPRO TROJAN Automated Tor EXE Download Possibly Raum Trojan
(trojan.rules)


[///]    Modified inactive rules:    [///]

 2001539 - ET MALWARE Spyspotter.com Access Likely Spyware (malware.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>